Medicare and State Healthcare Programs: Fraud and Abuse; Revisions To Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 55694-55765 [2019-22027]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of Inspector General

[Federal Register Volume 84, Number 201 (Thursday, October 17, 2019)]
[Proposed Rules]
[Pages 55694-55765]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-22027]



[[Page 55693]]

Vol. 84

Thursday,

No. 201

October 17, 2019

Part II





Department of Health and Human Services





-----------------------------------------------------------------------





 Office of Inspector General





-----------------------------------------------------------------------





42 CFR Parts 1001 and 1003





Department of Health and Human Services





-----------------------------------------------------------------------





Centers for Medicare & Medicaid Services





-----------------------------------------------------------------------

42 CFR Part 411





Medicare and State Healthcare Programs: Fraud and Abuse; Revisions To 
Safe Harbors Under the Anti-Kickback Statute, And Civil Monetary 
Penalty Rules Regarding Beneficiary Inducements; Medicare Program; 
Modernizing and Clarifying the Physician Self-Referral Regulations; 
Proposed Rules

Federal Register / Vol. 84 , No. 201 / Thursday, October 17, 2019 / 
Proposed Rules

[[Page 55694]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Parts 1001 and 1003

RIN 0936-AA10


Medicare and State Healthcare Programs: Fraud and Abuse; 
Revisions To Safe Harbors Under the Anti-Kickback Statute, and Civil 
Monetary Penalty Rules Regarding Beneficiary Inducements

AGENCY: Office of Inspector General (OIG), Department of Health and 
Human Services (HHS).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule is being issued by the Office of Inspector 
General (OIG) in conjunction with the Department of Health and Human 
Services' Regulatory Sprint to Coordinated Care. It proposes to add, on 
a prospective basis only after a final rule is issued, safe harbor 
protections under the Federal anti-kickback statute for certain 
coordinated care and associated value-based arrangements between or 
among clinicians, providers, suppliers, and others that squarely meet 
all safe harbor conditions. It also would add protections under the 
anti-kickback statute and civil monetary penalty (CMP) law that 
prohibits inducements offered to patients for certain patient 
engagement and support arrangements to improve quality of care, health 
outcomes, and efficiency of care delivery that squarely meet all safe 
harbor conditions. The proposed rule would add a new safe harbor for 
donations of cybersecurity technology and amend the existing safe 
harbors for electronic health records (EHR) arrangements, warranties, 
local transportation, and personal services and management contracts. 
Further, the proposed rule would add a new safe harbor pursuant to a 
statutory change set forth in the Bipartisan Budget Act of 2018 (Budget 
Act of 2018) related to beneficiary incentives under the Medicare 
Shared Savings Program and a new CMP exception for certain telehealth 
technologies offered to patients receiving in-home dialysis, also 
pursuant to the Budget Act of 2018.

DATES: To ensure consideration, comments must be delivered to the 
address provided below by 5 p.m. on December 31, 2019. The 75-day 
period for public comments being set forth in this proposed rule will 
serve to protect the public's interest in this rulemaking process by 
allowing for an opportunity for additional input and recommendations, 
without unduly delaying any final rulemaking.

ADDRESSES: In commenting, please reference file code OIG-0936-AA10-P. 
Because of staff and resource limitations, we cannot accept comments by 
facsimile (fax) transmission. However, you may submit comments using 
one of three ways (no duplicates, please):
    1. Electronically. You may submit electronic comments on this 
regulation to https://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular, express, or overnight mail. You may send written 
comments to the following address: Office of Inspector General, 
Department of Health and Human Services, Attention: OIG-0936-AA10-P, 
Room 5521, Cohen Building, 330 Independence Avenue SW, Washington, DC 
20201.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By hand or courier. If you prefer, you may deliver your written 
comments by hand or courier before the close of the comment period to: 
Office of Inspector General, Department of Health and Human Services, 
Cohen Building, Room 5521, 330 Independence Avenue SW, Washington, DC 
20201.
    Because access to the interior of the Cohen Building is not readily 
available to persons without Federal Government identification, 
commenters are encouraged to schedule their delivery with one of our 
staff members at (202) 619-0335.
    Inspection of Public Comments: All comments received before the end 
of the comment period will be posted on https://www.regulations.gov for 
public viewing. Hard copies will also be available for public 
inspection at the Office of Inspector General, Department of Health and 
Human Services, Cohen Building, 330 Independence Avenue SW, Washington, 
DC 20201, Monday through Friday from 8:30 a.m. to 4 p.m. To schedule an 
appointment to view public comments, phone (202) 619-0335.

FOR FURTHER INFORMATION CONTACT: Jillian Sparks or Meredith Williams, 
(202) 619-0335.

SUPPLEMENTARY INFORMATION: 

------------------------------------------------------------------------
       Social Security  Act citation         United States Code citation
------------------------------------------------------------------------
1128B, 1128D, 1102, 1128A.................  42 U.S.C. 1320a-7b, 42
                                             U.S.C. 1320a-7d, 42 U.S.C.
                                             1302, 42 U.S.C. 1320a.-7a.
------------------------------------------------------------------------

I. Executive Summary

A. Purpose and Need for Regulatory Action

    The Secretary of Health and Human Services (the Secretary) has 
identified transforming our healthcare system to one that pays for 
value as one of the top priorities of the Department of Health and 
Human Services (the Department or HHS). Unlike the traditional fee-for-
service (FFS) payment system, which rewards providers for the volume of 
care delivered, a value-driven healthcare system is one that pays for 
health and outcomes. Delivering better value from our healthcare system 
will require the transformation of established practices and enhanced 
collaboration among providers and other individuals and entities. The 
purpose of this proposed rule is to modify existing safe harbors to the 
anti-kickback statute and add new safe harbors and a new CMP law 
exception to remove potential barriers to more effective coordination 
and management of patient care and delivery of value-based care that 
improves quality of care, health outcomes, and efficiency.
    Since the enactment in 1972 of the Federal anti-kickback statute, 
there have been significant changes in the delivery of, and payment 
for, healthcare items and services within the Medicare and Medicaid 
programs and for non-Federal payors and patients. This has included 
changes to traditional FFS Medicare (i.e., Medicare Parts A and B), 
Medicare Advantage, and states' Medicaid programs. For some time, the 
Department has worked to align payment under the Medicare program with 
the quality of the care provided to Federal health care program 
beneficiaries. Laws such as the Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA),\1\ the Deficit 
Reduction Act of 2005 (DRA),\2\ and the Medicare Improvements for 
Patients and Providers Act of 2008 (MIPPA) \3\ are among statutes that 
guided the Department's efforts to move toward healthcare delivery and 
payment reform. The Patient Protection and Affordable Care Act (ACA) 
\4\ required or encouraged significant changes to the Medicare 
program's payment systems and provided the Secretary with broad 
authority to test and implement models to promote reforms, including 
through the Center for Medicare and Medicaid

[[Page 55695]]

Innovation (the Innovation Center) within the Centers for Medicare & 
Medicaid Services (CMS).\5\
---------------------------------------------------------------------------

    \1\ Public Law 108-173, 117 Stat. 2066.
    \2\ Public Law 109-171, 120 Stat. 4.
    \3\ Public Law 110-275, 122 Stat. 2494.
    \4\ Public Law 111-148, 124 Stat. 119, as amended by the Health 
Care and Education Reconciliation Act of 2010 (Pub. L. 111-152, 124 
Stat. 1029).
    \5\ The Innovation Center's purpose is to test innovative 
payment and service delivery models to reduce the cost of care 
furnished to patients in the Medicare and Medicaid programs while 
preserving or enhancing the quality of that care. Using its 
authority in section 1115A of the Social Security Act (the Act), 42 
U.S.C. 1315a, the Innovation Center is testing many healthcare 
delivery and payment models in which providers, suppliers, and 
individual practitioners participate.
---------------------------------------------------------------------------

    The Department has identified the broad reach of the Federal anti-
kickback statute \6\ and the CMP law provision prohibiting inducements 
to beneficiaries, the ``beneficiary inducements CMP,'' \7\ as well as 
the Federal physician self-referral law (sometimes known as the Stark 
law),\8\ as potentially inhibiting beneficial arrangements that would 
advance the transition to value-based care and improve the coordination 
of patient care among providers and across care settings in both the 
Federal health care programs and commercial sectors. Industry 
stakeholders have informed the Department that, because the 
consequences of potential noncompliance with the physician self-
referral law and the Federal anti-kickback statute could be dire, 
providers, suppliers, and others may be discouraged from entering into 
innovative arrangements that would improve quality and health outcomes, 
produce health system efficiencies, and lower costs (or slow their rate 
of growth).
---------------------------------------------------------------------------

    \6\ 42 U.S.C. 1320a-7b(b).
    \7\ 42 U.S.C. 1320a-7a(a)(5).
    \8\ 42 U.S.C. 1395nn.
---------------------------------------------------------------------------

    To address these concerns and accelerate the transformation of the 
healthcare system into one that better pays for value and promotes care 
coordination, HHS launched a Regulatory Sprint to Coordinated Care 
(Regulatory Sprint), led by the Deputy Secretary. This Regulatory 
Sprint aims to remove potential regulatory barriers to care 
coordination and value-based care created by four key healthcare laws 
and associated regulations: (i) The physician self-referral law, (ii) 
the Federal anti-kickback statute, (iii) the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA),\9\ and (iv) rules 
under 42 CFR part 2 related to substance use disorder treatment.
---------------------------------------------------------------------------

    \9\ Public Law 104-191, 110 Stat. 1936.
---------------------------------------------------------------------------

    Through the Regulatory Sprint, HHS aims to encourage and improve:
     A patient's ability to understand treatment plans and make 
empowered decisions;
     providers' alignment on end-to-end treatment (i.e., 
coordination among providers along the patient's full care journey);
     incentives for providers to coordinate, collaborate, and 
provide patients tools to be more involved in their own care; and
     information sharing among providers, facilities, and other 
stakeholders in a manner that facilitates efficient care while 
preserving and protecting patient access to data.
    In connection with the Regulatory Sprint, OIG issued a request for 
information (OIG RFI) regarding the Federal anti-kickback statute and 
beneficiary inducements CMP on August 27, 2018.\10\ CMS published a 
Request for Information Regarding the Physician Self-Referral Law in 
June 2018 (CMS RFI).\11\ In the OIG RFI, we sought feedback on ways in 
which we might modify or add new safe harbors to the Federal anti-
kickback statute and exceptions to the beneficiary inducements CMP 
definition of ``remuneration'' to foster arrangements that would 
promote care coordination and advance the delivery of value-based care 
while also protecting patients and taxpayer dollars against harms 
caused by fraud and abuse. OIG received 359 comments in response to its 
RFI from a variety of individuals and organizations.
---------------------------------------------------------------------------

    \10\ Medicare and State Health Care Programs: Fraud and Abuse; 
Request for Information Regarding the Anti-Kickback Statute and 
Beneficiary Inducements CMP, 83 FR 43607 (Aug. 27, 2018), available 
at https://oig.hhs.gov/authorities/docs/2018/RFI_Regarding_AKS_Beneficiary_Inducements_CMP.pdf.
    \11\ Medicare Program; Request for Information Regarding the 
Physician Self-Referral Law, 83 FR 29524 (June 25, 2018), available 
at https://www.gpo.gov/fdsys/pkg/FR-2018-06-25/pdf/2018-13529.pdf.
---------------------------------------------------------------------------

    While most commenters strongly asserted the need for regulatory 
reform to the anti-kickback statute safe harbors and exceptions to the 
definition of ``remuneration'' under the beneficiary inducements CMP, a 
number of commenters acknowledged that increased regulatory flexibility 
could create program integrity vulnerabilities or increase the risk of 
harms associated with fraud and abuse and urged OIG to exercise caution 
and include adequate safeguards in any regulatory proposals. Comments 
supporting regulatory reform encompassed a number of themes, including 
requests for:
     New safe harbors protecting financial arrangements among 
parties participating in alternative payment models (APMs), value-based 
arrangements, and care coordination activities;
     safe harbor protection for financial arrangements with 
entities not participating in Innovation Center models, including 
commercial and self-pay APM arrangements;
     additional protection for patient tools and supports, such 
as in-kind items and services to support patient compliance with 
discharge and care plans, services and supports to address unmet social 
needs affecting health, and expanded protections under the local 
transportation safe harbor;
     enhanced safe harbor protection for transfers of 
information technology, data, and cybersecurity tools;
     modifications to the current ``patchwork'' fraud and abuse 
waiver framework for Innovation Center models and the Medicare Shared 
Savings Program; and
     a variety of protections for pharmaceutical and medical 
device manufacturer arrangements, including broad protections for drug 
and medical device manufacturer participation in value-based contracts, 
pricing arrangements, warranty arrangements, and APMs, as well as 
protection for coupons and other means of direct copayment assistance 
to Medicare Part D beneficiaries in certain situations.

B. Summary of OIG's Approach and Proposals

    These proposed regulations are informed by comments and other 
internal and external sources of information, as well as our experience 
interpreting and applying the safe harbors and beneficiary inducements 
CMP exceptions to a wide variety of arrangements. In developing this 
proposed rule, OIG has followed several guiding principles. The first 
guiding principle has been to design proposed safe harbors that allow 
for beneficial innovations in healthcare delivery. The second guiding 
principle has been to avoid promulgating safe harbors and exceptions 
that drive such innovation to limited channels that may not reflect up-
to-date understandings in medicine, science, and technology. The third 
guiding principle has been to design proposed safe harbors useful for a 
range of individuals and entities engaged in the coordination and 
management of patient care, including large and small practices and 
health systems, rural and urban providers and suppliers, primary care 
physicians and specialists, providers and suppliers contracting with 
public and private payors, clinically integrated networks, and looser 
affiliations of providers and suppliers collaborating to coordinate 
care for patients across the continuum of care.

[[Page 55696]]

    Designing proposed safe harbors with these principles in mind is 
not without challenges and potential pitfalls, particularly with 
respect to ensuring sufficient safeguards against potential abuses and 
harms by those who might misuse the safe harbors. In this proposed 
rule, we have tried to strike the right balance between flexibility for 
beneficial innovation and safeguards to protect patients and Federal 
health care programs. No final determination has yet been made that the 
balance is correct with respect to each proposed safe harbor. Thus, no 
final determination has been made that the arrangements described in 
the proposals are, or should be, exempt from liability under the anti-
kickback statute. To aid us in making that determination in a final 
rule, we solicit public comments throughout this proposed rule about 
whether we have achieved the proper balance such that the arrangements 
described in the proposed safe harbors should be protected from 
criminal liability under the anti-kickback statute. To this end, we 
caution that these proposed safe harbors remain subject to change 
through the rulemaking process, and that the types of arrangements 
described in this proposed rule remain subject to case-by-case review 
under the anti-kickback statute, and if applicable, the beneficiary 
inducements CMP, including with respect to the requisite intent of the 
parties. The proposed safe harbors, if finalized, specifically would 
address barriers to coordinated and value-based care posed by the 
Federal anti-kickback statute and the beneficiary inducements CMP and 
would have no application to any other law. In addition, any final safe 
harbors would provide only prospective protection.
    OIG's mission is to protect the integrity of the Federal health 
care programs as well as the health and welfare of the people they 
serve. OIG prevents and detects fraud, waste, and abuse, and promotes 
economy, effectiveness, and efficiency in HHS programs. Stakeholders, 
including patients, depend upon OIG to be thoughtful, cautious, and 
deliberate in promulgating safe harbors to ensure that the arrangements 
the safe harbors protect do not inappropriately increase costs to the 
Federal health care programs or patients, corrupt practitioners' 
medical judgment, or result in overutilization, inappropriate patient 
steering, unfair competition, or poor-quality care. These abuses are 
sometimes characterized as traditional FFS fraud and abuse risks.
    Model design characteristics common to properly structured value-
based payment models could curb some traditional FFS risks. However, 
value-based payment models could present other risks, including 
stinting on care (underutilization), cherry picking lucrative or 
adherent patients, lemon dropping costly or noncompliant patients, and 
incentives to manipulate or falsify data used to verify performance and 
outcomes for payment purposes. In addition, emerging value-based 
payment models might present risks not yet identified by OIG or others 
in the healthcare industry. Many new models combine FFS and value-based 
payment features, subjecting providers to mixed incentives and 
potentially posing all or some of the risks raised by volume- and 
value-based payment. We seek comments on how best to address existing 
and emerging risks with respect to our proposals below, individually 
and collectively.
    Section C of this Executive Summary and sections III and IV of this 
preamble summarize our specific proposals. Several proposals address 
particular types of value-based arrangements designed to promote care 
coordination and allow for outcomes-based payments. We have included a 
proposed safe harbor for arrangements that engage patients more 
actively in preventive care and adhering to treatment and care plans 
developed between them and their healthcare providers. We also are 
proposing a new safe harbor related to cybersecurity tools, as well as 
modifications to the existing safe harbors related to personal services 
arrangements, electronic health records, warranties, and local 
transportation.
    Our proposals in this rulemaking focus on ensuring protected 
arrangements: (i) Promote coordinated patient care and foster improved 
quality, better health outcomes, and improved efficiency; and (ii) 
would not be misused to perpetrate fraud and abuse, including, for 
example, schemes in which patients receive unnecessary or substandard 
care or Federal health care programs are billed for medically 
unnecessary items or services. We have sought to strike an effective 
balance among the goals of clarity, objectivity, flexibility, 
safeguards (including accountability and transparency), and ease of 
implementation.
    OIG and CMS coordinated closely to develop our respective proposed 
rulemakings in connection with the Regulatory Sprint and strove, where 
appropriate, to propose consistent terminology for value-based 
arrangements. In many respects, OIG's proposed rules for value-based 
arrangements are different or more restrictive than CMS's comparable 
proposals, in recognition of the differences in statutory structures 
and penalties. For some arrangements, we believe it is appropriate for 
the anti-kickback statute, which is a criminal, intent-based statute, 
to serve as ``backstop'' protection for arrangements that might be 
protected by a less restrictive exception to the civil, strict 
liability physician self-referral law. For any final rule, we would 
examine our rules in combination with any rules CMS may choose to 
finalize with the goal of creating an overall regulatory landscape that 
is well-coordinated and serves the intended purpose to allow for 
beneficial innovation; that is as streamlined as possible, consistent 
with program integrity considerations; and that provides strong 
protections for patients and programs, both in terms of promoting value 
and ensuring that the Government can take action to protect patients 
and address fraud or abuse. Arrangements that might be protected by a 
physician self-referral law exception, but might not be explicitly 
protected by an anti-kickback statute safe harbor, would not 
necessarily be unlawful under the anti-kickback statute. They would 
need to be examined on a case-by-case basis, including with respect to 
the intent of the parties. We note that OIG's proposed new safe harbor 
for cybersecurity items and services and modifications to the existing 
safe harbor for electronic health record items and services are closely 
aligned with CMS' proposals.

C. Summary of the Major Provisions

1. Anti-Kickback Statute and Safe Harbors
    As described in more detail below, we propose to amend 42 CFR 
1001.952 by modifying certain existing safe harbors to the anti-
kickback statute and by adding safe harbors that would provide new 
protections or codify an existing statutory protection. Subject to 
definitions and conditions set forth in the proposed regulations, these 
proposed changes include:
     Three proposed new safe harbors for certain remuneration 
exchanged between or among participants in a value-based arrangement 
(as further defined) that fosters better coordinated and managed 
patient care: (i) Care coordination arrangements to improve quality, 
health outcomes, and efficiency (1001.952(ee)); (ii) value-based 
arrangements with substantial downside financial risk (1001.952(ff)); 
and (iii) value-based arrangements with full financial risk 
(1001.952(gg)). These proposed safe harbors vary, among other ways, by 
the types of remuneration protected (in-kind or in-kind and

[[Page 55697]]

monetary), the level of financial risk assumed by the parties, and the 
types of safeguards included as safe harbor conditions;
     a proposed new safe harbor (1001.952(hh)) for certain 
tools and supports furnished under patient engagement and support 
arrangements to improve quality, health outcomes, and efficiency;
     a proposed new safe harbor (1001.952(ii)) for certain 
remuneration provided in connection with a CMS-sponsored model, which 
should reduce the need for OIG to issue separate and distinct fraud and 
abuse waivers for new CMS-sponsored models;
     a proposed new safe harbor (1001.952(jj)) for donations of 
cybersecurity technology and services;
     proposed modifications to the existing safe harbor for 
electronic health records items and services (1001.952(y)) to add 
protections for certain cybersecurity technology included as part of an 
electronic health records arrangement, to update provisions regarding 
interoperability, and to remove the sunset date;
     proposed modifications to the existing safe harbor for 
personal services and management contracts (1001.952(d)) to add 
flexibility with respect to outcomes-based payments and part-time 
arrangements;
     proposed modifications to the existing safe harbor for 
warranties (1001.952(g)) to revise the definition of ``warranty'' and 
provide protection for warranties for one or more items and related 
services;
     proposed modifications to the existing safe harbor for 
local transportation (1001.952(bb)) to expand and modify mileage limits 
for rural areas and for transportation for discharged patients; and
     codification of the statutory exception to the definition 
of ``remuneration'' at section 1128B(b)(3)(K) of the Act related to ACO 
Beneficiary Incentive Programs for the Medicare Shared Savings Program 
(1001.952(kk)).
2. Civil Monetary Penalty Authorities
    We propose to amend the definition of ``remuneration'' in the CMP 
rules at 42 CFR 1003.110 by interpreting and incorporating a new 
statutory exception to the prohibition on beneficiary inducements for 
``telehealth technologies'' furnished to certain in-home dialysis 
patients, pursuant to section 50302(c) of the Budget Act of 2018.
    We further note that, if finalized, the proposed new safe harbor 
for patient engagement and support arrangements (1001.952(hh)) and the 
proposed modifications to the local transportation safe harbor 
(1001.952(bb)) would by operation of law serve as exceptions to the 
beneficiary inducements CMP prohibition's definition of 
``remuneration.''
3. Costs and Benefits
    There are no significant costs associated with the proposed 
regulatory revisions that would impose any mandates on State, local, or 
Tribal Governments or on the private sector.

II. Background

A. Anti-Kickback Statute and Safe Harbors

    Section 1128B(b) of the Act, (42 U.S.C. 1320a-7b(b), the anti-
kickback statute), provides for criminal penalties for whoever 
knowingly and willfully offers, pays, solicits, or receives 
remuneration to induce or reward the referral of business reimbursable 
under any of the Federal health care programs, as defined in section 
1128B(f) of the Act (42 U.S.C. 1320a-7b(f)). The offense is classified 
as a felony and is punishable by fines of up to $100,000 and 
imprisonment for up to 10 years. Violations of the anti-kickback 
statute also may result in the imposition of CMPs under section 
1128A(a)(7) of the Act (42 U.S.C. 1320a-7a(a)(7)), program exclusion 
under section 1128(b)(7) of the Act (42 U.S.C. 1320a-7(b)(7)), and 
liability under the False Claims Act (31 U.S.C. 3729-33).
    The types of remuneration covered specifically include, without 
limitation, kickbacks, bribes, and rebates, whether made directly or 
indirectly, overtly or covertly, in cash or in kind. In addition, 
prohibited conduct includes not only the payment of remuneration 
intended to induce or reward referrals of patients but also the payment 
of remuneration intended to induce or reward the purchasing, leasing, 
or ordering of, or arranging for or recommending the purchasing, 
leasing, or ordering of, any good, facility, service, or item 
reimbursable by any Federal health care program.
    Because of the broad reach of the statute, concern was expressed 
that some relatively innocuous business arrangements were covered by 
the statute and, therefore, potentially subject to criminal 
prosecution. In response, Congress enacted section 14 of the Medicare 
and Medicaid Patient and Program Protection Act of 1987, Public Law 
100-93 (section 1128B(b)(3)(E) of the Act; 42 U.S.C. 1320a-
7b(b)(3)(E)), which specifically requires the development and 
promulgation of regulations, the so-called safe harbor provisions, that 
would specify various payment and business practices that would not be 
subject to sanctions under the anti-kickback statute, even though they 
potentially may be capable of inducing referrals of business for which 
payment may be made under a Federal health care program.
    Section 205 of HIPAA established section 1128D of the Act (42 
U.S.C. 1320a-7d), which includes criteria for modifying and 
establishing safe harbors. Specifically, section 1128D(a)(2) of the Act 
provides that, in modifying and establishing safe harbors, the 
Secretary may consider whether a specified payment practice may result 
in:
     An increase or decrease in access to healthcare services;
     an increase or decrease in the quality of healthcare 
services;
     an increase or decrease in patient freedom of choice among 
healthcare providers;
     an increase or decrease in competition among healthcare 
providers;
     an increase or decrease in the ability of healthcare 
facilities to provide services in medically underserved areas or to 
medically underserved populations;
     an increase or decrease in the cost to Federal health care 
programs;
     an increase or decrease in the potential overutilization 
of healthcare services;
     the existence or nonexistence of any potential financial 
benefit to a healthcare professional or provider, which benefit may 
vary depending on whether the healthcare professional or provider 
decides to order a healthcare item or service or arrange for a referral 
of healthcare items or services to a particular practitioner or 
provider; or
     any other factors the Secretary deems appropriate in the 
interest of preventing fraud and abuse in Federal health care programs.
    We have considered these factors in designing our proposals. We are 
interested in public comments on these factors as they relate to our 
proposals. Properly structured and operated, we believe that the 
arrangements we propose to protect have the potential to increase 
access to care, increase quality of care, aid in the provision of items 
and services in underserved areas and to underserved populations, 
decrease costs to Federal health care programs, and decrease the 
potential for overutilization of healthcare services. We are concerned 
about reduced patient freedom of choice among providers, potential 
decreases in competition among health providers, and potential 
financial benefits to

[[Page 55698]]

healthcare professionals or providers that may vary inappropriately 
based on their ordering decisions. We solicit comments on whether or 
not our proposals adequately address these or other undesired effects; 
if commenters believe the proposals would not adequately address these 
effects, we solicit comments on the degree to which such effects might 
occur and on additional safeguards to mitigate them.
    In giving the Department the authority to protect certain 
arrangements and payment practices under the anti-kickback statute, 
Congress intended the safe harbor regulations to be updated 
periodically to reflect changing business practices and technologies in 
the healthcare industry.\12\ Since July 29, 1991, there have been a 
series of final regulations published in the Federal Register 
establishing safe harbors in various areas.\13\ These safe harbor 
provisions have been developed ``to limit the reach of the statute 
somewhat by permitting certain non-abusive arrangements, while 
encouraging beneficial or innocuous arrangements.'' \14\
---------------------------------------------------------------------------

    \12\ H.R. Rep. No. 100-85, Pt. 2, at 27 (1987).
    \13\ Medicare and State Health Care Programs: Fraud and Abuse; 
OIG Anti-Kickback Provisions, 56 FR 35952 (July 29, 1991); Medicare 
and State Health Care Programs: Fraud and Abuse; Safe Harbors for 
Protecting Health Plans, 61 FR 2122 (Jan. 25, 1996); Federal Health 
Care Programs: Fraud and Abuse; Statutory Exception to the Anti-
Kickback Statute for Shared Risk Arrangements, 64 FR 63504 (Nov. 19, 
1999); Medicare and State Health Care Programs: Fraud and Abuse; 
Clarification of the Initial OIG Safe Harbor Provisions and 
Establishment of Additional Safe Harbor Provisions Under the Anti-
Kickback Statute, 64 FR 63518 (Nov. 19, 1999); 64 FR 63504 (Nov. 19, 
1999); Medicare and State Health Care Programs: Fraud and Abuse; 
Ambulance Replenishing Safe Harbor Under the Anti-Kickback Statute, 
66 FR 62979 (Dec. 4, 2001); Medicare and State Health Care Programs: 
Fraud and Abuse; Safe Harbors for Certain Electronic Prescribing and 
Electronic Health Records Arrangements Under the Anti-Kickback 
Statute, 71 FR 45109 (Aug. 8, 2006); Medicare and State Health Care 
Programs: Fraud and Abuse; Safe Harbor for Federally Qualified 
Health Centers Arrangements Under the Anti-Kickback Statute, 72 FR 
56632 (Oct. 4, 2007); Medicare and State Health Care Programs: Fraud 
and Abuse; Electronic Health Records Safe Harbor Under the Anti-
Kickback Statute, 78 FR 79202 (Dec. 27, 2013); and Medicare and 
State Health Care Programs: Fraud and Abuse; Revisions to the Safe 
Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty 
Rules Regarding Beneficiary Inducements, 81 FR 88368 (Dec. 7, 2016).
    \14\ Medicare and State Health Care Programs: Fraud and Abuse; 
OIG Anti-Kickback Provisions, 56 FR at 35958.
---------------------------------------------------------------------------

    Healthcare providers and others may voluntarily seek to comply with 
final safe harbors so that they have the assurance that their business 
practices would not be subject to any anti-kickback enforcement action. 
Compliance with an applicable safe harbor insulates an individual or 
entity from liability under the anti-kickback statute and the 
beneficiary inducements CMP only; individuals and entities remain 
responsible for complying with all other laws, regulations, and 
guidance that apply to their businesses.
    In developing our proposals, we have taken into account information 
gleaned from a variety of sources: Industry stakeholder input, 
including through comments to the OIG RFI; learnings from OIG's work 
(e.g., fraud and abuse waivers for the Medicare Shared Savings Program 
and Innovation Center models, investigative and oversight work applying 
the fraud and abuse laws, and audits and evaluations of program 
effectiveness and efficiency); expertise from CMS and other HHS 
agencies; and other sources, including literature on care coordination 
and value-based payments.

B. Civil Monetary Penalty Authorities

1. Overview of OIG Civil Monetary Penalty Authorities
    In 1981, Congress enacted the CMP law, section 1128A of the Act, 42 
U.S.C. 1320a-7a, as one of several administrative remedies to combat 
fraud and abuse in Medicare and Medicaid. The law authorized the 
Secretary to impose penalties and assessments on persons who defrauded 
Medicare or Medicaid or engaged in certain other wrongful conduct. The 
CMP law also authorized the Secretary to exclude persons from Federal 
health care programs (as defined in section 1128B(f) of the Act, 42 
U.S.C. 1320a-7b(f)) and to direct the appropriate State agency to 
exclude the person from participating in any State healthcare programs 
(as defined in section 1128(h) of the Act, 42 U.S.C. 1320a-7(h)). 
Congress later expanded the CMP law and the scope of exclusion to apply 
to all Federal health care programs, but the CMP applicable to 
beneficiary inducements remains limited to Medicare and State 
healthcare program beneficiaries. Since 1981, Congress has created 
various other CMP authorities covering numerous types of fraud and 
abuse.
2. The Beneficiary Inducements CMP and the Definition of 
``Remuneration''
    Section 1128A(a)(5) of the Act, 42 U.S.C. 1320a-7a(a)(5), the 
``beneficiary inducements CMP,'' provides for the imposition of civil 
monetary penalties against any person who offers or transfers 
remuneration to a Medicare or State healthcare program (including 
Medicaid) beneficiary that the benefactor knows or should know is 
likely to influence the beneficiary's selection of a particular 
provider, practitioner, or supplier of any item or service for which 
payment may be made, in whole or in part, by Medicare or a State 
healthcare program (including Medicaid). Section 1128A(i)(6) of the 
Act, 42 U.S.C. 1320a-7a(i)(6), defines ``remuneration'' for purposes of 
the beneficiary inducements CMP as including ``transfers of items or 
services for free or for other than fair market value.'' Section 
1128A(i)(6) of the Act also includes a number of exceptions to the 
definition of ``remuneration.''
    Pursuant to section 1128A(i)(6)(B) of the Act, any practice 
permissible under the anti-kickback statute, whether through statutory 
exception or regulations issued by the Secretary, is also excepted from 
the definition of ``remuneration'' for purposes of the beneficiary 
inducements CMP. However, no parallel exception exists in the anti-
kickback statute. Thus, the exceptions in section 1128A(i)(6) of the 
Act apply only to the definition of ``remuneration'' applicable to 
section 1128A.
    Relevant to this proposed rulemaking, the Budget Act of 2018 
created a new exception to the definition of ``remuneration'' for 
purposes of the beneficiary inducements CMP. This exception applies to 
``telehealth technologies'' provided on or after January 1, 2019, by a 
provider of services or a renal dialysis facility to an individual with 
end-stage renal disease (ESRD) who is receiving home dialysis for which 
payment is being made under Medicare Part B.

III. Provisions of the Proposed Rule: Anti-Kickback Statute Safe 
Harbors

A. Value-Based Framework

    This section provides background on, and an overarching summary of, 
the framework for value-based arrangements set forth in this proposed 
rulemaking; explains proposed terminology used in certain proposed safe 
harbors; and explains the specific safe harbor proposals to protect 
value-based arrangements (as defined in proposed paragraph 
1001.952(ee)) designed to foster better care at lower cost through 
improved care coordination for patients.
    Our proposals endeavor to remove real or perceived regulatory 
barriers to promote flexible, industry-led innovation in the delivery 
of more efficient and better coordinated healthcare. Further, 
consistent with emerging understandings of the benefits of better care 
coordination and the increasing adoption of value-based care and 
payment models in the healthcare industry, our proposals may support a 
more rapid transition from volume (e.g.,

[[Page 55699]]

FFS reimbursement for office visits, tests, or procedures) toward value 
(e.g., paying for patient or population outcomes).
1. Anti-Kickback Statute Implications of Care Coordination and the 
Value-Based Framework
    Better care coordination--including more effective transitions for 
patients across the care continuum, less duplication of items and 
services, and open sharing of health data (consistent with privacy and 
security rules)--is integrally connected to advancing the transition to 
a value-based healthcare system. Care coordination arrangements, 
especially when linked to appropriate clinical or other value-driven 
outcomes, can help improve health and the patient experience of care; 
enable providers to participate successfully in value-based care and 
payment models; and advance the goals of value-based care: Delivering 
better health outcomes and maximizing desirable efficiency in 
healthcare delivery. For example, OIG's recent report entitled, ``ACOs' 
Strategies for Transitioning to Value-Based Care: Lessons From the 
Medicare Shared Savings Program,'' \15\ highlights the tools--including 
care coordination arrangements--that certain accountable care 
organizations (ACOs) under the Medicare Shared Savings Program have 
deployed successfully to reduce costs and improve quality. Many of the 
strategies discussed in this report involve care coordination, care 
management, and patient engagement, including: engaging beneficiaries 
to improve their own health, managing beneficiaries with costly or 
complex care needs to improve their health outcomes, addressing 
behavioral health needs and social determinants of health, and using 
technology to increase information sharing among providers.\16\
---------------------------------------------------------------------------

    \15\ OIG, ACOs' Strategies for Transitioning to Value-Based 
Care: Lessons From the Medicare Shared Savings Program (July 2019), 
available at https://oig.hhs.gov/oei/reports/oei-02-15-00451.pdf.
    \16\ Id.
---------------------------------------------------------------------------

    Because care coordination often involves arrangements between 
providers that refer Federal health care program patients to one 
another and an exchange of remuneration, the anti-kickback statute may 
be implicated. Moreover, providing patients with remuneration to engage 
and support them in achieving better health outcomes may implicate both 
the anti-kickback statute and the beneficiary inducements CMP.
2. Balancing Innovation With Protection Against Fraud and Abuse Risks
    To remove regulatory barriers to care coordination and support 
value-based arrangements, we are faced with the challenge of designing 
safe harbor protections for emerging healthcare arrangements. The 
optimal form, design, and efficacy of such emerging arrangements remain 
unknown or unproven. This is a key challenge of regulating during a 
period of innovation and experimentation. The challenge of designing 
appropriate safe harbors is exacerbated by: The substantial variation 
in care coordination and value-based arrangements contemplated by the 
healthcare industry (meaning that one-size-fits-all safe harbor designs 
may be less than optimal), variation among patient populations and 
provider characteristics, emerging health technologies and data 
capabilities, the still-developing science of quality and performance 
measurement, and our desire not to chill beneficial innovation.
    It is sometimes difficult to gauge fraud and abuse risk in a 
rapidly evolving environment of substantial innovation, 
experimentation, and deployment of technology and digital data. In some 
cases, innovations and the availability of more actionable, transparent 
data may enhance program integrity and protect against fraud and abuse. 
There is a compelling concern that uncertainty and regulatory 
barriers--real or perceived--could prevent the best and most 
efficacious innovations from emerging and being tested in the 
marketplace. Our goal is to craft safe harbors that, if finalized, 
would protect arrangements that promote value, while also protecting 
against fraud, abuse and associated harms. Over time, we expect that 
best practices in care coordination and value-based payment will 
emerge.
3. Overview of Proposed Safe Harbors
    We are proposing safe harbors for value-based arrangements, with 
greater flexibilities available to parties as they assume more downside 
financial risk for the cost and quality of care. This ``tiered'' 
structure is intended to support the transformation of industry payment 
systems and takes into account that arrangements involving higher 
levels of downside risk curb, at least to some degree, FFS incentives 
to order medically unnecessary or overly costly items and services. We 
propose these safe harbors, recognizing that the transition from an FFS 
to a value-based care and payment system will take time. Where parties 
may have both FFS and value-based payment incentives, we believe 
assuming downside financial risk from a payor for items and services 
furnished to patients helps mitigate incentives that often drive fraud 
and abuse present in traditional FFS.
    For the purposes of this rule, the proposed safe harbors that 
require assumption of risk focus on value-based arrangements with 
substantial downside financial risk (1001.952(ff)) and value-based 
arrangements at full financial risk (1001.952(gg)). While these 
proposed safe harbors largely focus on the assumption of downside 
financial risk, we understand that participants in value-based 
arrangements may assume certain types of risk other than downside 
financial risk for items and services furnished to a target patient 
population (e.g., upside risk, clinical risk, operational risk, 
contractual risk, or investment risk).
    We believe that our focus on downside financial risk is appropriate 
because the assumption of downside financial risk may shift the 
incentives that serve to influence those making the referring and 
ordering decisions, the conduct at the center of the anti-kickback 
statute. We solicit comments on whether, for purposes of a final rule, 
other types of risk would have a comparable effect. We are particularly 
interested in fact patterns that illustrate how other types of risk 
would operate to change ordering or referring behaviors of providers 
and suppliers that might still be paid on an FFS basis or otherwise 
help ensure that safe-harbored arrangements would serve appropriate 
value-based purposes.
    Remuneration has at least two dimensions relevant to this proposed 
rulemaking: (i) Payments by payors; and (ii) remuneration exchanged 
between clinicians, providers, suppliers, and others. Payor payments 
that drive toward value include capitated payments and global budgets 
at one end of the ``value-based payments'' spectrum; shared savings and 
bundled payment mechanisms in the middle; and bonuses and reductions 
applied to FFS payments at the other end of the spectrum. Examples of 
remuneration exchanged among clinicians, providers, suppliers, and 
others include sharing staff, such as care coordinators, or technology, 
such as data analytics tools, to improve quality or efficiency or to 
achieve other performance or outcomes targets, whether set by payors or 
among themselves. In some cases, these parties also may have value-
based payment arrangements among themselves, such as gainsharing or 
shared savings agreements.
    We are proposing a suite of safe harbors that, if finalized, would 
address a variety of scenarios. Collectively, we

[[Page 55700]]

believe these proposed safe harbors, in combination with existing safe 
harbors, would provide pathways for protection for most beneficial care 
coordination and value-based care and payment arrangements. In crafting 
these safe harbors, we have endeavored to be agnostic with respect to 
the composition of the value-based enterprise (VBE), a concept and 
defined term described further below, and scope of protected value-
based arrangements to allow for innovation and experimentation in the 
healthcare marketplace and to foster a level playing field for those 
seeking safe harbor protection, whether they are large health systems 
or individual practitioners. The proposed safe harbors would cover 
value-based arrangements involving both publicly and privately insured 
patients.
    The first proposed safe harbor, at 1001.952(ee), covers care 
coordination arrangements to improve quality, health outcomes, and 
efficiency (``care coordination arrangements'' safe harbor). It covers 
certain in-kind remuneration, including services and infrastructure. 
The second proposed safe harbor, at 1001.952(ff), with greater 
flexibility, covers certain in-kind and monetary arrangements where the 
VBE is at substantial downside financial risk from a payor (as 
defined). The third proposed safe harbor, at 1001.952(gg), is for in-
kind and monetary arrangements where the VBE is at full downside 
financial risk from a payor and allows for even more flexibility. In 
addition, we propose to protect certain outcomes-based compensation 
(regardless of whether it meets the criteria for substantial downside 
financial risk) under the rubric of ``outcomes-based payments'' through 
proposed modifications to the personal services and management 
contracts safe harbor at 1001.952(d), as discussed in the section 
III.J. below.
    We are mindful of the role patient engagement can play in improved 
coordination of patient care and health outcomes. Thus, we are 
proposing a safe harbor at 1001.952(hh) for arrangements for patient 
engagement and support to improve quality, health outcomes, and 
efficiency (the ``patient engagement and support'' safe harbor). We are 
further proposing a separate safe harbor at 1001.952(ii) for care 
delivery and payment arrangements as well as beneficiary incentives 
pursuant to certain CMS-sponsored models, including Innovation Center 
models. This proposed safe harbor would largely, if not entirely, 
replace OIG's current model-by-model fraud and abuse waiver process for 
CMS-sponsored models. The requirements of each proposed safe harbor are 
discussed in detail below.
    As always, all safe harbor conditions would need to be precisely 
met for safe harbor protections to apply. Many value-based arrangements 
and activities may qualify for existing safe harbor protections, 
including under the employees safe harbor (1001.952(i)), the EHR items 
and services safe harbor (1001.952(y)), the personal services and 
management contracts safe harbor (1001.952(d)), the local 
transportation safe harbor (1001.952(bb)), and the several safe harbors 
pertaining to health plans and managed care organizations set forth at 
1001.952(l), (m), (t), and (u). Many others may not raise anti-kickback 
issues at all if they do not relate to Federal health care program 
beneficiaries or are not tied in any way to the volume or value of 
Federal health care program business. (Likewise, with respect to 
compliance with the beneficiary inducements CMP, patient engagement and 
support arrangements and activities may fit in existing exceptions to 
the CMP law, may be within applicable nominal value limits, or may not 
raise concerns under that statute if they do not relate to Medicare or 
Medicaid patients or are not likely to influence the selection of 
providers, practitioners, or suppliers.)
    In the next section, we describe the proposed definitions for 
several key terms used in the proposed safe harbors for value-based 
arrangements at proposed paragraphs 1001.952(ee), (ff), and (gg) for 
care coordination arrangements, value-based arrangements with 
substantial downside financial risk, and value-based arrangements at 
full financial risk, respectively. We then describe each proposed safe 
harbor in detail. Related proposed modifications to the personal 
services and management contracts safe harbor (1001.952(d)) for 
outcomes-based payments (where there is no substantial downside 
financial risk) are described at section III.J. The patient engagement 
and support safe harbor is described at section III.F. The proposed 
safe harbor for CMS-sponsored models, including Innovation Center 
models, is described at section III.G.

B. Proposed Value-Based Terminology (1001.952(ee))

    We propose definitions for key terms in paragraph 1001.952(ee). 
These terms are used consistently in several proposed safe harbors. The 
proposed defined terms are intended to work in conjunction with one 
another to describe the universe of value-based arrangements 
potentially eligible for proposed safe harbor protection and of 
individuals and entities that can engage in protected arrangements, 
provided all conditions of a specific safe harbor are squarely met.
    Generally speaking, when read together, the proposed terminology 
and safe harbors are intended to protect care coordination and support 
value-based arrangements where, as a threshold matter, the arrangements 
are under the auspices of a VBE (of any size, and as further defined in 
proposed paragraph 1001.952(ee)) that is essentially a network of 
participants (such as clinicians, providers, or suppliers) that has 
agreed to collaborate to, for example: (i) Put the patient at the 
center of care through improved care coordination, (ii) increase 
efficiencies in the delivery of care, and (iii) improve quality of care 
and health outcomes for patients or populations. The VBE has value-
based purposes and its participants enter into value-based arrangements 
for value-based activities to further those purposes.
    Wherever possible and appropriate, it is our intent to align our 
proposed value-based terminology with those that CMS proposes in its 
notice of proposed rulemaking regarding the physician self-referral 
law, ``Modernizing and Clarifying the Physician Self-Referral 
Regulations.'' Because of the close nexus between the value-based 
terminology in our proposed rule and CMS's proposed terminology, we may 
also consider for purposes of making determinations for a final rule 
comments submitted about value-based terminology in response to CMS's 
proposed rule.
    We use the term ``value-based'' in our proposed terminology in a 
non-technical way to signal value produced through improved care 
coordination, improved health outcomes, lower costs or reduced growth 
of costs for patients and payors, and improved efficiencies in the 
delivery of care. We recognize that our use of the words ``value'' and 
``value-based'' here do not necessarily capture all dimensions of value 
in healthcare. We solicit comments on our approach, as well as comments 
on whether we should define ``value'' specifically in the final rule, 
and if so, how best to define ``value'' as it pertains to care 
coordination and value-based payment. For example, we are considering 
for the final rule whether ``value'' should be defined with reference 
to financial arrangements under advanced APMs (whether HHS or other 
payor models).
1. Value-Based Enterprise (VBE)
    We propose to use the term ``value-based enterprise'' to describe 
the

[[Page 55701]]

network of individuals and entities that collaborate together to 
achieve one or more value-based purposes (as defined in proposed 
paragraph 1001.952(ee)). As defined in this rulemaking, and as a 
general matter, the VBE would delineate the universe of individuals and 
entities participating in arrangements eligible for safe harbor 
protection, if all safe harbor conditions are fully met. The VBE also 
would be accountable for ensuring that such protected arrangements are 
conducted under the auspices of the VBE.
a. Two or More VBE Participants
    First, we propose that VBE would mean two or more VBE participants 
(as defined in proposed paragraph 1001.952(ee)) that are collaborating 
to achieve at least one value-based purpose. VBEs may take many 
different forms, and we intend for the definition of ``VBE'' to be 
flexible. For example, a VBE could be as small as two individual 
physician practices collaborating to coordinate care for shared 
patients. The same term also could cover a formal or informal network 
of hospital systems, post-acute care providers, and physician 
practices. An accountable care organization or health system comprised 
of hospitals and physician practices, for example, could also 
constitute a VBE.
b. Party to a Value-Based Arrangement
    Second, we propose that each VBE participant in the VBE must be a 
party to a value-based arrangement (as defined below) with at least one 
other VBE participant from the same VBE. In the case of a VBE comprised 
of two VBE participants, the two VBE participants would need to be 
engaged in a value-based arrangement with each other. We intend for 
this criterion to ensure that parties qualifying as part of a VBE are 
contributing to a value-based arrangement. Consistent with our 
intention to provide flexibility for innovation, VBE participants could 
engage in one or multiple value-based arrangements, so long as all of 
the value-based arrangements further the value-based purpose(s) of the 
VBE.
c. Accountable Body
    Third, we propose that the VBE must have an accountable body (such 
as a board of directors or other governing body) or person (which, 
depending on the size and scope of the VBE, may be an entity, such as a 
hospital or physician practice that is among the VBE participants, or 
an individual) responsible for financial and operational oversight of 
the VBE. As part of its oversight role, we expect that the accountable 
body or responsible person would serve as the ``gatekeeper'' to the 
VBE, with a process and criteria to ensure that those admitted to the 
VBE after its formation as VBE participants have a legitimate role in 
the VBE and in VBE arrangements and that VBE participants are not 
participants in name only. In addition to ensuring operational and 
financial oversight, we believe the accountable body or responsible 
person would be positioned to identify program integrity issues and to 
initiate action to address them, as necessary and appropriate. We are 
considering for the final rule, and solicit comment on, whether the VBE 
or its participants should be required to have a compliance program 
that covers at least those value-based arrangements for which safe 
harbor protection is sought and whether the accountable body or person 
should have responsibility for the compliance program.
    The arrangements that would be protected by these proposed safe 
harbors would not have the benefit of programmatic oversight comparable 
to CMS-sponsored models. Accordingly, we view this accountability 
criterion as important to ensure that arrangements operate for their 
designated value-based purpose(s) and as a key safeguard to ensure that 
value-based arrangements are aligned with at least one value-based 
purpose and not misused for purposes that raise program integrity 
concerns (e.g., arrangements that encourage providers to steer patients 
in ways that are not in the patients' best interests or stint on 
medically necessary care).
    The oversight role may include, depending on the applicable 
proposed safe harbor at 42 CFR 1001.952(ee), (ff), and (gg) and how the 
applicable VBE effectuates safe harbor requirements, monitoring whether 
VBE participants are performing under their value-based arrangements in 
a manner that furthers the coordination and management of care for the 
target patient population. We are considering for the final rule a 
requirement that all VBE participants affirmatively recognize the 
oversight role of the accountable body or responsible person and 
explicitly agree to cooperate with its oversight efforts (e.g., by 
requiring the inclusion of a statement to this effect in the applicable 
written agreement).
    We also are considering for the final rule whether the accountable 
body or responsible person (or some other party or parties to value-
based arrangements addressed by the proposed safe harbors) should have 
more specific oversight responsibilities, such as oversight related to 
utilization of items and services, cost, quality of care, patient 
experience, adoption of technology, and the quality, integrity, 
privacy, and security of data related to the arrangement (such as 
outcomes, quality, and payment data). To facilitate effective 
oversight, we are considering for the final rule whether VBEs should be 
required to implement reporting requirements for their VBE participants 
or mechanisms for obtaining access to, and verifying, VBE participant 
data concerning performance under any value-based arrangement.
    We welcome comments on this approach or any different or additional 
actions that may help ensure effective ongoing oversight.
    We intend for VBEs to implement the criterion regarding the 
accountable body or responsible person in a manner that is tailored to 
the complexity and sophistication of the VBE. For example, a VBE 
involving two physician practices with a single value-based arrangement 
could designate one of the physician practices (or its compliance 
professional) as the individual responsible for this oversight. Where 
the VBE is larger and involves numerous sophisticated entities, it 
might be advisable and a best practice to create a separate governing 
body to serve as the accountable body, overseeing the VBE.
    The proposed definition of ``VBE'' does not require the VBE's 
accountable body or responsible person to be independent of the 
interests of individual VBE participants (which would preclude a VBE 
participant from acting as the accountable body or responsible person) 
or to have a distinct duty of loyalty to the VBE. However, to provide 
further assurances that a VBE's accountable body or responsible person 
is acting in furtherance of the VBE's value-based purpose(s) and not 
any one VBE participant's individual interests, we are considering for 
the final rule imposing a standard requiring either independence or a 
duty of loyalty as a criterion of this definition or as a safe harbor 
requirement. We solicit comments on the benefits, burdens, and 
challenges of this approach.
d. Governing Document
    Fourth, we propose that each VBE must have a governing document 
that describes the VBE and how the VBE participants intend to achieve 
its value-based purpose(s). The intent of this requirement is to 
provide transparency regarding the structure of the VBE, the VBE's 
value-based purpose(s), and the VBE participants' roadmap for achieving 
such purpose(s). This document may include any other terms the VBE 
participants deem important. The governing document need not be formal 
bylaws or in another specific format.

[[Page 55702]]

Written documentation recording the terms of a value-based arrangement 
may serve as the required VBE governing document, provided it describes 
the enterprise and how the parties intend to achieve its value-based 
purpose(s).
e. VBE's Assumption of Downside Financial Risk
    Lastly, we note that two of our proposed safe harbors require that 
a VBE has assumed downside financial risk from a payor. We anticipate 
that VBEs could contract with payors and other entities in a variety of 
ways. For example, a VBE comprised of a large number of VBE 
participants across a range of healthcare settings might create a 
standalone legal entity that enters into contracts directly with payors 
on the VBE participants' behalf. Alternatively, one VBE participant 
might contract with payors on behalf of other VBE participants within 
the VBE. In the latter example, the VBE would still be required to be 
at risk, but it would be through one of its VBE participants rather 
than through a contract directly with the payor.
2. Value-Based Arrangement
    The proposed safe harbors at 42 CFR 1001.952(ee), (ff), and (gg) 
would protect remuneration paid or exchanged pursuant to a ``value-
based arrangement'' if all conditions are met. We propose to define a 
value-based arrangement as ``an arrangement for the provision of at 
least one value-based activity for a target patient population between 
or among: (A) The value-based enterprise and one or more of its VBE 
participants; or (B) VBE participants in the same value-based 
enterprise.'' We intend for these requirements to ensure that each 
value-based arrangement is aligned with the VBE's value-based 
purpose(s) and subject to its financial and operational oversight. Our 
proposed definition is intended to capture arrangements for care 
coordination and certain other value-based activities among VBE 
participants within the same VBE.
    Addressing each requirement of the definition in turn, we first 
propose to require that the value-based arrangement include at least 
one value-based activity (as defined in proposed paragraph 
1001.952(ee)) to be undertaken by the parties. We would expect that 
many value-based arrangements would be comprised of multiple value-
based activities.
    Second, we propose that the value-based arrangement's value-based 
activities must be undertaken with respect to a target patient 
population (as defined in proposed paragraph 1001.952(ee)). That is, 
the value-based arrangement, and its value-based activities, must be 
tailored to meet the needs of a defined patient population. This 
element further ties the value-based arrangement to care coordination 
of patients and value-based goals. We note that the definition of 
``value-based arrangement'' is broad enough to cover commercial and 
private insurer arrangements.
3. Target Patient Population
    We propose to define ``target patient population'' as ``an 
identified patient population selected by the VBE or its VBE 
participants using legitimate and verifiable criteria that: (A) Are set 
out in writing in advance of the commencement of the value-based 
arrangement; and (B) further the value-based enterprise's value-based 
purpose(s).'' Our intent in defining this term is to protect value-
based arrangements that serve an identifiable patient population for 
whom the value-based activities likely would improve health outcomes or 
lower costs (or both). By using the terms ``legitimate and 
verifiable,'' we seek to ensure the target patient population selection 
process is transparent and that VBE participants select their target 
patient population in an objective manner based on criteria that 
further the applicable value-based arrangement's value-based 
purpose(s). If VBE participants selectively include patients in a 
target patient population for purposes inconsistent with the objectives 
of a properly structured value-based arrangement (e.g., cherry picking 
or lemon dropping patients), we would not consider such a selection 
process to be based on ``legitimate and verifiable criteria that 
further the value-based enterprise's value-based purpose(s).''
    This proposed definition is not limited to Federal health care 
program beneficiaries. For example, VBE participants seeking to enhance 
access to, and usage of, primary care services for patients 
concentrated in a certain geographic region might base the target 
patient population on ZIP Code or county of residence. If a value-based 
arrangement is focused on enhancing care coordination for patients with 
a chronic disease, the target patient population might be patients with 
that disease (e.g., congestive heart failure). VBE participants might 
also, for example, use data to identify a target patient population at 
increased risk of developing a chronic disease for improved care 
coordination under a value-based arrangement.
    We are considering for the final rule and solicit comments on 
limiting the definition of ``target patient population'' to patients 
with a chronic condition, or alternatively, limiting any or all of the 
proposed safe harbors that use the target patient population definition 
to value-based arrangements for patients with a chronic condition. We 
might effectuate this approach through changes to the scope of the 
target patient population definition or other definitions, including 
value-based activity, value-based arrangement, and value-based purpose.
    This alternative proposal is in recognition that patients with 
chronic conditions may be more susceptible to comorbidities, requiring 
care across the health spectrum, and thus most likely to benefit from 
the care coordination central to this proposed rule. To the extent we 
include such a limitation in the final rule, either by definition or 
through a safe harbor requirement, we are considering how to define 
``chronic condition,'' and whether OIG should cross-reference other 
Medicare or Medicaid program guidelines or rules related to chronic 
conditions. In particular, we are considering and seek comment on 
defining ``chronic condition'' as the list of 15 Special Needs Plans 
(SNP)-specific chronic conditions developed by the SNP Chronic 
Condition Panel, as may be modified from time to time.\17\ As new 
chronic conditions are identified, and as existing conditions benefit 
from life-prolonging technological advances, we are mindful that any 
definition of ``chronic condition'' might need flexibility to expand to 
remain appropriately inclusive and consistent with clinical 
understandings.
---------------------------------------------------------------------------

    \17\ CMS, Chronic Condition Special Need Plans (C-SNP), List of 
Chronic Conditions, https://www.cms.gov/Medicare/Health-Plans/SpecialNeedsPlans/Chronic-Condition-Special-Need-Plans-C-SNP.html#s1.
---------------------------------------------------------------------------

    As an additional alternative, we are considering for purposes of 
the final rule, and solicit comments on, limiting the definition of 
``target patient population'' to patients with a shared disease state 
that would benefit from care coordination.
    We seek comment on how best to address the need for flexibility in 
any final rule, especially should we limit a final safe harbor to 
patients with a chronic condition or shared disease state. Moreover, we 
are interested in feedback on impacts of such limitations on the 
ability of VBE participants to provide better coordinated care for 
other categories of patients, including patients discharged from 
hospitals following acute care, patients requiring maternal

[[Page 55703]]

care, patients needing preventive care, and patients with mental health 
conditions.
    Additionally, we solicit comments on whether we should replace 
``legitimate and verifiable'' in this proposed definition with language 
that would require VBE participants to have more parameters and 
structure with respect to their selection of the target patient 
population and are considering whether use of the term ``evidence-
based'' would achieve this goal. (Our proposed interpretation of 
``evidence-based'' is addressed below in our discussion of the proposed 
safe harbor for care coordination arrangements.)
    Last, we are considering for the final rule, and seek comments on, 
whether and if so how, parties other than VBE participants should or 
could be involved in selecting the target patient population. For 
example, we are considering for the final rule the role of payors in 
identifying or selecting the target patient population or establishing 
outcome measures with respect to a value-based arrangement. While 
payors might not be parties to a value-based arrangement, we believe 
many care coordination and other value-based arrangements may be 
entered into in order to achieve performance or outcome goals set by 
payors. We seek feedback on the potential benefit, including any 
reduced program integrity risks, of allowing or requiring payors to 
select either or both the target patient population and relevant 
outcome measures and targets (for purposes of the definitions, safe 
harbors, or both). If there would be benefit in doing so, we seek 
feedback on how best to implement such a permission or requirement. We 
also seek feedback on whether, for purposes of the final rule, we 
should treat as a favorable factor that a value-based arrangement (or 
outcomes-based payment arrangement) aligns its target patient 
population or its outcome measures and targets with payor-driven 
incentives.
4. Value-Based Activity
    For purposes of these safe harbors, we propose that the term 
``value-based activity'' would mean ``any of the following activities, 
provided that the activity is reasonably designed to achieve at least 
one value-based purpose of the value-based enterprise: (A) the 
provision of an item or service; (B) the taking of an action; or (C) 
the refraining from taking an action.'' ``Value-based activity'' does 
not include the making of a referral.
    We are considering for the final rule whether to interpret 
``reasonably designed'' to mean that the value-based activities set 
forth in the value-based arrangement are expected to further the value-
based purpose of the arrangement. While this standard would not require 
that the value-based purpose actually be achieved, we are considering 
whether to require in the final rule that the VBE participants entering 
into the value-based arrangement engage in an evidence-based process to 
design value-based activities that they believe will reach such a goal. 
Our proposed interpretation of ``evidence-based'' for purposes of this 
proposed rule is addressed below in our discussion of the proposed care 
coordination arrangements safe harbor.
    With this definition, we acknowledge that a ``value-based 
activity'' may encompass not only affirmative actions taken by VBE 
participants (e.g., providing care coordinators to help patients with 
complex needs navigate the transition from a hospital to their homes) 
but also instances of inaction (e.g., refraining from ordering certain 
items or services in accordance with a medically appropriate care 
protocol that reduces the number of required steps in a given 
procedure). Under no circumstances would simply making a referral 
constitute a ``value-based activity.''
    Lastly, we are considering for the final rule expressly excluding 
from the definition of ``value-based activity'' any activity that 
results in information blocking. Similar to the concerns articulated in 
the section detailing our proposed modifications to the electronic 
health records safe harbor, we seek to preclude from protection under 
our proposed safe harbors at 42 CFR 1001.952(ee), (ff), and (gg) any 
arrangement that may, on its face, meet our definition of ``value-based 
activity'' but that ultimately is used to engage in practices of 
information blocking (e.g., the donation of health information 
technology that may facilitate care coordination across providers 
participating in the VBE, but also prevents or unreasonably interferes 
with the exchange of electronic health information with other providers 
in order to lock-in referrals between such providers). Information 
blocking practices that may affect value-based activities include, but 
are not limited to, (i) locking electronic health information into the 
VBE or keeping it only between VBE participants, or (ii) preventing 
referrals or other electronic health information from leaving the VBE 
or being transmitted from a VBE participant to another healthcare 
provider. This exclusion would be based on the definition and 
exceptions for ``information blocking'' in the 21st Century Cures Act 
and the Office of the National Coordinator for Health Information 
Technology (ONC), HHS Notice of Proposed Rulemaking ``21st Century 
Cures Act: Interoperability, Information Blocking, and the ONC Health 
IT Certification Program,'' to the extent such definition and 
exceptions are finalized.
5. VBE Participant
    We propose to define ``VBE participant'' as ``an individual or 
entity that engages in at least one value-based activity as part of a 
value-based enterprise.'' Depending upon the terms and requirements of 
the value-based arrangement (and the conditions of the relevant safe 
harbor), ``engaging in'' a value-based activity may be, for example, 
(i) performing an action to achieve certain quality or outcome metrics 
and the providing or receiving of payment for such achievement, or (ii) 
coordinating care to achieve better outcomes or efficiencies (e.g., 
sharing staff or infrastructure to improve the discharge planning and 
care follow-up process between two VBE participants). Subject to the 
limitations proposed below, such term would broadly include clinicians, 
providers, and suppliers, as well as other individuals and entities. 
Potential VBE participants could be, by way of example only, physician 
practices, hospitals, payors, post-acute providers, pharmacies, chronic 
care and disease management companies, and social services 
organizations. Given that our proposed definition may encompass non-
traditional healthcare entities, and our experience with respect to 
financial arrangements between such entities and providers and 
suppliers is limited, we are considering for the final rule, and 
solicit comments on, any fraud and abuse risks that financial 
arrangements with these entities may present and what, if any, 
additional safeguards we may need to place around these entities' 
participation in value-based arrangements under the proposed safe 
harbors.
a. Entities Not Included as VBE Participants
    The ``VBE participant'' definition expressly excludes 
pharmaceutical manufacturers; manufacturers, distributors, or suppliers 
of durable medical equipment, prosthetics, orthotics or supplies 
(DMEPOS); and laboratories. On the basis of our historical enforcement 
and oversight experience, we are concerned that some companies within 
these types of entities, which are heavily dependent upon practitioner 
prescriptions and referrals, might misuse the proposed

[[Page 55704]]

safe harbors primarily as a means of offering remuneration to 
practitioners and patients to market their products, rather than as a 
means to create value for patients and payors by improving the 
coordination and management of patient care, reducing inefficiencies, 
or lowering health care costs. For example, we are concerned that these 
entities might create arrangements styled as value-based arrangements 
that serve to tether clinicians or patients to the use of a particular 
product (e.g., a drug or implantable device, such as a device with a 
mechanical or physical effect on the body) when a different product 
could be more clinically effective for the patient. Moreover, 
pharmaceutical manufacturers, and manufacturers, distributors, and 
suppliers of DMEPOS, and laboratories are less likely to be on the 
front line of care coordination and treatment decisions in the same way 
as other types of proposed VBE entities, such as hospitals, physicians, 
and remote monitoring companies that provide care coordination and 
management tools and services directly to patients. We solicit comments 
on whether this assumption is correct, along with examples of the 
specific roles played by these entities in coordinating and managing 
care for patients.
    We note that we received comments in response to the OIG RFI from 
pharmaceutical manufacturers seeking safe harbor protection for a 
variety of emerging outcomes-based and value-based contracting 
practices for their pharmaceutical products, as well as related patient 
medication adherence and similar programs. We also acknowledge that 
some pharmaceutical manufacturers may help facilitate care coordination 
and management of care through, for example, data analytics associated 
with their pharmaceutical products furnished to purchasers of their 
products. These kinds of manufacturer arrangements raise different 
program integrity issues from those addressed in this rulemaking and 
would likely require different safeguards. We are considering 
pharmaceutical manufacturers' role in coordination and management of 
care and may address it in future rulemaking. We may also consider 
specifically tailored safe harbor protection for value-based 
contracting and outcomes-based contracting for the purchase of 
pharmaceutical products (and potentially other types of products) in 
future rulemaking.
    We are considering for the final rule whether some or all of the 
entities we propose to exclude from the definition of a ``VBE 
participant'' and from the proposed safe harbor for outcomes-based 
compensation under the personal services and management contracts safe 
harbor should be included in the definition of ``VBE participant'' and 
potentially protected by the applicable safe harbors. We are interested 
in comments with examples of how and the extent to which the entities 
we propose to exclude participate in the coordination and management of 
care for patients and whether and how they may be involved in providing 
beneficial health technology, including digital technology, used to 
coordinate and manage care and improve health outcomes. We also are 
considering and are interested in comments on additional safeguards we 
could include in the safe harbors to: (i) Prevent abusive marketing 
practices with respect to the items and services these entities (or 
other entities, not excluded from the proposed definition of ``VBE 
participant'') sell to patients, payors, and providers (e.g., practices 
that include payments to physicians, hospitals, or patients to reward 
them for ordering the entity's products); (ii) protect clinical 
decision-making about products that are in the patient's best medical 
interests and patient freedom of choice; and (iii) reduce the risk of 
inappropriate cost-shifting to Federal health care programs and 
inappropriate increased costs to Federal health care programs. We are 
considering whether to include a safeguard, in the applicable proposed 
safe harbors, that would preclude protection for value-based 
arrangements and outcomes-based payments that include exclusivity 
requirements, such as a requirement that the VBE participant is the 
exclusive provider of care coordination items or services or the 
exclusive provider of a reimbursable item or service. We are further 
considering whether to impose certain heightened standards and 
conditions on certain entities that would receive safe harbor 
protection, such as enhanced monitoring, reporting, or data submission 
requirements or some or all of the conditions presented in the 
discussion of proposed 1001.952(ee) below.
    While pharmaceutical manufacturers and other listed entities would 
not be eligible for protection under the proposed safe harbors for 
value-based arrangements, patient engagement and support, and revisions 
related to outcomes-based payments included in the personal services 
and management contracts safe harbor, other elements of this proposed 
rule would be available to them. As explained below, we propose certain 
other modifications to the personal services and management contracts 
safe harbor that would be available, including greater flexibility for 
part-time arrangements and arrangements in which the aggregate 
compensation is not known in advance. These entities also would be 
eligible under the proposed safe harbors for cybersecurity items and 
services and for CMS-sponsored models, as well as for the proposed 
modifications to the warranties safe harbor. Further, we solicit 
comments on potential revisions to the reporting requirements in the 
warranties safe harbor that could accommodate outcomes-based warranty 
arrangements that excluded manufacturers and suppliers may want to 
undertake. Lastly, we note that pharmaceutical manufacturers or other 
entities we propose to exclude from the definition of ``VBE 
participant'' may use the OIG's advisory opinion process for value-
based or other arrangements they may want to undertake.
    We are considering for the final rule, and seek comments on, 
whether we should exclude other entities from the definition of ``VBE 
participant.'' For example, we are considering excluding pharmacies 
(including compounding pharmacies) from the definition of ``VBE 
participant.'' We acknowledge that some pharmacies (and pharmacists) 
have the potential to contribute to the type of beneficial value-based 
arrangements this rulemaking is designed to foster (e.g., through 
medication adherence programs or educational services for patients with 
diabetes). However, pharmacies, like the entities we propose to exclude 
from the definition of ``VBE participant,'' primarily provide items, 
and we are concerned that their participation in value-based 
arrangements may not further the care coordination purposes of this 
rulemaking. We seek comments on beneficial arrangements pharmacies may 
want to undertake under the new value-based framework and any 
safeguards we could implement in the final rule if we were to allow 
such entities to participate in value-based arrangements eligible for 
safe harbor protection. We are further considering for the final rule 
whether specific types of pharmacies, such as compounding pharmacies, 
should be excluded as VBE participants even if others, such as retail 
and community pharmacies, are included. In particular, we are concerned 
that pharmacies that specialize in compounding pharmaceuticals may pose 
a heightened risk of fraud and abuse, as evidenced by our enforcement 
experience, and would not play a direct role in patient care 
coordination.

[[Page 55705]]

    We also are considering for the final rule excluding pharmacy 
benefits managers (PBMs), wholesalers, and distributors from the 
definition of ``VBE participant'' for reasons comparable to those for 
excluding pharmaceutical manufacturers.\18\ We may further consider the 
role of these entities in care coordination and management in future 
rulemaking. We are aware that PBMs are increasingly providing services 
related to the coordination of care for patients. We are interested in 
comments with examples demonstrating how PBMs engage in care 
coordination and management with healthcare providers and suppliers, as 
well as insights into the risks and benefits of including PBMs as VBE 
participants eligible to enter into value-based arrangements that could 
qualify for safe harbor protection if all conditions are satisfied.
---------------------------------------------------------------------------

    \18\ Note that, should we adopt, as discussed below, the 
definition of ``applicable manufacturer'' set forth in 42 CFR 
403.902, such definition would include distributors and wholesalers 
(which include re-packagers, re-labelers, and kit assemblers) that 
hold title to a covered drug, device, biological, or medical supply.
---------------------------------------------------------------------------

b. Health Technology Companies
    We are mindful that a growing number of companies are providing 
mobile health and digital technologies to physicians, hospitals, 
patients, and others for the coordination and management of patients 
and their healthcare, and such companies are eligible to be VBE 
participants under the proposed definition. These companies provide a 
range of services such as remote monitoring, predictive analytics, data 
analytics, care consultations, patient portals, and telehealth and 
other communications that may be used by providers, clinicians, payors, 
patients, and others to coordinate and manage care, improve the quality 
and safety of care, and increase efficiency. These companies also 
furnish a variety of devices, technologies, software, and applications 
that support their services, are used by customers to coordinate and 
monitor patient care and health outcomes (for individuals and 
populations), or are used directly by patients and their caregivers to 
monitor their health, manage treatment, and communicate and access 
patient medical information. For example, we are aware of companies 
that provide diabetes management services, leveraging devices that can 
be worn or attached to the body to monitor blood sugar levels and 
transmit that data, through an application to a cloud storage service, 
for review by patients and the clinicians managing the patients' 
diabetes care.
    We are further aware that mobile health and digital health 
technology companies may be newer entrants to the healthcare 
marketplace or they may be existing companies. In some cases, they are 
existing healthcare companies that have developed new lines of business 
in digital health technology. For example, in some cases, they are 
companies that have historically manufactured medical devices 
reimbursed by Federal health care programs and have developed digital 
technologies that are used in conjunction with medical devices, such as 
pacemakers. It is our understanding that, depending on the company's 
business model, what is included as part of the Food and Drug 
Administration (FDA)-approved device, and payor coverage 
determinations, the digital technologies and associated functionalities 
may be included as part of the customer's cost of the medical device, 
or they may be part of a separate services arrangement.
    These technologies hold promise for improving care coordination and 
health outcomes through monitoring of real-time patient data and 
detection and prevention of health problems. We are concerned, however, 
and solicit public comments, about the risk that some companies that 
manufacture medical devices covered by Federal health care programs, 
particularly implantable devices used in a hospital or ambulatory 
surgical center setting, might misuse value-based arrangements to 
disguise improper payments for care coordination intended as kickbacks 
to purchase the medical devices they manufacture. This concern arises 
from historical law enforcement experience, including large False 
Claims Act settlements involving kickbacks paid to physicians, 
hospitals, and ambulatory surgery centers to market various medical 
devices, such as devices used for invasive procedures; in some cases, 
these schemes resulted in patients getting medically unnecessary 
surgeries. OIG also has longstanding anti-kickback concerns about 
physician-owned distributorships because the financial incentives 
physician-owned distributorships offer to their physician-owners may 
induce the physicians both to perform more procedures (or more 
extensive procedures) than are medically necessary and to use the 
devices the physician-owned distributorships sell in lieu of other, 
potentially more clinically appropriate, devices.\19\
---------------------------------------------------------------------------

    \19\ OIG, Special Fraud Alert: Physician-Owned Entities (Mar. 
26, 2013), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/2013/POD_Special_Fraud_Alert.pdf.
---------------------------------------------------------------------------

    To address these concerns, we are considering for the final rule 
the exclusion of some or all device manufacturers under the definition 
of ``VBE participant'' and from protection under the various proposed 
safe harbors, including the exclusion from participation in outcomes-
based payment arrangements under proposed 1001.952(d)(2) and (3). As 
with pharmaceutical manufacturers, it is not clear that all device 
manufacturers play a comparable role in the coordination and management 
of patient care as those entities proposed to come within the 
definition of a VBE participant. We solicit comments about this 
assumption and the roles that traditional device manufacturers play in 
care coordination and management. Also, as with issues raised by 
arrangements involving pharmaceutical manufacturers, we are considering 
future safe harbor rulemaking to address specifically tailored 
protection for value-based and outcomes-based contracting for device 
manufacturers. This proposed rule focuses primarily on arrangements to 
coordinate and manage the care of patients, and does not, for example, 
address purchase and sale arrangements for covered items and services. 
We may take up the issue of purchase and sale arrangements, including 
consideration of modifications to the discount safe harbor or 
additional modifications to the warranties safe harbor, in future 
rulemaking.
    We recognize that defining a universe of device manufacturers that 
would be excluded would present difficulties, and we are interested in 
public feedback on the following issues. First, there is no specific 
definition of a device manufacturer or medical device manufacturer in 
the Medicare program. As explained below, in the absence of a Medicare 
definition, we are considering several other approaches. Second, any 
definition of the term ``device manufacturer'' may be so broad as to 
sweep in virtually any kind of device or health technology, including 
the kinds of digital and remote monitoring technology that may support 
and improve care coordination. Relatedly, given that many companies 
pursue multiple lines of business and that digital technologies are 
being integrated into traditional medical devices, it may not be 
possible to distinguish clearly a traditional medical device 
manufacturer from a health technology company.
    OIG is considering for the final rule, and seeks comments 
regarding, whether to define medical device manufacturers using CMS's 
definition of ``applicable manufacturer'' in 42 CFR 403.902,

[[Page 55706]]

which relates to the ``Sunshine'' provisions of the ACA (section 6002 
of the ACA, which added section 1128G to the Act). We also are 
considering, and seek comment on, whether any definition of ``device 
manufacturer'' should include an entity that manufacturers any item 
that requires premarket approval by, or premarket notification to, the 
FDA or that is classified by the FDA as a medical device. We are 
further considering whether we could define a device manufacturer, in 
whole or in part, with respect to whether the item it manufactures is 
eligible for separate or bundled payment from a Federal health care 
program or other payor or is used in a test that is eligible for 
separate or bundled payment from a Federal health care program or other 
payor. We are considering whether the definition of a device 
manufacturer should include distributors or wholesalers when they are 
distributing or selling devices manufactured by a device manufacturer. 
With respect to these proposed definitional approaches, we solicit 
public comments on whether the proposals would be too broad or too 
narrow, including whether they would have the effect of excluding from 
the safe harbors companies that develop and provide digital or other 
health technologies for care coordination and patient engagement. We 
are interested in other recommended definitions that would exclude 
medical device manufacturers without limiting beneficial digital 
technologies, or recommended factors that we should consider if we were 
to craft a definition of ``device manufacturer'' or ``medical device 
manufacturer.''
    Finally, apart from excluding device manufacturers, we are 
considering, and solicit comments on, whether to include additional 
safeguards in the final safe harbors to mitigate risks of abuse. These 
safeguards might apply specifically to arrangements involving VBE 
participants that are health technology companies or device 
manufacturers or more broadly to all VBE participants. Specifically, as 
stated above, we are considering and are interested in comments on 
safeguards that (i) prevent abusive marketing practices with respect to 
the items and services these the companies sell to patients, payors, 
and providers (e.g., practices that include payments to physicians, 
hospitals, or patients to reward them for ordering the company's 
products); (ii) protect independent clinical decision making about 
products that are in the patient's best medical interests and patient 
freedom of choice; and (iii) reduce the risk of inappropriate cost-
shifting or inappropriately increasing costs to Federal health care 
programs. We are considering whether to include a safeguard in the 
final rule that would preclude protection for value-based arrangements 
that include exclusivity requirements, such as a requirement that the 
VBE participant is the exclusive provider of care coordination items or 
services or the exclusive provider of a reimbursable item or service. 
We are furthering considering whether heightened standards and 
conditions could include enhanced monitoring, reporting, or data 
submission requirements or some or all of the conditions presented in 
the proposed rule's discussion of proposed 1001.952(ee).
c. Alternatives to ``VBE Participant'' Exclusion List
    We are interested in comments on whether, instead of excluding 
broad categories of entities from the definition of ``VBE 
participant,'' we should distinguish among entities that would be 
included or excluded from the definition on the basis of factors such 
as product type, company structure, heightened fraud risk, or other 
features. We solicit similar input with respect to exclusions from the 
proposed revisions to the personal services and management contracts 
safe harbor related to outcomes-based payments.
    Making distinctions by product or arrangement type might alleviate 
some of the difficulty presented by the increasing integration of 
healthcare company business lines and the movement of traditional 
healthcare companies into digital health technology. In this regard, we 
are considering for the final rule whether to address program integrity 
concerns regarding potentially abusive drug, device, DMEPOS, and 
laboratory arrangements by regulating the type of items, goods, or 
services that can be included in an arrangement eligible for safe 
harbor protection (under any of the proposed safe harbors) rather than 
regulating the types of entities included and excluded. For example, we 
might include arrangements involving the use of mobile or digital 
technology to coordinate care or achieve outcomes-based payments but 
exclude arrangements for the sale or distribution of implantable 
medical devices (e.g., devices with a mechanical or physical effect on 
the body) or durable medical equipment. In determining for a final rule 
which products or arrangements would be included and excluded from safe 
harbor protection, we would take into account any heightened fraud risk 
based on enforcement experience, CMS's experience administering 
provider enrollment, claims analysis, and other data sources. We are 
interested in feedback on which kinds of products or arrangements, if 
any, should be excluded from safe harbor protection based on heightened 
fraud risk and examples of such arrangements.
    As another alternative to finalizing specific exclusions in the 
definition of ``VBE participant,'' we are considering excluding 
entities under the proposed paragraphs (ee), (ff), (gg), and (hh). 
These paragraphs could each include a condition excluding certain 
specified entities from protection under the safe harbor. Specifically, 
we would consider excluding from each of these safe harbors one or more 
of the following entities: Pharmaceutical manufacturers; manufacturers, 
distributors, or suppliers of DMEPOS; laboratories; pharmacies 
(including compounding pharmacies or only compounding pharmacies); 
device manufacturers; PBMs; pharmaceutical wholesalers; and 
pharmaceutical distributors. If we include safe harbor-specific 
conditions excluding certain specified entities from protection under 
each of (ee), (ff), (gg), and (hh), the entities excluded from each 
safe harbor could differ.
    We also solicit public comment on how best to treat hospitals, 
health systems, and other types of entities that we have not proposed 
to exclude under the definition of ``VBE participant'' when they own or 
operate an entity that we propose to exclude, such as a DMEPOS supplier 
or laboratory. For example, we are considering for the final rule 
whether the exclusion should apply only to independent or free-standing 
DMEPOS suppliers and laboratories and to DMEPOS suppliers and 
laboratories owned or operated in whole or part by another entity 
excluded as a VBE participant. For the final rule, we are considering, 
and solicit comments on, how best to treat health systems and others 
that may be entering into the device or technology development arenas.
6. Value-Based Purpose
    We propose to define a ``value-based purpose'' as: (i) Coordinating 
and managing the care of a target patient population; (ii) improving 
the quality of care for a target patient population; (iii) 
appropriately reducing the costs to, or growth in expenditures of, 
payors without reducing the quality of care for a target patient 
population; or (iv) transitioning from healthcare delivery and payment 
mechanisms based on the volume of items and services provided to 
mechanisms based on the quality of

[[Page 55707]]

care and control of costs of care for a target patient population. With 
respect to purpose (iii), we are considering whether appropriately 
reducing the costs to, or growth in expenditures of, payors should be a 
value-based purpose only when there is improvement in patient quality 
of care or the parties are maintaining an improved level of care.
    We intend for this definition to include infrastructure investment 
and operations necessary to redesign care delivery to better coordinate 
care for patients across settings, including technology, data 
analytics, and training. For example, this could include investing in 
application programming interface (API) technology that facilitates the 
exchange of data between VBE participants regarding the target patient 
population.
    Each of our proposed safe harbors at 1001.952(ee), (ff), and (gg) 
requires that the protected arrangement include value-based activities 
that directly further the first of the four value-based purposes: The 
coordination and management of care for the target patient population. 
We are considering for the final rule, and seek comments on, whether we 
should include other objectives in the definition of ``value-based 
purpose'' to reflect our goal of promoting care coordination and the 
shift toward value-based care and whether any other or different 
objectives should be prerequisites to protection under our proposed 
safe harbors. We also are considering for the final rule, and solicit 
comments on, whether, instead of requiring that some value-based 
activities directly further the coordination and management of care, we 
require only that value-based activities be directly connected to, or 
be reasonably designed to achieve, any of the value-based purposes.
    We propose that the first value-based purpose in the definition is 
the coordination and management of care for a target patient 
population. This purpose may include taking significant steps to 
prepare or position oneself to coordinate and manage the care of 
patients effectively. We propose to define ``coordination and 
management of care'' and ``coordinating and managing care'' 
synonymously to mean, for purposes of the anti-kickback statute safe 
harbors, the deliberate organization of patient care activities and 
sharing of information between two or more VBE participants or VBE 
participants and patients, tailored to improving the health outcomes of 
the target patient population, in order to achieve safer and more 
effective care for the target patient population.'' \20\ For example, 
such coordination might occur between hospitals and post-acute care 
providers, between specialists and primary care physicians, or between 
hospitals or physician practices and patients. Coordinating and 
managing care could include using care managers, providing care or 
medication management, creating a patient-centered medical home, 
helping with transitions of care, sharing and using health data to 
improve outcomes, or sharing accountability for the care of a patient 
across a continuum of care.\21\ Importantly, our proposed definition of 
``coordination and management of care'' relates only to the application 
of the proposed safe harbor regulations. Although other laws and 
regulations, including the physician self-referral law and associated 
regulations, may utilize the same or similar terminology, the 
definition and interpretations proposed here would not affect CMS's (or 
any other governmental agency's) interpretation or ability to interpret 
such term.
---------------------------------------------------------------------------

    \20\ See, e.g., Agency for Healthcare Research and Quality, Care 
Coordination Measures Atlas 6 (2014) (citing K. McDonald et al., 
Closing the Quality Gap: A Critical Analysis of Quality Improvement 
Strategies (2007)), https://www.ahrq.gov/sites/default/files/publications/files/ccm_atlas.pdf.
    \21\ See, e.g., NEJM Catalyst, What is Care Coordination? (Jan. 
1, 2018), https://catalyst.nejm.org/what-is-care-coordination/ 
(providing examples and noting that ``[c]are coordination 
synchronizes the delivery of a patient's health care from multiple 
providers and specialists. The goals of coordinated care are to 
improve health outcomes by ensuring that care from disparate 
providers is not delivered in silos, and to help reduce health care 
costs by eliminating redundant tests and procedures.'').
---------------------------------------------------------------------------

    Through the proposed definition of ``coordination and management of 
care,'' we seek to distinguish between referral arrangements, which 
would not be protected, and legitimate care coordination arrangements, 
which naturally involve referrals across provider settings but include 
beneficial activities beyond the mere referral of a patient or ordering 
of an item or service. We are particularly concerned about 
distinguishing between coordinating and managing patient care 
transitions for the purpose of improving the quality of patient care or 
appropriately reducing costs, on one hand, and churning patients 
through care settings to capitalize on a reimbursement scheme or 
otherwise generate revenue, on the other. For example, the coordination 
and management of care of a target patient population would not include 
cycling patients through skilled nursing facilities (SNFs) and assisted 
living facilities for the purpose of maximizing revenue under any 
applicable Federal health care program reimbursement payment systems.
    We are considering for the final rule, and solicit comments on, 
ways in which we could revise the definition of the ``coordination and 
management of care'' or additional elements we could include in the 
definition to protect against fraudulent and abusive practices that 
parties attempt to characterize as the coordination and management of 
patient care.
    One approach we are considering for the final rule to address these 
concerns would be to preclude some or all protection under the proposed 
safe harbors for arrangements between entities that have common 
ownership. We might do this through refinements to the definition of 
``value-based arrangement'' or by adding restrictions to one or more of 
the proposed safe harbors at paragraphs (ee), (ff), (gg), or (hh). We 
recognize that while this approach might protect against abusive 
cycling of patients for financial gain among entities with common 
ownership, it might also preclude protection for care coordination 
arrangements among entities in integrated health systems that could 
otherwise qualify for proposed safe harbor protection. We solicit 
comments on this potential exclusion, and specifically, how best to (i) 
define ``common ownership''; and (ii) appropriately demarcate 
beneficial versus problematic financial arrangements between commonly 
owned entities. We are interested in feedback on the extent to which 
integrated health systems believe they need new safe harbor protection 
for care coordination arrangements in light of currently available 
protections.
    We would not consider the provision of billing or administrative 
services to be the management of patient care for purposes of this 
proposed rulemaking; we would consider the sharing or use of health 
information technology and data to identify a target patient 
population, coordinate care, or measure outcomes to fit our definition.
    We solicit comments on the unique intersection between 
cybersecurity and the coordination and management of care, and 
specifically, whether remuneration in the form of cybersecurity items 
or services could ever meet definition of the ``coordination and 
management of care'' for a target patient population. For example, we 
solicit feedback on whether we should consider cybersecurity items or 
services to only meet this defined term when such remuneration is 
donated and used in conjunction with health information

[[Page 55708]]

technology that meets this definition of ``coordination and management 
of care.'' As entities engage in care coordination, increased 
connectivity and information exchanges may further the need for 
donating or sharing cybersecurity technology or services to ensure that 
appropriate cybersecurity safeguards are used to address the 
cybersecurity risks arising from connections among the entities engaged 
in care coordination. We recognize the patient safety risks and risk of 
harm attributed to cybersecurity vulnerabilities and threats.\22\ We 
also solicit comments on whether parties should simply seek protection 
for cybersecurity items or services under the proposed cybersecurity 
safe harbor at 1001.952(jj) explained below.
---------------------------------------------------------------------------

    \22\ See, e.g., Health Care Industry Cybersecurity Task Force 
Report, available at https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf.
---------------------------------------------------------------------------

    In addition to undertaking value-based activities that are directly 
connected to the coordination and management of care for the target 
patient population, our proposed definition of ``value-based purpose'' 
recognizes that a VBE could have additional value-based purposes and 
qualify under the value-based framework, namely to: (i) Improve the 
quality of care for a target patient population; (ii) appropriately 
reduce the costs to, or growth in expenditures of, payors without 
reducing the quality of care for a target patient population; and (iii) 
transition from healthcare delivery and payment mechanisms based on the 
volume of items and services provided to mechanisms based on the 
quality of care and control of costs.

C. Care Coordination Arrangements to Improve Quality, Health Outcomes, 
and Efficiency Safe Harbor (42 CFR 1001.952(ee))

    The first proposed safe harbor for value-based arrangements would 
protect certain care coordination arrangements. Numerous commenters to 
the OIG RFI noted that individuals and entities may promote value-based 
care and facilitate care coordination even when assuming no financial 
risk. We agree. This proposed safe harbor would protect in-kind 
remuneration exchanged between qualifying VBE participants with value-
based arrangements that squarely satisfy all of the proposed safe 
harbor's requirements. (Certain monetary remuneration associated with 
care coordination or other value-based activities may be protected 
under other proposed safe harbors, including those at proposed 42 CFR 
1001.952(ff), (gg), (ii), as well as the proposed modifications to the 
personal services and management safe harbor at 1001.952(d) for 
outcomes-based payment arrangements.)
    Under this proposal, each offer of remuneration must be analyzed 
separately for compliance with the safe harbor. For example, in a 
value-based arrangement between a hospital and a SNF, the hospital 
might provide a behavioral health nurse to follow designated inpatients 
with mental health disorders in the event of discharge to the SNF. In 
turn, the SNF might provide certain staff to assist the hospital in 
coordinating designated patients' care through the discharge planning 
process or might provide office space for the behavioral health nurse. 
The hospital's offer of the behavioral health nurse to the SNF must be 
analyzed separately from the SNF's offer of certain staff members or 
office space to the hospital.
    This proposed safe harbor does not require parties to bear or 
assume downside financial risk. We are concerned that the offer or 
provision of remuneration under value-based arrangements could present 
opportunities for the types of fraud and abuse traditionally seen in 
the FFS system, particularly where the parties offering or receiving 
the remuneration have not assumed downside financial risk for the care 
of the target patient population. For this reason and to ensure that 
the safe harbored arrangements operate to achieve their value-based 
purposes, we propose the conditions and safeguards described below.
1. Outcome Measures
    We propose to require that parties to a value-based arrangement 
establish one or more specific evidence-based, valid outcome measures 
against which the recipient of remuneration will be measured, and which 
the parties reasonably anticipate will advance the coordination and 
management of care of the target patient population. We intend for the 
outcome measures to serve as benchmarks for assessing the recipient's 
performance under the value-based arrangement and advancement toward 
achieving the coordination and management of care for the target 
patient population. Accordingly, we expect such outcome measures to 
have a close nexus to the value-based activities undertaken by the 
parties to the value-based arrangement and to the needs of the target 
patient population.
    For purposes of this proposed rule, we would consider ``evidence-
based'' to mean the selected outcome measures must be grounded in 
legitimate, verifiable data or other information, whether the 
information is internal to one or more of the VBE participants or from 
a credible external source, such as a medical journal, social sciences 
journal, scientific study, an established industry quality standards 
organization, or results of a payor- or a CMS-sponsored model or 
quality program. For example, a specific evidence-based, valid outcome 
measure in the context of a hospital's provision of a care coordinator 
to a SNF could be an increase in the target patient population's 
average mobility functional score by a certain percentage over the 
course of a year, contributing to earlier, medically appropriate 
discharges of patients to their homes and fewer readmissions to acute 
care. We do not consider measures related to patient satisfaction or 
convenience (e.g., timeliness of appointments) to be valid outcome 
measures for purposes of this proposed requirement because we are 
concerned that such measures may not reflect actual improvement in the 
quality of patient care, health outcomes, or efficiency in the delivery 
of care. We solicit comments on whether there are categories of 
evidence-based outcomes measures in the areas of patient satisfaction 
or convenience that we should permit in the final rule because they 
reflect quality or efficiency of care.
    Any identified evidence-based, valid outcome measures against which 
the recipient of remuneration will be measured should not simply 
reflect the status quo. Consequently, we are considering for the final 
rule an express requirement that outcome measures be designed to drive 
meaningful improvements in quality, health outcomes, or efficiencies in 
care delivery. We intend to provide flexibility given the range of 
arrangements that may be covered by the proposed safe harbor. For 
example, an outcome measure may drive meaningful improvements if it 
drives improvements that are measurable or that are more than nominal 
in nature. Additionally, we are considering for the final rule, and 
solicit comment on, whether the outcome measures requirement should be 
broader or narrower than the standard we are proposing.
    We also are considering for the final rule, and solicit comments 
on, whether to require parties to rebase the outcome measures (i.e., 
reset the benchmark used to determine whether the outcome measure was 
achieved) where rebasing is feasible. We are considering whether 
parties should rebase measures (or determine whether rebasing is 
feasible)

[[Page 55709]]

periodically or pursuant to a specified timeframe, such as at least 
every 1 year, 3 years, or other time period. We are interested in 
comments addressing whether and, if so, why the appropriate time frame 
for rebasing should depend on the type of outcome measure or nature of 
the arrangement, and what rebasing time periods would be best for 
different types of measures or arrangements. We are interested in 
feedback on whether rebasing should be tied to any relevant 
requirements set by payors. We further solicit comments on whether we 
should specify a particular party that should be responsible for 
implementing the rebasing and which party would be best positioned to 
do so (e.g., the VBE or the offeror of the remuneration). We would 
anticipate any rebasing requirement would align with the rebasing 
proposal set forth in our proposed modifications to the personal 
services and management contracts safe harbor related to outcomes-based 
payments.
    If parties to a value-based arrangement revise the evidence-based, 
valid outcome measure(s) through an amendment during the term of the 
arrangement, the revised outcome measure(s) would need to continue to 
incentivize the recipient of the remuneration to make meaningful 
improvements. Were parties retrospectively to revise their outcome 
measures (e.g., modify the outcome measures and make such modifications 
effective 6 months prior), such revisions would raise questions 
regarding whether the modified measures were designed to obscure a lack 
of meaningful improvement by the recipient of the remuneration. For 
purposes of the final rule, we are considering whether to incorporate 
the CMS Quality Payment Program measures into the requirement to 
establish outcome measures.
    As described below, the parties to the arrangement also must 
include a description of the outcome measure(s) in a signed writing, 
and the VBE, the VBE's accountable body or responsible person, or a VBE 
participant in the value-based arrangement acting on the VBE's behalf 
must monitor and assess the recipient's progress toward achieving the 
outcome measure(s). In addition, as described below, should the VBE's 
accountable body or responsible person determine through monitoring or 
otherwise that the value-based arrangement is (i) unlikely to achieve 
the evidence-based, valid outcome measure(s) or further the 
coordination and management of care for the target patient population 
or (ii) has resulted in material deficiencies in quality of care, the 
parties must terminate the arrangement within 60 days of such a 
determination or lose safe harbor protection thereafter.
    We recognize that it may be difficult for parties giving 
information technology pursuant to a value-based arrangement to 
establish an outcome measure upon which to assess the recipient's 
performance that is ``evidence-based'' as we propose to interpret the 
term. For this reason, we are considering for the final rule imposing a 
requirement that information technology meet a different standard than 
the proposed specific evidence-based, valid outcome measures standard. 
Specifically, we may require an adoption and use standard (i.e., has 
the technology been adopted and used in a meaningful way for the 
intended purposes, such that it advances the coordination and 
management of care for the target patient population), a performance 
standard (i.e., has the technology been used to achieve a certain 
result, such as efficiencies), or a similar standard that serves as a 
benchmark for assessing a recipient's use of remuneration without 
requiring the parties to establish evidence-based outcome measures to 
measure performance. As part of this adoption and use, performance, or 
similar standard, we are considering requiring parties to a value-based 
arrangement for the provision of information technology to set forth, 
in a signed writing, the specific reasons for which the technology is 
being provided, which would be required to directly relate to health 
outcomes, patient care quality improvements, or the appropriate 
reduction in costs to, or growth in expenditures of, payors or 
patients. For example, parties giving information technology, such as 
accessibility to a patient portal or data analytics platform, would be 
required to have health-outcome, quality-related, or efficiency-related 
reasons, such as improving efficiencies by increasing patient access to 
health information.
    In addition, under an adoption and use, performance, or similar 
standard, we may require that the parties set forth specific, 
meaningful measures that relate to the remuneration's intended purpose 
against which the recipient will be measured. For example, under an 
adoption and use standard, parties to a value-based arrangement may set 
a percentage adoption and use measure for a patient portal platform, 
pursuant to which the recipient would be measured by its adoption and 
use of the patient portal for a specified percentage of the target 
patient population.
    Lastly, we are considering for the final rule adding the following 
safeguards for the exchange of information technology: (i) The 
requirements set forth in paragraph (4) of the current electronic 
health records items and services safe harbor (1001.952(y)), 
prohibiting making the receipt of items or services a condition of 
doing business with the offeror); (ii) a requirement limiting the time 
frame during which a recipient can receive information technology to, 
for example, 1, 3, or 5 years, after which time the recipient would be 
required to pay fair market value for the continued use of the 
information technology; and (iii) a remedy for the failure to achieve 
the applicable standard, such as discontinued use of the information 
technology.
2. Commercial Reasonableness
    We propose to require that the value-based arrangement is 
commercially reasonable, considering both the arrangement itself and 
all value-based arrangements within the VBE. By way of example with 
respect to the first prong of the commercial reasonableness 
requirement, if VBE participants enter into a value-based arrangement 
to facilitate the sharing of patient-outcome data, it may be 
commercially reasonable for a hospital VBE participant to donate 
technology to a group practice VBE participant to facilitate this 
process. However, it may not be commercially reasonable for that same 
hospital VBE participant to donate technology substantially more 
sophisticated, or with enhanced functionality, beyond that necessary 
for communicating data on shared patients between the two parties. (We 
note that nothing would prevent the donation of technology with 
enhanced functionality when a value-based arrangement requires that 
capability or when technology without that functionality is not 
practicable.) With respect to the second prong of the commercial 
reasonableness assessment, again by way of example, a single value-
based arrangement in which a hospital VBE participant provides a 
necessary number of care coordinators for the target patient population 
to a SNF VBE participant may be commercially reasonable. However, if a 
VBE includes multiple similar value-based arrangements, each of which 
involves the same hospital VBE participant furnishing care coordinators 
to the same SNF VBE participant for the same or a similar target 
patient population, the commercial reasonableness of the remuneration 
exchanged within the value-based arrangements in the aggregate may be 
suspect if it lacks a legitimate business purpose.

[[Page 55710]]

    We are considering for the final rule whether to define 
``commercially reasonable arrangement'' as an arrangement that would 
make commercial sense if entered into by reasonable entities of a 
similar type and size, even without the potential for referrals. We 
solicit comments on the need for a definition of ``commercially 
reasonable arrangement,'' and if we incorporate a definition, whether 
we should select this particular definition or an alternative 
definition.
3. Writing
    To promote transparency and accountability, we propose a 
requirement that the value-based arrangement be set forth in a writing. 
We propose that the writing be signed by the parties and established in 
advance of, or contemporaneous with, the commencement of the value-
based arrangement or any material change to the value-based 
arrangement. We propose that the writing state, at a minimum: (i) The 
value-based activities to be undertaken by the parties to the value-
based arrangement; (ii) the term of the value-based arrangement; (iii) 
the target patient population; (iv) a description of the remuneration; 
(v) the offeror's cost for the remuneration; (vi) the percentage of the 
offeror's costs contributed by the recipient; (vii) if applicable, the 
frequency with which the recipient will make payments for ongoing 
costs; and (viii) the specific evidence-based, valid outcome measures 
against which the recipient would be measured. In the final rule, we 
would align the writing requirements in (v) and (vi) with the 
requirements for the contribution requirement described below; in other 
words, if we were to change the contribution requirements, we would 
correspondingly change the writing requirement.
    We believe that a writing, setting forth the above terms in advance 
of, or contemporaneous with the commencement of or any material change 
to the value-based arrangement, constitutes a key safeguard to ensure 
that VBE participants are not using the value-based arrangement merely 
to incentivize and reward referrals of business. We are interested in 
comments regarding whether a requirement to have a single writing 
signed by all parties may be burdensome, especially for large-scale 
arrangements, and whether we should instead permit a collection of 
writings provided that every party to the arrangement has signed a 
writing acknowledging consent to the arrangement.
4. Limitations on Remuneration
a. In-Kind Remuneration
    We propose to protect only in-kind, non-monetary remuneration, 
provided all other conditions of the safe harbor are met. (While 
monetary remuneration is not protected by this proposed safe harbor, 
certain outcomes-based payment arrangements may be protected by 
proposed modifications to the personal services and management 
contracts safe harbor, as subsequently addressed.) We further propose 
that this safe harbor would exclude protection for gift cards, 
regardless of whether they may be considered cash equivalents. By way 
of example, we intend for this safe harbor to allow a VBE participant 
to share a care coordinator with another VBE participant if the 
conditions of this safe harbor are met (including the proposed 
contribution requirement). However, this safe harbor would not protect 
cash provided from one VBE participant to another to hire a care 
coordinator. Lastly, we note that by virtue of our exclusion of 
monetary remuneration, the proposed safe harbor would not protect an 
ownership or investment interest in the VBE or any distributions 
related to an ownership or investment interest. In addition to our 
long-standing view that the exchange of monetary remuneration poses 
heightened and different fraud and abuse risks and thus should be 
subject to safeguards such as a fair market value requirement, we do 
not view the offer or receipt of ownership or investment interests as 
integral to the coordination and management of care for a target 
patient population.
b. Primarily Engaged in Value-Based Activities
    We propose to require that the remuneration provided by, or shared 
among, VBE participants be used primarily to engage in value-based 
activities that are directly connected to the coordination and 
management of care of the target patient population. As set forth in 
proposed paragraph 1001.952(ee), we propose to define a ``value-based 
activity'' as ``any of the following activities, provided that the 
activity is reasonably designed to achieve at least one value-based 
purpose of the value-based enterprise: (i) the provision of an item or 
service; (ii) the taking of an action; or (iii) the refraining from 
taking an action.'' In the definition of ``value-based activity'', we 
specify that it does not include the making of a referral. We also 
propose to require that the value-based arrangement be set forth in a 
signed writing stating the value-based activities to be undertaken by 
the parties in the value-based arrangement.
    We recognize that in-kind remuneration exchanged for value-based 
activities may indirectly benefit patients outside of the scope of the 
value-based arrangement, and furthermore, that parties may find it 
difficult to anticipate or project the scope or extent of such 
``spillover'' benefits. This, in and of itself, would not result in the 
loss of safe harbor protection, provided the parties primarily use the 
remuneration for its intended purposes (i.e., the specific value-based 
activities for which the remuneration is being provided, as set forth 
in the parties' signed writing). We are mindful of the need to provide 
parties with sufficient flexibility, while also minimizing the risks of 
potentially abusive arrangements that disguise remuneration unrelated 
to the coordination and management of care for the target patient 
population.
    For purposes of the final rule, as an alternative to the 
requirement that remuneration exchanged between VBE participants be 
used primarily to engage in value-based activities, we are considering 
requiring that the remuneration exchanged be limited to value-based 
activities that only benefit the target patient population. Under this 
approach, arrangements with ``spillover'' benefits would not be 
protected by the safe harbor. We solicit comments on this alternative 
approach.
c. No Furnishing of Medically Unnecessary Items or Services or 
Reduction in Medically Necessary Items or Services
    We propose to require that the remuneration exchanged not induce 
the parties to furnish medically unnecessary items or services or 
reduce or limit medically necessary items or services furnished to any 
patient. Remuneration that induces a provider to order or furnish 
unnecessary care is inherently suspect. In addition, a reduction in 
medically necessary services would be contrary to the goals of this 
rulemaking and, in some instances involving hospitals and physicians, 
could be a violation of the CMP law provision relating to gainsharing 
arrangements at sections 1128A(b)(1) and (2) of the Act (42 U.S.C. 
1320a-7a(b)(1) and (2)).
d. No Remuneration From Individuals or Entities Outside the Applicable 
VBE
    We propose that this safe harbor would not protect any remuneration 
funded by, or otherwise resulting from the contributions of, an 
individual or entity outside of the applicable VBE. This proposal is 
intended to ensure that protected arrangements are closely

[[Page 55711]]

related to the VBE, that VBE participants are committed to the VBE and 
striving to achieve the coordination and management of care of the 
target patient population, and that non-VBE participants cannot 
indirectly use the safe harbor to protect arrangements that are 
designed to influence the referrals or decision making of VBE 
participants. For example, a pharmaceutical manufacturer could not 
circumvent the proposed exclusion of pharmaceutical manufacturers from 
the definition of ``VBE participant'' by providing funds to a third-
party entity and then directing or otherwise controlling any aspect of 
the third-party entity's participation as a VBE or a VBE participant. 
We solicit comments on this approach and whether there may be defined, 
limited circumstances in which non-VBE participants should be able to 
contribute to a value-based arrangement eligible for safe harbor 
protection.
    As a corollary to this requirement, we are considering for the 
final rule whether to require that remuneration be provided directly 
from the offeror to the recipient. This requirement would prohibit the 
involvement of individuals or entities other than the VBE or a VBE 
participant in the exchange of remuneration under a value-based 
arrangement, including, potentially, third-party vendors and 
contractors. We solicit comments on any practical impediments such as 
restriction would create.
5. The Offeror Does Not Take Into Account the Volume or Value of, or 
Condition Remuneration on, Business or Patients Not Covered Under the 
Value-Based Arrangement
    We propose a requirement that prohibits the offeror of the 
remuneration from taking into account the volume or value of, or 
conditioning an offer of remuneration on: (i) Referrals of patients 
that are not part of the value-based arrangement's target patient 
population, or (ii) business not covered under the value-based 
arrangement. This proposal is modeled on a similar safeguard contained 
in the existing safe harbor at paragraph 1001.952(t)(1)(ii)(B), which 
provides that ``neither party gives or receives remuneration in return 
for or to induce the provision or acceptance of business (other than 
business covered by the agreement) for which payment may be made in 
whole or in part by a Federal health care program on a fee-for-service 
or cost basis.'' Our purpose in proposing this requirement is to 
prohibit protection for remuneration offered under the guise of a 
value-based arrangement when that remuneration actually is intended to 
induce referrals of patients or business not covered under the value-
based arrangement (sometimes called ``swapping'' arrangements).
    This requirement would exclude safe harbor protection for any 
remuneration that is explicitly or implicitly offered, paid, solicited, 
or received in return for, or to induce or reward, any referrals or 
other business generated outside of the value-based arrangement. Under 
our proposal, VBE participants could encourage referrals of the target 
patient population as part of value-based activities (e.g., a hospital 
could develop a ``preferred network'' of post-acute care providers that 
meet certain quality criteria). However, VBE participants could not 
offer remuneration in connection with the preferred network to induce 
business or the referral of patients that fall outside the scope of the 
value-based arrangement.
    In lieu of the proposed requirement that prohibits the offeror of 
the remuneration from taking into account the volume or value of, or 
conditioning an offer of remuneration on: (i) Referrals of patients 
that are not part of the value-based arrangement's target patient 
population, or (ii) business not covered under the value-based 
arrangement, we are considering for the final rule, and solicit 
comments on, an alternative requirement that would require that the 
aggregate compensation paid by the offeror is not determined in a 
manner that takes into account the volume or value of referrals or 
business generated between the parties for which payment may be made by 
a Federal health program. While we believe that this condition could 
potentially better protect against bad actors who may seek to use the 
care coordination arrangements safe harbor as an affirmative defense 
for an unlawful referral arrangement or to disguise arrangements that 
result in unnecessary increases in utilization and expenditures, we 
seek comments on whether and to what extent this requirement might 
impede to goal of this rulemaking, namely to remove barriers for 
beneficial care coordination and value-based arrangements. We are 
interested in specific examples of arrangements that would be unable to 
use this safe harbor were we to adopt this requirement.
6. Contribution Requirement
    The goal of this proposed rulemaking is to remove barriers to 
improved care coordination and to promote efficient, value-driven care. 
To this end, it is important that protected remuneration be used to 
facilitate the coordination and management of care for the target 
patient population. We are proposing a recipient contribution 
requirement as a safeguard to help ensure that the use of any 
remuneration exchanged pursuant to this safe harbor would be for the 
coordination and management of the target patient population's care.
    Specifically, the proposed rule would condition safe harbor 
protection on the recipient's payment of at least 15 percent of the 
offeror's cost for the in-kind remuneration. This requirement is 
intended to mirror that set forth in the current electronic health 
records items and services safe harbor, 1001.952(y). We are considering 
for the final rule, and solicit comments on, whether we should require 
a more specific methodology for determining value, such as either the 
fair market value of the remuneration to the recipient or the 
reasonable value of the remuneration to the recipient. If we were to 
require that parties assess the fair market value of the remuneration 
to the recipient in order to determine the required contribution 
amount(s), we would not require parties to obtain an independent fair 
market valuation. We are interested in feedback on whether the method 
for determining the contribution requirement should be different for 
services than for goods.
    We believe that requiring financial participation by a recipient 
should: Increase the likelihood that the recipient actually would use 
the care coordination items and services, ensure that the remuneration 
is well-tailored to the recipient, and promote the recipient's vested 
interest in achieving the intended purpose of the value-based 
arrangement, namely, furthering the coordination and management of care 
of the target patient population.
    In proposing this contribution requirement, we solicit feedback on 
the proposed contribution amount, whether certain recipients, such as 
rural providers, small providers, Tribal providers, providers who serve 
underserved populations, or critical access hospitals should be 
exempted from the contribution requirement or pay a lower contribution 
percentage and if so, why. We are considering for the final rule 
alternative contribution amounts ranging from 5 percent to 35 percent 
and solicit comments on an appropriate amount (or amounts) that would 
invest recipients in using the remuneration they receive to advance the 
coordination and management of care of the target patient population, 
while still allowing flexibility for parties with fewer financial 
resources to engage in value-based arrangements. We are considering 
whether we should require different contribution amounts for

[[Page 55712]]

different types of remuneration (e.g., a higher or lower contribution 
amount for technology and a higher or lower contribution amount for 
care coordinators or other services arrangements).
    We also are considering whether in the final rule we should impose 
different contribution requirements for different recipients. Because a 
contribution requirement may impose a significant financial burden on 
certain recipients, we are considering for the final rule, and solicit 
comments on, whether a lower contribution amount, or no contribution 
amount, would be appropriate for arrangements involving certain 
providers with financial constraints, such as providers in rural or 
underserved areas, providers serving underserved populations, small 
providers, Tribal providers, and critical access hospitals.
    For consideration of this potential contribution requirement 
condition, and whether a lower contribution amount, or no contribution 
amount, is appropriate for arrangements involving such providers, we 
cross-reference the proposals discussed more fully in relation to the 
electronic health records arrangements safe harbor's 15 percent 
contribution requirement. We will review and consider comments received 
about those proposals in relation to our consideration of this 
potential condition. Based on feedback on the contribution requirement 
in our existing electronic health records safe harbor, we are mindful 
of the potential administrative burdens of a contribution requirement 
and seek comments on this issue.
    We also solicit comments on how to apply the contribution 
requirement for ongoing costs and unexpected ``add-ons'' (e.g., updates 
or upgrades to software that trigger additional costs). Under the 
proposed contribution requirement, if the remuneration represents a 
one-time cost, the recipient would be required to make a contribution 
in advance of receiving the remuneration. However, for any ongoing 
costs, the proposed rule would require that the recipient make any 
contributions on reasonable, regular intervals, with the frequency of 
such payments documented in writing. We are considering for the final 
rule, and seek comment on, an alternative requirement for the recipient 
to make a contribution with respect to the initial provision of 
remuneration but not with respect to any update, upgrade, or patch of 
the remuneration already provided. This is similar to an option being 
considering for the electronic health records arrangements safe harbor, 
1001.952(y). We recognize that this alternative option may affect 
contribution requirements only for technology-based remuneration that 
is most likely to need upgrades, updates, and patches to continue 
operating as intended.
7. Requirements of a Value-Based Arrangement
a. Direct Connection to the Coordination and Management of Care
    We propose that the value-based arrangement has a direct connection 
to the coordination and management of care for the target patient 
population. We interpret this requirement to mean that any remuneration 
offered pursuant to a value-based arrangement has a close nexus to the 
coordination and management of care for the target patient population, 
as opposed to the VBE participants' referral patterns and business 
generated. By way of example only, arrangements where VBE participants 
offer, or are required to provide, remuneration to receive referrals or 
to be included in a ``preferred provider network'' (i.e., ``pay-to-
play'' arrangements) would not have a direct connection to the 
coordination and management of care. We are considering for purposes of 
the final rule, and solicit comments on, whether we should use 
alternative language to ``direct connection'' (e.g., ``reasonably 
related and directly tied'') in order to better convey the close nexus 
that this safe harbor requires between each value-based arrangement and 
the coordination and management of care of a target patient population.
b. No Limitation on Decision Making; Restrictions on Directing or 
Restricting Referrals
    We propose that the value-based arrangement must not limit parties' 
ability to make decisions in the best interests of their patients. That 
is, VBEs and VBE participants to a value-based arrangement must 
maintain their independent, medical, or other professional judgment. 
Additionally, we are aware that some payors and others, such as 
employers, direct or restrict where their networks or employees refer 
patients; moreover, we are aware that under some value-based 
arrangements, referrals would be directed within a network or continuum 
of preferred providers (based on quality and other legitimate 
considerations). We propose that, in addition to not limiting parties' 
ability to make referral decisions in the patients' best medical 
interests, value-based arrangements cannot direct or restrict referrals 
if: (i) A patient expresses a preference for a different practitioner, 
provider, or supplier; (ii) the patient's payor determines the 
provider, practitioner, or supplier; or (iii) such direction or 
restriction is contrary to applicable law or regulations under titles 
XVIII and XIX of the Act. This provision is intended, in part, to 
preserve patient freedom of choice among healthcare providers and 
ensure the VBE's and VBE participants' independent medical or 
professional judgment is not unduly restricted. That being said, we do 
not intend for this criterion to bar VBEs or VBE participants from 
communicating the benefits of receiving care from other VBE 
participants in the VBE.
c. No Marketing of Items or Services or Patient Recruitment Activities
    We propose to exclude safe harbor protection for value-based 
arrangements that include marketing items or services to patients or 
patient recruitment activities. Our enforcement experience demonstrates 
that fraud schemes often involve the purchase of beneficiaries' medical 
identity or other inducements to lure beneficiaries to obtain 
unnecessary care. This proposed safe harbor condition would protect 
beneficiaries and make clear that such coercive arrangements are not 
value-based arrangements protected by the proposed safe harbor. 
Accordingly, the proposed safe harbor would offer flexibility to 
improve quality of care, health outcomes, and efficiency while limiting 
the risk of the value-based arrangement being used as a marketing or 
recruiting tool to generate federally payable business for a VBE 
participant. Specifically, this requirement would restrict any party to 
a value-based arrangement, or such party's agent, from marketing, or 
engaging in patient recruitment activities related to, any items or 
services offered or provided to patients in the target patient 
population under a value-based arrangement.
    We do not intend for this limitation to prohibit a VBE participant 
that is a party to a value-based arrangement from educating patients in 
the target patient population regarding permissible value-based 
activities. For example, if a SNF or home health agency placed a staff 
member at a hospital to assist patients in the discharge planning 
process, and in doing so, the staff member educated patients regarding 
care management processes used by the SNF or home health agency, this 
would not constitute marketing of items and services (provided the 
staff member only worked with patients that had already selected the 
SNF or home health agency and SNF or home-health agency care was

[[Page 55713]]

medically appropriate for such patient). However, if the SNF or home 
health agency placed a staff member at a hospital to market its 
services to hospital patients, the arrangement would not comply with 
this proposed requirement. We solicit comments on this approach.
8. Monitoring and Assessment
    We propose a requirement that the VBE, a VBE participant in the 
value-based arrangement acting on the VBE's behalf, or the VBE's 
accountable body or responsible person monitors and assesses, no less 
frequently than annually, or once during the term of the value-based 
arrangement for arrangements with terms of less than 1 year: (i) The 
coordination and management of care for the target population in the 
value-based arrangement, (ii) any deficiencies in the delivery of 
quality care under the value-based arrangement, and (iii) progress 
toward achieving the evidence-based, valid outcome measure(s) in the 
value-based arrangement. We further propose to require that the party 
conducting such monitoring and assessment reports such monitoring and 
assessment to the VBE's accountable body or responsible person (if the 
VBE's accountable body or responsible person is not itself conducting 
the monitoring and assessment). Through this proposal, we seek to 
ensure that the VBE's accountable body or responsible person 
periodically assesses the parties' performance of certain key metrics 
under each value-based arrangement. We note that this proposal does not 
mandate how this monitoring should be performed. We intend for the 
monitoring to be tailored based on the complexity and sophistication of 
the VBE participants, the VBE, and the value-based arrangement and 
available resources. We are considering for the final rule, and solicit 
comments on, whether to require that both the party offering the 
remuneration and its recipient jointly conduct monitoring and 
assessment responsibilities. We further solicit comments on the role 
monitoring of utilization, referral patterns, and expenditure data 
could play in ensuring that the potential for abuses or gaming is 
reduced.
    The proposed rule would further require that if the VBE's 
accountable body or responsible person determines, through reports of 
monitoring and assessment, that the value-based arrangement (i) is 
unlikely to further the coordination and management of care for the 
target patient population, (ii) has resulted in material deficiencies 
in quality of care, or (iii) is unlikely to achieve the evidence-based, 
valid outcome measure(s), the parties terminate the arrangement within 
60 days of such a determination. To the extent the parties do not 
terminate an arrangement within 60 days of such determination, the 
parties would lose safe harbor protection under this proposal. We 
solicit comments on whether to adopt a longer or shorter timeframe for 
termination; our goal is a reasonable but also prompt termination of 
arrangements that are no longer serving the goals for which safe harbor 
protection is offered. In addition, we are considering for the final 
rule and seek comment regarding whether, in lieu of the proposed 
termination requirement for the above subsections (i) through (iii), 
the safe harbor should instead allow for remediation--within a 
reasonable timeframe--before any required termination.
    We are not proposing to define ``material deficiency in quality of 
care.'' We believe that such ``material deficiency'' may vary depending 
on the nature of the VBE and the value-based arrangements of its VBE 
participants. Examples of a ``material deficiency in quality of care'' 
may include, but are not limited to, identified instances of potential 
patient harm or a pattern of diminished quality of care.
    Our proposals with respect to monitoring and assessment stem from a 
recognition that most arrangements protected by this proposed care 
coordination arrangements safe harbor would not be subject to 
governmental programmatic requirements, oversight, or monitoring 
comparable to CMS-sponsored models. Accordingly, to aid in protecting 
against abusive arrangements, to further facilitate the government's 
understanding and awareness of value-based arrangements and their 
impacts on Federal health care program beneficiaries and expenditures, 
and to create incentives for VBEs to exercise due diligence when 
establishing them, we are considering for the final rule requiring VBEs 
to submit certain data to the Department that would identify the VBE, 
VBE participants, and value-based arrangements, as a requirement for 
safe harbor protection. We solicit comments on whether such a 
requirement would present compliance or operational burdens for VBEs 
seeking the protection of this safe harbor.
    Were such a proposal finalized, required data might include the 
National Provider Identifier (NPI) number or other identifying 
information of each VBE participant in the VBE, each party 
participating in the value-based arrangement, as well as information 
regarding the arrangement, such as its duration. This data could be 
used, for example, by the government for data analysis to understand 
whether value-based arrangements are associated with increased or 
decreased utilization or outlier levels of utilization (taking into 
account that in some value-based arrangements one would expect to see 
increased utilization of some types of items and services and decreases 
in others). Should we adopt this approach, information would be 
submitted in a form and manner and at times specified by the Secretary 
in guidance. We solicit comments on the types of data that the parties 
availing themselves of safe harbor protection should be required to 
submit to the Department, potential reporting and compliance burdens 
for small and large value-based enterprises, and any different or 
additional actions that may help ensure appropriate oversight.
9. No Diversion, Resell, or Use for Unlawful Purposes
    We propose that the exchange of remuneration under this safe harbor 
would not be protected if the offeror knows or should know that the 
remuneration is likely to be diverted, resold, or used by the recipient 
for an unlawful purpose. Here, we state expressly what is otherwise 
implicit in the design of a value-based arrangement under this proposed 
safe harbor: The exchange of remuneration that the offeror knows or 
should know is likely to be diverted, resold, or used by the recipient 
for purposes other than the coordination and management of care of a 
target patient population would not be protected.
10. Materials and Records
    To ensure transparency, we propose a requirement that VBE 
participants or the VBE make available to the Secretary, upon request, 
all materials and records sufficient to establish compliance with the 
conditions of this safe harbor. We are not proposing parameters 
regarding the creation or maintenance of documentation to allow VBE 
participants the flexibility to determine what constitutes best 
documentation practices, but welcome comments on whether such 
parameters may be needed. In particular, we seek comment regarding 
whether we should require, in the final rule, a requirement that 
parties maintain materials and records sufficient to establish 
compliance with the conditions of this safe harbor for a set period of 
time (e.g., at least 6 years or 10 years).

[[Page 55714]]

11. Possible Additional Safeguards
a. Bona Fide Determination
    We are considering for the final rule a condition that would 
require that, in advance of, or contemporaneous with, the commencement 
of the applicable value-based arrangement, the VBE's accountable body 
or responsible person make two bona fide determinations with respect to 
the value-based arrangement. First, we are considering a condition 
requiring that the accountable body or responsible person make a bona 
fide determination that the value-based arrangement is directly 
connected to the coordination and management of care for the target 
patient population. Second, we are considering a condition requiring 
that the accountable body or responsible person make a bona fide 
determination that the value-based arrangement is commercially 
reasonable, considering both the arrangement and all value-based 
arrangements within the VBE.
b. Cost-Shifting Prohibition
    We are considering for the final rule, and seek comment on, a 
condition prohibiting VBEs or VBE participants from billing Federal 
health care programs, other payors, or individuals for the 
remuneration; claiming the value of the remuneration as a bad debt for 
payment purposes under a Federal health care program; or otherwise 
shifting costs to a Federal health care program, other payors, or 
individuals.
    This proposal would not exclude arrangements from safe harbor 
protection that involve legitimate shifting of some costs that result 
from achieving care coordination goals or other value-based purposes. 
For example, depending on the arrangement, one might expect to see 
increases in primary care costs or costs for care furnished in home and 
community settings paired with reductions in unnecessary 
hospitalizations, duplicative testing, and emergency room visits; one 
also might see increases in remote monitoring or care management 
services.
c. Fair Market Value Requirement and Restriction on Remuneration Tied 
to the Volume or Value of Referrals
    Commenters to the OIG RFI pointed to fair market value requirements 
and restrictions on remuneration based on the volume or value of 
business in existing safe harbors as barriers to arrangements that 
facilitate coordinated and value-based care, so we have crafted this 
proposed safe harbor without them, relying instead upon other program 
integrity safeguards. However, fair market value requirements and 
restrictions that prohibit paying remuneration based on the volume or 
value of referrals help ensure that protected payments are for 
legitimate purposes and are not kickbacks. We have endeavored to draft 
this safe harbor to distinguish between beneficial care coordination 
arrangements and payment-for-referral schemes that do not serve, and 
may be contrary to, the goals of coordinated care and the shift to 
value. We solicit comments from stakeholders for safeguards that may 
help distinguish payments to reward or induce referrals from 
remuneration provided to promote or support legitimate care 
coordination activities.
    To this end, we are considering as an alternate proposal for the 
final rule's care coordination arrangements safe harbor: (i) Whether we 
should include a fair market value requirement on any remuneration 
exchanged pursuant to a value-based arrangement, and (ii) whether we 
should include a further or alternate requirement prohibiting VBE 
participants from determining the amount or nature of the remuneration 
they offer, or the VBE participants to whom they offer such 
remuneration, in a manner that takes into account the volume or value 
of referrals or other business generated, including both business or 
patients that are part of the value-based arrangement and those that 
are not. To the extent these requirements would impede value-based and 
care coordination arrangements, we are interested in feedback on 
potential, alternative safe harbor conditions that might mitigate such 
effects.
    We are further considering for the final rule whether we could best 
achieve the goals of this rulemaking through a safe harbor design that 
requires value-based arrangements to be fair market value but that does 
not prohibit determining the amount or nature of the remuneration on 
the volume or value of referrals or other business generated. This 
approach would recognize the anti-kickback statute compliance challenge 
that the restriction on the volume or value of referrals or other 
business generated poses for arrangements that inherently reflect the 
volume of patients for whom care is coordinated or the value of 
services offered under a value-based arrangement. In addition, or as an 
alternative, we are considering a restriction that would prohibit 
remuneration based directly on the volume or value of business 
generated between the parties (thus permitting remuneration based 
indirectly on the volume or value of referrals or other business 
generated between the parties).
d. Additional Requirements for Dialysis Providers
    Dialysis providers furnish vital services to patients with critical 
and extensive care needs. Patients with end stage renal disease (ESRD) 
stand to benefit substantially from better coordinated, more efficient 
care as envisioned by this proposed rule. Dialysis providers play a 
central role in coordinating the care of individuals with ESRD. 
However, the dialysis industry has unique attributes--in particular, 
market dominance by a limited number of dialysis providers--that may 
increase fraud and abuse risks attendant to financial relationships 
between dialysis providers and others. We are concerned that present 
levels of market consolidation could impact access to dialysis care, 
quality of care, and associated health outcomes.\23\ In addition, we 
are concerned that, because of the aforementioned market dominance of a 
limited number of providers, the conduct that would be protected by 
this proposed safe harbor could lead to a decrease in competition among 
dialysis providers. We seek comment on whether and how the potential 
protection of financial arrangements between dialysis providers and 
others under this proposed safe harbor could affect the concentration 
of the dialysis market, access to care, quality of care, and associated 
health outcomes. We are considering whether to include in the final 
rule certain conditions specific to dialysis providers to further 
ensure that their care coordination arrangements operate to improve the 
management and care of patients and are not pay-for-referral schemes. 
These conditions could include enhanced monitoring, reporting, or data 
submission requirements or some of the conditions discussed in sections 
a., b., and c. directly above, including fair market value requirements 
and restrictions that prohibit paying remuneration based on the volume 
or value of referrals.
---------------------------------------------------------------------------

    \23\ See Kevin F. Erickson et al., Consolidation in the Dialysis 
Industry, Patient Choice, and Local Market Competition, 28 Clinical 
J. of the American Society of Nephrology 3 (Mar. 7, 2017).
---------------------------------------------------------------------------

12. Example of a Value-Based Arrangement Analyzed Under the Proposed 
Care Coordination Arrangements Safe Harbor
    The following example demonstrates how parties might analyze the 
proposed care coordination arrangements safe harbor's various 
requirements with

[[Page 55715]]

respect to the following fact pattern: To coordinate care between an 
acute care hospital and a SNF for mental health patients, the hospital 
and SNF enter into a care coordination arrangement under which the 
hospital engages in the value-based activity of providing a behavioral 
health nurse for to the SNF to follow designated inpatients with 
certain mental health disorders for a 1-year time period, who comprise 
the target patient population, following discharge from the hospital 
and during admission to and while receiving care at the SNF. In this 
example, both the hospital and the SNF stand to benefit from this 
arrangement because they participate in a value-based payment 
arrangement that offers them shared savings payments for improved 
quality and patient outcomes and reduced emergency room visits. The 
hospital and SNF are the only VBE participants in a VBE that is 
designed to accomplish the value-based purpose of coordinating and 
managing the care of patients with mental health disorders (namely, by 
improving the quality of care they receive during the care transition 
process from acute care to skilled nursing care and during their SNF 
stay).
    This proposed arrangement would implicate the anti-kickback 
statute, because the hospital would be providing the SNF with 
remuneration (the behavioral health nurse services) and the SNF could 
refer Medicare, Medicaid, or other Federal health care program patients 
to the hospital. Safe harbor protection is afforded only to those 
arrangements that precisely meet all of a safe harbor's conditions. 
Consequently, the hospital and SNF might engage in the following 
analysis to determine whether their proposed arrangement satisfies the 
proposed care coordination arrangements safe harbor's requirements.
    First, the hospital and SNF must establish specific evidence-based, 
valid outcome measures against which the SNF will be measured 
throughout the arrangement, and which the parties reasonably anticipate 
will advance the coordination and management of care for the target 
patient population.
    Second, the parties must ensure that devoting one full-time nurse 
to oversee these patients would be commercially reasonable, considering 
both the arrangement itself and all value-based arrangements in the 
VBE.
    Third, the hospital and SNF must execute a signed writing 
documenting the terms of the value-based arrangement prior to, or 
contemporaneous with, its commencement or any material changes to the 
arrangement. The writing must include: (i) The term of the value-based 
arrangement; (ii) the value-based activities to be undertaken; (iii) 
the target patient population; (iv) a description of the remuneration 
(e.g., the assignment of a full-time nurse to the SNF and the cost of 
the nurse's services to the offeror); (v) the offeror's cost of the 
remuneration; (vi) the percentage of the offeror's cost contributed by 
the recipient; (vii) if applicable, the frequency of the recipient's 
contribution payments for ongoing costs; and (viii) set forth the 
specific, evidence-based valid outcome measure(s) against which the SNF 
would be measured.
    Fourth, the remuneration must: (i) Be in-kind; (ii) be used 
primarily to engage in one or more value-based activities that have a 
direct connection to the coordination and management of care for the 
target patient population; and (iii) not induce VBE participants to 
furnish medically unnecessary items or services or reduce or limit 
medically necessary items and services furnished to any patient. In 
addition, the hospital could not provide the nurse to the SNF if any 
part of the cost of the nurse would be funded by, or otherwise result 
from the contributions of, an individual or entity outside of the VBE, 
such as a pharmaceutical or medical device manufacturer.
    Fifth, the hospital's provision of the nurse to the SNF must not 
take into account the volume or value of, or condition the remuneration 
on, referrals of patients who are not part of the target patient 
population and business not covered under the value-based arrangement.
    Sixth, the SNF must pay for at least 15 percent of the hospital's 
cost of the care coordination services provided by the nurse over the 
arrangement's one-year term. Assuming the nurse provides periodic 
services throughout the year, the SNF must pay its required 
contribution amount at reasonable, regular intervals, such as on a 
monthly basis.
    Seventh, the value-based arrangement must be directly connected to 
the coordination and management of care of the target patient 
population. In addition, the value-based arrangement must not place any 
limitation on the VBE participants' ability to make decisions in the 
best interest of their patients. Further, if the value-based 
arrangement restricts or directs referrals, the value-based arrangement 
may not require referrals to a particular provider, practitioner, or 
supplier: (i) If a patient expresses a preference for a different 
practitioner, provider, or supplier; (ii) if the patient's payor 
determines the provider, practitioner, or supplier; or (iii) such 
direction or restriction is contrary to applicable law or regulations 
under titles XVIII and XIX of the Act. For example, the hospital could 
not require physicians on its medical staff to refer patients in the 
target patient population to the SNF if a patient expresses a 
preference for a different facility or if the patient's payor does not 
cover services at the SNF.
    Eighth, the arrangement must not include marketing to patients of 
items or services or engaging in patient recruitment activities.
    Ninth, the VBE (or alternatively, the SNF or hospital acting on the 
VBE's behalf), or the VBE's accountable body or responsible person must 
monitor and assess at least annually (or once during the agreement's 
term if the agreement is for less than a year): (i) The coordination 
and management of care of the target patient population; (ii) any 
deficiencies in the delivery of quality care under the value-based 
arrangement; and (iii) progress toward achieving the evidence-based, 
valid outcome measure(s) in the value-based arrangement. If, through 
monitoring and assessment, the VBE's accountable body or responsible 
person determines that the value-based arrangement is: (i) Is unlikely 
to further the coordination and management of care for the target 
patient population, (ii) has resulted in material deficiencies in 
quality of care, or (iii) is unlikely to achieve the evidence-based, 
valid outcome measure(s), the parties terminate the arrangement within 
60 days of such a determination.
    Tenth, the hospital does not, and should not, know that the 
behavioral nurse's services are likely to be ``diverted'' by the SNF 
(e.g., used by the SNF to perform tasks unrelated to the care 
coordination and management of the target patient population) or used 
for an unlawful purpose (e.g., the provision of medically unnecessary 
services).
    Finally, the VBE participants must provide documentation, such as 
the signed writing, to the Secretary, upon request, showing that the 
parties complied with the safe harbor provisions.
13. Alternative Regulatory Structure
    This proposed rule provides protections for certain care 
coordination and value-based arrangements through a combination of 
proposed revisions to the personal services and management contracts 
safe harbor at 1001.952(d), the proposed care coordination arrangements 
safe harbor at 1001.952(ee), the proposed substantial downside 
financial risk safe harbor at

[[Page 55716]]

1001.952(ff), and the full downside financial risk safe harbor at 
1001.952(gg). As an alternative to this suite of protections, we are 
considering for the final rule a different regulatory structure and 
approach to protect care coordination and other value-based 
arrangements that are not at full financial risk (as defined at 
proposed 1001.952(gg)) and are not part of a CMS-sponsored model (as 
defined at proposed 1001.952(ii)). For this alternate approach, we 
would rely solely on the personal services and management contracts 
safe harbor at paragraph 1001.952(d) as a platform to create tiered 
protection for value-based arrangements, each step of which would 
remove additional conditions of paragraph 1001.952(d) to allow greater 
flexibility for innovation as the arrangements become more closely 
aligned with value-based purposes (as defined in proposed paragraph 
1001.952(ee)) and the parties take on more downside financial risk.
    First, as proposed and described in our proposed modifications to 
the personal services and management contracts safe harbor, we would 
remove the requirement that aggregate compensation under service 
arrangements be set forth in advance, substituting a requirement that 
the methodology for determining the compensation be set in advance. 
This would offer broader protection for certain outcomes-based payment 
arrangements that are fair market value and do not take into account 
the volume or value of referrals or other business. Protected 
arrangements would not be required to meet the proposed definition of 
``value-based arrangement.''
    Second, for value-based arrangements that meet applicable 
requirements of the VBE framework previously outlined (e.g., the 
parties to the arrangement are VBE participants in a VBE), we would 
provide additional flexibility under the personal services and 
management contracts safe harbor by removing the requirements that the 
aggregate compensation: (i) Be set in advance (but requiring that the 
compensation methodology be set in advance); and (ii) not be determined 
in a manner that takes into account the volume or value of referrals. 
We may also incorporate safeguards from our proposed care coordination 
arrangements safe harbor (e.g., the monitoring requirement). To ensure 
that protected arrangements meet their value-based purposes, we might 
incorporate additional accountability and transparency requirements, 
such as those proposed for new safe harbor 1001.952(ee). We envision 
this framework would be similar to our current proposal to add new 
protections for outcomes-based payments at proposed new paragraph 
1001.952(d)(2).
    Third, for parties that meet the requirements of the value-based 
framework and also assume substantial downside financial risk (as 
defined in proposed 1001.952(ff)), we would provide increased 
flexibility under the personal services and management contracts safe 
harbor for their arrangements by removing the requirements that the 
aggregate compensation: (i) Be set in advance (but requiring that the 
compensation methodology be set in advance); (ii) not be determined in 
a manner that takes into account the volume or value of any referrals; 
and (iii) be consistent with fair market value in arm's-length 
transactions. This additional flexibility would be afforded in 
recognition of the parties' assumption of downside financial risk.
    With respect to the volume or value requirement, we are considering 
for the final rule several alternative ways we might remove it in the 
second and third steps of this approach. We might remove it entirely or 
remove it in part by retaining a requirement that the compensation not 
relate directly to the volume or value of referrals or other business 
generated between the parties (allowing for indirect correlations). 
With respect to a fair market value requirement, we might remove it 
entirely; remove it only for monetary remuneration or only for in-kind 
remuneration; or remove it where the non-fair market value arrangement 
primarily benefits the offeror of the remuneration, with such benefit 
independent of any increase in the volume or value of referrals (e.g., 
a hospital offering care managers to a post-acute care facility to 
better coordinate care and prevent avoidable readmissions for which the 
hospital might be penalized). We might also permit a broader set of 
free or below fair market value arrangements for providers coordinating 
care in rural or underserved areas or providers serving underserved 
populations.
    We are cognizant that this alternative approach may present 
operational challenges for parties, particularly with respect to 
determining fair market value for value-based arrangements. Moreover, 
we solicit comments on this approach as a whole and, in particular, on 
the following: (i) How to include in any safe harbor finalized 
consistent with this approach protection for the exchange of 
information technology and infrastructure that might not be part of a 
personal services or management contract, with a scope of protection 
equivalent to the protection collectively proposed under paragraphs 
1001.952(ee) and (ff); and (ii) how parties would determine that a 
payment for quality outcomes is consistent with fair market value. As 
with the second tier described above, to ensure that protected 
arrangements meet their value-based purposes, we might incorporate 
additional accountability and transparency requirements, such as those 
proposed for new safe harbor 1001.952(ee).
    We are also interested in comments regarding any special problems a 
fair market value requirement would pose for providers in rural or 
underserved areas, providers serving underserved populations, or 
others. With respect to other proposed safe harbors where we have 
indicated that we are considering including in the final rule a 
restriction related to the volume or value of referrals and other 
business generated or a requirement for fair market value, we will 
consider comments to this alternative regulatory structure addressing 
how these criteria would operate in connection with value-based 
arrangements.

D. Value-Based Arrangements With Substantial Downside Financial Risk 
(1001.952(ff))

    We are proposing a new safe harbor for certain value-based 
arrangements involving VBEs that assume substantial downside financial 
risk (as defined in the proposed regulation) from a payor. We propose 
to incorporate the definitions of ``coordination and management of 
care,'' ``target patient population,'' ``value-based activity,'' 
``value-based arrangement,'' ``value-based enterprise,'' ``value-based 
purpose,'' and ``VBE participant'' found in proposed paragraph 
1001.952(ee).
    This safe harbor, which would protect both monetary and in-kind 
remuneration, would offer greater flexibility than the safe harbor for 
care coordination arrangements in recognition of the VBE's assumption 
of substantial downside financial risk. It could apply, for example, to 
an arrangement between an accountable care organization that is a VBE 
and a network provider to share savings and losses earned or owed by 
the accountable care organization, or between a VBE that has contracted 
with a payor for an episodic payment and a hospital and post-acute care 
provider that would be coordinating care for patients under the 
episodic payment. However, as proposed, this safe harbor would apply 
only to the exchange of remuneration between VBEs that have assumed 
substantial downside financial

[[Page 55717]]

risk and VBE participants that meaningfully share in the VBE's downside 
financial risk (as further described below).
    In other words, where a VBE participant agrees to spread the VBE's 
financial risk and coordinate care, additional safe harbor flexibility 
would be available. For the same reasons articulated in our discussion 
of the care coordination arrangements safe harbor, we propose that this 
safe harbor would not protect an ownership or investment interest in 
the VBE or any distributions related to an ownership or investment 
interest. We solicit comments on this approach and, in particular, 
whether this proposal presents any operational challenges with respect 
to the creation of a VBE as a separate legal entity. We are considering 
for the final rule whether this safe harbor should protect ownership or 
investment interests with respect to VBEs that must contract with a 
payor on behalf of VBE participants for purposes of value-based 
arrangements with substantial downside financial risk.
    Additionally, for the same reasons articulated in our discussion of 
the care coordination arrangements safe harbor, we propose that this 
safe harbor would not protect any remuneration funded by, or otherwise 
resulting from contributions by, an individual or entity outside of the 
applicable VBE.
    We are considering for the final rule whether, and if so, how, to 
extend this safe harbor to remuneration that passes from one VBE 
participant to another (without the risk-bearing VBE being party to the 
arrangement) when the VBE has assumed substantial downside financial 
risk from a payor. We are concerned that under many such downstream 
arrangements, the VBE participant receiving the remuneration may have 
assumed little or no financial risk and may be billing for his or her 
services on an FFS basis, thus retaining FFS incentives with respect to 
ordering or arranging for items and services for patients. We note the 
proposed care coordination arrangements safe harbor, with its 
additional safeguards, may be available for such arrangements, where 
they involve only in-kind remuneration, and the personal services and 
management safe harbor's proposed modifications for outcomes-based 
payments may be available for monetary remuneration.
    This proposed safe harbor would protect remuneration exchanged 
between a VBE and a VBE participant pursuant to a value-based 
arrangement if several standards are met. First, the VBE must have 
assumed, or be contractually obligated to assume, substantial downside 
financial risk from a payor for providing or arranging for the 
provision of items and services for a target patient population. The 
VBE can assume this risk directly if the VBE is an entity or through a 
VBE participant acting as an agent of, and accountable to, the VBE. (We 
note, to the extent a VBE participant wholly assumes risk on behalf of 
the VBE, it may act in both its capacity as a VBE participant and an 
agent of the VBE.)
    To balance the need to protect start-up arrangements while also 
limiting potential program integrity risks, this safe harbor would 
protect arrangements between the VBE and the VBE participant during the 
6 months prior to the date by which the VBE must assume substantial 
downside financial risk (as defined below). We solicit comments on 
whether 6 months is a sufficient timeframe, and if not, what longer or 
shorter timeframe would be appropriate.
    For purposes of this safe harbor, we are proposing specific 
methodologies that would qualify as substantial downside financial 
risk. Under any of our proposed methodologies, the VBE would assume 
risk from a payor for the provision of items and services to a target 
patient population for the entire term of the value-based arrangement. 
Our intent is for such risk to be of a degree likely to ensure that the 
value-based arrangements of the VBE are designed to appropriately 
reduce (or slow the growth of) costs, improve efficiencies, or improve 
health outcomes for the target patient population (and are not likely 
to increase over- or under-utilization or costs to payors or patients). 
We propose that a VBE would be at substantial downside financial risk 
if it is subject to risk pursuant to one of the following methods, 
drawn from the Department's experience: \24\
---------------------------------------------------------------------------

    \24\ For clarity, we note that we would not consider a 
prospective payment system for acute inpatient hospitals, home 
health agencies, hospice, outpatient hospitals, inpatient 
psychiatric facilities, inpatient rehabilitation facilities, long-
term-care hospitals, and SNFs, or other like payment methodologies 
to meet any of the prongs of our proposed definition of 
``substantial downside financial risk.''
---------------------------------------------------------------------------

    (i) Shared savings with a repayment obligation to the payor of at 
least 40 percent of any shared losses, where loss is determined based 
upon a comparison of costs to historical expenditures, or to the extent 
such data is unavailable, evidence-based, comparable expenditures;
    (ii) A repayment obligation to the payor under an episodic or 
bundled payment arrangement of at least 20 percent of any total loss, 
where loss is determined based upon a comparison of costs to historical 
expenditures, or to the extent such data is unavailable, evidence-
based, comparable expenditures;
    (iii) A prospectively paid population-based payment for a defined 
subset of the total cost of care of a target patient population, where 
such payment is determined based upon a review of historical 
expenditures, or to the extent such data is unavailable, evidence-
based, comparable expenditures; or
    (iv) A partial capitated payment from the payor for a set of items 
and services for the target patient population where such capitated 
payment reflects a discount equal to at least 60 percent of the total 
expected FFS payments based on historical expenditures, or to the 
extent such data is unavailable, evidence-based, comparable 
expenditures of the VBE participants to the value-based 
arrangements.\25\
---------------------------------------------------------------------------

    \25\ To afford VBE participants flexibility, we are not 
prescribing how parties may determine the basis for shared savings, 
shared losses, population-based payments, or partial capitation 
payments. However, we expect any such approach will reflect a 
legitimate compensation methodology, not one that simply manipulates 
numbers to artificially inflate savings or decrease losses, as may 
be applicable.
---------------------------------------------------------------------------

    We are soliciting comments on this proposed definition of 
``substantial downside financial risk,'' including whether: (i) These 
benchmarks should be higher or lower to ensure appropriate incentives; 
(ii) there are other methodologies not captured by this list that 
should qualify as substantial downside financial risk, such as those 
listed under 42 CFR 1001.952(u)(1)(i)(C); and (iii) some or all of 
these benchmarks should be omitted from this rule or modified to better 
capture true assumption of substantial downside financial risk for 
items and services furnished to patients. With respect to (i) through 
(iii), we are considering and solicit comments on whether the 
requirement to compare losses to, or determine payments based on, 
historical expenditures or evidence-based, comparable expenditures and 
whether additional means to establish a baseline against which to 
measure losses or payments is feasible for new or small VBEs or whether 
new or small VBEs should be allowed additional means to establish a 
baseline, such as allowing new or small VBEs to establish such 
baselines after a reasonable period of operation, such as 1 year. We 
also solicit comments on whether the assumption of substantial downside 
financial risk by the VBE as contemplated here, in combination with the 
safeguards proposed for this safe harbor, results in meaningful 
protections that will ensure that the

[[Page 55718]]

benefits of the arrangements that would be protected by this safe 
harbor outweigh any risk of misuse of the safe harbor to protect 
fraudulent or abusive arrangements.
    Lastly, we are considering for the final rule, and seek comment 
regarding, whether we should include advanced APMs and other payor 
advanced APMs, as both terms are defined at 42 CFR 414.1305, in the 
definition of ``substantial downside financial risk.'' Specifically, we 
seek comment on the following: (i) If advanced APM participants would 
likely rely on this safe harbor versus the CMS-sponsored model 
arrangements safe harbor; and if so, what barriers, if any, our 
proposed definition of ``substantial financial risk'' and 
``meaningfully share'' (as outlined in further detail below) may pose; 
and (ii) whether our current definition of ``substantial financial 
risk'' is too narrow, such that we have excluded advanced APMs or other 
payor advanced APMs that encourage participants to meaningfully assume 
downside financial risk.
    This safe harbor proposes to protect remuneration from a VBE to a 
VBE participant pursuant to a value-based arrangement. As a condition 
of this safe harbor, the terms of the value-based arrangement require 
the VBE participant to meaningfully share in the VBE's substantial 
downside financial risk for providing or arranging for items and 
services for the target patient population. This condition is intended 
to ensure that VBE participants ordering or arranging for items and 
services for patients (in other words, those making care decisions) 
closely share the VBE's goals and share in accountability if those 
goals are not achieved.
    For purposes of this condition, we propose that a VBE participant 
``meaningfully shares'' in the VBE's substantial downside financial 
risk if the value-based arrangement contains one of the following: (i) 
A risk-sharing payment pursuant to which the VBE participant is at risk 
for 8 percent of the amount for which the VBE is at risk under its 
agreement with the applicable payor (e.g., an 8-percent withhold, 
recoupment payment, or shared losses payment); (ii) a partial or full 
capitated payment or similar payment methodology (excluding the 
prospective payment systems for acute inpatient hospitals, home health 
agencies, hospice, outpatient hospitals, inpatient psychiatric 
facilities, inpatient rehabilitation facilities, long-term care 
hospitals, and SNFs or other like payment methodologies); or (iii) in 
the case of a VBE participant that is a physician, a payment that meets 
the requirements of the physician self-referral law's regulatory 
exception for value-based arrangements with meaningful downside 
financial risk at section 411.357(aa)(2).
    Under (i), the proposed percentage of the VBE's substantial 
downside financial risk in which the VBE participant must share is 
based on the 8-percent nominal risk standard under the CMS regulation 
governing advanced APM and other payor advanced APM criteria at 42 CFR 
414.1415 and 414.1420, respectively. We solicit comments on additional 
or alternative, specific thresholds we could include in the final rule 
to help ensure that the VBE participant is meaningfully engaged with 
the VBE in delivering value through its ordering and referring 
decisions, as well as data to support suggestions.
    To protect against risks of stinting on care, we further propose 
that the remuneration must not induce limitations on, or reductions of, 
medically necessary items or services furnished to any patient. We are 
considering for the final rule additional conditions to safeguard 
against risks of cherry picking or lemon dropping of patients, which 
could affect the quality of care patients receive. In addition, we are 
considering and solicit comments on whether to include a length-of-time 
requirement (e.g., 1 year) for the VBE to be at substantial downside 
financial risk to avoid gaming (as highlighted in our subsequent 
discussion of this issue in the full financial risk safe harbor).
    We are proposing to include the following conditions similar to 
certain conditions we are proposing for the care coordination 
arrangements safe harbor and would interpret these conditions, where 
applicable, as described previously in the discussion of the care 
coordination arrangements safe harbor:
    (i) The value-based arrangement must be set forth in a writing that 
contains, among other information, a description of the nature and 
extent of the VBE's substantial downside financial risk for the target 
patient population and a description of the manner in which the 
recipient meaningfully shares in the VBE's substantial downside 
financial risk;
    (ii) the VBE or VBE participant offering the remuneration does not 
take into account the volume or value of, or condition the remuneration 
on, referrals of patients outside of the target patient population or 
business not covered under the value-based arrangement;
    (iii) the value-based arrangement does not: (1) Place any 
limitation on VBE participants' ability to make decisions in the best 
interest of their patients, or (2) direct or restrict referrals to a 
particular provider, practitioner, or supplier if:
    (A) A patient expresses a preference for a different practitioner, 
provider, or supplier;
    (B) the patient's payor determines the provider, practitioner, or 
supplier; or
    (C) such direction or restriction is contrary to applicable law or 
regulations under titles XVIII and XIX of the Act;
    (iv) the value-based arrangement does not include marketing to 
patients of items or services or engaging in patient recruitment 
activities; and
    (v) the VBE or its VBE participants maintain documentation 
sufficient to demonstrate compliance with the safe harbor's conditions 
and make such records available to the Secretary upon request.
    Note that we are considering, and seek comment regarding whether we 
should include in the final rule, a condition regarding the maintenance 
of materials and records sufficient to establish compliance with the 
conditions of this safe harbor for a set period of time (e.g., at least 
6 years or 10 years).
    In addition to the foregoing standard, under this proposed safe 
harbor, the remuneration must be used primarily to engage in value-
based activities that are directly connected to the items and services 
for which the VBE is at substantial downside financial risk. For 
example, a VBE is at substantial downside financial risk through an 
agreement with a payor to assume a percentage of shared losses for 
items and services provided in connection with hip replacements to the 
target patient population. Remuneration provided by the VBE to a VBE 
participant would be protected under this proposed safe harbor only if 
the VBE participant primarily uses the remuneration to engage in value-
based activities that have a direct connection to the items and 
services provided to patients in the target patient population 
undergoing hip replacement surgery (i.e., the items and services for 
which the VBE is at substantial downside financial risk). Thus, while 
the VBE could give the VBE participant money that it uses to hire a 
staff member who primarily coordinates patients' transitions between 
care settings after undergoing hip replacement surgery, the VBE could 
not give the VBE participant money that it uses to hire a staff member 
who coordinates transitions between care settings for patient 
undergoing an array of surgical procedures. In addition, we propose 
that the remuneration exchanged must be directly connected to one or 
more of the

[[Page 55719]]

VBE's value-based purposes, at least one of which must be the 
coordination and management of care for the target patient population.
    We believe these safeguards are necessary to ensure transparency 
and accountability, as well as to reduce the potential for protected 
arrangements to be used to pay for referrals unrelated to coordinating 
care and improving health outcomes and value for programs and patients. 
For example, as with other safe harbors proposed in this rulemaking, we 
do not intend to protect arrangements nominally characterized as a care 
coordination or value-based arrangement but that in reality are schemes 
intended merely to buy or sell referrals. To further protect against 
such arrangements, we are considering including in the final rule a 
commercial reasonableness requirement and a monitoring standard, each 
of which would be similar to those included in our proposed care 
coordination arrangements safe harbor at 1001.952(ee). In addition, to 
heighten transparency of any value-based arrangements and to ensure 
that the value-based arrangement is known by and closely related to the 
VBE itself, we are considering for the final rule whether to require 
that, in advance of, or contemporaneous with, the commencement of the 
applicable value-based arrangement, the VBE's accountable body or 
responsible person make a bona fide determination that the value-based 
arrangement is directly connected to a value-based purpose, at least 
one of which must be the coordination and management of care for the 
target patient population.
    As discussed previously, we remain aware that the arrangements 
protected by the proposed substantial downside financial risk safe 
harbor would not be subject to programmatic requirements, oversight, or 
monitoring comparable to CMS-sponsored models. Accordingly, we are 
considering for the final rule including a requirement to submit 
information to the Department about the VBE, VBE participants, and the 
value-based arrangement similar to the requirement we are considering 
for the care coordination safe harbor at 1001.952(ee). As discussed in 
the care coordination arrangements safe harbor section, we also are 
considering for the final rule a condition prohibiting VBEs or VBE 
participants from billing Federal health care programs, other payors, 
or individuals for remuneration exchanged pursuant to the safe harbor; 
claiming the value of the remuneration as a bad debt for payment 
purposes under a Federal health care program; or otherwise shifting 
costs to a Federal health care program, other payors, or individuals.
    Through the substantial downside financial risk safe harbor, we 
seek to provide more flexibility for entities that assume a substantial 
amount of financial risk such that the risk incentivizes a shift from 
volume-based decision making to value-based decision making. By 
allowing parties this enhanced flexibility in exchange for assuming 
risk with respect to only a subset of items and services furnished to a 
target patient population, we are mindful of the potential for parties 
to assume financial risk for such a narrow subset of items and services 
that the offeror's risk does not equate to substantial downside 
financial risk. We solicit comments on safeguards against this risk and 
the overall approach we have taken with respect to the substantial 
downside financial risk safe harbor.

E. Value-Based Arrangements With Full Financial Risk (1001.952(gg))

    We propose to protect certain arrangements (including in-kind and 
monetary remuneration) involving VBEs that have assumed ``full 
financial risk,'' as that term is defined in the proposed regulation, 
for a target patient population. Because we recognize that VBEs that 
have assumed full financial risk present fewer traditional FFS fraud 
and abuse risks, this proposed safe harbor would include more flexible 
conditions than the proposed care coordination arrangements and 
substantial downside financial risk safe harbors, which we believe 
would reduce burden for the VBE and its VBE participants. We intend for 
the safe harbor to offer this category of VBEs the greatest ability to 
innovate with respect to coordinated care arrangements in light of 
their assumption of the highest level of risk contemplated in this 
proposed rulemaking. We propose to incorporate the definitions of 
``coordination and management of care,'' ``target patient population,'' 
``value-based activity,'' ``value-based arrangement,'' ``value-based 
enterprise,'' ``value-based purpose,'' and ``VBE participant'' found in 
proposed paragraph 1001.952(ee). For the same reasons discussed 
previously with respect to the care coordination arrangements safe 
harbor, we propose that this safe harbor would not protect an ownership 
or investment interest in the VBE or any distributions related to an 
ownership or investment interest. We solicit comments on this approach 
and, in particular, whether this proposal presents any operational 
challenges with respect to the creation of a VBE as a separate legal 
entity. We are considering for the final rule whether we should protect 
ownership or investment interests with respect to VBEs that must 
contract with a payor on behalf of VBE participants for purposes of 
value-based arrangements with full financial risk.
    We also propose, for the same reasons discussed previously with 
respect to the care coordination arrangements safe harbor, that this 
safe harbor would not protect any remuneration funded by, or otherwise 
resulting from contributions by, an individual or entity outside of the 
applicable VBE.
    We propose that a VBE would be at ``full financial risk'' for the 
cost of care of a target patient population if the VBE is financially 
responsible for the cost of all items and services covered by the 
applicable payor for each patient in the target patient population and 
is prospectively paid by the applicable payor. By ``prospective,'' we 
mean the anticipated cost of all items and services covered by the 
applicable payor for the target patient population, has been determined 
and paid in advance (as opposed to billing under the otherwise 
applicable payment systems and undergoing a retrospective 
reconciliation after items and services have been furnished).
    By way of example, a VBE would be at ``full financial risk'' if it 
received a prospective, capitated payment for all items and services 
covered by Medicare Parts A and B for a target patient population. 
Similarly, we would consider a VBE that contracts with a Medicaid 
managed care organization and receives a fixed per-patient per-month 
amount to be at full financial risk if the fixed amount covered the 
cost of all Medicaid-covered items and services furnished to the target 
patient population.
    In contrast, our proposal would not protect an entity that receives 
a partial capitated payment, be it either: (i) A capitated payment that 
covers a limited set of items or services or (ii) a payment arrangement 
where an entity receives a combination of reduced FFS and capitation 
payments for a defined set of items or services. For example, a 
hospital that participates in a bundled payment program for patients 
who receive knee replacements, and that receives an episodic payment to 
cover all costs associated with the knee replacement surgeries and 
follow-up care for 90 days, would not be eligible for protection under 
this safe harbor. The hospital is at full financial risk for the knee 
surgeries and related services but not for the patients' total cost of 
care. We note that other proposals in

[[Page 55720]]

this rulemaking may be available for such arrangements.
    We note that our proposed definition of ``full financial risk'' 
would not prohibit a VBE from entering into arrangements--like global 
risk adjustments, risk corridors, reinsurance, or stop loss 
agreements--to protect against catastrophic losses. We emphasize that 
it is our intent for such arrangements to be limited to catastrophic 
losses; a VBE may not use risk corridors or other like arrangements as 
a mechanism to shift an amount of financial risk that does not meet the 
spirit of this safe harbor. Similarly, we note that our proposed 
definition of ``full financial risk'' would not prohibit a VBE from 
conducting a ``back-end'' reconciliation, with resulting payment 
adjustments due to quality or financial performance metrics, provided 
again, that the reconciliation is not used as a mechanism to shift 
material financial risk back to the contracting payor.
    We also are considering other ways to define ``full financial 
risk'' in the final rule. For example, we are considering for purposes 
of the final rule including an actuarial equivalence standard similar 
to that used in the Medicare Part D context, and we request comments on 
the use of this potential standard. In addition, we seek comments about 
other situations that stakeholders believe should qualify as a VBE 
assuming ``full financial risk.'' We request that commenters provide 
specific examples of arrangements that they believe constitute ``full 
financial risk'' but that would not be covered by the definition 
proposed above.
    We propose to require that the VBE assume full financial risk 
either directly, or through a VBE participant with the legal authority 
to obligate the VBE. We note, to the extent a VBE participant wholly 
assumes risk on behalf of the VBE, it may act in both its capacity as a 
VBE participant and an agent of the VBE.
    In addition, we propose that this safe harbor would cover both 
value-based arrangements between a VBE and a VBE participant where the 
VBE has assumed full financial risk as of the date the VBE and VBE 
participant enter into the value-based arrangement, as well as value-
based arrangements between a VBE and a VBE participant where the VBE is 
contractually obligated to assume such risk but has not yet done so. We 
are mindful that a VBE that is contractually obligated to take on full 
financial risk may need lead time to develop and implement arrangements 
in anticipation of taking on full financial risk. However, we also are 
concerned about providing safe harbor protection for arrangements 
involving parties that have not yet assumed the risk that operates as a 
prerequisite and key safeguard for this safe harbor. To balance the 
need to protect start-up arrangements with our program integrity 
concerns, the safe harbor would protect arrangements between the VBE 
and the VBE participant only during the 6 months prior to the date by 
which the VBE must assume full financial risk. We solicit comments on 
whether 6 months is a sufficient timeframe, and if not, what an 
appropriate timeframe might be. We could include a longer or shorter 
timeframe in the final rule.
    We propose writing requirements in this safe harbor that are 
designed to promote transparency and accountability. First, we propose 
that the VBE have a signed writing with a payor that specifies the 
target patient population and contains terms sufficient to demonstrate 
that the VBE is at full financial risk for the target patient 
population for at least 1 year. Our intent in proposing a length-of-
time requirement is to minimize gaming opportunities that could arise 
if the VBE assumes full financial risk for a short time period in order 
to take advantage of the proposed safe harbor's flexibility but without 
meaningfully committing to the transition to full financial risk. 
Second, we propose that the parties set forth the material terms of the 
value-based arrangement in a signed writing, including the value-based 
activities to be undertaken by the parties, and that the arrangement 
must be for a period of at least 1 year.
    We propose that the term of the value-based arrangement must be for 
a period of at least 1 year to ensure that the VBE participant is 
committed to coordinating care for the target patient population of the 
VBE that has taken on full financial risk.
    We propose that the VBE participant cannot claim additional or 
separate payment in any form directly or indirectly from a payor for 
items or services covered under the value-based arrangement. For 
purposes of this safe harbor, we propose that the phrase ``items or 
services'' would have the meaning set forth in paragraph 
1001.952(t)(2)(iv), which defines ``items and services'' as: ``Health 
care items, devices, supplies or services or those services reasonably 
related to the provision of health care items, devices, supplies or 
services including, but not limited to, non-emergency transportation, 
patient education, attendant services, social services (e.g., case 
management), utilization review and quality assurance. Marketing and 
other pre-enrollment activities are not `items or services' for 
purposes of this section.''
    If the VBE participant is permitted to seek additional payment for 
items or services furnished to the target patient population from a 
payor, the safe harbor would not protect the value-based arrangement. 
For example, protection under the safe harbor would not extend to 
payment made by a VBE to a VBE participant for telehealth services 
furnished to the target patient population if the VBE participant could 
also claim separate payment for such services from a payor. Value-based 
arrangements that permit VBE participants to claim separate payment 
from a payor are not ``full risk.'' Such arrangements potentially 
involve mixed financial incentives for providers, and parties would 
need to seek protection for such arrangements under one of the other 
proposed safe harbors. This requirement would permit VBE participants 
to bill a payor but not claim payment (e.g., through a ``no-pay 
claim'') if required by a payor, including Medicare.
    We also propose requirements related to the remuneration. First, we 
propose that remuneration exchanged must: (i) Be used primarily to 
engage in the value-based activities set forth in the parties' signed 
writing; (ii) is directly connected to one or more of the VBE's value-
based purpose(s), at least one of which must be the coordination and 
management of care for the target patient population; and (iii) not 
induce the VBE or VBE participants to reduce or limit medically 
necessary items or services furnished to any patient. We propose to 
interpret these conditions consistent with the similar conditions in 
the proposed care coordination arrangements safe harbor at 
1001.952(ee).
    Second, we propose to require that the VBE and VBE participant must 
not take into account the volume or value of, or condition the 
remuneration exchanged on: (i) Referrals of patients who are not part 
of the target patient population or (ii) business not covered under the 
value-based arrangement. This requirement would preclude protection 
under the safe harbor for remuneration that is part of a broader 
``swapping'' arrangement to steer patients outside of the target 
patient population to the party offering the remuneration. We solicit 
comments on this condition and any additional safeguards that we should 
include in this safe harbor to mitigate the risk of problematic 
swapping arrangements in order to prevent the safe harbor from being 
used to protect payments for referrals that are not part of the value-

[[Page 55721]]

based arrangement. We would have significant concerns with a VBE 
participant entering into a purported value-based arrangement in which 
it offers the VBE a reduced rate for patients in the target patient 
population in exchange for gaining access to that VBE's other patients.
    We propose to require that the VBE provide or arrange for: (i) An 
operational utilization review program and (ii) a quality assurance 
program that protect against underutilization and specify patient 
goals, including measurable outcomes, where appropriate. These 
conditions mirror those found in the existing safe harbor at paragraph 
1001.952(u), which were derived from the then-current regulatory 
requirements for plans operating under section 1876 of the Act. We are 
considering for the final rule whether there may be other ways to frame 
this requirement that meet the spirit of the conditions in paragraph 
1001.952(u) but are updated to reflect the utilization review and 
quality assurance mechanisms in place today.
    Like the proposed care coordination arrangements and substantial 
downside financial risk safe harbors and for the reasons explained in 
connection with those proposals, we are considering for the final rule 
requiring the submission to the Department of information about VBEs, 
VBE participants, and value-based arrangements for safe harbor 
protection. We welcome comments on this. As discussed in the care 
coordination arrangements safe harbor section, we also are considering 
for the final rule a condition prohibiting VBEs or VBE participants 
from billing Federal health care programs, other payors, or individuals 
for remuneration exchanged pursuant to the safe harbor; claiming the 
value of the remuneration as a bad debt for payment purposes under a 
Federal health care program; or otherwise shifting costs to a Federal 
health care program, other payors, or individuals.
    We also propose requirements that (i) the value-based arrangement 
does not include marketing to patients of items or services or engaging 
in patient recruitment activities; and (ii) the VBE or its VBE 
participants maintain documentation sufficient to demonstrate 
compliance with the safe harbor's conditions and make such records 
available to the Secretary upon request. We are considering for the 
final rule and seek comment regarding whether we should include, in the 
final rule, a condition regarding the maintenance of materials and 
records sufficient to establish compliance with the conditions of this 
safe harbor for a set period of time (e.g., at least 6 years or 10 
years). We would interpret these requirements as described with respect 
to the care coordination arrangements safe harbor and would include 
them in this safe harbor for the reasons articulated there.
    In addition, we note that, as proposed, this safe harbor would 
apply only to remuneration exchanged between a VBE and a VBE 
participant pursuant to a value-based arrangement. The proposed full 
financial risk safe harbor would not protect remuneration exchanged 
between or among VBE participants that are part of the same VBE, 
remuneration exchanged between a VBE participant and a downstream 
contractor, or remuneration between two downstream contractors. 
However, nothing prevents these parties from turning to other available 
safe harbors for protection.
    We are considering for the final rule and solicit comments on 
whether to extend this safe harbor to remuneration that passes from a 
VBE participant to a downstream contractor (which also could be, but 
may not be required to be, a VBE participant). While we recognize that 
increased flexibility at the VBE participant level may foster 
innovation, we are concerned that these downstream arrangements present 
higher risks of fraud and abuse because the VBE participants and 
downstream contractors exchanging the remuneration may have assumed 
little or no financial risk. As such, they may continue to be subject 
to the potential risks inherent in any FFS financial arrangements, 
namely, incentives to order medically unnecessary or overly costly 
items and services. For these reasons, we are considering for the final 
rule, and solicit comments on, the following:
     In addition to the safeguards proposed in paragraph 
1001.952(gg), whether additional safeguards could be implemented under 
the full financial risk safe harbor (or a different proposed safe 
harbor) to ensure that legitimate arrangements between VBE participants 
and downstream contractors that advance the value-based purpose(s) of 
the VBE are protected.
     For purposes of protecting downstream arrangements, 
whether we should incorporate some of the safeguards proposed in the 
safe harbor for care coordination arrangements or the safe harbor for 
parties at substantial downside financial risk. If so, whether certain 
safeguards would best capture our need to protect against fraud and 
abuse risks with the recognition that we do not want to impose undue 
burden on parties to these arrangements.
     If we were to protect certain downstream arrangements, 
whether we should limit protection to arrangements between VBE 
participants that are part of the same VBE, or we should extend 
protection to arrangements between: (i) A VBE participant and a 
downstream contractor, (ii) arrangements between two downstream 
contractors, or (iii) both. We request that any comments include 
specific examples of downstream arrangements that may not be protected 
under existing safe harbors or any of the safe harbors proposed under 
this rulemaking but warrant protection under this proposed safe harbor 
because of the level of risk assumed by the VBE.

F. Arrangements for Patient Engagement and Support To Improve Quality, 
Health Outcomes, and Efficiency (1001.952(hh))

    We propose to establish a new safe harbor at proposed paragraph 
1001.952(hh) to protect certain arrangements for patient engagement 
tools and supports to improve quality, health outcomes, and efficiency 
furnished by VBE participants, as defined in proposed paragraph 
1001.952(ee), to specified patients. This safe harbor, hereinafter the 
``patient engagement and support safe harbor,'' is intended to remove 
barriers presented by the anti-kickback statute and the beneficiary 
inducements CMP \26\ to providers offering patients beneficial tools 
and supports to improve quality, health outcomes, and efficiency, by 
promoting patient engagement with their care and adherence to care 
protocols. Commenters to the OIG RFI overwhelmingly supported such a 
safe harbor, with appropriate safeguards.
---------------------------------------------------------------------------

    \26\ A practice permissible under the anti-kickback statute, 
whether through statutory exception or regulations issued by the 
Secretary, is also excepted from the beneficiary inducements CMP. 
Section 1128A(i)(6)(B) of the Act.
---------------------------------------------------------------------------

    Achieving well-coordinated care and improving value require 
patients to actively participate and engage in their preventive care, 
treatment, and general health. To prevent illness or disease or to 
manage a disease or condition effectively, patients must be involved in 
their healthcare and be empowered to make informed healthcare-related 
decisions. Appropriate patient engagement tools and supports can foster 
successful behavior modifications that improve health, ensure that 
patients receive the medically necessary care and other nonclinical, 
but health-related, items and services they need, and improve adherence 
to an appropriate treatment regimen.
    In some cases, improved care coordination may be facilitated 
through various supports, including, for

[[Page 55722]]

example, providing supports that aim to improve patients' safety at 
home or during care transitions (including discharge from facility care 
to the community) or that allow providers to communicate more 
efficiently and effectively with patients and their families and to 
monitor their patients' care. However, we also are cognizant of the 
potential for improper patient engagement tools and supports to result 
in inappropriate utilization, the steering of patients to particular 
providers, suppliers, or products that might not be in their best 
interests, increased costs to payors and patients, and anti-competitive 
effects.
    Depending on the facts and circumstances, providing patient 
engagement tools and supports may implicate the Federal anti-kickback 
statute and the beneficiary inducements CMP. Some tools and supports 
may be protected under existing safe harbors or exceptions to the 
definition of ``remuneration'' under the beneficiary inducements CMP 
(e.g., the local transportation safe harbor, 42 CFR 1001.952(bb); the 
exception for remuneration that promotes access to care and poses a low 
risk of harm to patients and Federal health care programs, 42 CFR 
1003.110; and the exception for incentives given to individuals to 
promote the delivery of preventive care, 42 CFR 1003.110). In addition, 
for CMS-sponsored models, some patient engagement tools and supports 
may qualify for protection under the Medicare Shared Savings Program's 
waiver for patient incentives \27\ or a waiver available for 
beneficiary incentives offered under an applicable Innovation Center 
model.\28\ However, under certain facts and circumstances, no safe 
harbor, exception, or waiver may be available to protect beneficial 
patient engagement tools and supports that implicate the anti-kickback 
statute, beneficiary inducements CMP, or both. These arrangements must 
be evaluated on a case-by-case basis for compliance with the statutes.
---------------------------------------------------------------------------

    \27\ Medicare Program; Final Waivers in Connection With the 
Shared Savings Program, 80 FR 66726, 66743 (Oct. 29, 2015).
    \28\ See, e.g., Notice of Waivers of Certain Fraud and Abuse 
Laws in Connection with the Bundled Payments for Care Improvement 
Advanced Model (May 25, 2018), available at https://www.cms.gov/Medicare/Fraud-and-Abuse/PhysicianSelfReferral/Downloads/BPCI-Advanced-Model-Waivers.pdf.
---------------------------------------------------------------------------

    Under the proposed patient engagement and support safe harbor at 
paragraph 1001.952(hh), ``remuneration'' under the Federal anti-
kickback statute would not include in-kind patient engagement tools or 
supports (as specified in proposed paragraph 1001.952(hh)) furnished 
directly by a VBE participant (as defined in proposed paragraph 
1001.952(ee)) to a patient in a target patient population (as defined 
in proposed paragraph 1001.952(ee)), that are directly connected to the 
coordination and management of care (as defined in proposed paragraph 
1001.952(ee)), provided that all of the conditions of proposed 
paragraph 1001.952(hh) are satisfied.
1. Limitations on Offerors
    Under this proposal, only patient engagement tools and supports 
furnished by a VBE participant, as defined in proposed paragraph 
1001.952(ee), would receive protection. Our intent in proposing to 
limit safe harbor protection to VBE participants is to align the safe 
harbor with the value-based framework set forth in this proposed 
rulemaking. We are mindful that this approach would require the offeror 
of the remuneration to be part of a VBE (of any size) as defined at 
proposed paragraph 1001.952(ee). We are soliciting comments, including 
illustrative fact patterns, about potential patient engagement tools 
and supports that would improve care coordination and health outcomes 
where the offeror does not meet the proposed definition of a VBE 
participant because the offeror is not part of a VBE.
    For example, we are considering for the final rule safe harbor 
protection for, and seek comments regarding, a hospital's or physician 
group practice's provision of patient engagement tools and supports 
that would advance coordination and management of care for a patient 
and otherwise satisfy conditions similar to those set forth in the 
proposed safe harbor, but where such hospital or physician group 
practice is not part of a VBE. We seek comments on the fraud and abuse 
risks associated with removing the requirement that the offeror is a 
VBE participant and what additional safeguards would be appropriate to 
offset those risks.
    Pharmaceutical manufacturers, distributors, and suppliers of 
DMEPOS, and laboratories are not included in the proposed definition of 
``VBE participant'' in paragraph 1001.952(ee) for the reasons described 
earlier in this preamble. In addition to the reasons for exclusion of 
pharmaceutical manufacturers in the definition of ``VBE participant'' 
previously articulated, we believe that offers of remuneration by such 
manufacturers to patients could improperly influence the patient, as 
well the patient's clinician's decision to prescribe one drug over 
another. Such remuneration could influence a patient to request a 
particular drug that is more expensive or less clinically efficacious 
than other clinically equivalent drugs. This could both improperly 
influence patient choice and increase costs to Federal health care 
programs--two factors cited by Congress to consider when developing 
safe harbors--without necessarily increasing quality.
    As noted above, we also are excluding manufacturers, distributors, 
and suppliers of DMEPOS and laboratories from the definition of a VBE 
participant. Based on long-standing enforcement and oversight 
experience, we are concerned that manufacturers, distributors, and 
suppliers of DMEPOS and laboratories may inappropriately use patient 
engagement tools and supports to market their products or divert 
patients from a more clinically appropriate item or service, provider, 
or supplier without regard to the best interests of the patient or to 
induce medically unnecessary demand for items and services.
    We are interested in comments on the impact of any such exclusions, 
if included in the final rule, for the patient engagement and support 
safe harbor in particular and any negative impact on the provision of 
potentially beneficial tools and supports. We seek comments regarding 
whether the proposed exclusion of these entities from the definition of 
``VBE participant,'' and the proposed condition at (hh)(2), limiting 
funding by and other contributions from non-VBE participants, might 
negatively impact patients' ability to receive beneficial items and 
services, including new technologies that may foster better access to 
care and improve health outcomes.
    As noted above, we also are considering whether to exclude other 
categories of suppliers and other entities, including pharmacies, PBMs, 
wholesalers, and distributors from the definition of ``VBE 
participant.'' \29\ We solicit comments on the potential impact of our 
considered exclusion of pharmacies, PBMs, wholesalers, and 
distributors, if included in the final rule, for the patient engagement 
and support safe harbor in particular.
---------------------------------------------------------------------------

    \29\ Note that, should we adopt the definition of ``applicable 
manufacturer'' as set forth in in 42 CFR 403.902, such definition 
would include distributors and wholesalers (which include re-
packagers, re-labelers, and kit assemblers) that hold title to a 
covered drug, device, biological or medical supply.
---------------------------------------------------------------------------

    We also are considering, and seek comment on, whether this proposed 
safe harbor should protect only in-kind tools and supports furnished by 
VBE participants that assume at least some

[[Page 55723]]

financial risk, so as to better align protected remuneration with 
value-based purposes. In particular, if we were to limit safe harbor 
protection to only VBE participants that assume financial risk, we are 
considering, and seek comments regarding, the appropriate level of 
financial risk to require of such VBE participants (e.g., VBE 
participants that assume at least some downside financial risk or VBE 
participants that assume substantial downside financial risk).
2. Limitations on Recipients
    This proposed safe harbor would protect patient engagement tools 
and supports furnished to patients in a target patient population (as 
defined in proposed paragraph 1001.952(ee)). We note that the scope of 
this proposed safe harbor would not be limited to Federal health care 
program beneficiaries in recognition that the VBE or VBE participants 
may define the target patient population without regard to payor type. 
We solicit comments on whether we should instead provide safe harbor 
protection for tools and supports VBE participants furnish to a broader 
universe of patients by, for example, protecting patient engagement 
tools and supports furnished by VBE participants to any patient, so 
long as the tools and supports predominantly address needs of the 
target patient population and the tools and supports have a direct 
connection to the coordination and management of care for the patient.
    We recognize that some VBEs may not be able to prospectively 
identify the individual patients in the target patient population. For 
example, in some accountable care organization (ACO) arrangements under 
CMS-sponsored models, beneficiaries are assigned to the ACO, which 
could be a VBE, retrospectively or on a preliminary prospective basis 
(e.g., for agreement periods beginning on July 1, 2019, ACOs 
participating in the Medicare Shared Savings Program may select 
preliminary prospective assignment with retrospective 
reconciliation).\30\ We are interested in stakeholder comments on the 
challenges, if any, presented by the safe harbor's protection of only 
patient engagement tools and supports furnished to patients in the 
target patient population when the VBE's assigned beneficiaries are 
identified retrospectively or on a preliminary prospective basis.
---------------------------------------------------------------------------

    \30\ 42 CFR 425.400(a)(4)(ii). We offer this as an illustrative 
example. Participants in the Medicare Shared Savings Program and 
Innovation Center ACO models have existing fraud and abuse law 
waivers and may not need new safe harbor protection.
---------------------------------------------------------------------------

3. Limitations on Type of Remuneration
    The proposed safe harbor would protect only tools or supports, as 
specified in proposed 1001.952(hh), furnished by a VBE participant to a 
patient in the target patient population. As proposed in 
1001.952(hh)(3)(i), (ii) and (iii), we would limit a patient engagement 
``tool or support'' to in-kind, preventive items, goods, or services, 
or items, goods, or services such as health-related technology, patient 
health-related monitoring tools and services, or supports and services 
designed to identify and address a patient's social determinants of 
health, that have a direct connection to the coordination and 
management of care of the target patient population. This limitation on 
tools or supports would exclude gift cards, cash, and any cash 
equivalent (e.g., a check or pre-paid debit card).
    We do not propose a specific definition of ``preventive care item 
or service'' to provide flexibility for VBE participants that seek to 
furnish preventive care items and services as a means to improve 
patient outcomes and better overall patient health.\31\ OIG is mindful 
of the evolving nature of clinical practice guidelines and 
recommendations for practices that are categorized as ``preventive 
care,'' and we intend to allow this proposed safe harbor to protect the 
provision of tools and supports that a VBE participant reasonably 
determines, within the medical judgment of the applicable practitioner 
treating the patient, to be preventive care. VBE participants would 
need to exercise caution in ensuring that tools and supports for which 
they desire safe harbor protection are reasonably considered preventive 
care.
---------------------------------------------------------------------------

    \31\ We do not intend to incorporate the definition of 
``preventive care'' found in the regulations interpreting the 
beneficiary inducements CMP, 42 CFR 1003.110. Note that the 
definitions found at 42 CFR 1003.110 apply to part 1003, not part 
1001, where the proposed 42 CFR 1001.952(hh) would be located.
---------------------------------------------------------------------------

    We solicit comments on whether the categories of patient engagement 
tools and supports listed above that would receive protection (i.e., 
health-related technology, patient health-related monitoring tools and 
services, or supports and services designed to identify and address a 
patient's social determinants of health) are sufficiently flexible but 
also sufficiently targeted to protect against the risks of fraud and 
abuse associated with providing inappropriate remuneration to patients. 
For instance, we believe ``health-related technology'' and ``patient 
health-related monitoring tools and services'' might include wearable 
monitoring devices, such as a smart watch or tracker designed to 
collect information and transmit data to a patient's physician for 
treatment or disease monitoring. We are considering for purposes of the 
final rule requiring that the VBE participant confirm that the tools 
and services provided to a patient are not duplicative of, or 
substantially the same as, tools and services the patient already has. 
For example, we are considering whether the safe harbor should protect 
the provision of a new cell phone or wireless service to a patient who 
needs an application for remote patient monitoring if the patient 
already has these products and only needs the application.
    With respect to the provision of supports and services designed to 
identify and address social determinants of health, many commenters to 
the OIG RFI urged us to consider ``social determinants of health,'' 
also described as ``health-related nonmedical'' items, goods, and 
services, that address basic needs essential to patients' health, such 
as food, shelter, safety, clothing, income, and transportation, in 
designing any proposed safe harbors. There is substantial evidence that 
unmet social needs related to these determinants of health, such as 
transportation, nutrition, and safe housing, play a critical role in 
health outcomes and expenditures.\32\ These needs must be considered 
when thinking about maximizing health outcomes and lowering healthcare 
costs.
---------------------------------------------------------------------------

    \32\ See, e.g., Michael Marmot et al., on behalf of the World 
Health Organization and Commission on Social Determinants of Health, 
Closing the gap in a generation: Health equity through action on the 
social determinants of health, 372 Lancet 9650 (2008), available at 
https:/www.thelancet.com/journals/lancet/issue/vol372no9650/PIIS0140-6736(08)X6047-7; Gayle Shier et al., Strong Social Support 
Services, Such As Transportation And Help For Caregivers, Can Lead 
To Lower Health Care Use And Costs, 32 Health Affairs 3 (2013), 
available at https://www.healthaffairs.org/doi/pdf/10.1377/hlthaff.2012.0170.
---------------------------------------------------------------------------

    Evidence indicates that efforts that target home and neighborhood-
level factors, such as healthcare accessibility for low-income 
individuals, physical and environmental obstructions to healthy living, 
and housing and case management, can lead to improved health outcomes 
for people of all ages.\33\ These improved health outcomes include 
decreased mortality, delay or prevention of preventable and chronic

[[Page 55724]]

diseases, and lowered healthcare utilization, indicating a higher 
quality of life.\34\
---------------------------------------------------------------------------

    \33\ See, e.g., J. Michael McGinnis, Pamela Williams-Russo, and 
James R. Knickman, The Case For More Active Policy Attention To 
Health Promotion, 21 HEALTH AFFAIRS 2 (Mar. 2002), available at 
https://www.healthaffairs.org/doi/10.1377/hlthaff.21.2.78.
    \34\ Marmot, supra.
---------------------------------------------------------------------------

    By addressing health disparities that emerge from the social 
determinants of health, some research suggests that the United States 
could save over $230 billion in medical care costs.\35\ Moreover, there 
is research suggesting that policy interventions that focus on the 
social determinants of health can produce an estimated economic return 
of $1.02 trillion.\36\
---------------------------------------------------------------------------

    \35\ McGinnis, supra.
    \36\ McGinnis, supra.
---------------------------------------------------------------------------

    Based on the connection of social determinants to healthcare 
outcomes and costs, we are considering for purposes of the final rule 
whether explicitly to include protection for tools and supports that 
address some social determinants of health that meet all other safe 
harbor conditions. While all social determinants have the potential to 
improve health outcomes, some social determinants may be more 
specifically aligned with preventive care and the coordination and 
management of care for patients (e.g., transportation to medical 
appointments, nutrition to address clinical conditions, safe housing 
for patients discharged to their homes) than others (e.g., a more 
general need for income through employment). We seek public input on 
which social determinants are most crucial to improving care 
coordination and transitioning to value-based care and payment, with 
respect both to needed arrangements between providers or others in a 
position to generate Federal health care program referrals between 
them, and needed arrangements between beneficiaries and providers or 
others in a position to influence the selection of providers, 
practitioners, and suppliers.
    We are considering, and solicit comments on, how the final safe 
harbor should make distinctions among the categories of social 
determinants, such as protecting some types of tools and supports but 
not others. We are considering for the final rule whether we should 
specify specific tools and supports that would be permissible, 
including whether to base such a list on the types of tools and 
supports described in CMS guidance for the Medicare and Medicaid 
programs. We are interested in illustrative examples and data 
supporting commenters' views on this topic, including data supporting 
(or not supporting) the efficacy from a quality, effectiveness, and 
cost perspective of particular types of tools and supports related to 
addressing social determinants of health. Regardless, whether a 
particular tool or support would, in fact, be protected under the safe 
harbor when offered by a VBE participant to a patient in a target 
patient population would depend on the facts and circumstances and 
whether all safe harbor conditions were satisfied.
    We solicit comments on whether, instead of using the proposed 
categories, the final rule should list specific tools and supports that 
could be protected under the safe harbor. We are interested in feedback 
on which tools and supports should be listed and how the rule could 
account for emerging tools and supports that improve patient 
engagement, care coordination, and health outcomes.
    We do not intend for tools and supports protected by this proposed 
safe harbor, which includes only in-kind items, goods, and services, to 
be limited to items or services covered by a Federal health care 
program (as the term of art, ``items or services,'' when used in the 
context of the Medicare program, could suggest).\37\ In general, the 
provision of covered items and services to patients does not require 
safe harbor protection provided that all normal billing rules are 
followed. That said, the proposed description of a permissible tool or 
support would include federally reimbursable items and services, and 
provided that the other requirements of the safe harbor are satisfied, 
the provision of federally reimbursable items and services could 
receive safe harbor protection.
---------------------------------------------------------------------------

    \37\ While OIG's regulations found at 42 CFR 1003.110 define 
``items and services or items or services,'' we do not cross-
reference such definition in this proposed safe harbor, nor do we 
propose to limit the items, goods, and services potentially 
protected by this proposed safe harbor to the items and services 
that would satisfy the definition found at 42 CFR 1003.110. Note 
also that the definitions found at 42 CFR 1003.110 apply to part 
1003, not part 1001, where the proposed 42 CFR 1001.952(hh) would be 
located.
---------------------------------------------------------------------------

    We seek comment on potential fraud and abuse risks presented by 
including items and services that could be reimbursable by a Federal 
health care program as permitted tools or supports. We are aware of, 
and deeply concerned about, fraud schemes that involve the provision of 
items and services, including prescription opioids or other drugs, that 
are not needed by patients or that are harmful to them. We do not 
propose to protect such arrangements in this rulemaking, and such 
arrangements would not be protected in any final rule. Further, as OIG 
has previously stated, we are concerned that the provision of 
potentially reimbursable items and services, for free, could result in 
steering or unfair competition or could create a seeding arrangement, 
where, for example, a physician could be influenced to prescribe an 
item or service, which may be free at some point, but would be covered 
by a third-party payor (including Federal health care programs) in the 
future.\38\ Because of the risks presented by allowing safe harbor 
protection for the provision of potentially reimbursable items and 
services, including inappropriate seeding arrangements or the provision 
of medically unnecessary or harmful items or services, we are 
considering, and seek comment on, excluding in the final rule federally 
reimbursable items and services as a protected tool or support. As 
discussed further below, the proposed patient engagement and support 
safe harbor would not protect cost-sharing waivers, and thus would not 
protect billing a Federal program while waiving the beneficiary's share 
of payment.
---------------------------------------------------------------------------

    \38\ Adv. Op. No. 18-14, available at https://oig.hhs.gov/fraud/docs/advisoryopinions/2018/AdvOpn18-14.pdf.
---------------------------------------------------------------------------

    The in-kind requirement means that the patient must receive the 
actual tool or support and not funds to purchase the tool or support. 
For example, patients may not be given cash reimbursements for items or 
goods they purchase directly. While cash reimbursements for tools and 
supports would not satisfy the in-kind requirement, we would consider a 
voucher for a particular tool or support (e.g., a meal voucher or a 
voucher for a taxi) to satisfy the in-kind requirement.
a. Cash and Cash Equivalent Incentives
    A number of commenters responding to the OIG RFI urged OIG to 
protect the distribution of cash incentives to patients as a reward for 
engaging in certain healthcare-related activities. For example, 
providers responding to the OIG RFI stated that they would like 
protection to provide cash rewards to patients both for attending 
appointments (e.g., $10 for patients who attend an initial primary care 
visit) and for engaging in activities designed to promote the adoption 
and maintenance of healthy behaviors (e.g., a $25 check offered to 
patients who complete milestones in a behavioral modification program 
related to substance use disorders). Commenters cited a number of 
studies in support of this recommendation.\39\
---------------------------------------------------------------------------

    \39\ See, e.g., Cathy J. Bradley & David Neumark, Small Cash 
Incentives Can Encourage Primary Care Visits by Low-Income People 
with New Health Care Coverage, 36 Health Affairs 8 (2017), https://www.healthaffairs.org/doi/10.1377/hlthaff.2016.1455; Scott D. 
Halpern, MD, Ph.D. et al., Randomized Trial of Four Financial-
Incentive Programs for Smoking Cessation, 372 New Eng. J. Med. 2108 
(2015), https://www.nejm.org/doi/full/10.1056/NEJMoa1414293.

---------------------------------------------------------------------------

[[Page 55725]]

    Commenters to the OIG RFI noted that incentives and supports in the 
form of cash could help improve patients' adherence to treatment plans, 
encourage participation in medically necessary care, and motivate 
patients to lead healthier lifestyles. In addition, commenters to the 
OIG RFI posited, and some research suggests, that patients prefer cash 
to in-kind items, goods, or services and that cash may be more 
effective at maintaining patient engagement and encouraging and 
reinforcing positive behavioral change. We also have observed 
congressional interest in allowing providers to offer beneficiaries 
cash through, by way of example, the recent enactment of the ACO 
Beneficiary Incentive Program, section 1899(m) of the Act. However, OIG 
historically has had significant concerns with allowing providers to 
offer cash or cash equivalents to patients, and our oversight and 
enforcement experience suggests that cash incentives can: (i) Result in 
medical identity theft and misuse of patients' Medicare numbers, (ii) 
lead to inappropriate utilization (in the form of medically unnecessary 
items and services), and (iii) cause improper steering (including 
patients selecting a provider because the provider offers the most 
valuable incentives and not because of the quality of care the provider 
furnishes).
    Notwithstanding, we are considering for the final rule, and seek 
comment on, whether to protect patient incentives and supports in the 
form of cash and cash equivalents in certain circumstances.\40\ If we 
do so, we might set a monetary limit on the aggregate amount of 
remuneration provided annually (such as up to $75 per year, or higher 
or lower amounts) \41\ or include other safeguards to prevent the 
misuse of cash incentives to steer patients to items or services to 
influence them to allow others to use their personal information to 
order unnecessary or inappropriate items and services. Further, we 
likely would limit the use of cash remuneration to reward patients for 
attending medically necessary primary care or other clinically 
prescribed treatment visits, or for successful participation in a 
clinically appropriate behavioral modification or substance use 
disorder treatment program. If we were to adopt this approach, we would 
consider requiring offerors to have an evidence-based reason for using 
cash to influence patients' adherence to a treatment regimen or 
clinical program. (This might be the case, depending on the evidence, 
with respect to a substance use disorder treatment or smoking cessation 
program.) We solicit comment on potential criteria a party may apply to 
ensure that the arrangement is evidence-based, such as ensuring the 
arrangement is supported by the Joint Commission, the Agency for 
Healthcare Research and Quality, or other independent organization that 
develops national quality standards or quality measures.
---------------------------------------------------------------------------

    \40\ OIG continues to consider items convertible to cash (such 
as a check) or that can be used like cash (such as a general purpose 
debit card) to be cash equivalents.
    \41\ The $75 amount parallels OIG's 2016 ``Office of Inspector 
General Policy Statement Regarding Gifts of Nominal Value to 
Medicare and Medicaid Beneficiaries Policy Statement,'' which 
currently sets the retail value of permissible ``inexpensive'' or 
``nominal value'' gifts at $15 per item and $75 in the aggregate per 
patient on an annual basis. See OIG, Office of Inspector General 
Policy Statement Regarding Gifts of Nominal Value to Medicare and 
Medicaid Beneficiaries (Dec. 7, 2016), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf.
---------------------------------------------------------------------------

b. Waiver or Reduction of Cost-Sharing Obligations
    A number of the comments we received in response to the OIG RFI 
advocated broad protection from potential anti-kickback statute and 
beneficiary inducements CMP liability for routinely waived or reduced 
cost-sharing obligations. As an initial matter, we note that the 
requirement for cost-sharing in Medicare and Medicaid is a programmatic 
matter; cost-sharing is required pursuant to statute and regulations 
set forth by CMS and State Medicaid programs. We do not believe safe 
harbors to the anti-kickback statute are the right tool to obviate 
these programmatic requirements. Our concerns regarding routine waivers 
of cost-sharing amounts are longstanding; \42\ such routine waivers may 
constitute prohibited remuneration to induce referrals. Therefore, as 
proposed, the patient engagement and support safe harbor would not 
protect the routine waiver or reduction of cost-sharing obligations 
(including coupons leading to such waivers or reductions).
---------------------------------------------------------------------------

    \42\ See, e.g., Special Fraud Alert: Routine Waiver of 
Copayments or Deductibles Under Medicare Part B, 59 FR 65372, 65374 
(Dec. 19, 1994).
---------------------------------------------------------------------------

    We are interested in comments that identify potential benefits of 
permitting in the final rule the waiver or offset of cost-sharing 
obligations where the cost-sharing waiver or offset of obligations is 
part of a value-based arrangement under our value-based framework. In 
addition, we solicit comments on any safeguards that would mitigate 
concerns that routine waivers of cost-sharing amounts might undermine 
prudent consumer incentives of cost-sharing or might allow for abusive 
``insurance-only billing'' marketing schemes targeting patients for 
unnecessary or poor-quality items or services.
    Long-standing OIG guidance allows for non-routine, good-faith 
financial need cost-sharing waivers,\43\ and several safe harbors and 
beneficiary inducements CMP exceptions already offer protection for 
certain reductions, waivers, and differentials in cost-sharing, such as 
the exception for the waiver of cost-sharing amounts found at section 
1128A(i)(6)(A) of the Act and 42 CFR 1003.110. Those safe harbors and 
exceptions remain available and unchanged by this proposal. We also are 
proposing protection for certain cost-sharing waivers or reductions 
under the CMS-sponsored model patient incentives safe harbor, proposed 
at 1001.952(ii). As noted above, many VBE participants that would avail 
themselves of the patient engagement and support safe harbor would not 
be subject to programmatic requirements, oversight, or monitoring 
comparable to CMS-sponsored models. Therefore, cost-sharing waivers or 
reductions offered and provided under the CMS-sponsored models may 
present fewer risks.
---------------------------------------------------------------------------

    \43\ See, e.g., OIG, Special Fraud Alert, 59 FR 65372, 65374 
(Dec. 19, 1994).
---------------------------------------------------------------------------

    We are aware of concerns expressed by some stakeholders about the 
collection of small beneficiary cost-sharing amounts associated with 
certain care coordination services, such as care management and remote 
monitoring, where the costs of collection exceed the amount to be 
collected. Stakeholders would like safe harbor protection for waivers 
of such cost-sharing amounts. We are considering for the final rule 
whether limited safe harbor protection for such waivers might be 
appropriate, including whether such safe harbor protection would be 
consistent with the program rules establishing such beneficiary cost-
sharing amounts. We are considering for the final rule, and seek 
comment regarding, what conditions we should include in any safe harbor 
for limited cost-sharing waivers that would protect only cost-sharing 
waivers associated with certain specified services, such as care 
management and remote monitoring. If we were to finalize such a safe 
harbor, we likely would include conditions similar to those set forth 
in proposed 1001.952(hh).
    Finally, we are aware of interest among some stakeholders in 
offering patients a share of savings the patients help generate for a 
payor. For example, a patient who selects a clinically

[[Page 55726]]

appropriate but less costly setting to obtain services (e.g., home-
based services instead of a treatment in a facility) might share in the 
savings realized from the lower cost care setting. We believe that in 
many cases, this type of program would be part of a plan's benefit 
design. The need for new safe harbor protection for this type of 
arrangement is unclear, and we solicit comments on this issue.
c. Gift Cards
    OIG has never considered gift cards to be in-kind items, goods, or 
services. The limitation of ``tool or support'' proposed in paragraph 
1001.952(hh) would be consistent with OIG's position that gift cards 
are not in-kind items, goods, and services. OIG recognizes certain 
risks attendant to providing gift cards as patient engagement tools and 
supports, some of which may make gift cards indistinguishable from cash 
(e.g., we recognize that consumers can sell or trade gift cards through 
gift card redemption sites, which could result in a gift card morphing 
into cash). Similar to cash and cash equivalents, OIG is concerned that 
tools and supports in the form of gift cards could induce patients to 
seek medically unnecessary items and services--leading to inappropriate 
utilization--and could result in providers improperly steering patients 
through offering valuable incentives in the form of gift cards.
    Nevertheless, because gift cards may be effective at promoting 
behavioral change, OIG is considering whether to include protection for 
gift cards in limited circumstances, for example, where they are 
provided to patients with certain conditions, such as substance use 
disorders and behavioral health conditions, as part of an evidence-
based treatment program, for the purpose of effecting behavioral 
change. OIG seeks comments on the potential inclusion of gift cards in 
limited circumstances such as these and requests citations to any 
recent studies assessing the positive or negative effects of gift card 
incentives on promoting behavioral change. OIG also solicits comments 
on whether and how including gift cards as allowable ``tools or 
supports'' in the circumstances described above would raise the risk of 
fraud and abuse and specifically whether it would present any anti-
competitive effects, particularly for smaller providers and suppliers. 
OIG also is considering and seeks comment on what additional 
safeguards, such as limiting protection for gift cards to those that 
are not pre-paid debit cards,\44\ we should include to the extent the 
safe harbor protects the provision of gift cards.
---------------------------------------------------------------------------

    \44\ OIG recognizes that gift cards can take a number of forms, 
including tangible gift cards, electronic gift cards, and the 
replenishment of funds available, through a smartphone application, 
to purchase items, goods, or services at a particular entity.
---------------------------------------------------------------------------

4. Additional Proposed Conditions
    The patient engagement and support safe harbor would impose a 
number of conditions on the provision of protected patient engagement 
tools and supports. The intent of these safeguards is to balance the 
potential benefits of tools and supports with safeguards that minimize 
the risk of harm to patients, payors, or both.
a. Furnished Directly to the Patient
    Under the proposed condition at 1001.952(hh)(1), the tool or 
support must be furnished directly to the patient by a VBE participant. 
The reasons for this proposed condition are two-fold. First, the 
condition would prevent entities that are excluded from participating 
in a VBE from directly or indirectly furnishing tools and supports to 
patients. Second, we believe that this condition would help patients 
understand which entity or individual is furnishing the tool or 
support, which could aid patients in deciding whether to participate in 
the program or treatment regimen offered. We are considering for the 
final rule and seek comment on whether we should include a condition in 
the final safe harbor that would require the VBE participant to provide 
any patient receiving a patient engagement tool or support a written 
notice describing: (i) The VBE participant that is giving the patient 
the tool or support; (ii) what the remuneration is; and (iii) the 
purpose of, or reason for, the remuneration. We solicit comments on 
whether we should expressly permit the VBE participant to furnish the 
tool or support through someone acting on the VBE participant's behalf 
and under the VBE participant's direction (e.g., a physician practice 
that provides the tool or support through an individual member of the 
practice or nurse employed by the practice). We also seek comments on 
the applicability of the proposed safe harbor to potential arrangements 
by which a VBE participant orders or arranges for the delivery of a 
tool or support from an independent third party.
b. Funding Limitations
    Under the proposed condition at 1001.952(hh)(2), we limit who can 
fund or otherwise contribute to patient engagement tools and supports 
furnished by a VBE participant. We propose to interpret the requirement 
at 1001.952(hh)(2) to prohibit the VBE participant from accepting or 
using funds or free in-kind items or services furnished by any 
individual or entity outside of the VBE to finance or otherwise 
facilitate its patient engagement tools, supports, or both, including 
both the cost of the tool or support and any associated operating costs 
incurred through the provision of such tool or support (e.g., staff 
time dedicated to ordering or distributing blood pressure cuffs or 
technology expenses or help desk services associated with a patient 
support). We believe this requirement is necessary to reduce the 
likelihood of undue influence that could result in inappropriate 
patient steering to specific products, providers, or suppliers.
    In addition, this proposed condition would ensure that the entities 
we propose to exclude as VBE participants would not indirectly furnish 
patient engagement tools and supports under the safe harbor. For 
example, a pharmaceutical manufacturer, manufacturer, distributor, or 
supplier of DMEPOS, or laboratory could not circumvent the proposed 
exclusion from the definition of ``VBE participant'' by providing funds 
to a third-party entity and then directing or otherwise controlling any 
aspect of the third-party entity's provision of patient engagement 
tools and supports as a VBE participant. Further, this proposed 
condition would prohibit a non-VBE participant's contribution of in-
kind items and services for a VBE participant to provide to patients as 
tools or supports. By way of example, a pharmaceutical manufacturer's 
provision of free product to a VBE participant (e.g., a physician) for 
the VBE participant's distribution to patients as free product samples 
would not be protected by this proposed safe harbor.\45\ We solicit 
comments on this approach and whether there may be defined, limited 
circumstances in which non-VBE participants should be able to 
contribute or otherwise participate in the provision of tools and 
supports eligible for safe harbor protection.
---------------------------------------------------------------------------

    \45\ For further information regarding the Federal anti-kickback 
statute and beneficiary inducements CMP implications of free product 
samples, see e.g., OIG, Compliance Program Guidance for 
Pharmaceutical Manufacturers, 68 FR 23731, 23739 (May 5, 2003); Adv. 
Op. No. 08-04, available at https://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-04.pdf; Adv. Op. No. 15-11, available 
at https://oig.hhs.gov/fraud/docs/advisoryopinions/2015/AdvOpn15-11.pdf.
---------------------------------------------------------------------------

    We note that this proposed safe harbor does not address, or 
otherwise

[[Page 55727]]

prohibit, arrangements between VBE participants and others (including 
vendors and manufacturers) for the purchase and sale of tools and 
supports that the VBE participant would furnish under the safe harbor. 
Such arrangements must be assessed on a case-by-case basis for 
compliance with the Federal anti-kickback statute and any other 
applicable law.
c. Prohibition on Marketing and Patient Recruitment
    Under the proposed condition at 1001.952(hh)(3)(iii), the 
remuneration must not include any in-kind item, good, or service used 
for patient recruitment or marketing of items or services to patients. 
We do not intend to protect tools or supports that serve solely as 
patient recruitment incentives. Similarly, we do not intend to protect 
tools or supports offered to patients where the party knows or should 
know that the patient would not use the item as intended under the 
arrangement and would instead resell the item.
    We seek comments on this proposed condition, and in particular, any 
benefits of permitting in the final rule some targeted marketing or 
similar outreach to the target patient population for the purposes of 
engaging them in evidence-based prevention or wellness activities, or 
in improving population health outcomes, particularly for VBEs or VBE 
participants at financial risk for the health outcomes of the target 
patient population. As with our proposal at paragraph 1001.952(ee), we 
also are interested in comments on how best to preclude marketing of 
reimbursable items and services and patient recruitment while still 
permitting beneficial educational efforts and activities that promote 
patient awareness of care coordination activities and available tools 
and supports.
d. Direct Connection
    Under the proposed condition at 1001.952(hh)(3)(i), the tool or 
support furnished to the patient must have a ``direct connection'' to 
the coordination and management of care for the patient. We interpret 
``direct connection'' to mean that the VBE has a good faith expectation 
that the tool or support will further the VBE's coordination and 
management of care for the patient, as that concept is described in the 
proposed conditions at 1001.952(ee). Where a direct connection exists, 
it should not be difficult for the VBE and the VBE participant 
providing the patient engagement tool or support to clearly articulate 
the nexus between the tool or support and a care coordination and 
management purpose of the VBE. We believe that this requirement 
effectively balances the goals of patient engagement tools and 
supports, such as patient compliance with a plan of care and adherence 
to behavior modifications to improve overall health, with the risk that 
VBE participants could use extravagant tools or supports to steer 
beneficiaries or incentivize unnecessary or inappropriate care. 
Consistent with our goals of fostering flexibility, adaptability, and 
innovation, we are not further describing specific patient engagement 
tools and supports that would be considered to have a direct connection 
to the coordination and management of care for the patient. We are 
considering for the final rule and solicit comments on whether we 
should require a ``reasonable connection'' rather than a ``direct 
connection.''
    As an alternative or in addition to this approach, we are 
considering whether, to heighten transparency of patient engagement 
tools and supports and to ensure that qualifying patient engagement 
tools and supports are known by and closely related to the VBE itself, 
we should require the VBE to make a bona fide determination that the 
VBE participant's arrangement to provide tools and supports to patients 
is directly connected to the coordination and management of care for 
the patient, as that term is used in the proposed 1001.952(ee). We 
solicit comments on this approach.
    Lastly, we are considering for the final rule, and solicit comment 
on, whether we should require that patient engagement tools and 
supports be directly connected to any of the four value-based purposes, 
as opposed to requiring a direct connection specifically to the 
coordination and management of the patient's care.
e. Medical Necessity
    Under the proposed condition at 1001.052(hh)(3)(iv), the tool or 
support furnished to the patient must not result in medically 
unnecessary or inappropriate items or services reimbursed in whole or 
in party by a Federal health care program. We believe that this is an 
important protection for patient safety and quality of care.
f. Nature of the Remuneration
    Under the proposed conditions at 1001.952(hh)(3)(vi), the tool or 
support must be recommended by the patient's licensed healthcare 
provider. This condition seeks not only to ensure that the remuneration 
is focused specifically on patient care, but also underscore the 
importance of quality of care, the healthcare provider's medical 
judgment, and the patient's relationship with his or her chosen 
healthcare providers in developing plans for treatment and care.
    We are considering and solicit comment on, whether we should 
include as a safeguard a requirement that the patient's licensed 
healthcare provider certify in writing, under 18 U.S.C. 1001 and 1519, 
that the particular item or service is recommended solely to treat a 
documented chronic condition of a patient in a target patient 
population. We solicit comments on how providers would most efficiently 
meet such a requirement and whether and how providers should be 
required to make the certification available.
    For all types of remuneration contemplated under this proposed safe 
harbor, we are considering for the final rule and seek comment on 
whether we should impose further limitations on the nature of 
remuneration furnished or other conditions to safeguard against the 
risks associated with fraud and abuse. For example, we are considering 
for the final rule and seek comment on some or all of the following 
additional safeguards:
     A requirement that VBE participants furnishing patient 
engagement tools and supports demonstrate and document the desired 
adherence to a treatment regimen, adherence to a drug regimen, 
adherence to a follow-up care plan, management of a disease or 
condition, improvement in measurable health outcomes, or patient 
safety; and
     a monitoring requirement to ensure that the patient 
engagement tools and supports do not result in diminished quality of 
care or patient harm.
    In addition, we seek specific examples of any other types of 
remuneration that stakeholders believe should be covered (or should not 
be covered) by this proposed safe harbor and why, as well as input on 
whether we can better define categories of remuneration, and any 
limitations or safeguards necessary to protect against fraud and abuse 
risks specific to such examples or categories.
g. Advancement of Specified Goals
    Under the proposed condition at 1001.952(hh)(3)(vii), the 
incentives and supports must advance specifically enumerated goals, 
namely: Adherence to a treatment regimen as determined by the patient's 
licensed healthcare provider; adherence to a drug regimen as determined 
by the patient's licensed healthcare provider; adherence to a follow-up 
care plan established by the patient's licensed healthcare provider; 
management of a disease or condition as directed by the patient's 
licensed

[[Page 55728]]

healthcare provider; improvement in evidence-based measurable health 
outcomes for a patient or the target patient population; ensuring 
patient safety; or some combination of the above.\46\ We are not 
proposing to specify which tools and supports would advance the named 
goals to provide flexibility for VBE participants and promote 
innovation. We intend for this proposed condition to protect a range of 
tools and supports. For example, an item, such as a smart pill bottle, 
that dispenses medications at preset times for a patient could meet 
this condition because it is a tool that enables the patient to access 
the right medication at the appropriate dosage and time. Offering a 
parking voucher or providing free childcare during medical appointments 
also could satisfy this condition because these supports would allow a 
patient to comply with his or her treatment regimen. Conversely, 
offering a patient movie tickets to reward compliance with a treatment 
regimen would not satisfy this condition.
---------------------------------------------------------------------------

    \46\ We note here that the word ``drug'' is synonymous with and 
inclusive of ``medication,'' neither of which terms we are defining 
for purposes of this proposed safe harbor. Similarly, ``followup 
care plan'' would include so-called ``discharge plans.''
---------------------------------------------------------------------------

    While we are concerned about the potential for abuse when patients 
are offered rewards to induce them to receive items or services, we 
also are aware that, in some circumstances, patients, or persons at 
risk of becoming patients with more serious conditions, might be 
offered tools or supports that result in lower healthcare costs 
(without compromising quality) or that promote patient wellness and 
healthcare.
h. No Diversion or Resell
    Under the proposed condition at 1001.952(hh)(4), this safe harbor 
would not protect the provision of a tool or support if the offeror of 
the remuneration knows or should know that the tool or support is 
likely to be diverted, sold, or utilized by the patient other than for 
the express purpose for which the patient engagement tool or support is 
provided. This proposed condition is designed to prevent VBE 
participants from providing tools and supports to patients if they 
likely would divert or sell or otherwise use for purposes other than 
the coordination and management of care and the goals outlined in 
(hh)(3)(vi). We seek comments on this approach.
    Notwithstanding the foregoing, for the purposes of this safe 
harbor, we would not consider a tool or support to be diverted if it is 
furnished to patients indirectly through their caregivers or family 
members or others acting on patients' behalf if the remuneration 
otherwise satisfies the conditions of the safe harbor. Specifically, if 
a patient is unable to care for herself or himself and another person 
(e.g., a family member or other caregiver) has legal authority or the 
patient's consent to act on the patient's behalf, then remuneration 
furnished to that person, on the patient's behalf and for the patient's 
benefit, would be protected if all conditions of the safe harbor are 
met. For example, if the patient is a child suffering from asthma, the 
child's parent or guardian may accept in-kind remuneration, such as a 
new air purifier for the child's bedroom, on the child's behalf without 
violating this requirement.
i. Monetary Cap
    Under the proposed condition at 1001.952(hh)(5), the aggregate 
retail value of patient engagement tools and supports furnished by a 
VBE participant to a patient could not exceed $500 on an annual basis, 
with certain limited exceptions. With this condition, we have attempted 
to strike the right balance between flexibility for beneficial patient 
tools and supports and a bright-line limit on the amount of protected 
remuneration to protect patients from being improperly influenced by 
valuable gifts; to protect the Federal health care programs from 
potential abuse through overutilization and inappropriate utilization 
due to such gifts; and to allow for innovation and beneficial 
arrangements that benefit patients and payors. As noted elsewhere in 
this preamble, our enforcement experience shows that incentives offered 
to beneficiaries can be used to coerce them into obtaining unnecessary 
services or harmful care, and this risk may be heightened when the 
value of remuneration is high or unlimited. However, we are unsure 
whether a monetary cap would present a barrier to achieving the 
intended benefits for patients envisioned by this proposed safe harbor. 
In lieu of a monetary cap, we are considering for the final rule, and 
seek comments on, whether other combinations of safeguards proposed in 
this rule would offer meaningful protection against fraud and abuse 
involving patients and programs, while still achieving the policy goal 
of promoting value-based care.
    We solicit comments on whether this proposed monetary limit of $500 
is appropriate, whether $500 per year is too low or too high, and if 
so, what other figures are more appropriate and the reasons for such 
other figures (e.g., $100, $200, $1,000, $1,500, or another amount that 
would be of sufficient magnitude to protect the most beneficial 
arrangements while also preventing the most abusive ones). For purposes 
of measuring retail value, we propose that such value be measured at 
the time the patient engagement tool or support is provided, and we are 
considering for the final rule whether to interpret ``retail value'' to 
mean the fair market value to the recipient or commercial value to the 
recipient. We also solicit comments on the proposed requirement 
applying the cap to individual VBE participants and whether the 
requirement should instead apply the annual cap to the VBE as a whole. 
Under this alternative, we are considering whether only one VBE 
participant within a VBE could offer remuneration to a patient during 
the year. If we limited the cap to the VBE instead of a VBE 
participant, we are interested in comments regarding how this might 
negatively impact opportunities for patients and providers or create 
burdensome tracking and recordkeeping obligations for a VBE or VBE 
participants. We also solicit comments on whether we should apply the 
annual cap on a value-based arrangement basis; in other words, under 
each value-based arrangement, a patient could receive aggregate 
remuneration up to the cap (whether from one or more VBE participants 
in the arrangement). We are interested in comments about any negative 
impacts or burdens from this approach.
    We propose that the cap could be exceeded for certain patients who 
lack financial resources. Specifically, the proposed condition at 
1001.952(hh)(5) provides that the aggregate retail value of patient 
engagement tools or supports furnished to a patient by a VBE 
participant may exceed $500 per year if the patient engagement tools 
and supports are furnished to a patient based on a good faith, 
individualized determination of the patient's financial need. OIG has 
existing guidance related to individualized, good faith determinations 
of financial need in the context of cost-sharing waivers, and 
accounting for financial need generally aligns with an existing 
exception under the CMP. We are not specifying any particular method of 
determining financial need because we believe what constitutes 
``financial need'' varies depending on the circumstances. However, it 
would be important for VBE participants to make determinations of 
financial need on a good faith, individualized, case-by-case basis in 
accordance with a reasonable set of income and resource guidelines

[[Page 55729]]

uniformly applied in all cases. The guidelines would need to be based 
on objective criteria and appropriate for the applicable locality. A 
patient's medical costs and liabilities could be taken into account, 
among other factors, as part of the determination. We seek comments on 
this approach as applied to the proposed safe harbor as well as whether 
we should include a cap but not allow for the cap to be exceeded.
    We seek comments regarding whether the monetary limit imposed at 
1001.952(hh)(5) is necessary and appropriate, or if alternatives that 
better protect patients and payors exist, such as a limitation on the 
frequency of such remuneration (e.g., a one-time provision of 
remuneration, once per year, or once per month), or a per-occurrence 
limitation, in place of, or in addition to, an aggregate limit. If a 
per occurrence limitation is desirable, we seek feedback on its amount 
standing alone and in relation to an aggregate cap (e.g., if the 
aggregate cap were to be $500 per year, should the per occurrence cap 
be $100, $200, or some higher or lower figure). We seek comments about, 
and supporting data for selecting, cap amounts. Finally, we seek 
comments regarding how we should treat ongoing costs associated with 
tools and supports (such as batteries, maintenance costs, or upgrades).
j. Materials and Records
    Under the proposed condition at 1001.952(hh)(6), the VBE or a VBE 
participant would be required to make available to the Secretary, upon 
request, all materials and records sufficient to establish compliance 
with the conditions of this safe harbor. We are not proposing 
particular parameters regarding the creation or maintenance of 
documentation to allow individuals and entities the flexibility to 
determine what constitutes best documentation practices but welcome 
comments on whether particular parameters are needed. In particular, we 
are considering for the final rule and seek comment regarding whether 
we should include, in the final rule, a requirement that VBE 
participants retain materials and records sufficient to establish 
compliance with the conditions of this safe harbor for a set period of 
time (e.g., at least 6 years or 10 years). Were an entity to be under 
investigation and assert this safe harbor as a defense, it would need 
to be able to demonstrate compliance with each condition of the safe 
harbor.
5. Potential Safeguards
    In addition to the proposed conditions set forth above, for the 
purposes of the proposed patient engagement and support safe harbor, we 
are considering and seek comment on additional potential safeguards for 
the final rule. We are considering and seek comment on the possible 
safeguards outlined below for this proposed safe harbor because many 
VBE participants that would avail themselves of the proposed patient 
engagement and support safe harbor would not be subject to governmental 
programmatic requirements, oversight, or monitoring comparable to CMS-
sponsored models (addressed in the proposed safe harbor at 
1001.952(ii)).
a. Prohibition on Cost-Shifting
    We are considering for the final rule, and seek comment on, a 
condition prohibiting VBE participants from billing Federal health care 
programs, other payors, or individuals for the tool or support; 
claiming the value of the tool or support as a bad debt for payment 
purposes under a Federal health care program; or otherwise shifting the 
burden of the value of the tool or support onto a Federal health care 
program, other payors, or individuals. This requirement, if included in 
any final rule, would be designed to protect against tools and supports 
resulting in inappropriately increased costs to Federal health care 
programs, other payors, and patients. We are considering, and seek 
comments on, prohibiting both: (1) Directly billing any third party, 
including patients, for the patient engagement tool or support or any 
operational costs attendant to the provision of the patient engagement 
tools and supports; and (2) claiming the cost of the patient engagement 
tool or support and any operational costs attendant to the provision of 
patient engagement tools and supports as bad debt for payment purposes 
under Medicare or a State healthcare program.
b. Consistent Provision of Patient Incentives
    We are considering for the final rule, and seek comment on, whether 
to require VBE participants to provide the same patient engagement 
tools or supports to an entire target patient population or otherwise 
consistently offer tools and supports to all patients satisfying 
specified, uniform criteria. We believe that including such a condition 
in the safe harbor would protect against a VBE participant targeting 
certain patients to receive tools and supports based on, for example, 
the patient's insurance status. We solicit comments on this issue. In 
particular, we are interested in understanding whether this proposed 
safeguard would limit certain VBE participants' ability to offer tools 
and supports due to the potential cost of furnishing the tool or 
support to an entire target patient population rather than a smaller 
subset of the target patient population. Similarly, we are interested 
in comments explaining why offering remuneration to a smaller subset of 
a target patient population instead of to the entire target population 
would be appropriate and not increase the risk of fraud and abuse, such 
as the targeting of particularly lucrative patients to receive tools 
and supports (cherry picking) or failure to provide tools and supports 
to high-cost patients (lemon dropping).
c. Monitoring Effectiveness
    We are considering adding a condition to the final rule that would 
require VBE participants to use ``reasonable efforts'' to monitor the 
effectiveness of the tool or support in achieving the intended 
coordination and management of care for the patient and would require 
the VBE or the VBE participant to have policies and procedures in place 
to address any identified material deficiencies. We believe that 
including such a condition in the safe harbor would help ensure that 
the tools and supports VBE participants furnish to patients achieve the 
stated purpose(s), and in turn, could help prevent VBE participants 
from offering patients engagement tools and supports that induce them 
to seek more, potentially unnecessary, care. We solicit comments on 
whether we should include such a monitoring provision and, if so, any 
anticipated burdens and ways OIG could minimize any burden. We would 
apply a facts and circumstances analysis to the ``reasonable efforts'' 
employed by parties under this condition, using an objective standard 
of reasonableness. We solicit comments on this approach.
d. Retrieval of Items and Goods
    We are considering for the final rule and seek comment on a 
condition that would require offerors to engage in reasonable efforts 
to retrieve an item or good furnished as a tool or support in certain 
circumstances. For example, we are considering requiring that the 
offeror make reasonable efforts to retrieve the patient engagement tool 
or support (if it is an item or good) when the patient is no longer in 
the target patient population, the VBE no longer exists, or the offeror 
is no longer a VBE participant. This would prevent the safe harbor from 
being misused to protect inducements to beneficiaries that do not 
promote value. If we were to include such a requirement, we are 
considering

[[Page 55730]]

setting a minimum value for the item or good above which offerors would 
be required to make reasonable retrieval efforts (e.g., $100, $200, 
$500 or a higher or lower amount). We believe such a provision would 
reduce the burden associated with retrieval efforts. We also are 
interested in comments regarding whether any retrieval requirement 
should be limited to tools and supports that are practicable to 
recover, such as those which are not fixtures or were for short-term 
use or an otherwise temporary benefit, and where harm to the patient or 
disproportionate expense to the VBE participant would not result.
e. Advertising
    We are considering for the final rule and seek comment on a 
condition that would require that the VBE participant does not publicly 
advertise the patient engagement tool or support (to patients or others 
who are potential referral sources). This would prohibit advertising in 
the media or posting information for public display or on websites 
about the availability of free items or services, similar to the local 
transportation safe harbor, 42 CFR 1001.952(bb). Such prohibition on 
public advertising would inhibit the use of patient engagement tools 
and supports as a marketing tool, thus keeping the focus of the safe 
harbor on improving care coordination and management of patients' care. 
We solicit comments on this potential safeguard. In particular, we are 
interested in comments on whether this condition would impose a barrier 
to the success of care coordination and value-based arrangements by 
restricting information available to patients about options for 
receiving better coordinated care.

G. CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient 
Incentives (1001.952(ii))

    OIG and CMS have jointly issued fraud and abuse waivers of certain 
provisions of the Federal anti-kickback statute, the physician self-
referral law and, for OIG only, certain CMP law authorities for 
numerous payment models established and tested by CMS under section 
1115A(d)(1) of the Act (pertaining to models tested by the Innovation 
Center) \47\ and section 1899 of the Act (pertaining to the Medicare 
Shared Savings Program).\48\ Waivers apply only to: (i) Arrangements 
described by the models and (ii) model participants and other specified 
individuals and entities. Further, any protection furnished by the 
waivers is limited in duration.
---------------------------------------------------------------------------

    \47\ See, e.g., CMS, Fraud and Abuse Waivers for Select CMS 
Models and Programs, available at https://www.cms.gov/Medicare/Fraud-and-Abuse/PhysicianSelfReferral/Fraud-and-Abuse-Waivers.html.
    \48\ See, e.g., 76 FR 67992 at 67992 (Nov. 2, 2011); 80 FR 66726 
at 66726 (Oct. 29, 2015) (Medicare Shared Savings Program is 
designed to promote the formation of accountable care organizations 
that are accountable for a Medicare patient population, coordinate 
items and services under Parts A and B, and encourage investment in 
infrastructure and redesigned care processes for high-quality and 
efficient service delivery).
---------------------------------------------------------------------------

    Commenters to the OIG RFI generally asked us to simplify and 
standardize our approach to protecting CMS-sponsored model arrangements 
under the anti-kickback statute and beneficiary inducements CMP. 
Waivers issued to date are tailored to the particular CMS model and 
CMS's design for the model, pursuant to the waiver authorities. 
Commenters requested that OIG promulgate regulatory protections that 
would provide uniformity and predictability for parties participating 
in CMS models.
    We propose to create a new anti-kickback statute safe harbor at 42 
CFR 1001.952(ii) to: (i) Permit remuneration between and among parties 
to arrangements (e.g., distribution of capitated payments, shared 
savings or losses distributions) under a model or other initiative 
being tested or expanded by the Innovation Center under section 1115A 
of the Act and the Medicare Shared Savings Program under section 1899 
of the Act (collectively, ``CMS-sponsored models'') and (ii) permit 
remuneration in the form of incentives and supports provided by CMS 
model participants and their agents under a CMS-sponsored model to 
patients covered by the CMS-sponsored model. The objective of the 
proposed safe harbor is to standardize and simplify anti-kickback 
statute compliance for CMS-sponsored model participants in models for 
which CMS has determined participants should have the protection that 
would be afforded by this safe harbor \49\ (rather than requiring 
participants to comply with the law as it would exist without this safe 
harbor) by applying uniform conditions across all models or initiatives 
sponsored by CMS.
---------------------------------------------------------------------------

    \49\ For example, CMS might specify in a participation agreement 
whether or not this safe harbor would apply to any arrangement under 
the CMS-sponsored model or to particular types of arrangements under 
the CMS-sponsored model.
---------------------------------------------------------------------------

    This proposal focuses on models under sections 1115A and 1899 of 
the Act; we are considering for the final rule, and solicit comments 
on, broadening the scope of this safe harbor to protect remuneration 
between and among parties to arrangements under CMS initiatives that 
are authorized under other sections of the Act with statutory authority 
to waive the fraud and abuse laws.
    By proposing this safe harbor, we aim to simplify application of 
the anti-kickback statute and CMP authorities for individuals and 
entities that participate in CMS-sponsored models in a manner that is 
consistent with CMS's authorities to operate and test new models and to 
reduce the need to issue model-by-model waivers of fraud and abuse 
laws. As with fraud and abuse waivers, our goal is to accommodate CMS's 
testing and operation of innovative, value-based care delivery and 
payment models that CMS has determined could improve quality of care, 
reduce growth in costs, or both, while also including program integrity 
protections against fraud and abuse. To the extent that an arrangement 
under a CMS-sponsored model implicates the anti-kickback statute or 
beneficiary inducements CMP, parties within CMS-sponsored models for 
which we have issued fraud and abuse waivers may continue to use 
applicable CMS-sponsored model waivers to protect their arrangements or 
may choose to structure arrangements to comply with this new safe 
harbor or any other applicable anti-kickback statute safe harbor or CMP 
exception.
    The degree of flexibility offered by this proposed safe harbor 
recognizes CMS's ability to oversee and monitor CMS-sponsored models 
and initiatives and to embed program integrity protections in such 
models and initiatives in ways that do not necessarily apply to 
arrangements outside the models. For this reason, this proposal does 
not extend to commercial and private insurance arrangements that may 
operate alongside, but outside, a CMS-sponsored model. However, nothing 
in this proposed safe harbor would prevent commercial and private 
insurers from implementing arrangements that cover both public and 
private patients; such arrangements could be structured to satisfy 
other proposed safe harbor protections that do not distinguish between 
public and private patient populations.
    We are proposing a number of definitions for purposes of this safe 
harbor. We propose to define a ``CMS-sponsored model party'' as a CMS-
sponsored model participant or another individual or entity that the 
CMS-sponsored model's participation documentation specifies may enter 
into a CMS-sponsored model arrangement. We propose to define 
``participation documentation'' for purposes of this safe harbor as the 
participation agreement, cooperative agreement, regulations, or model-
specific

[[Page 55731]]

addendum to an existing contract with CMS that: (i) Is currently in 
effect, and (ii) specifies the terms of a CMS-sponsored model.
    We propose to define a ``CMS-sponsored model participant'' as an 
individual or entity that is subject to, and is operating under, 
participation documentation with CMS to participate in a CMS-sponsored 
model. We propose to define a ``CMS-sponsored model arrangement'' as a 
financial arrangement between or among CMS-sponsored model parties to 
engage in activities under the CMS-sponsored model and that is 
consistent with, and is not a type of arrangement prohibited by, the 
participation documentation. Finally, we propose to define a ``CMS-
sponsored model patient incentive'' as remuneration that is not of a 
type prohibited by the participation documentation and is furnished 
consistent with the CMS-sponsored model by a CMS-sponsored model 
participant (or by an agent of the CMS-sponsored model participant 
under the CMS-sponsored model participant's direction and control) 
directly to a patient under the CMS-sponsored model.
    We would expect CMS to notify CMS-sponsored model participants, 
through participation documentation, or other public means as 
determined by CMS, when CMS-sponsored model participants may use this 
safe harbor under a CMS-sponsored model. For example, CMS may specify 
the types of CMS-sponsored model patient incentives that a CMS-
sponsored model participant may provide under the CMS-sponsored model 
within a CMS-sponsored model participation agreement. The CMS-sponsored 
model participant also must satisfy certain programmatic requirements 
imposed by CMS in connection with the use of this safe harbor. CMS also 
may require CMS-sponsored model participants to disclose to CMS when 
they use this safe harbor under a CMS-sponsored model as a condition of 
participation in the CMS-sponsored model. If this safe harbor is 
finalized and CMS determines that it be made available for a CMS-
sponsored model, the safe harbor would not be available to protect any 
remuneration that does not satisfy program requirements as may be 
imposed by CMS on CMS-sponsored model participants.
    We solicit comments on these definitions. In particular, we solicit 
comments regarding the scope of the definition of ``CMS-sponsored model 
patient incentive,'' recognizing that a CMS-sponsored model participant 
may not always know whether a particular patient is in a CMS-sponsored 
model at any given point in time. We are considering for the final rule 
and solicit comments on extending the definition of ``CMS-sponsored 
model incentive'' to include patients beyond those under a CMS-
sponsored model or, in the alternative, defining ``CMS-sponsored model 
patient'' such that a CMS-sponsored model participant could provide 
incentives to any patient (or any beneficiary) that meets the other 
conditions of the safe harbor.
    As proposed, this safe harbor would provide CMS-sponsored model 
parties an additional pathway to protection from sanctions under the 
anti-kickback statute and the beneficiary inducements CMP. An 
arrangement needs to meet the requirements of only one safe harbor to 
ensure immunity from criminal and civil prosecution under the statute. 
For example, CMS-sponsored model parties would be able to choose to 
structure an arrangement to comply with the conditions of this proposed 
safe harbor, the proposed value-based arrangements safe harbors 
(paragraphs (ee), (ff), and (gg)), the patient engagement and support 
safe harbor (paragraph (hh)), any other applicable existing safe 
harbors or exceptions, or fraud and abuse waivers issued for the CMS-
sponsored model. However, to ensure protection, an arrangement must 
meet all conditions of a particular safe harbor or waiver. We note that 
depending on the facts and circumstances, an arrangement may comply 
with fraud and abuse laws absent specific safe harbor or waiver 
protection.
1. Proposed Conditions for CMS-Sponsored Model Arrangements and CMS-
Sponsored Model Patient Incentives
    We are proposing below important safeguards to ensure that 
arrangements protected by this proposed safe harbor operate as intended 
by the CMS-sponsored models, and the CMS-sponsored models are not 
undermined by arrangements that might lead to stinting on medically 
necessary care or induce inappropriate utilization. These safeguards 
are necessary to ensure that a CMS-sponsored model party's financial 
arrangements and patient incentives are consistent with the quality, 
care coordination, and cost-reduction goals of a CMS-sponsored model 
and can be readily overseen by CMS and OIG.
    As a threshold matter, CMS would determine whether the safe harbor 
protection would be available for arrangements or patient incentives 
under the particular CMS-sponsored model. CMS may limit participation 
in a CMS-sponsored model to certain providers or entities (e.g., 
certain CMS-sponsored models may exclude pharmaceutical manufacturers 
from participating in a CMS-sponsored model or participating in 
arrangements under the CMS-sponsored model). CMS has discretion to 
determine the scope of entities, arrangements, or incentives that may 
be protected under this safe harbor on a model-by-model basis. Unlike 
the proposed safe harbors at 42 CFR 1001.952(ee), (ff), (gg) and (hh), 
which propose to exclude pharmaceutical manufacturers; manufacturers, 
distributors, and suppliers of DMEPOS; and laboratories from 
arrangements and tools and supports that would receive protection under 
the safe harbors, this proposed safe harbor would not exclude any 
entities from potential protection under the safe harbor. We do not 
propose any such exclusions to allow: (i) The Innovation Center the 
discretion to determine the scope of the models it wishes to test and 
expand and (ii) CMS the discretion to determine how to implement the 
Medicare Shared Savings Program. In addition, OIG notes that CMS-
sponsored models include programmatic rules, monitoring, and oversight 
not present in value-based arrangements and the provision of patient 
tools and supports outside of such models, which may mitigate some of 
the fraud and abuse risks presented by the inclusion of pharmaceutical 
manufacturers; manufacturers, distributors, and suppliers of DMEPOS; 
and laboratories in such models.
a. Conditions for CMS-Sponsored Model Arrangements
    Proposed paragraph (ii)(1) sets forth the terms for protection of 
certain remuneration between or among CMS-sponsored model parties under 
a CMS-sponsored model arrangement in a model for which CMS has 
determined that the safe harbor is available.
    We propose six conditions parties would need to meet to receive 
safe harbor protection. The first condition would require that CMS-
sponsored model participants reasonably determine that the CMS-
sponsored model arrangement will advance one or more goals of the CMS-
sponsored model. We intend to interpret ``reasonably determine'' to 
mean that the activities set forth in the written agreement are fairly 
and verifiably anticipated to achieve at least one or more goals of the 
CMS-sponsored model. For example, CMS-sponsored model parties may wish 
to create an implementation protocol explaining the activities and 
evidence-based processes or guidance relied upon to develop and

[[Page 55732]]

implement an arrangement that would advance a goal of a CMS-sponsored 
model through the CMS-sponsored model arrangement.
    The safe harbor would be flexible to permit parties to pursue a 
wide array of activities under the CMS-sponsored model; however, the 
arrangement must be consistent with the purposes of the CMS-sponsored 
model. As stated above, CMS determines the scope of its models and what 
is being tested. As we propose to reflect in the definition of ``CMS-
sponsored model arrangement,'' if an arrangement is a type of 
arrangement prohibited by the participation documentation, then it does 
not qualify as a CMS-sponsored model arrangement. If an arrangement 
does not qualify as a CMS-sponsored model arrangement, then it would 
not be protected by this safe harbor even if the CMS-sponsored model 
parties determined that it would advance a purpose of the CMS-sponsored 
model.
    In the second proposed condition, we specify that the exchange of 
value must not induce CMS-sponsored model parties or other providers or 
suppliers to furnish medically unnecessary items or reduce or limit 
medically necessary items or services furnished to CMS-sponsored model 
patients. We believe that this is an important protection for patient 
safety and quality of care, and it would be consistent with every CMS-
sponsored model.
    In the third proposed condition, we are incorporating a key 
safeguard that we have consistently utilized in our fraud and abuse 
waivers to prohibit remuneration that is explicitly or implicitly 
offered, paid, solicited, or received in return for, or to induce or 
reward, any referrals or other business generated outside of the CMS-
sponsored model.
    The fourth condition would require CMS-sponsored model parties, in 
advance of, or contemporaneously with the commencement of, the CMS-
sponsored model arrangement, to set forth the terms of the CMS-
sponsored model arrangement in a signed writing.
    The fifth condition would require parties to the CMS-sponsored 
model arrangement to make available to the Secretary materials and 
records sufficient to establish whether the remuneration was exchanged 
between the parties in a manner that meets the conditions of this safe 
harbor. We are not proposing particular parameters regarding 
documentation, but rather specifying only that the writing must 
describe the activities to be undertaken by the CMS-sponsored model 
parties and the nature of the remuneration to be exchanged. Therefore, 
parties under a CMS-sponsored model would have flexibility to determine 
what type of documentation would best memorialize the arrangement such 
that they could demonstrate safe harbor compliance to the Secretary or 
OIG upon request. Nothing in this proposed condition would change or 
alter any requirements related to documentation (or any other model 
feature) imposed by CMS as part of its model.
    Finally, we propose to include a condition requiring CMS-sponsored 
model participants to satisfy such other programmatic requirements as 
may be imposed by CMS in connection with the use of this safe harbor. 
Because CMS has authority to test and design models, it can also create 
programmatic requirements integral to testing and monitoring its model 
design for CMS-sponsored model participants. We are proposing this 
condition to ensure that parties comply with any additional 
programmatic requirements as may be imposed by CMS related to the 
arrangements for which they might seek safe harbor protection. We would 
expect CMS to set forth these requirements within the CMS-sponsored 
model's participation documentation or otherwise make such requirements 
publicly available.
b. Conditions for CMS-Sponsored Model Patient Incentives
    With respect to patient incentives, the proposed safe harbor would 
apply to certain incentives offered by a CMS-sponsored model 
participant or by an agent of the CMS-sponsored model participant under 
the CMS-sponsored model participant's direction and control directly to 
a patient receiving healthcare items and services under the CMS-
sponsored model that will advance one or more goals of the CMS-
sponsored model.
    CMS would determine whether the safe harbor protection would be 
available for the particular CMS-sponsored model. As stated above, CMS 
has discretion to determine which entities may avail themselves of this 
safe harbor or to determine the types of patient incentives CMS-
sponsored model parties may provide on a model-by-model basis. We would 
expect CMS to notify CMS-sponsored model participants of the scope of 
permissible patient incentives within its participation documentation 
or to make such determination publicly available.
    If CMS determines a type of incentive is prohibited, then it would 
not qualify as a CMS-sponsored model patient incentive for purposes of 
this proposed safe harbor.\50\ Similarly, some CMS-sponsored models 
might have their own requirements for giving patient incentives, and 
this proposed safe harbor would not obviate those programmatic 
requirements. For example, in making incentive payments to an assigned 
Medicare beneficiary under the ACO Beneficiary Incentive Program, ACOs 
are expected to satisfy the programmatic requirements governing such 
incentive payments at section 1899(m) of the Act and 42 CFR 425.304(c); 
if this safe harbor is finalized and CMS determines that it be made 
available for the ACO Beneficiary Incentive Program, the safe harbor 
would not be available for any incentive payment that does not satisfy 
such programmatic requirements.
---------------------------------------------------------------------------

    \50\ Unlike the patient engagement and support safe harbor 
proposed at 1001.952(hh), under the CMS-sponsored model patient 
incentives safe harbor, CMS would determine the types of patient 
incentives CMS-sponsored model parties may provide on a model-by-
model basis.
---------------------------------------------------------------------------

    Depending on the goals set forth by CMS for the CMS-sponsored 
model, we would expect a CMS-sponsored model participant would use this 
safe harbor to provide its patients with free or below-fair-market-
value incentives that advance the goals of the CMS-sponsored model, 
such as preventive care, adherence to a treatment regimen, or 
management of a disease or condition. The proposed protection would 
cover a broad range of incentives, such as, transportation, nutrition 
support, home monitoring technology, and gift cards, as determined by 
CMS through the CMS-sponsored model's design. Certain CMS-sponsored 
models or future models might permit waivers of cost-sharing amounts 
(for example, copayments and deductibles) or cash incentives to certain 
patients to promote certain clinical goals of a CMS-sponsored model. 
All of these patient incentives, when determined by CMS to be 
appropriate for the CMS-sponsored model design and not prohibited by 
the participation documentation, could fit within the proposed safe 
harbor, provided that the arrangement otherwise complies with all safe 
harbor conditions. We are proposing safeguards specific to the 
protected patient incentives.
    Under the proposed condition at paragraph (ii)(2)(i), the CMS-
sponsored model participant must reasonably determine that the patient 
incentive the CMS-sponsored model participant furnishes to its patients 
under the CMS-sponsored model will advance one or more goals of the 
CMS-sponsored model. As stated above, we would expect CMS to notify 
CMS-sponsored

[[Page 55733]]

model participants, through participation documentation, or other means 
as determined by CMS, when CMS-sponsored model participants may use 
this safe harbor under a CMS-sponsored model and the types of patient 
incentives they may offer. CMS-sponsored model participants may look to 
their participation documentation for potential descriptions or 
guidance on patient incentives that would be consistent with the goals 
of the CMS-sponsored model. For example, the participation 
documentation might specify that any incentives furnished must be 
preventive care items or services or must advance one or more clinical 
goals for patients under the CMS-sponsored model by engaging him or her 
in better managing his or her own health.
    Under the second proposed condition, we propose to require that the 
patient incentive have a direct connection to the patient's healthcare. 
We believe this condition to be consistent with the design of all CMS 
models and initiatives contemplated as part of this safe harbor. This 
condition is consistent with requirements we have imposed previously 
within our fraud and abuse waivers for a number of CMS-sponsored 
models. For the same reasons described further in our discussion of the 
proposed patient engagement and support safe harbor at proposed 
paragraph 1001.952(hh), we propose that this requirement would warrant 
a dual consideration: Whether a direct connection exists from a 
healthcare perspective and whether a direct connection exists from a 
financial perspective.
    We are not proposing specific documentation under the third 
condition for patient incentives offered by CMS-sponsored model 
participants; however, CMS-sponsored model participants must maintain 
documentation sufficient to establish whether the patient incentive was 
distributed in a manner that meets the conditions of the safe harbor. 
Under this proposed condition, CMS-sponsored model participants would 
have flexibility to determine what type of documentation would best 
establish whether the CMS-sponsored model patient incentive was 
distributed appropriately.
    Finally, as described above, if this safe harbor is finalized and 
CMS determines that it would be available for a particular CMS-
sponsored model, the safe harbor would not protect remuneration that 
does not satisfy such programmatic requirements as may be imposed by 
CMS under the CMS-sponsored model in connection with the use of this 
safe harbor.
c. Duration of Protection
    Under our proposal, as reflected in the defined terms, the duration 
of safe harbor protection aligns with the duration of the participation 
documentation under a CMS-sponsored model. For example, the proposed 
definition of ``CMS-sponsored model arrangement'' specifies that the 
protected arrangement is to ``engage in activities under the CMS-
sponsored model.'' Similarly, the proposed definition of 
``participation documentation'' specifies that it is ``currently in 
effect.'' The CMS-sponsored models, and arrangements between parties 
operating under CMS-sponsored models, have various terms, some of which 
are described in a CMS-sponsored model's participation documentation. 
In order to meet the conditions set forth in the proposed safe harbor, 
the CMS-sponsored model arrangement or a CMS-sponsored model patient 
incentive must begin and end while the parties are operating under an 
existing CMS-sponsored model.
    The safe harbor would protect arrangements during the period under 
which a CMS-sponsored model participant participates in the CMS-
sponsored model but would not extend to protect remuneration exchanged 
after participation in the CMS-sponsored model ends. In some cases, 
certain activities associated with a CMS-sponsored model may extend 
beyond the last performance period during which a CMS-sponsored model 
participant provides services under the CMS-sponsored model. For 
example, the participation documentation might provide for a certain 
period of time after a termination date or after the end of the 
performance period to conduct reconciliation or make final payment to 
providers (e.g., a shared savings distribution). This safe harbor would 
protect the last payment or exchange of value made by or received by a 
CMS-sponsored model party following the final performance period that 
the CMS-sponsored model participant that is a party to the arrangement 
participates in the CMS-sponsored model. We are considering each of the 
following options for 1001.952(ii) and may finalize one or a 
combination of these options: (i) Terminating protection after the end 
of the performance period or within a certain time period after the end 
of a performance period; (ii) terminating protection upon termination 
of the CMS-sponsored model participation documentation or within a 
certain period of time after that; and (iii) until the last payment or 
exchange of anything of value made by a CMS-sponsored model party under 
a CMS-sponsored model occurs, even if the model has otherwise 
terminated. We solicit comments on whether the final rule should allow 
safe harbor protection for one or a combination of the above options.
    Similarly, we solicit comments on whether under the final rule a 
CMS-sponsored model participant should be able to continue to provide 
the outstanding portion of any service to a patient if the service was 
initiated before its participation documentation terminated or expired. 
If we provide additional time under the final rule, we are interested 
in including conditions to prevent gaming of the length of time 
remuneration is provided after a CMS-sponsored model participant has 
been terminated from a model (or the model has terminated) to protect 
beneficiaries from improper inducements unrelated to a CMS-sponsored 
model. We note that, under our proposal, patients would be able to 
retain any incentives received prior to the termination or expiration 
of the participation documentation.

H. Cybersecurity Technology and Related Services (1001.952(jj))

    We propose a safe harbor to protect donations of certain 
cybersecurity technology and related services with appropriate 
safeguards. We believe this proposed safe harbor could help improve the 
cybersecurity posture of the healthcare industry by removing a real or 
perceived barrier that would allow parties to address the growing 
threat of cyberattacks that infiltrate data systems and corrupt or 
prevent access to health records and other information essential to the 
delivery of healthcare.
    In recent years we have received numerous comments and suggestions 
urging the creation of a safe harbor to protect donations of 
cybersecurity technology and services.\51\ The digitization of the 
healthcare delivery system and related rules designed to increase 
interoperability and data sharing in the delivery of healthcare create 
numerous targets for cyberattacks. The healthcare industry and the 
technology used to deliver healthcare have been described as an 
interconnected ``ecosystem'' where the ``weakest link'' in the system 
can compromise the entire system.\52\ Given

[[Page 55734]]

the prevalence of protected electronic health information and other 
personally identifiable information stored within these systems, as 
well as the processing and transmission of this information and other 
critical information within a given provider's systems as well as 
across the healthcare industry, the risks associated with cyberattacks 
may be most immediate for the ``weak links'' but have implications for 
the entire healthcare system.
---------------------------------------------------------------------------

    \51\ See, e.g., OIG, Semiannual Report to Congress, Apr. 1, 
2018-Sept. 30, 2018, at 84.
    \52\ See, e.g., Health Care Industry Cybersecurity Task Force, 
Report on Improving Cybersecurity in the Health Care Industry, June 
2017 (HCIC Task Force Report), available at https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf.
---------------------------------------------------------------------------

    In response to the OIG RFI, we received overwhelming support for a 
cybersecurity technology donation safe harbor. Many commenters 
highlighted the increasing prevalence of cyberattacks and other 
threats. Commenters noted that cyberattacks pose a fundamental risk to 
the healthcare ecosystem and that data breaches can result in patient 
harm as well as high costs to the healthcare industry. Moreover, 
disclosures of PHI through a data breach can result in identity fraud.
    Relatedly, protecting Department data, systems, and beneficiaries 
from cybersecurity threats, and otherwise securing the exchange and use 
of health information technology and data, are challenges that OIG has 
identified in the Department's annual Top Management and Performance 
Challenges for the last decade.\53\
---------------------------------------------------------------------------

    \53\ See, e.g., OIG, 2018 Top Management & Performance 
Challenges Facing HHS, available at https://oig.hhs.gov/reports-and-publications/top-challenges/2018/.
---------------------------------------------------------------------------

    The Health Care Industry Cybersecurity (HCIC) Task Force, created 
by the Cybersecurity Information Sharing Act of 2015 (CISA),\54\ was 
established in March 2016 and is comprised of government and private 
sector experts. The HCIC Task Force produced its HCIC Task Force Report 
in June 2017.\55\ The HCIC Task Force recommended, among other things, 
that Congress ``evaluate an amendment to [the physician self-referral 
law and the anti-kickback statute] specifically for cybersecurity 
software that would allow healthcare organizations the ability to 
assist physicians in the acquisition of this technology, through either 
donation or subsidy'' and noted that the regulatory exception to the 
physician self-referral law and the safe harbor for electronic health 
records technology could serve as a template for a new statutory 
exception.\56\
---------------------------------------------------------------------------

    \54\ Public Law 114-113, 129 Stat. 2242.
    \55\ HCIC Task Force Report, available at https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf.
    \56\ Id. at 27.
---------------------------------------------------------------------------

    However, in general, any donation of valuable technology or 
services to physicians or other sources of Federal health care program 
referrals can pose risks of fraud or abuse that may increase as the 
value of the donated technology or services increases. In some 
respects, the fraud and abuse risks posed by the donation of 
cybersecurity technology or services to physicians or other healthcare 
providers or suppliers are similar to the risks associated with the 
provision of electronic health records technology because, like 
electronic health records technology, cybersecurity technology is 
inherently valuable to recipients in terms of actual cost, avoided 
overhead, and administrative expenses. Additionally, the types of 
cybersecurity technology and services are highly variable; their costs 
and value also vary greatly. For example, cybersecurity technology or 
services may consist only of anti-virus software for a single 
workstation in a physician's office or it may include incident response 
services for several primary and specialty group practices. Further, 
adding robust cybersecurity technology and services may provide 
recipients a valuable shield from liability for fines, ransom, and 
litigation risk given the prevalence of cybersecurity threats to 
healthcare providers and breaches involving protected health 
information and electronic health records. Finally, responses to the 
OIG RFI indicate that the cost, or value, of cybersecurity technology 
and services has increased dramatically, to the point where some 
providers and suppliers are unable to adequately invest in 
cybersecurity measures.
    We believe that this proposed safe harbor would (i) minimize the 
risks inherent in any type of valuable remuneration between referral 
sources and (ii) remove an actual or perceived barrier that will allow 
the healthcare industry to take additional action to mitigate the risks 
posed by cybersecurity threats. Specifically, we believe this proposed 
safe harbor would promote increased security for interconnected and 
interoperable healthcare information technology systems without 
protecting arrangements that either serve as marketing platforms or 
inappropriately influence clinical decision-making.
    This proposed safe harbor would protect certain cybersecurity 
donations. CMS is proposing a similar exception to the physician self-
referral law. We coordinated closely with CMS to ensure as much 
consistency as possible between our proposed safe harbor and CMS's 
proposed exception, despite the differences in the respective 
underlying statutes. Because of the close nexus between this proposed 
rule and CMS's proposed rule, we may consider and take additional 
actions based on comments submitted in response to CMS's proposed rule 
in addition to those submitted in response to this rulemaking, if 
warranted.
    We propose to protect nonmonetary remuneration in the form of 
certain types of cybersecurity technology and services. Specifically, 
as explained below, we propose to define ``cybersecurity'' to mean 
``the process of protecting information by preventing, detecting, and 
responding to cyberattacks.'' We propose to include within the scope of 
covered technology, ``any software or other types of information 
technology, other than hardware.'' In an effort to foster beneficial 
cybersecurity donation arrangements without permitting arrangements 
that negatively impact beneficiaries of Federal health care programs, 
this safe harbor would impose a number of conditions on cybersecurity 
donations, as set forth below. Most notably, the first proposed 
condition of the safe harbor requires the donation to be necessary and 
used predominantly to implement and maintain effective cybersecurity.
    We also have included an alternative proposal for an additional, 
optional condition to this proposed safe harbor. The optional condition 
imposes an additional safeguard that parties can satisfy in exchange 
for protecting certain cybersecurity hardware.
1. Definitions
    We propose two definitions at 1001.952(jj)(6): ``cybersecurity'' 
and ``technology.'' These definitions are integral to understanding the 
conditions of the safe harbor, so we first elaborate on the 
definitions. For purposes of this safe harbor, we propose to define the 
terms ``cybersecurity'' and ``technology'' as follows:
     ``Cybersecurity'' means the process of protecting 
information by preventing, detecting, and responding to cyberattacks.
     ``Technology'' means any software or other types of 
information technology, other than hardware.
    This proposed definition of ``cybersecurity'' is derived from the 
National Institute for Standards and Technology (NIST) ``Framework for

[[Page 55735]]

Improving Critical Infrastructure.'' \57\ We intend for the definition 
to be broad and propose to rely on a definition in a NIST framework 
that does not apply directly to the healthcare industry but applies 
generally to any United States critical infrastructure. Our goal is to 
broadly define cybersecurity and avoid unintentionally limiting 
donations by relying on a narrow definition or a definition that might 
become obsolete over time. We solicit comment on this approach and 
whether a definition tailored to the healthcare industry would be more 
appropriate.
---------------------------------------------------------------------------

    \57\ Appendix B, Version 1.1 (Apr. 16, 2018) available at 
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

    Similarly, the proposed definition of ``technology'' is broad, but 
for the exclusion of hardware. The intent of the safe harbor is to be 
agnostic to specific types of non-hardware cybersecurity technology. We 
intend for this safe harbor to be broad enough to include cybersecurity 
software and other information technology (e.g., an Application 
Programming Interface (API), which is neither software nor a service as 
those terms are generally used) that is available now and technology 
that may become available as the industry continues to develop.
    The proposed definition of ``technology'' excludes hardware under 
this new safe harbor. While we recognize that effective cybersecurity 
may require hardware that meets certain standards (e.g., encrypted 
endpoints, updated servers), we remain concerned that donations of 
valuable, multifunctional hardware pose a higher risk of constituting a 
disguised payment for referrals. Consistent with the proposed condition 
at 1001.952(jj)(1), we believe that donations with multiple uses 
outside of cybersecurity present a greater risk that the donation is 
being made to influence referrals. Hardware is most likely to be 
multifunctional and, as a result, would not be necessary and used 
predominantly to implement and maintain effective cybersecurity. For 
example, the safe harbor would not protect a laptop computer or tablet 
used in the general course by a physician to enter patient visit 
information into an electronic health record and respond to emails. 
However, it would protect encryption software for a laptop. This also 
is consistent with a similar exclusion of hardware in the electronic 
health record donation safe harbor at 1001.952(y), which identifies a 
similar rationale for excluding hardware from protection.\58\ We 
solicit comments on this approach.
---------------------------------------------------------------------------

    \58\ 71 FR 45110, 45120 (Aug. 8, 2006).
---------------------------------------------------------------------------

    As we describe below, however, we are not proposing a requirement 
for recipients to contribute a portion of the donor's costs. Consistent 
with the HCIC Task Force Report, we recognize that many providers do 
not have adequate resources to significantly invest in the 
cybersecurity items and services protected by this proposed safe 
harbor. Consequently, we believe that omitting a contribution 
requirement may allow providers with limited resources to receive 
protected cybersecurity donations while also using their own resources 
to invest in other technology not protected by the safe harbor, such as 
updating legacy hardware that may pose a cybersecurity risk, or simply 
investing in their own computers, phones, and other hardware that are 
core to their businesses, notwithstanding their relationship with a 
donor who contributes cybersecurity technology. We solicit comments on 
excluding donations of hardware from this safe harbor and the omission 
of a contribution requirement, and in particular, any specific 
cybersecurity risks or limitations that would result from such 
exclusion and omission.
    We are considering for the final rule adding limited protection for 
specific hardware that is necessary for cybersecurity, is stand-alone 
(i.e., is not integrated within multifunctional equipment), and serves 
only cybersecurity purposes (e.g., a two-factor authentication dongle), 
and solicit comments on what types of hardware might qualify and 
whether we should protect them under this safe harbor.
    Finally, we note that this proposed safe harbor only protects 
cybersecurity technology and services as defined. It does not extend to 
other types of cybersecurity measures outside of technology or 
services. For example, this safe harbor would not protect donations of 
installation, improvement, or repair of infrastructure related to 
physical safeguards, even if they could improve cybersecurity (e.g., 
upgraded wiring or installing high security doors). Donations of 
infrastructure upgrades are extremely valuable and have multiple 
benefits in addition to cybersecurity, together which pose an increased 
risk that one purpose of the donation is to pay for or influence 
referrals.
2. Conditions on Donation and Protected Donors
    To be protected non-monetary remuneration, donations of 
cybersecurity technology and services must meet five conditions in 
1001.952(jj)(1)-(5). The first two conditions relate to the purpose of 
the donation and prohibit donors taking into account the volume or 
value of referrals or other business generated.
    First, at 1001.952(jj)(1), we propose to limit safe harbor 
protection to donated technology and services that are necessary and 
used predominantly to implement and maintain effective cybersecurity. 
The goal of this condition is to ensure that donations are being made 
for the purposes of addressing legitimate cybersecurity needs of donors 
and recipients. Explained differently, the core function of the donated 
technology or service must be to protect information by preventing, 
detecting, and responding to cyberattacks. Our intent is to protect a 
wide range of technology and services that are specifically donated for 
the purpose of, and are necessary for, ensuring that donors and 
recipients have effective cybersecurity.
    As stated previously, our intent is to be technology agnostic, 
including as to the types and versions of software that can receive 
protection. By way of example, the types of technology protected by 
this safe harbor may include, but are not limited to, software that 
provides malware prevention, software security measures to protect 
endpoints that allow for network access control, business continuity 
software that mitigates the effect of cyberattacks, data protection and 
encryption, and email traffic filtering. We believe these examples are 
indicative of the types of technology that are necessary and used 
predominantly for effective cybersecurity. We also do not distinguish 
between cloud-based software or software that must be installed 
locally. We solicit comments on the proposed breadth of protected 
technology as well as whether we should expressly include other 
technology or categories of technology in this safe harbor.
    Similarly, we propose to protect a broad range of services. Such 
services could include, for example:
     Any services associated with developing, installing, and 
updating cybersecurity software;
     any kind of cybersecurity training services, such as 
training recipients on how to use the cybersecurity technology, how to 
prevent, detect, and respond to cyber threats, and how to troubleshoot 
problems with the cybersecurity technology (e.g., ``help desk'' 
services specific to cybersecurity);
     any kind of cybersecurity services for business continuity 
and data recovery services to ensure the recipient's operations can 
continue during and after a cyberattack;
     any kind of ``cybersecurity as a service'' model that 
relies on a third-

[[Page 55736]]

party service provider to manage, monitor, or operate cybersecurity of 
a recipient;
     any services associated with performing a cybersecurity 
risk assessment or analysis, vulnerability analysis, or penetration 
test; or
     any services associated with sharing information about 
known cyber threats, and assisting recipients responding to threats or 
attacks on their systems.
    We believe these types of services are indicative of the types of 
services that are necessary and used predominantly for effective 
cybersecurity. We solicit comments on the proposed breadth of protected 
services as well as whether we should expressly include other services 
or categories of services in this safe harbor. We note, in addition, 
that the donation of services must be non-monetary. For example, 
donating the time of a consultant to implement a cybersecurity program 
could be protected, but if an entity were to experience a cyberattack 
that involved ransomware, payment of the ransom amount on behalf of a 
recipient or paying the recipient the ransom amount would not be 
protected.
    We do not intend to protect donations of technology or services 
that have multiple, general uses outside of cybersecurity. As explained 
in our discussion of the definition of ``hardware'' above, we remain 
concerned that donations of valuable multi-use technology or services 
pose a higher risk of constituting a disguised payment for, or 
otherwise influencing, referrals. Similarly, we do not intend to 
protect donations of technology or services that are otherwise used in 
the normal course of the recipient's business (e.g., general help desk 
services related to use of a practice's information technology). We 
solicit comment on this approach and whether this proposed condition 
unintentionally limits the donation of cybersecurity technology and 
services that are vital to improving the cybersecurity posture of the 
healthcare industry.
    For the purposes of meeting the proposed condition at 
1001.952(jj)(1), we are considering for the final rule, and seek 
comment on, whether to add a deeming provision that would allow donors 
or recipients to demonstrate that donations are necessary and 
predominantly used to implement and maintain effective cybersecurity. 
This deeming provision would allow donors and recipients to demonstrate 
that the donation furthers a recipient's ability to comply with a 
written cybersecurity program that reasonably conforms to a widely 
recognized cybersecurity framework or set of standards, such as one 
developed or endorsed by NIST, another American National Standards 
Institute-accredited standards body, or an international voluntary 
standards body such as the International Organization for 
Standardization. Any such provision would not require compliance with a 
particular framework or set of standards, but rather would provide an 
option for donors to demonstrate that the donation is necessary and 
predominantly used to implement and maintain effective cybersecurity. 
We believe such a provision may provide some assurance to donors and 
recipients about how to demonstrate that donations are necessary and 
predominantly used to implement and maintain effective cybersecurity. 
If we were to finalize this deeming provision, we would add a sentence 
to 1001.952(jj)(1) that would deem a donation to meet this condition if 
the parties demonstrate that the donation furthers a recipient's 
ability to comply with a written cybersecurity program that reasonably 
conforms to a widely recognized cybersecurity framework or set of 
standards. We solicit comments on incorporating this proposed deeming 
provision in 1001.952(jj)(1).
    Regarding this proposed deeming provision, we also solicit comments 
on how donors and recipients could practically demonstrate that a 
donation furthers a recipient's ability to comply with a written 
cybersecurity program that reasonably conforms to a widely recognized 
cybersecurity framework or set of standards. We are not proposing to 
condition protection on demonstrating compliance with a specific 
framework or set of standards, but we seek to provide a practical 
method that allows parties to demonstrate that a donation meets the 
potential deeming provision we are considering for 1001.952(jj)(1).
    Understanding that our intent is not to incorporate a specific 
framework or set of standards, we seek comments on whether there are 
other ways that parties could reliably demonstrate that a donation 
meets the potential cybersecurity deeming provision in 1001.952(jj)(1). 
For instance, we are interested in comments regarding whether parties 
could demonstrate that a donation meets the cybersecurity deeming 
provision through documentation, certifications, or other methods not 
prescribed by regulation.
    Second, at 1001.952(jj)(2), we propose to require that donors do 
not directly take into account the volume or value of referrals or 
other business between the parties when determining the eligibility of 
a potential recipient for the technology or services, or the amount or 
nature of the technology or services to be donated. In addition, we 
propose that donors do not condition the donation of technology or 
services, or the amount or nature of the technology or services to be 
donated, on future referrals. In other words, we propose that a donor 
cannot require, explicitly or implicitly, that a recipient either refer 
to the donor or recommend the donor's business as a condition of 
receiving a cybersecurity donation. We understand that the purpose of 
donating cybersecurity technology and services is to guard against 
threats that come from interconnected systems, and we understand and 
expect that a donor would provide the cybersecurity technology and 
services only to individuals and entities that connect to its systems, 
which includes those that refer to it (or that receive referrals from 
it). However, this condition would restrict a donor from conditioning 
the donation on referrals or other business generated.\59\
---------------------------------------------------------------------------

    \59\ We note that, if a system is only as strong as its weakest 
link, then even a very low-referring entity poses a cybersecurity 
risk.
---------------------------------------------------------------------------

    This proposed condition would not require a donor to donate 
cybersecurity technology and services to every individual or entity 
that connects to its system. Donors would be able to use selective 
criteria for choosing recipients, provided that neither a recipient's 
eligibility, nor the amount or nature of the cybersecurity technology 
or services donated, is determined in a manner that directly takes into 
account the volume or value of referrals or other business generated 
between the parties. For example, a donor could perform a risk 
assessment of a potential recipient (or require a potential recipient 
to provide the donor with a risk assessment) before determining whether 
to make a donation, or the scope of a donation. Similarly, for example, 
if a donor is a hospital, the hospital might choose to limit donations 
to physicians who are on the hospital's medical staff. Additionally, 
selective criteria might be based on the type of connection between a 
donor and recipient, such as a simple read-only connection to a 
properly implemented, standards-based API that enables only the secure 
transmission of a copy of the patient's record at the patient's request 
to the recipient. That type of connection poses less risk to a donor's 
systems than a connection that allows for information to be written 
directly into the donor's systems. Thus, a donor contemplating allowing 
a higher-risk connection (such as a bi-directional read-write

[[Page 55737]]

connection) to a potential recipient's systems could develop selective 
criteria based on that difference in risk of the connection. We solicit 
comments on this condition.
    We have declined to propose a list of selection criteria which, if 
met, would be deemed not to directly take into account the volume or 
value of referrals or other business generated between the parties, as 
we did in the electronic health records safe harbor at 1001.952(y)(5). 
We do not believe donations of cybersecurity technology and services 
present the same types of risks as donations of electronic health 
records software and information technology. Primarily, cybersecurity 
donations are further removed from the volume and value of referrals 
than electronic health record donations. Cybersecurity donations, if 
legitimate, are more likely to be based on considerations such as 
security risks and are less likely to be based on considerations that 
are closely related to the volume and value of referrals or other 
business generated (e.g., the total number of prescriptions written by 
the recipient). Therefore, we do not believe that cybersecurity 
donations need a similar list of selection criteria to ensure that 
parties can meet the volume or value condition at 1001.952(jj)(2).
    Nonetheless, we are considering whether to add such a list in the 
final rule and whether the list should be based on the permitted 
conduct at 1001.952(y)(5)(i)-(vii). We solicit comments on this 
approach and any other conditions or permitted conduct we should 
enumerate in this safe harbor, with respect to determinations related 
to cybersecurity donations.
    Related to these two conditions, we do not propose to restrict the 
types of individuals and entities that may donate cybersecurity 
donations under this safe harbor. Although donating cybersecurity 
technology and services would relieve a recipient of a cost that it 
otherwise would incur, the fraud and abuse risks associated with 
cybersecurity are different than donations of other valuable 
technology, such as electronic health records items and services. We 
generally view donating cybersecurity technology and services to be a 
self-protective measure because a cybersecurity breach in the donor's 
system can have a devastating impact on the donor and anyone who 
maintains a connection to the donor's systems. Meanwhile, electronic 
health record donations facilitate the exchange of clinical information 
between the recipient referral source and the donor and, thus, present 
a greater risk that one purpose of the donation is for the donor to 
secure additional referrals from the recipient or otherwise influence 
referrals or other business generated.
    We are concerned that technology donations risk referral sources 
becoming beholden to the donors, and therefore we are considering 
narrowing the scope of protected donors as we have done in other safe 
harbors. We solicit comments on whether particular types of individuals 
and entities should be excluded from donating cybersecurity technology 
and services, and if so, why. Specifically, in past rulemakings we have 
distinguished between individuals and entities with direct and primary 
patient care relationships that have a central role in the healthcare 
delivery infrastructure such as hospitals and physician practices, and 
providers and suppliers of ancillary services such as pharmaceutical, 
device, and DMEPOS manufacturers, and other manufacturers or vendors 
that indirectly furnish items and services used in the care of 
patients.\60\ We seek comments as to whether our historical enforcement 
concerns and other considerations regarding direct and indirect patient 
care are present for purposes of cybersecurity donations.
---------------------------------------------------------------------------

    \60\ See OIG, Final Rule: Safe Harbors for Certain Electronic 
Prescribing and Electronic Health Records Arrangements Under the 
Anti-Kickback Statute, 71 FR 45110, 45128 (Aug. 8, 2006) (excluding 
pharmaceutical, device, DMEPOS manufacturers, or other entities that 
indirectly furnish items and services used in the care of patients 
both because ``[our] enforcement experience demonstrates that 
unscrupulous manufacturers have offered remuneration in the form of 
free goods and services to induce referrals of their products'' and 
because they lack ``a direct and central patient care role that 
justifies safe harbor protection for the provision of electronic 
health records technology'').
---------------------------------------------------------------------------

3. Conditions for Recipients
    In proposed 1001.952(jj)(3), similar to the condition at (jj)(2) on 
donors discussed previously, this proposed condition would require that 
neither a potential recipient, nor a potential recipient's practice (or 
any affiliated individual or entity), can demand, explicitly or 
implicitly, a donation of cybersecurity technology and services as a 
condition of doing business or continuing to do business with the 
donor.
    We do not propose a recipient contribution requirement as part of 
this safe harbor. As we explain above, with this proposed safe harbor 
we seek to remove a barrier to donations that improve cybersecurity 
throughout the healthcare industry in response to the critical 
cybersecurity issues identified in the HCIC Task Force Report and 
elsewhere. We propose to include only those conditions for safe harbor 
protection that we believe are critical to guarding against fraud and 
abuse. In the case of cybersecurity, we do not believe a specified 
recipient contribution to the cost is necessary or practical. We 
recognize that the level of services for each recipient might vary, and 
might be higher or lower each year, each month, or even each week. 
Similarly, donors may aggregate the cost of certain services across all 
recipients, such as cybersecurity patches and updates, on a regular 
basis, which may result in a contribution requirement becoming a 
barrier to widespread, low-cost improvements in cybersecurity because 
of the practical challenges in collecting a contribution from 
recipients. For instance, attempting to quantify the value of a 
frequent cybersecurity scans included in a vendor's suite of services 
as part of a cybersecurity donation, across dozens of recipient 
practices, and determining the pro rata share each practice must 
contribute based on the size of the practice as well as the relative 
size of the donation made to each practice, might become unworkable for 
many donors.
    Importantly, we note that our proposal to omit a contribution 
requirement as a condition of the safe harbor does not prohibit donors 
from requiring a contribution. Donors are free to require recipients to 
contribute to the cost, so long as the determination of a contribution 
requirement does not take into account the volume or value of referrals 
between the parties. For example, if a donor gave a full suite of 
cybersecurity technology and services for free to a high-referring 
practice but required a low-referring practice to contribute 20 percent 
of the cost, then the donor could violate the conditions at proposed 
paragraphs (jj)(2)(i) and (ii). In addition, we do not intend for this 
safe harbor to require that donations be solely between two parties. 
For example, two hospitals and a large multi-specialty physician 
practice might agree to jointly subsidize cybersecurity technology and 
services for smaller physician practices in their area.
    We do not propose to impose restrictions on the type of individual 
or entity that can receive donations of cybersecurity technology or 
related services. We note that, because we do not propose to restrict 
the scope of protected recipients under this safe harbor, we believe 
patients would be included as protected recipients. Donations to 
patients, just like other recipients, would only be protected if they 
precisely met all conditions of the safe harbor. As discussed 
previously, donations of multifunctional technology or services would 
not be protected

[[Page 55738]]

because all cybersecurity donations must be necessary and used 
predominately to implement and maintain effective cybersecurity.
    We anticipate that donations to patients would be more limited than 
donations to healthcare providers and suppliers (e.g., anti-malware 
tools). However, we solicit comments on what types of cybersecurity 
technology or services a donor might anticipate giving to a patient, 
whether we would need additional or different safeguards when a patient 
is the recipient, and whether patients should be protected recipients 
at all under the safe harbor. More specifically, we solicit comments on 
whether we should include additional conditions for donations of 
cybersecurity technology services to patient recipients that are 
similar to the beneficiary inducements CMP's exceptions under 42 CFR 
1003.110. For example, we are considering whether cybersecurity 
technology or service donations to patients should not be offered as 
part of any advertisement or solicitation or not be tied to the 
provision of other items or services reimbursed in whole or in part by 
the Medicare program under Title VIII or a State health care program 
(as defined in section 1128(h) of the Act).
4. Written Agreement
    At 1001.952(jj)(4), we propose to require that the donor and 
recipient enter into a signed, written agreement. While we do not 
interpret this condition to require every item of cybersecurity 
technology and every potential service to be specified in the 
agreement, we propose that the written agreement must include a general 
description of the cybersecurity technology and services to be provided 
over the term of the agreement and a reasonable estimate of the value 
of the donation. In addition, to the extent the parties share any 
financial responsibility for the cost of the cybersecurity technology 
and services, those financial terms, including the amount of the 
contribution, must be memorialized in the written agreement. We solicit 
comments on the conditions proposed here, as well as whether additional 
or different terms should be required in a written agreement.
5. Prohibition on Cost Shifting
    At 1001.952(jj)(5), we propose to prohibit donors from shifting the 
costs of any cybersecurity donations to Federal health care programs. 
For example, under this proposed condition, while a hospital's own 
cybersecurity costs could be an administrative expense on its cost 
report, donations of cybersecurity technology or services to other 
individuals or entities could not be included as an administrative 
expense on the hospital's cost report.
6. Alternative Proposed Condition for Protection of Cybersecurity 
Hardware
    We also propose and solicit comments on an alternative approach 
that would add an additional, optional safeguard to the proposed 
cybersecurity safe harbor. This alternative approach would protect 
cybersecurity hardware donations if the parties choose to meet an 
additional condition, along with the other five conditions proposed at 
1001.952(jj)(1)-(5). Under this alternative proposal, a protected 
donation could also include cybersecurity hardware that a donor has 
determined is reasonably necessary based on a risk assessment of its 
own organization and that of the potential recipient.
    The goal of this alternate proposal is to provide donors and 
recipients more flexibility regarding the types of cybersecurity 
donations that are protected, while also adding an additional safeguard 
to further ensure that the donation is necessary and used predominantly 
to implement and maintain effective cybersecurity.
    We believe this alternative proposal builds on existing legal 
requirements and best practices related to information security 
generally and the healthcare industry more specifically. For example, 
the HHS Office for Civil Rights explained that conducting a risk 
analysis is the first step in identifying and implementing safeguards 
that comply with and carry out the standards and implementation 
specifications in the HIPAA Security Rule.\61\ More generally, NIST 
Special Publication 800-30, which does not directly apply to the 
healthcare industry, but represents industry standards for information 
security practices, explains that the purpose of a risk assessment is 
to inform decision makers and support risk responses by identifying: 
(i) Relevant threats to organizations or threats directed through 
organizations against other organizations; (ii) vulnerabilities both 
internal and external to organizations; (iii) impact (i.e., harm) to 
organizations that may occur given the potential for threats exploiting 
vulnerabilities; and (iv) likelihood that harm will occur. The end 
result is a determination of risk, which is typically a function of the 
degree of harm and likelihood of harm occurring.\62\
---------------------------------------------------------------------------

    \61\ HIPAA for Professionals, Guidance on Risk Analysis (Mar. 
2017), available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/.
    \62\ NIST Special Publication 800-30 Revision 1, Guide for 
Conducting Risk Assessments (Sept. 2012), available at https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf.
---------------------------------------------------------------------------

    Risk assessments are a key component to developing effective 
organization-wide risk management for information security. We believe 
that risk assessments conducted consistent with industry standards 
would provide a reasonable basis for donors to identify risks and 
threats to their organizational information security that need to be 
mitigated by donating cybersecurity hardware to other entities. 
Additionally, donations that are made in response to risk assessments 
are likely to meet the purpose of this safe harbor that donations are 
necessary and used predominantly to implement and maintain effective 
cybersecurity. Under this proposal, a donor would perform or have an 
existing risk assessment for its own organization, and would require a 
potential recipient to have, perform, or obtain a risk assessment, that 
would provide a reasonable basis to determine that the donated 
cybersecurity hardware is needed to address a risk or threat identified 
by a risk assessment.
    Consistent with the HCIC Task Force Report and comments we received 
in response to the OIG RFI, we recognize that ``[m]any organizations 
cannot afford to retain in-house information security personnel, or 
designate an information technology (IT) staff member with 
cybersecurity as a collateral duty.'' Understanding that resource 
constraint, one goal of this safe harbor is to increase the avenues 
available for all healthcare organizations to improve their 
cybersecurity practices. We believe protecting a cybersecurity hardware 
donation based on the risk assessment of a recipient would further the 
goal of increasing the avenues available to improve cybersecurity for 
all healthcare entities, regardless of their available resources.
    We recognize that a potential recipient with limited resources and 
cybersecurity experience may not be able to conduct or pay for its own 
risk assessment. As noted above, one cybersecurity service that would 
be a protected donation under the proposed safe harbor is a risk 
assessment. Under the alternative proposal, donors could then make 
additional cybersecurity hardware donations that are reasonably based 
on the risk assessments of the donor and recipients.
    We recognize that risk assessment practices vary across the 
healthcare industry and may be depend on the size

[[Page 55739]]

and sophistication of any provider or entity. We solicit comments on 
this alternative proposal to understand whether entities that are 
potential donors or recipients already conduct risk assessments that 
would provide a reasonable basis to determine that a cybersecurity 
hardware donation is reasonable and necessary. We would propose to 
define ``risk assessment'' based on NIST Special Publication 800-30 and 
solicit comment on whether that definition is sufficient for this 
cybersecurity donation safe harbor. Additionally, we solicit comments 
on whether this proposal should incorporate specific standards or 
requirements, such as NIST Special Publication 800-30.
    We are considering for the final rule, and seek comment on, adding 
safeguards to this alternate proposal. For instance, we are considering 
limiting the additional cybersecurity hardware permitted under the 
alternative proposal to certain kinds of hardware. We are interested in 
comments, particularly from providers, that explain what types of 
hardware would be necessary for effective cybersecurity under this 
alternate proposal. We note that because this alternate proposal builds 
upon the proposed conditions at proposed 1001.952(jj)(1)-(5), 
multifunctional hardware still would be prohibited because it would not 
be necessary and predominantly used to implement and maintain effective 
cybersecurity, as required under proposed 1001.952(jj)(1). If the 
donation includes hardware, we are also considering requiring a 
contribution from the recipient, similar to the electronic health 
records safe harbor at 1001.952(y)(11), and we are considering 
requiring the contribution amount to be 15 percent. We are interested 
in comments on this approach, and whether we should consider other 
contribution amounts instead, such as 5 percent, or 20 or 30 percent.
    If we add this contribution requirement, we are considering 
excepting small and rural practices, and we are interested in comments 
on this approach. Relatedly, we solicit comments on how ``small or 
rural practices'' should be defined. For example, we solicit comments 
on whether ``rural practices'' should be defined as those located in 
rural areas, as defined in the safe harbor for local transportation at 
42 CFR 1001.952(bb). We also solicit comments on whether ``small 
practices'' should be defined as those in medically underserved areas, 
as designated by the Secretary under section 330(b)(3) of the Public 
Health Service Act, or defined similarly to a ``small provider of 
services or small supplier'' as set forth in the requirements related 
to the electronic submission of Medicare claims at 42 CFR 424.32. We 
also are considering for the final rule and solicit comments on whether 
other subsets of potential recipients, for example critical access 
hospitals, should be exempted from the 15-percent contribution 
requirement because it would impose a significant financial burden on 
the recipient. Additionally, if a contribution requirement is included 
in the final rule, we are considering exempting contributions for the 
upgrades, updates, or patches of remuneration that was previously 
donated. Based on our experience with the electronic health records 
arrangements safe harbor, we recognize the practical challenges in 
collecting contributions from recipients for minor upgrades, updates, 
and patches that are necessary to keep the donated technology compliant 
with new security policies.
    If we were to finalize this alternate proposal, we would modify the 
proposed safe harbor by adding new conditions and a definition in the 
safe harbor. Primarily, we would add a new condition that would require 
a donor to perform or have an existing risk assessment for its own 
organization, and require a potential recipient to have, perform, or 
obtain a risk assessment, that provides a reasonable basis to determine 
that the donated cybersecurity hardware is needed to address a risk or 
threat identified by the donor's and recipient's risk assessments. We 
also would add definitions of hardware and risk assessment in proposed 
1001.952(jj)(6).
7. Solicitation of Comments
    The goal of the proposed safe harbor is to help improve the 
cybersecurity posture of the healthcare industry by removing a real or 
perceived barrier. To achieve this goal, we must appropriately balance 
the risk of cybersecurity threats against risks associated with 
permitting parties to donate valuable technology and services. In doing 
so, we recognize that cyberattacks are ubiquitous, dynamic, potentially 
funded by nation-states or well-funded criminal enterprises, and can 
have consequences to beneficiary health, safety, and privacy that are 
difficult to mitigate. To help improve the cybersecurity hygiene of the 
healthcare industry without comprising program integrity, it is 
important that we strike the right balance.
    We drafted the proposed safe harbor with this aim in mind, but we 
recognize that appropriately balancing these risks is a difficult task. 
We solicit comment on whether the proposed safe harbor establishes the 
right balance and if not, request comments that recommend specific 
changes to do so. Commenters should consider the safe harbor in its 
entirety, including the proposed conditions, optional deeming 
provision, alternate condition, and definitions when commenting on this 
issue. We are especially interested in comments from healthcare 
providers because they both bear the cybersecurity risks and likely 
have relevant compliance experience with other safe harbors.
    To facilitate specific comments on this issue, we ask the following 
questions: Does the proposed condition at 1001.952(jj)(1) permit the 
donation of the right types of cybersecurity technology and services 
that could meaningfully improve the cybersecurity posture of the 
healthcare industry while also ensuring that the donated technology and 
services do not pose undue risk of improperly influencing referrals? If 
not, what other standard or limitation would be appropriate to strike 
the right balance between cybersecurity risks and program integrity 
risks? Does excluding hardware from the definition of ``technology'' 
further our aim of balancing cybersecurity risks with the program 
integrity risks? If not, what other conditions should we impose to 
limit the value of remuneration protected by the proposed safe harbor, 
so it does not improperly influence referrals? For example, should the 
safe harbor impose a monetary value limit on the total amount of 
donations that a donor can make to a recipient or should the safe 
harbor require the recipient to contribute to the costs of a donation 
once the value has exceeded certain monetary thresholds?

I. Electronic Health Records (1001.952(y))

    On August 8, 2006, we published a final rule (the 2006 Final EHR 
Safe Harbor Rule) that, among other things, finalized a safe harbor 
(the EHR safe harbor) at 42 CFR 1001.952(y) protecting certain 
arrangements involving the donation of interoperable electronic health 
records software or information technology and training services. The 
EHR safe harbor was initially scheduled to sunset on December 31, 2013.
    On December 27, 2013, we published a final rule (the 2013 Final EHR 
Safe Harbor Rule) modifying the EHR safe harbor by, among other things, 
extending the expiration date of the safe harbor to December 31, 2021; 
excluding laboratory companies from the types of entities that may 
donate electronic

[[Page 55740]]

health records items and services under the safe harbor; and updating 
the provision under which electronic health records software is deemed 
interoperable.
    The present proposed rule sets forth certain proposed changes to 
the EHR safe harbor. CMS is proposing almost identical changes to the 
physician self-referral law electronic health records exception 
elsewhere in this issue of the Federal Register. We attempted to ensure 
as much consistency as possible between our proposed safe harbor 
changes and CMS's proposed exception changes, despite the differences 
in the respective underlying statutes. Because of the close nexus 
between this proposed rule and CMS's proposed rule, we may consider 
comments submitted in response to CMS's proposed rule and take 
additional actions when crafting our final rule.
1. Interoperability
    The conditions at 1001.952(y)(2) and (y)(3) require donated items 
and services to be interoperable and prohibit the donor (or someone 
acting on the donor's behalf) from taking action to limit the 
interoperability of the donated item or service. We are proposing 
changes that impact 42 CFR 1001.952(y)(2) and (3) based on the 21st 
Century Cures Act (Cures Act) and the Office of the National 
Coordinator for Health Information Technology (ONC), HHS Notice of 
Proposed Rulemaking ``21st Century Cures Act: Interoperability, 
Information Blocking, and the ONC Health IT Certification Program'' 
(ONC NPRM) that proposes to implement key provisions in Title IV of the 
Cures Act.\63\ Among other things, the ONC NPRM proposes conditions and 
maintenance of certification requirements for health information 
technology (health IT) developers under the ONC Health IT Certification 
Program (certification program) and reasonable and necessary activities 
that do not constitute information blocking for purposes of section 
3022(a)(1) of the Public Health Service Act (PHSA). These proposed 
changes, if finalized, affect the EHR safe harbor conditions at 
1001.952(y)(2), which is known as the ``deeming provision,'' and 
1001.952(y)(3) related to interoperability and ``data lock-in.''
---------------------------------------------------------------------------

    \63\ 84 FR 7424 (Mar. 4, 2019).
---------------------------------------------------------------------------

2. Deeming
    The deeming provision provides certainty to parties seeking 
protection of the EHR safe harbor by providing an optional method of 
ensuring that donated items or services meet the interoperable 
condition in 1001.952(y)(2) by deeming software to be interoperable if 
it is certified under the certification program. In the 2013 Final EHR 
Safe Harbor Rule we modified the deeming provision to reflect 
developments in the certification program and track ONC's anticipated 
regulatory cycle. By relying on the certification program and related 
updates of criteria and standards, we stated that the deeming provision 
would meet ``our objective of ensuring that software is certified to 
the current required standard of interoperability when it is donated.'' 
\64\ We propose to retain this general construct for the updated safe 
harbor. However, we propose two textual clarifications to this 
provision. Current language specifies that the software is ``deemed to 
be interoperable if, on the date it is provided to the recipient, it 
has been certified by a certifying body . . . .'' We propose to modify 
this language to clarify that, on the date the software is provided, it 
``is'' certified. In other words, the certification must be current as 
of the date of the donation, as opposed to the software having been 
certified at some point in the past but no longer maintaining 
certification on the date of the donation. We also propose to remove 
reference to ``editions'' of certification criteria to align with 
proposed changes to the certification program. We solicit comments on 
these clarifications.
---------------------------------------------------------------------------

    \64\ 78 FR 79201, 79204 (Dec. 27, 2013).
---------------------------------------------------------------------------

    As we describe in more detail below, however, we are updating the 
definition of ``interoperable.'' Although this revised definition would 
not require a textual change to this paragraph (y)(2), the revision 
would impact the deeming provision, and we solicit comments regarding 
this update.
3. Information Blocking
    The current condition at 1001.952(y)(3) prohibits the donor (or any 
person on the donor's behalf) from taking any action to limit or 
restrict the use, compatibility, or interoperability of the items or 
services with other electronic prescribing or electronic health records 
systems (including, but not limited to, health information technology 
applications, products, or services). As explained in the 2006 Final 
EHR Safe Harbor Rule and reaffirmed in the 2013 Final EHR Safe Harbor 
Rule, 1001.952(y)(3) has been designed to: (i) Prevent the misuse of 
the safe harbor that results in data and referral lock-in and (ii) 
encourage the free exchange of data (in accordance with protections for 
privacy).\65\ Since that time, significant legislative, regulatory, 
policy, and other Federal Government action defined this problem 
further (now commonly referred to as ``information blocking'') and 
established penalties for certain types of individuals and entities 
that engage in information blocking. Most notably, the 21st Century 
Cures Act added section 3022 of the PHSA, known as ``the information 
blocking provision,'' which defines conduct by healthcare providers, 
health IT developers of certified health IT, exchanges, and networks 
that constitutes information blocking. Section 3022(a)(1) of the PHSA 
defines ``information blocking'' in broad terms, while section 
3022(a)(3) authorizes and charges the Secretary to identify reasonable 
and necessary activities that do not constitute information blocking. 
The ONC NPRM would implement the statutory definition of ``information 
blocking,'' define certain terms related to the statutory definition of 
``information blocking,'' and proposes seven exceptions to the 
information blocking definition.\66\
---------------------------------------------------------------------------

    \65\ 78 FR 79213 (Dec. 27, 2013).
    \66\ 84 FR at 7602-05.
---------------------------------------------------------------------------

    We propose modifications to 1001.952(y)(3) to recognize these 
significant updates since the 2013 Final EHR Safe Harbor Rule. 
Specifically, we propose aligning the condition at 1001.952(y)(3) with 
the proposed information blocking definition and related exceptions in 
45 CFR part 171. We note that the EHR safe harbor conditions, while not 
using the term ``information blocking,'' already include concepts 
similar to those found in the 21st Century Cures Act's prohibition on 
information blocking. For example, we were concerned about donors (or 
those on the donor's behalf) taking steps to limit the interoperability 
of donated software to lock in or steer referrals, which is prohibited 
by the anti-kickback statute.\67\ These proposed modifications are not 
intended to change the purpose of this condition, but instead further 
our longstanding goal of preventing abusive arrangements that lead to 
information blocking and referral lock-in through updated 
understandings of those concepts established in the 21st Century Cures 
Act.\68\
---------------------------------------------------------------------------

    \67\ See Implementation of the 21st Century Cures Act: Achieving 
the Promise of Health Information Technology Before the S. Comm. On 
Health, Education, Labor, & Pensions, 115th Cong. 1 (2017) 
(statement of James Cannatti, Senior Counselor for Health 
Information Technology HHS OIG).
    \68\ We recognize that the ONC NPRM is not a final rule and is 
subject to change. However, we base our proposal on both the 
statutory language and the language in ONC's proposed rule for 
purposes of soliciting public input on our proposals.

---------------------------------------------------------------------------

[[Page 55741]]

    We note that health plans, which are protected donors under the EHR 
safe harbor, may not be subject to the information blocking provisions 
of the 21st Century Cures Act or the ONC NPRM. Nevertheless, health 
plans that seek the protection of this safe harbor do so voluntarily. 
We note that the definition of ``information blocking'' at PHSA section 
3022(a)(1) applies a different knowledge standard to health IT 
developers of certified health IT, health information networks, and 
health information exchanges than it does to healthcare providers. A 
healthcare provider engages in a practice of information blocking if 
such a provider ``knows that such practice is unreasonable and is 
likely to interfere with, prevent, or materially discourage access, 
exchange, or use of electronic health information.'' \69\ The EHR safe 
harbor primarily applies to healthcare providers due to the limitations 
on the types of donors permitted under 1001.952(y)(1). Therefore, most 
donors under the EHR safe harbor would be subject to the information 
blocking knowledge standard at section 3022(a)(1)(B)(ii) of the PHSA. 
Rather than have different conditions for healthcare providers and 
health plans, we believe it is reasonable to have one condition that 
applies the same information blocking knowledge standard to all parties 
who voluntarily use the safe harbor to protect donations of EHR items 
and services. For purposes of donations under this safe harbor, we 
propose to apply the knowledge standard articulated in the PHSA at 
section 3022(a)(1)(B)(ii) as applicable to both providers and health 
plans, and we seek comments on this approach.
---------------------------------------------------------------------------

    \69\ PHSA Sec.  3022(a)(1)(B)(ii).
---------------------------------------------------------------------------

    Additionally, the current condition at 1001.952(y)(3), as adopted 
in the 2006 Final EHR Safe Harbor Rule \70\ was intended to prevent 
donors, including health plans, from donating EHR software and then 
engaging in practices of information blocking that would limit the 
interoperability of the donated items, notwithstanding that we did not 
use that exact terminology. As a result, we do not believe this 
proposed modification places any additional burden on health plans that 
voluntarily seek to protect donations. We solicit comments on aligning 
the condition at 1001.952(y)(3) with the proposed information blocking 
definition in 45 CFR part 171.
---------------------------------------------------------------------------

    \70\ 71 FR 45136.
---------------------------------------------------------------------------

4. Cybersecurity
    We propose to amend the safe harbor to clarify that certain 
cybersecurity software and services have always been protected under 
this safe harbor,\71\ and to more broadly protect the donation of 
software and services related to cybersecurity. Currently, the safe 
harbor protects electronic health records software or information 
technology and training services necessary and used predominantly to 
create, maintain, transmit, or receive electronic health records. We 
propose to modify this language to include certain cybersecurity 
software and services that ``protect'' electronic health records.
---------------------------------------------------------------------------

    \71\ For instance, a secure log-in or encrypted access mechanism 
included with an EHR system or EHR software suite would be 
cybersecurity features of the EHR that are protected under the 
existing EHR safe harbor.
---------------------------------------------------------------------------

    In the 2006 Final EHR Safe Harbor Rule, we emphasized the 
requirement that software, information technology, and training 
services donated must be ``closely related to electronic health 
records'' and that the ``electronic health records functions must be 
predominant.'' We stated that ``[t]he core functionality of the 
technology must be the creation, maintenance, transmission, or receipt 
of individual patients' electronic health records,'' but, recognizing 
that the electronic health records software is commonly integrated with 
other features, we also stated that arrangements in which the software 
package included other functionality related to the care and treatment 
of individual patients would be protected. Under our proposal, the same 
criteria would apply to cybersecurity software and services: The 
predominant purpose of the software or service must be cybersecurity 
associated with the electronic health records.
    We note that we also are proposing a new safe harbor specifically 
to protect donations of cybersecurity technology and related services. 
As proposed, the cybersecurity safe harbor is broader and includes 
fewer conditions than the EHR safe harbor. However, we are proposing to 
expand the EHR safe harbor to expressly include cybersecurity software 
and services so that it is clear that an entity donating electronic 
health records software and providing training and other related 
services may also donate related cybersecurity software and services to 
protect the electronic health records. For clarity, we also propose to 
incorporate a definition of ``cybersecurity'' in this safe harbor that 
mirrors the definition we propose in the stand-alone cybersecurity safe 
harbor. A party seeking safe harbor protection needs to comply with the 
requirements of only one safe harbor. We solicit comments on this 
approach. In particular, with the addition of a stand-alone 
cybersecurity safe harbor, we solicit comments on whether it necessary 
to modify the EHR safe harbor to expressly include cybersecurity.
5. The Sunset Provision
    The EHR safe harbor originally was scheduled to sunset on December 
31, 2013. In adopting this condition of the EHR safe harbor, we 
acknowledged in the 2006 Final EHR Safe Harbor Rule ``that the need for 
a safe harbor for donations of electronic health records technology 
should diminish substantially over time as the use of such technology 
becomes a standard and expected part of medical practice.''
    In the 2013 notice of proposed rulemaking for an amendment to the 
EHR safe harbor (2013 Proposed Rule), we acknowledged that while 
electronic health record technology adoption had risen dramatically, 
use of such technology had not yet been universally adopted nation-
wide. Because continued electronic health record technology adoption 
remained an important Departmental goal, we solicited comments 
regarding an extension of the safe harbor. In response to those 
comments, in the 2013 Final EHR Safe Harbor Rule we extended the sunset 
date of the safe harbor to December 31, 2021, a date that corresponds 
to the end of the electronic health record Medicaid incentives. We 
stated our continued belief that as progress on this goal is achieved, 
the need for a safe harbor for donations should continue to diminish 
over time. Since publication of the 2013 Final EHR Safe Harbor Rule, 
however, numerous commenters have urged us to extend or make permanent 
the safe harbor at 42 CFR 1001.952(y). Specifically, commenters have 
suggested this modification in response to OIG's annual Solicitation of 
New Safe Harbors and Special Fraud Alerts, and also in response to the 
OIG RFI and the CMS RFI.
    While we acknowledge that widespread adoption of electronic health 
record technology, though not universal, largely has been achieved, we 
no longer believe that once this goal is achieved the need for a safe 
harbor for donations of such technology will diminish over time or 
completely disappear. New entrants into medical practice, coupled with 
aging EHR technology at existing practices and the emergence of new and 
better technology, necessitate the availability of this safe harbor to 
achieve the Department's policy objectives. Our experience indicates 
that the continued availability of the safe harbor plays a part in 
achieving the Department's goal

[[Page 55742]]

of promoting electronic health records technology adoption by providing 
certainty with respect to the cost of electronic health records items 
and services for recipients, and by encouraging adoption by physicians 
who are new entrants into medical practice or have postponed adoption 
based on financial concerns regarding the ongoing costs of maintaining 
and supporting an electronic health records system. Ongoing protection 
of electronic health record items and services donations would further 
new Department priorities and policies by allowing donors and 
recipients to ensure new technology is adopted that, for example, may 
improve the interoperability of electronic health information.
    We are proposing to eliminate the sunset provision at 42 CFR 
1001.952(y)(13). As an alternative to this proposed elimination of the 
sunset provision, we are considering an extension of the sunset date 
for the final rule. We seek comment on whether we should select a later 
sunset date instead of making the safe harbor permanent, and if so, 
what that date should be.
6. Definitions
    We are proposing to modify the definitions of ``interoperable'' and 
``electronic health record.'' In the 2006 Final EHR Safe Harbor Rule, 
we finalized these definitions based on then-current terminology, the 
emerging standards for electronic health records, and other resources 
cited by commenters. The following proposed modifications to these 
definitions are largely based on terms and provisions in the Cures Act 
that update or supersede terminology we used in the 2006 Final EHR Safe 
Harbor Rule.
    In the current note to paragraph (y) under 1001.952, ``electronic 
health record'' is defined as ``a repository of consumer health status 
information in computer processable form used for clinical diagnosis 
and treatment for a broad array of clinical conditions.'' We propose to 
modify the definition of ``electronic health record'' to mean: ``a 
repository of electronic health information that: (A) is transmitted by 
or maintained in electronic media; and (B) relates to the past, 
present, or future health or condition of an individual or the 
provision of healthcare to an individual.''
    The proposed revision to the definition of ``electronic health 
record'' is not intended to substantively change the scope of 
protection. We are proposing these modifications to this definition to 
reflect the term ``electronic health information'' that is used 
throughout the Cures Act and that is central to the definition of 
``interoperability'' at PHSA Sec.  3000(9) and the information blocking 
provision at PHSA Sec.  3022. Additionally, the ONC NPRM proposes a 
definition of ``electronic health information.'' \72\ We have based the 
proposed modifications, in part, on ONC's proposed definition of 
``electronic health information'' to reflect more modern terminology 
used to describe the type of information that is part of an electronic 
health record. We solicit comments on this updated definition.
---------------------------------------------------------------------------

    \72\ 84 FR 7424, 7513 (Mar. 4, 2019).
---------------------------------------------------------------------------

    In the note to paragraph (y) under 1001.952, the existing 
definition of ``interoperable'' means ``able to communicate and 
exchange data accurately, effectively, securely, and consistently with 
different information technology systems, software applications, and 
networks, in various settings, and exchange data such that the clinical 
or operational purpose and meaning of the data are preserved and 
unaltered.'' As explained in the 2006 Final EHR Safe Harbor Rule, this 
definition was based on 44 U.S.C. 3601(6) (pertaining to the management 
and promotion of electronic Government services) and several comments 
we received in response to the proposed rule that referenced emerging 
industry definitions and standards related to interoperability.\73\
---------------------------------------------------------------------------

    \73\ 71 FR 45110, 45126 (August 8, 2006).
---------------------------------------------------------------------------

    We propose to update the definition of the term ``interoperable'' 
to align with the statutory definition of ``interoperability'' added by 
the Cures Act to Section 3000(9) of the PHSA and as proposed in the ONC 
NPRM. We propose modifications to match the statutory definition and 
the ONC NPRM definition of ``interoperability.'' Consistent with PHSA 
Sec.  3000(9), we propose to define ``interoperable'' to mean able to: 
``(i) securely exchange data with, and use data from other health 
information technology without special effort on the part of the user; 
(ii) allow for complete access, exchange, and use of all electronically 
accessible health information for authorized use under applicable State 
or Federal law; and (iii) does not constitute information blocking as 
defined in 45 CFR part 171.'' The only difference between the statutory 
definition of ``interoperability'' and the definition in the ONC NPRM 
is the reference to the regulatory definition of ``information 
blocking'' in 45 CFR part 171, which we propose to adopt. We will work 
closely with ONC as they finalize the information blocking rule to 
ensure definitions align across the EHR safe harbor and the final 
information blocking regulations.
    We believe the statutory definition of ``interoperability'' 
includes similar concepts to the existing definition of 
``interoperable'' in the note to paragraph (y) (e.g., the ability to 
securely exchange data across different systems or technology). Two new 
concepts in the statutory definition are included in the proposed 
modification: (i) Interoperable means the ability to exchange 
electronic health information ``without special effort on the part of 
the user'' and (ii) interoperable expressly does not mean information 
blocking.\74\ As a practical matter, we believe these two concepts are 
not substantively different from the existing definition and only 
reflect an updated understanding of interoperability and related 
terminology. We solicit comments on the proposed definition that would 
align the definition of ``interoperable'' with the statutory definition 
of ``interoperability.''
---------------------------------------------------------------------------

    \74\ PHSA Sec.  3000(9); 42 U.S.C. 300jj(9).
---------------------------------------------------------------------------

    We also are considering linking the definition of ``interoperable'' 
with the proposed definition of ``interoperability'' at 45 CFR 170.102 
in the ONC NPRM \75\ if that proposed definition is finalized. We note 
that ONC's proposed regulatory definition of ``interoperability'' 
matches the statutory definition. However, linking the ONC regulatory 
definition of ``interoperability'' may allow for additional, future 
updates to be adopted by reference in the EHR safe harbor. We solicit 
comments on this proposal.
---------------------------------------------------------------------------

    \75\ 84 FR 7424, 7589 (Mar. 4, 2019).
---------------------------------------------------------------------------

    In the alternative, we are considering revising our regulations to 
eliminate the term ``interoperable'' and instead incorporate the term 
``interoperability'' and define this term by reference to section 
3000(9) of the PHSA and proposed in 45 CFR part 170. Under this 
alternative proposal, we would revise Sec.  1001.952(y)(2) to require 
donations of software to meet interoperability standards established 
under Title XXX of the PHSA and its implementing regulations. Software 
would be deemed to meet interoperability standards if, on the date it 
is provided to the recipient, it is certified by a certifying body 
authorized by ONC to health information technology certification 
criteria identified in 45 CFR part 170. We seek comment regarding 
whether using terminology identical to the PHSA and proposed ONC 
regulations would facilitate compliance with the requirements of the 
EHR safe harbor and reduce any regulatory burden resulting from the 
differences in the agencies'

[[Page 55743]]

different terminology related to the singular concept of 
interoperability.
    Finally, for ease of reference, we propose to amend the safe harbor 
by moving the undesignated definitions set forth in the note to 
paragraph (y) to a new paragraph (y)(14).
7. Additional Proposals and Considerations
a. 15-Percent Recipient Contribution
    In the 2006 Final EHR Safe Harbor Rule, we agreed with a number of 
commenters who suggested that cost sharing is an appropriate method to 
address some of the fraud and abuse risks inherent in unlimited 
donations of technology. Accordingly, we incorporated a requirement 
into 42 CFR 1001.952(y) that the recipient pays 15 percent of the 
donor's cost of the technology. We noted in the 2006 Final EHR Safe 
Harbor Rule that ``the 15 percent cost sharing requirement is high 
enough to encourage prudent and robust electronic health records 
arrangements, without imposing a prohibitive financial burden on 
recipients.'' Moreover, we stated, ``this approach requires recipients 
to contribute toward the benefits they may experience from the adoption 
of interoperable electronic health records (for example, a decrease in 
practice expenses or access to incentive payments related to the 
adoption of health information technology).''
    We are aware that the 15-percent contribution requirement has 
proven burdensome to some recipients and may act as a barrier to 
adoption of electronic health records technology. We understand that 
this burden may be particularly acute for small and rural practices 
that cannot afford the contribution. We also recognize that applying 
the 15-percent contribution requirement to upgrades and updates to 
electronic health record technology is restrictive and cumbersome and 
similarly may act as a barrier.
    We are not proposing specific amendments to the 15-percent 
contribution requirement at this time, and we are considering retaining 
this requirement without change in the final rule. However, we also are 
considering and solicit comments on the three alternatives to the 
existing requirement as outlined below. We solicit comment on each of 
the alternatives as separate proposed modifications to the contribution 
requirement.
    First, for purposes of the final rule, we are considering 
eliminating or reducing the percentage contribution required for small 
or rural practices. We specifically seek comment on whether and how we 
should eliminate or reduce the 15-percent contribution requirement as 
applied to a specific subset of recipients such as small or rural 
practices. In particular, we solicit comments on how ``small or rural 
practices'' should be defined. For example, we solicit comments on 
whether ``rural practices'' should be defined as those located in rural 
areas, as defined in the safe harbor for local transportation at 42 CFR 
1001.952(bb). We also solicit comments on whether ``small practices'' 
should be defined as those in medically underserved areas, as 
designated by the Secretary under section 330(b)(3) of the Public 
Health Service Act, or defined similarly to a ``small provider of 
services or small supplier'' as set forth in the requirements related 
to the electronic submission of Medicare claims at 42 CFR 424.32. We 
also are considering for the final rule and solicit comments on whether 
other subsets of potential recipients, for example critical access 
hospitals, should be exempted from the 15-percent contribution because 
it would impose a significant financial burden on the recipient.
    Second, and in the alternative, we are considering reducing or 
eliminating the 15-percent contribution requirement in this safe harbor 
for all recipients. We solicit comments regarding the impact this might 
have on the use and adoption of electronic health records technology, 
and any attendant risks of fraud and abuse. We are interested in 
specific examples of the prohibitive costs associated with the 15-
percent contribution requirement, both for the initial donation of 
electronic health records technology, and subsequent upgrades and 
updates to the technology.
    Finally, if we retain a 15-percent contribution requirement or 
reduce that contribution requirement for some or all recipients, we are 
considering modifying or eliminating the contribution requirement for 
updates to previously donated EHR software or technology. We solicit 
comments on this approach as well as what such a modification should 
entail. For example, we are considering requiring a contribution for 
the initial investment only, as well as any ``new'' modules, but not 
requiring a contribution for any update of the software already 
purchased. We solicit comments on these alternatives, or another 
similar alternative that would still involve some contribution but 
could reduce the uncertainty and administrative burden associated with 
assessing a contribution for each update.
b. Replacement Technology
    In the 2013 Final EHR Safe Harbor Rule, we highlighted one 
commenter's assertion that ``the prohibition on donating equivalent 
technology currently included in the safe harbor locks physician 
practices into a vendor, even if they are dissatisfied with the 
technology, because the recipient must choose between paying the full 
amount for a new system and continuing to pay 15 percent of the cost of 
the substandard system.'' The same commenter asserted that ``the cost 
difference between these two options is too high and effectively locks 
physician practices into electronic health record technology vendors.'' 
In the 2013 Final EHR Safe Harbor Rule, we responded that ``we continue 
to believe that items and services are not ``necessary'' if the 
recipient already possesses the equivalent items or services. We noted 
that providing equivalent items and services confers independent value 
on the recipient and noted our expectation that ``physicians would not 
select or continue to use a substandard system if it posed a threat to 
patient safety.''
    We appreciate that advancements in electronic health records 
technology are continuous, rapid, and sometimes prohibitively expensive 
for the purchaser of such technology, and that in some situations, 
replacement technology is appropriate. We are proposing to delete the 
condition that prohibits the donation of equivalent items or services 
at current 1001.952(y)(7) to allow donations of replacement electronic 
health records technology. We specifically seek comment as to whether 
deleting this condition is necessary, and in what situations 
replacement technology would be appropriate. We further solicit comment 
as to how we might safeguard against situations where donors 
inappropriately offer, or recipients inappropriately solicit, 
unnecessary technology instead of upgrading their existing technology 
for appropriate reasons.
c. Protected Donors
    We are considering expanding the group of entities that may be 
protected donors under the EHR safe harbor, for purposes of the final 
rule. As background, in the preamble to the 2006 Final EHR Safe Harbor 
Rule for the EHR safe harbor, we were mindful that broad safe harbor 
protection would significantly further the important public policy goal 
of promoting electronic health records, and thus concluded that the 
safe harbor should protect any donor that is an individual

[[Page 55744]]

or entity that provides patients with healthcare items or services 
covered by a Federal health care program and submits claims or requests 
for payment for those items or services (directly or pursuant to 
reassignment) to Medicare, Medicaid, or other Federal health care 
programs (and otherwise meets the safe harbor conditions).\76\ 
Notwithstanding this conclusion, we indicated that ``[w]e remain 
concerned about the potential for abuse by laboratories, durable 
medical equipment suppliers, and others'' and noted that ``[w]e intend 
to monitor the situation. If abuses occur, we may revisit our 
determination.'' \77\
---------------------------------------------------------------------------

    \76\ 71 FR 45127.
    \77\ Id. at 45128.
---------------------------------------------------------------------------

    In the 2013 Final EHR Safe Harbor Rule, we finalized a proposal to 
remove laboratory companies from the scope of protected donors under 
the safe harbor to address, among other things, potential abuse 
identified by some of the commenters involving potential recipients 
conditioning referrals for laboratory services on the receipt of, or 
redirecting referrals for laboratory services following, donations from 
laboratory companies, and general misuse of donations by donors to 
secure referrals.
    We remain concerned about the potential for fraud and abuse by 
certain donors that we articulated in the 2006 Final EHR Safe Harbor 
Rule and the 2013 Final EHR Safe Harbor Rule. However, in light of the 
Department's continued objective to advance the adoption of electronic 
health records technology, particularly as related to the Regulatory 
Sprint, and in response to certain comments received to the OIG RFI, we 
are considering expanding the scope of protected donors by eliminating 
or revising the requirement in 42 CFR 1001.952(y)(1)(i) that protected 
donors be limited to those who ``submit[ ] claims or requests for 
payment, either directly or through reassignment, to the Federal health 
care program.'' If we were to revise rather than eliminate the 
restriction, we are considering broadening it in the final rule to 
entities with indirect responsibility for patient care. This expansion 
would protect as donors, for example, entities like health systems or 
accountable care organizations that neither are health plans nor submit 
claims for payment. Certain commenters to the OIG RFI also recommended 
permitting any risk-bearing entity that participates in an Advanced APM 
entity under the Medicare Quality Payment Program (QPP) to be a donor. 
We are interested in understanding other types of entities and 
potential donors who would avail themselves of a broadening of the 
protected donors. In addition, we specifically solicit comments 
regarding the removal of this restriction and whether and how removal 
would impact the widespread adoption of electronic health records 
technology as well as comments regarding any attendant risks of fraud 
and abuse.

J. Personal Services and Management Contracts and Outcomes-Based 
Payment Arrangements (1001.952(d))

    We propose to modify the existing safe harbor for personal services 
and management contracts at 42 CFR 1001.952(d) to: (i) Substitute, for 
the requirement that aggregate compensation under these agreements be 
set in advance, a requirement that the methodology for determining 
compensation be set in advance; (ii) eliminate the requirement that, if 
an agreement provides for the services of an agent on a periodic, 
sporadic or part-time basis, the contract must specify the schedule, 
length, and the exact charge for such intervals; (iii) create a new 
paragraph (d)(2) to protect certain outcomes-based payments, as defined 
below; and (iv) to make certain technical changes. These proposals seek 
to modernize the safe harbor and respond to comments in response to the 
RFI that existing safe harbor requirements present barriers to certain 
care coordination and value-based arrangements.
1. Elimination of Requirement To Set Aggregate Compensation in Advance
    The existing safe harbor for personal services and management 
contracts requires that such agreements be for a term of at least 1 
year, and that the aggregate compensation be set in advance. In 
addition, the compensation must be consistent with fair market value in 
arm's-length transactions. Consistent with our existing safe harbor, 
compensation under personal services and management contracts may not 
be determined in a manner that takes into account the volume or value 
of any referrals or business otherwise generated between the parties 
for which payment may be made in whole or in part under Medicare, 
Medicaid or other Federal health care programs. Also, the aggregate 
services performed under the agreement must not exceed those which are 
reasonably necessary to accomplish the commercially reasonable business 
purpose of the services.\78\ The purpose of these requirements is to 
limit the opportunity to provide financial incentives in exchange for 
referrals.
---------------------------------------------------------------------------

    \78\ 42 CFR 1001.952(d)(4), (5) and (7).
---------------------------------------------------------------------------

    To provide the healthcare industry enhanced flexibility to 
undertake innovative arrangements, we are proposing to revise the safe 
harbor to remove the requirement at 42 CFR 1001.952(d)(5) that the 
``aggregate'' amount of compensation paid over the term of the 
agreement must be set forth in advance. To mitigate the risk of parties 
to the agreement periodically adjusting the compensation to reward 
referrals or unnecessary utilization, the proposed modification to the 
safe harbor would require the parties to an arrangement to determine 
the arrangement's compensation methodology in advance of the initial 
payment under the arrangement. In addition, under (d)(1) of our 
proposal, the safe harbor would continue to require that the 
compensation reflect fair market value, be commercially reasonable, and 
not take into account the volume or value of referrals or business 
otherwise generated between the parties.
    We anticipate this proposal would more closely align this safe 
harbor with the personal service arrangements exception to the 
physician self-referral law, 42 CFR 411.357(d).
2. Elimination of Requirement To Specify Schedule of Part-Time 
Arrangements
    We propose to eliminate the requirements set forth at 42 CFR 
1001.952(d)(3) relating to agreements for services provided on a 
periodic, sporadic, or part-time basis. This paragraph of the safe 
harbor requires contracts that provide for services on such a basis to 
specify ``exactly the schedule of such intervals, their precise length, 
and the exact charge for such intervals.'' Removing this requirement 
would afford parties additional flexibility in designing bona fide 
business arrangements, including care coordination and quality-based 
arrangements, where parties provide legitimate services as needed.
    The existing safe harbor requires part-time contractual 
arrangements between healthcare providers to specify their timing or 
duration because of our concern that such arrangements are especially 
vulnerable to abuse. Specifically, part-time arrangements could be 
readily modified based on changing referral patterns between the 
parties. However, we believe that existing safeguards under (d)(1) of 
our proposal would provide sufficient safeguards against the 
manipulation of these arrangements to reward referrals, namely: The 
term of the arrangement

[[Page 55745]]

must be not less than 1 year; the compensation terms must reflect fair 
market value, be commercially reasonable, and not take into account the 
volume or value of any referrals or business otherwise generated 
between the parties; and the methodology for determining compensation 
must be set in advance.
    As with our first proposal, we anticipate this proposal would more 
closely align this safe harbor with the personal service arrangements 
exception to the physician self-referral law, 42 CFR 411.357(d).
3. Proposal To Protect Outcomes-Based Payments
    We propose to protect outcomes-based payment arrangements in 
certain circumstances under proposed new paragraph (d)(2) and (d)(3). 
Our proposal is in response to the evolution of new payment models, 
such as shared savings, shared losses, episodic payments, gainsharing, 
and pay-for-performance, and recognizes that such arrangements may 
facilitate care coordination, encourage provider engagement across care 
settings, and promote the shift to value.
a. Outcomes-Based Payments
    We propose to define ``outcomes-based payment'' as payments from a 
principal to an agent that: (i) Reward the agent for improving (or 
maintaining improvement in) patient or population health by achieving 
one or more outcome measures that effectively and efficiently 
coordinate care across care settings; or (ii) achieve one or more 
outcome measures that appropriately reduce payor costs while improving, 
or maintaining the improved, quality of care for patients.
    We further propose that such payments would exclude any payments 
made, directly or indirectly, by a pharmaceutical manufacturer; a 
manufacturer, distributor, or supplier of DMEPOS; or a laboratory. Such 
payments would also exclude any payment that relates solely to the 
achievement of internal cost savings for the principal. We solicit 
comments on potential alternative definitions of the term ``outcomes-
based payment'' that would be consistent with the goals described in 
the preceding paragraphs of this preamble section. For example, we are 
considering for the final rule defining the term by reference to 
specific types of payments, such as those described as examples of 
outcomes-based payments below.
    Examples of outcomes-based payment arrangements could include 
shared savings payments, shared losses payments, gainsharing payments, 
pay-for-performance payments, or episodic or bundled payments. We are 
considering and solicit comments on whether, if we take this approach, 
we should further define specific types of payment arrangements that 
would qualify for this safe harbor in the final rule. To the extent we 
further define such arrangements, we are considering basing potential 
definitions on arrangements defined in various Innovation Center models 
and the Medicare Shared Savings Program. Such terms might include:
     ``Shared savings payment'' could be defined to mean a 
payment from a payor to a principal or the downstream payment by the 
principal to the agent of a share of payor savings realized from the 
agent's activities for a specified patient population. Shared savings 
payments encourage the use of the lowest cost service for the patient 
population to achieve certain desired health outcomes.
     ``Shared losses payment'' could be defined to mean a 
payment from a principal to a payor or from a downstream agent to a 
principal to repay the payor for a portion of the payor's losses 
incurred with respect to a specific patient population under a shared 
savings arrangement when a principal's expenditures for the patient 
population for the applicable performance period exceed specific 
performance benchmarks.
     ``Gainsharing payment'' could be defined to mean a payment 
from a principal to an agent to incentivize the agent to appropriately 
reduce healthcare costs (other than solely the principal's internal 
costs) for a specified patient population while achieving certain 
outcome measures in accordance with a principal's arrangement with a 
payor.
     ``Episodic or bundled payment'' could be defined to mean a 
payment from a payor to a principal or from a principal to a downstream 
agent for an episode of care across care settings for a specified 
patient population. This could include a retrospective bundled payment 
arrangement where actual healthcare expenditures of the payor and 
principal for the patient population are reconciled against a target 
price for an episode of care and a portion of such payment to the 
principal may be made to the agent or a prospectively determined 
bundled payment from the payor to the principal or a portion of such 
payment to the principal made to the agent that encompasses all 
healthcare services furnished by the principal and agent for the 
patient population during the episode of care.
     ``Pay-for-performance arrangement'' could be defined to 
mean a payment from a principal to an agent (or a payor to a principal) 
for the achievement of a legitimate cost, quality, or operational 
performance metric (e.g., bonus payment) on behalf of the principal for 
a specified patient population.
    We anticipate such outcomes-based payment arrangements would 
largely mirror, in concept, similar arrangements used in various 
Innovation Center models and the Medicare Shared Savings Program and 
would, more specifically, encompass examples like the following: (i) An 
ACO makes a ``shared savings'' payment to its member physicians, with 
such payments representing a percentage of payor savings generated by 
the ACO as a result of its members' efforts to reduce total patient 
care costs and improve quality; (ii) where an ACO incurs financial loss 
and is obligated to pay money to its payor, a hospital makes ``shared 
losses'' payments to the ACO, representing an agreed upon percentage of 
the ACO's loss; and (iii) a hospital and group of physicians and post-
acute care providers agree collectively to be paid by a payor for an 
episode of care (e.g., inpatient stay and 90 days post-discharge) and 
share among themselves the savings or losses generated against a 
benchmark. In some cases involving reconciliation, the hospital might 
be responsible for sharing any savings among its partners; in others, 
the hospital might be responsible for paying its partners for the 
services they furnish the patients under the episode.
    As noted previously, our proposed definition of ``outcomes-based 
payment'' excludes arrangements that relate solely to achievement of 
internal cost savings for the principal. For example, outcomes-based 
payment arrangements would not include arrangements that involve 
sharing in financial risk or gain only as it relates to the prospective 
payment systems for acute inpatient hospitals, home health agencies, 
hospice, outpatient hospitals, inpatient psychiatric facilities, 
inpatient rehabilitation facilities, long-term care hospitals, or SNFs. 
Although arrangements reimbursed by Federal health care programs under 
the prospective payment systems may create internal cost savings for a 
provider, the savings under the arrangement would not accrue to the 
payor.
    Thus, and for example, this safe harbor would not protect an 
outcomes-based payment arrangement between a hospital and physician 
group, where the parties share financial risk or gain only with respect 
to items or services

[[Page 55746]]

reimbursed to the hospital under the Medicare prospective payment 
system for acute inpatient hospitals. However, an outcomes-based 
payment arrangement that involves a hospital and physician group 
sharing financial risk or gain realized across care settings would be 
protected (e.g., for a patient's inpatient stay and the 60-day post-
discharge period), provided all safe harbor requirements were met.
b. Entities Not Included
    Based on our enforcement and oversight experience and as explained 
with respect to a similar exclusion in the definition of VBE 
participant in this proposed rule, we are proposing to exclude 
pharmaceutical manufacturers; manufacturers, distributors, and 
suppliers of DMEPOS; and laboratories from the proposed safe harbor for 
outcomes-based payments. As stated previously, we are concerned that 
these types of entities, which are heavily dependent upon practitioner 
prescriptions and referrals, might use outcomes-based payments 
primarily to market their products to providers and patients.
    As with the proposed definition of a VBE participant, we are also 
considering for the final safe harbor at 1001.952(d)(2) excluding 
pharmacies (including compounding pharmacies), PBMs, wholesalers, and 
distributors. We solicit comments about these proposed exclusions, as 
well as illustrative examples of beneficial or problematic outcomes-
based payment arrangements that might be excluded or included if we 
finalize some or all of these exclusions.
    We also are considering whether to more specifically target the 
final safe harbor on outcomes-based payment arrangements that further 
value-based care or care coordination by limiting protection for 
outcomes-based payment arrangements to VBE participants, as that term 
is defined in (ee)(12)(vi) of this proposed rule.
c. Collaboration and Outcomes-Based Payments
    As proposed, under the safe harbor conditions, all outcomes-based 
payments must be made between or among parties that are collaborating 
to measurably improve quality of patient care appropriately and 
materially reduce costs while maintaining quality, or both. Moreover, 
if specific services are to be performed, the agreement must specify 
all of the services the parties perform (or refrain from performing) to 
qualify for the outcomes-based payments. We are mindful that with some 
value-based payment arrangements, there may not be a direct correlation 
between the level or value of services provided by a particular 
recipient of payments and that party's share of savings or outcomes-
based payments (e.g., shared savings payments may be distributed on a 
basis unrelated to actual services provided). While the two 
requirements described do not expressly require that the outcomes-based 
payment arrangement include the provision of services (merely that the 
parties collaborate, and to the extent the parties' arrangement 
includes services, that they be documented), we anticipate that many 
arrangements would include a service component.
d. Safe Harbor Conditions
    Our proposal for outcomes-based payment arrangements includes safe 
harbor conditions, some of which mirror program integrity safeguards 
set forth in the existing personal services and management contracts 
safe harbor and some of which are new safeguards specific to outcomes-
based payment arrangements. As detailed below, our proposed safe harbor 
conditions are based on our experience with these types of arrangements 
through the advisory opinion process and the development of waivers for 
CMS models.
e. Goal of the Outcomes-Based Payment Arrangement
    As stated above, all outcomes-based payments must be made between 
or among parties that are collaborating to measurably improve quality 
of patient care (or maintain improvement); appropriately and materially 
reduce costs to, or growth in expenditures of, payors while improving 
or maintaining the improved quality of care; or both. We propose to 
limit safe harbor protection to outcomes-based payment arrangements 
that foster these two goals because we believe that such arrangements 
may best facilitate care coordination, encourage provider engagement 
across care settings, and promote the shift to value.
f. Outcome Measures
    We propose to require the parties to an arrangement to establish 
one or more specific evidence-based, valid outcome measures that the 
agent must satisfy to receive the outcomes-based monetary remuneration. 
This requirement largely mirrors the outcome-measure requirement in the 
proposed care coordination arrangements safe harbor at paragraph (ee), 
and we refer readers to the discussion of this requirement in the 
preamble above. That being said, we note certain key differences, such 
as: This proposed safe harbor requires satisfaction of an outcome 
measure to receive an outcomes-based payment, whereas the care 
coordination arrangements safe harbor requires monitoring and 
assessment related to such outcome measures; and the achievement of 
outcomes measures is not a prerequisite to the provision or use of in-
kind remuneration under the proposed safe harbor at paragraph (ee). 
Such differences are deliberate and due to the variations in type and 
scope of potential remuneration that could be exchanged under the 
respective safe harbors.
    For the proposed outcomes-based payment arrangements amendments to 
the safe harbor, outcome measures must relate to improving quality of 
patient care; appropriately and materially reducing costs to, or growth 
in expenditures of, payors while improving, or maintaining the improved 
quality of care for patients; or both. As an additional safeguard, 
parties must select outcome measures based upon clinical evidence or 
credible medical support.
    Any outcome measures established pursuant to the parties' 
arrangement must be measurable and valid, and such measures must 
promote improved quality or efficiencies in the delivery of care, or 
appropriate cost reduction. Measures that simply seek to reward the 
status quo would not meet this requirement. In some circumstances, we 
acknowledge that payment for the maintenance of high quality may be low 
risk (e.g., where an established ACO that has made demonstrable quality 
improvements over the course of several years seeks to reward its 
members to maintain such improvements). We solicit comments on whether, 
and if so how, we should protect such arrangements in the final rule 
without protecting arrangements that may be disguised payments for 
referrals. We are concerned that arrangements that reward the status 
quo are more likely to be mere payments for referrals.
    Because we believe the provision of monetary remuneration presents 
a higher risk of fraud and abuse than the provision of in-kind 
remuneration, we are considering for the final rule, and solicit 
comments on, whether to impose a different, potentially stricter 
standard for outcome measures in this proposed safe harbor than in the 
proposed care coordination arrangements safe harbor at paragraph (ee). 
To mitigate this risk, we propose to require the parties to regularly 
monitor and assess the agent's performance on each outcome measure 
under the agreement. This condition is similar to the assessment and

[[Page 55747]]

monitoring requirements in the care coordination arrangements safe 
harbor at paragraph (ee). For example, regularly monitoring and 
assessing the agent's performance could include: (i) Determining 
whether the arrangement has measurably improved quality of patient 
care, (ii) evaluating any deficiencies in the delivery of quality care, 
and (iii) measuring the agent's satisfaction of the specific, evidence-
based, valid outcome measure(s) in the outcomes-based arrangement.
    We recognize that outcomes-based payment arrangements may vary in 
structure and strive to provide flexibility for parties to design 
arrangements to achieve appropriate quality of patient care as well as 
appropriate efficiency and cost savings goals. However, we are 
proposing to include an express requirement that parties rebase the 
benchmark or outcome measure for outcomes-based payments periodically 
in outcomes-based payment arrangements where rebasing is feasible under 
paragraph (d)(2)(vii)(B). By ``rebasing'' we mean resetting the 
benchmark used to determine whether payments will be made to take into 
account improvements already achieved. We anticipate periodic 
``rebasing'' will prevent parties from inappropriately carrying over 
savings from previous performance periods or from receiving payments 
that do not reflect legitimate achievement of outcomes.
    This proposed requirement is intended to address a concern that 
``evergreen'' outcomes-based payment arrangements, in which outcome 
measures are not properly monitored or assessed, could be used as a 
vehicle to reward referrals well after the desired provider behavior 
change or savings benchmark has been met. Such perpetual arrangements 
might also fail to meet the proposed requirement that the measures be 
evidence-based. We are considering for the final rule, and solicit 
comments on, whether a specific timeframe within a specified 
performance period under the arrangement (e.g., 3 years) or a shorter 
(e.g., 1-year) or longer (e.g., 5-year) timeframe is appropriate and 
realistic for requiring parties to rebase the benchmarks for outcomes-
based payments. We solicit comments on the definition of ``rebase'' and 
when and how frequently rebasing would be necessary and appropriate to 
ensure that outcomes-based payments are based on valid, measurable 
outcomes, reducing the risk that the payments would be mere payments 
for referrals.
g. Methodology
    To increase transparency of outcomes-based payment arrangements, we 
propose that the methodology for determining the aggregate compensation 
(including any outcomes-based payments) paid between or among the 
parties over the term of the agreement is: Set in advance; commercially 
reasonable; consistent with fair market value; and not determined in a 
manner that directly takes into account the volume or value of any 
referrals or business otherwise generated between the parties for which 
payment may be made in whole or in part by a Federal health care 
program. We view these conditions as essential safeguards to ensuring 
any outcomes-based payment arrangement is not a vehicle to reward 
referrals and generate revenue but rather reflects a deliberate, 
collaborative effort by the parties to the arrangement to realize 
improved outcomes, cost savings to payors, or both.
    Because our proposed set-in-advance and commercially reasonable 
requirements are consistent with our existing personal services 
arrangement and management contracts safe harbor (as proposed to be 
amended with respect to the set-in-advance requirement), we do not 
address these requirements here in further detail. We discuss our 
proposed fair market value and volume or value conditions below.
i. Fair Market Value
    We propose that the methodology for determining the aggregate 
compensation (including any outcomes-based payments) paid between or 
among the parties over the term of the agreement be consistent with 
fair market value. We acknowledge our proposed aggregate fair market 
value requirement may pose challenges to the extent there are not 
industry standards yet developed to determine fair market value for 
some outcomes-based payment arrangements in the value-based care arena 
and because we understand that some of the outcomes-based payment 
arrangements we propose to protect do not necessarily correlate 
payments with actual services performed (and in some cases, reward not 
performing services).
    Nonetheless, we anticipate the industry will evolve and adapt to 
assess fair market value for value-driven outcomes-based payment 
arrangements, even where the provision of traditional services may be a 
less prominent component. We solicit comments on this approach. We are 
considering for the final rule whether we should take a different 
approach (including whether to value outcomes-based payments separately 
from other compensation or whether to substitute the fair market value 
requirement with a different safeguard that would help ensure that 
payments are for legitimate participation in arrangements that drive 
value-based care and are not merely disguised payments for referrals).
ii. Volume or Value of Referrals
    We propose to require that the compensation methodology for 
determining the outcomes-based payment not be determined in a manner 
that directly takes into account the volume or value of referrals or 
other business generated between the parties. We recognize that to 
incentivize care coordination and appropriate behavioral changes 
through outcomes-based payments, parties may need to establish payment 
methodologies that at least indirectly take into account the volume or 
value of referrals or other business generated between the parties. We 
believe it should be possible to structure payments so that they do not 
directly take into account the volume or value of referrals of other 
business.
h. Writing and Monitoring
    We propose that the outcomes-based payment be made between or among 
parties that are collaborating, pursuant to a written agreement signed 
by the parties in advance of, or contemporaneous with, the commencement 
of the terms of the outcomes-based payment arrangement. We further 
propose that the written agreement specify all of the services the 
parties would perform for the term of the agreement. As detailed in the 
above section, while this does not mandate that parties to an outcomes-
based payment arrangement include services, if services are furnished 
pursuant to the parties' arrangement, such services must be documented 
in writing.
    We further propose to require that the written agreement include 
the outcome measure(s), the evidence-based data or information upon 
which the parties relied to select the outcome measure(s), and the 
schedule for the parties to regularly monitor and assess the outcome 
measure(s). In addition to the writing requirements set forth in 
(d)(2)(viii), parties may consider documenting and retaining such 
documentation necessary to demonstrate compliance with each prong of 
this safe harbor. For example, the parties may document payments made 
pursuant to the outcomes-based payment arrangement and data showing the 
agent's achievement of the outcome measure(s).

[[Page 55748]]

i. Impact on Patient Quality of Care
    Properly structured and operated, outcomes-based payments hold the 
potential to improve the delivery of care; however, when improperly 
structured and operated, they hold the potential to incentivize 
behavior harmful to patients, such as stinting on care 
(underutilization), cherry picking lucrative or adherent patients, or 
lemon dropping costly or noncompliant patients.\79\ Accordingly, we are 
proposing to require that the agreement neither limits any party's 
ability to make medically appropriate decisions for patients, nor 
induces the reduction of medically necessary services.
---------------------------------------------------------------------------

    \79\ We note that section 1128A(b)(1) of the Act (the 
``Gainsharing CMP'') prohibits a hospital from knowingly making 
payments, directly or indirectly, to a physician to induce the 
physician to reduce or limit medically necessary services to 
Medicare or Medicaid beneficiaries who are under the physician's 
direct care. Hospitals that make (and physicians who receive) 
payments prohibited by this provision are liable for civil money 
penalties for each patient for which the prohibited payment was 
made. However, our proposed condition is in recognition that other 
parties, besides hospitals and physicians, may seek protection under 
this safe harbor.
---------------------------------------------------------------------------

j. Additional Safeguards
    We propose that the term of the agreement is not less than 1 year 
and that the services performed under the agreement do not involve the 
counseling or promotion of a business arrangement or other activity 
that violates any State or Federal law. These conditions are identical 
to those included in the personal services and management contracts 
safe harbor.
k. Technical Modifications
    Due to the proposed additions of paragraphs (d)(2) and (d)(3), 
setting forth provisions on outcomes-based payments and definitions, we 
propose to move the existing personal services and management contracts 
provisions, as proposed to be amended in this rulemaking, to a new 
paragraph (d)(1).

K. Warranties (1001.952(g))

    In an effort to update the existing safe harbor for warranties at 
42 CFR 1001.952(g) and to promote higher value items covered by 
warranties, we propose to modify the safe harbor to: (i) Protect 
warranties for one or more items and related services upon certain 
conditions; (ii) exclude beneficiaries from the reporting requirements 
applicable to buyers; and (iii) define ``warranty'' directly and not by 
reference to 15 U.S.C. 2301(6). We also propose to make a technical 
correction to paragraph (3)(i) to change the text from ``paragraphs 
(a)(1) and (a)(2) of this section'' to ``paragraphs (g)(1) and (g)(2) 
of this section.'' For ease of reference, we propose to amend the safe 
harbor by moving the undesignated definition at the end of the safe 
harbor to a new paragraph (g)(7).
1. Bundled Warranties
    The warranties safe harbor protects remuneration consisting of 
``any payment or exchange of anything of value under a warranty 
provided by a manufacturer or supplier of an item to the buyer (such as 
a health care provider or beneficiary) of the item,'' as long as the 
buyer and seller comply with the safe harbor's requirements.\80\ We 
confirmed in Advisory Opinion No. 18-10 that this safe harbor applies 
only to warranties for a single item and not to bundled items.\81\ We 
received comments in response to the OIG RFI requesting revisions to 
the warranties safe harbor to protect warranty arrangements that 
pertain to bundled items and services. Commenters suggested that such 
revisions would promote beneficial and innovative arrangements. Based 
on these comments, other input OIG has received, and our own 
consideration of the potential benefits of expanding the warranties 
safe harbor to foster value, we propose to revise the safe harbor to 
protect bundled warranties for one or more items and related services, 
when certain conditions are met. This modification would allow 
manufacturers and suppliers to warrant that a bundle of items or one or 
more items in combination with related services, such as product 
support services, will meet a specified level of performance under a 
warranty agreement.
---------------------------------------------------------------------------

    \80\ 42 CFR 1001.952(g).
    \81\ Adv. Op. No. 18-10, available at https://www.oig.hhs.gov/fraud/docs/advisoryopinions/2018/AdvOpn18-10.pdf.
---------------------------------------------------------------------------

    We believe this proposed modification could promote beneficial 
arrangements between sellers and buyers by allowing them to enter into 
warranty arrangements conditioned on the collective value of the 
warranted items and related services. We also believe this proposed 
modification could enhance the use and utility of warranted items by 
protecting warranties that encompass services, such as support and 
educational services. For example, this proposed modification would 
protect arrangements such as the one at issue in Advisory Opinion No. 
01-08, where the requestor operated a warranty program covering wound 
care products and certain related support services, such as access to a 
wound specialist and an online wound documentation system, that the 
requestor made available to buyers of its products.\82\
---------------------------------------------------------------------------

    \82\ Adv. Op. No. 01-08, available at https://www.oig.hhs.gov/fraud/docs/advisoryopinions/2001/ao01-08.pdf. OIG acknowledged that 
the arrangement at issue in advisory opinion number 01-08 implicated 
the anti-kickback statute and did not fit in the warranties safe 
harbor but approved the arrangement on the basis that it presented a 
sufficiently low risk of fraud and abuse under the anti-kickback 
statute.
---------------------------------------------------------------------------

a. Inclusion of Services in Bundled Warranties
    We are proposing to protect warranty arrangements that apply to one 
or more items and services (provided the warranty covers at least one 
item). This modification would allow manufacturers and suppliers to 
warrant that certain services, in combination with one or more items, 
will result in a specified level of performance.\83\ We are mindful 
that the provision of certain warranted services, such as medication 
adherence services by manufacturers and suppliers, could increase the 
risk of patient harm and inappropriate utilization because 
manufacturers and many suppliers do not necessarily have direct patient 
care responsibilities and thus may not have the same patient safety 
considerations that physicians and providers with direct patient care 
responsibilities have. Using medication adherence services offered by 
drug manufacturers as an example, we are concerned that manufacturers 
may promote patients' adherence to

[[Page 55749]]

prescribed medications, even when a patient is experiencing harmful 
side effects, or the medication is not achieving the purpose for which 
it was prescribed. Because manufacturers have financial incentives for 
patients to use and reorder their medications but do not have the 
medical expertise the prescribing physicians have to determine whether 
continued use of medications is clinically appropriate for a specific 
patient, medication adherence services offered by manufacturers, such 
as phone or message communications directing patients to take their 
medications, could result in patient harm or inappropriate utilization 
of drugs.
---------------------------------------------------------------------------

    \83\ We clarify that our proposed changes would not protect free 
or reduced-price items or services that sellers provide either as 
part of a bundled warranty agreement or ancillary to a warranty 
agreement. Whether a seller's provision of free or reduced-price 
items or services in connection with a warranty arrangement would 
implicate and potentially violate the anti-kickback statute would 
depend on whether other safe harbor protection exists for the 
arrangement, and if not, whether those items or services have 
independent value to a buyer other than for purposes of determining 
whether the terms of a warranty have been met. For example, 
laboratory testing required for patient care may be necessary to 
determine if a warranted outcome was achieved, but the laboratory 
test would have independent value to the buyer. A seller's provision 
of laboratory testing for free or at a reduced charge as part of a 
warranty agreement would implicate the anti-kickback statute. 
Additionally, the provision of medication adherence services for 
free or below fair market value would implicate the anti-kickback 
statute. In contrast, if sellers provide items and services with no 
independent value to a buyer, other than to determine whether the 
conditions of a warranty have been satisfied, the items and services 
may not constitute remuneration under the anti-kickback statute, and 
thus, may not implicate the statute. See OIG Compliance Program 
Guidance for Pharmaceutical Manufacturers, 68 FR 23731, 23735 (May 
5, 2003), for a discussion of pharmaceutical manufacturers' 
provision of limited support services tailored to the manufacturers' 
products that may not implicate the anti-kickback statute.
---------------------------------------------------------------------------

    We are considering safeguards we could include in the final rule to 
protect against these risks, such as a safeguard that would prohibit 
direct patient outreach by a seller offering a warranty but that would 
allow the seller to pay an independent intermediary to perform services 
that require direct patient outreach, as long as compensation for the 
patient outreach services is not tied to the volume or value of any 
warranted item used by the patient.
    Our proposed expansion of this safe harbor does not protect 
warranties covering only services. We believe warranties for services 
that are not tied to one or more related items could present heightened 
fraud and abuse risks. Manufacturers and suppliers could warrant that 
services will achieve certain clinical goals and offer remuneration to 
induce referrals from referral sources under the guise of warranty 
remedies. The services manufacturers and suppliers may offer could take 
many different forms, and it may be difficult to verify whether 
services, which can more subjective in nature than items, failed to 
achieve the clinical goals established by a warranty arrangement. 
Additionally, because the services subject to a warranty may not be 
federally reimbursable, it may be difficult to determine whether the 
services being warranted are bona fide services or sham services 
offered as part of a warranty agreement and designed to transfer 
remuneration to referral sources upon the failure of such services to 
achieve the warranted result. If physicians, for example, could warrant 
that their services will achieve certain clinical results, the 
potential to receive money as a warranty remedy may induce patients to 
select physicians offering warranties over other physicians, 
particularly where the clinical results being warranted are not easily 
achievable, regardless of which physician a patient selects. We are 
considering for the final rule extending safe harbor protection for 
warranties applying only to services if sufficient safeguards exist to 
mitigate these risks, and we are soliciting comments on the potential 
fraud and abuse risks that may arise if we expand the safe harbor to 
include services-only warranties and potential safeguards to mitigate 
these risks.
b. Conditions on Bundled Warranties
    We propose to impose the following conditions on bundled warranty 
arrangements: (i) All federally reimbursable items and services subject 
to bundled warranty arrangements must be reimbursed by the same Federal 
health care program and in the same payment; (ii) a manufacturer or 
supplier must not pay any individual (other than a beneficiary) or 
entity for any medical, surgical, or hospital expense incurred by a 
beneficiary other than for the cost of the items and services subject 
to the warranty; and (iii) manufacturers and suppliers cannot condition 
bundled warranties on the exclusive use of one or more items or 
services or impose minimum-purchase requirements of any items or 
services. We believe these requirements would promote beneficial 
arrangements while protecting beneficiaries and the Federal health care 
programs from harmful practices, such as inappropriate utilization and 
product steering, as explained below.
c. Requirement for Federally Reimbursable Items and Services Subject to 
Bundled Warranty Arrangements To Be Reimbursed by the Same Federal 
Health Care Program and in the Same Payment
    Under a new paragraph (5), we propose to require that all federally 
reimbursable items and services subject to the bundled warranty be 
reimbursed by the same Federal health care program and in the same 
payment. This requirement would be satisfied when federally 
reimbursable items and services subject to a bundled warranty are 
reimbursed by, for example, the same Part A Medicare Severity-Diagnosis 
Related Group (MS-DRG) payment, the same Medicare Part B ambulatory 
payment classification payment, or the same Medicaid managed care 
payment. Allowing sellers to bundle items and services reimbursed by 
different Federal health care program payments could create incentives 
for overutilization or inappropriate utilization of items and services 
included in the bundle. Unlike bundled payments, such as MS-DRG 
payments, payments that reimburse providers separately for each item 
and service they order do not incentivize providers to contain their 
costs because the providers would receive reimbursement for each 
discrete item and service they order, regardless of whether those items 
and services present the best value. Without cost-containment 
incentives, providers may order devices or drugs subject to a bundled 
warranty, regardless of whether lower-cost, equally effective devices 
or drugs are available, because providers would be reimbursed 
separately for each item and reimbursable service and could be eligible 
to receive the full cost of the separately billed items and 
reimbursable services in the bundle if even one item or reimbursable 
service fails to perform as expected.
    We believe these risks are mitigated when bundled warranties apply 
only to federally reimbursable items and services that are reimbursed 
by the same Federal health care program payment, such as under an MS-
DRG payment. However, we are aware that bundled warranties could result 
in barriers to entry for certain manufacturers and suppliers that 
cannot offer bundled warranties, and we are considering for the final 
rule, and solicit comments on, additional safeguards we should include 
to limit the potential anti-competitive effects that bundled warranties 
may have in the drug and device markets. Additionally, we solicit 
specific examples where the protections we propose would not be 
sufficient to protect against anti-competitive conduct.
    We recognize that the proposed requirement above might inhibit 
warranties conditioned on the collective performance of warranted items 
across a patient population (population-based warranties) because these 
items would not be reimbursed in the same payment. We are considering 
whether, and if so, how, we might craft the safe harbor to allow for 
population-based warranties without creating risks of increased costs 
to the Federal health care programs, as described above. For example, 
we are considering for the final rule whether we could require that all 
items and services be reimbursed according to the same payment 
methodology, but not necessarily the same payment, to allow for 
population-based warranties. We solicit comments on this approach and 
the potential benefits and fraud and abuse risks it may present. We 
note that retrospective reconciliation payments, such as those often 
used under the Innovation Center payment models, would not constitute 
one payment, as required under our proposal, when the reconciliation 
payments are paid to one entity but are not direct payment for

[[Page 55750]]

items and services provided only by that entity.
    In addition, we are considering for the final rule, and seek 
comments on, whether we should include any exceptions to the 
requirement that all federally reimbursable items and services subject 
to a bundled warranty be paid by the same payment, such as when bundled 
items are reimbursed according to the same payment under the Medicare 
program but are reimbursed separately under Medicaid. For example, in 
Advisory Opinion No. 18-10, we noted that the items subject to the 
requestor's warranty program were reimbursable under the same MS-DRG 
payment but potentially were separately reimbursable under certain 
states' Medicaid programs. We encourage commenters to provide specific 
examples where an exception may be needed.
2. Capped Amount of Warranty Remedies; Prohibition on Exclusivity and 
Minimum-Purchase Requirements
    We propose to modify paragraph (4) of the safe harbor by limiting 
the remuneration a manufacturer or supplier may pay to any individual 
(other than a beneficiary) or entity for any medical, surgical, or 
hospital expense incurred by a beneficiary to the cost of the items and 
services subject to the warranty. We view this limitation as an 
important protection against manufacturers and suppliers providing 
excessive remuneration to induce further business. In a new paragraph 
(6), we also propose to prohibit manufacturers and suppliers from 
conditioning warranties on the exclusive use of one or more items or 
services and from imposing minimum-purchase requirements of any items 
or services. We view such steering practices as highly problematic and 
solicit comments on the prevalence of these practices in warranty 
arrangements. We also solicit comments on the effectiveness of the 
proposed safeguards in preventing or mitigating fraud and abuse risks, 
as well as additional safeguards we could impose.
3. Reporting Requirements
    Stakeholders have expressed concern that the reporting requirements 
under the safe harbor may not allow for outcomes-based warranty 
arrangements in which buyers could receive return payments from 
manufacturers over several years if a therapy does not meet clinical 
outcomes at designated points in time. We solicit comments on any 
burden the current reporting requirements impose and the need for more 
flexible reporting requirements under the safe harbor to better 
facilitate warranties tied to clinical outcomes. We understand that 
delayed reporting may be necessary when, for example, the efficacy of a 
drug therapy may not be known for several years after the initial 
purchase. We are considering ways in which we could modify the 
reporting requirements under the safe harbor to accommodate outcomes-
based warranty arrangements while protecting the Government's interest 
in having an accurate and timely report of any price reductions a 
seller offers a buyer under a warranty arrangement protected by the 
safe harbor. We also propose to expressly exclude beneficiaries from 
the reporting requirement applicable to other buyers since 
beneficiaries do not report costs to the Government.
4. Definition of ``Warranty''
    We propose to define ``warranty'' directly and not by reference to 
15 U.S.C. 2301(6). The Magnuson-Moss Act enacted 15 U.S.C. 2301, which 
in paragraph (6) defines ``written warranty'' in connection with the 
sale of a ``consumer product.'' However, courts have held that an item 
regulated under the Federal Food, Drug, and Cosmetic Act is not a 
``consumer product'' for purposes of the Magnuson-Moss Act.\84\ The 
reference to 15 U.S.C. 2301(6) in the definition of ``warranty'' 
therefore creates unintentional ambiguity as to whether the safe harbor 
covers warranties for drugs and devices regulated under the Federal 
Food, Drug, and Cosmetic Act. We propose revisions to the definition of 
``warranty'' to clarify that the warranties safe harbor applies to FDA-
regulated drugs and devices.
---------------------------------------------------------------------------

    \84\ See, e.g., Kanter v. Warner-Lambert Co., 99 Cal. App. 4th 
780, 798 (2002); Goldsmith v. Mentor Corp., 913 F. Supp. 56, 63 
(D.N.H. 1995); Kemp v. Pfizer, Inc., 835 F. Supp. 1015, 1024-25 
(E.D. Mich. 1993).
---------------------------------------------------------------------------

    We propose a definition for ``warranty'' that largely models the 
definition in 15 U.S.C. 2301(6) but replaces references to a 
``product,'' where applicable, with ``item or bundle of items, or 
services in combination with one or more related items,'' to allow for 
single-item and bundled warranties. Additionally, the proposed 
definition substitutes references to the ``material'' of a product with 
``quality'' to reflect the inclusion of warranted services in addition 
to items. The proposed definition of ``warranty'' continues to include 
a ``written affirmation of fact or written promise [that] affirms or 
promises that [items and services] . . . will meet a specified level of 
performance over a specified period of time.'' We interpret this 
provision to provide protection for warranty arrangements conditioned 
on clinical outcome guarantees, provided the warranty arrangements meet 
all the safe harbor's requirements.

L. Local Transportation (1001.952(bb))

    Increasingly, experts are recognizing the important role 
transportation plays in patient access to care, quality of care, 
healthcare outcomes, and effective coordination of care for patients, 
particularly for patients who lack their own transportation or who live 
in ``transportation deserts.'' As part of this rulemaking, we are 
revisiting certain provisions of the existing safe harbor for local 
transportation at 42 CFR 1001.952(bb) and, as described above, 
proposing new safe harbor protection for certain patient engagement 
tools and supports. The proposed patient engagement and support safe 
harbor would include transportation services for patients that meet the 
proposed safe harbor requirements.
    We propose to modify the existing safe harbor for local 
transportation at 42 CFR 1001.952(bb) to: (i) Expand the distance which 
residents of rural areas may be transported; and (ii) remove any 
mileage limit on transportation of a patient from a healthcare facility 
from which the patient has been discharged to the patient's residence.
    For purposes of clarification, we also provide guidance on the 
application of the safe harbor to transportation through ride-sharing 
services. We are not proposing to amend the safe harbor to explicitly 
include such services, because we believe that nothing in the existing 
language excludes them from protection.
    Finally, for ease of reference, we propose to amend the safe harbor 
by moving the undesignated definitions set forth in the note to 
paragraph (bb) to a new paragraph (bb)(3).
1. Expansion of Mileage Limit for Patients Residing in Rural Areas
    The safe harbor provides that transportation is protected if 
provided ``[w]ithin 25 miles of the health care provider or supplier to 
or from which the patient would be transported, or within 50 miles if 
the patient resides in a rural area, as defined in this paragraph 
(bb).'' \85\ In response to the OIG RFI, some commenters stated that 
the 50-mile limit for residents of rural areas is insufficient, as many 
rural residents need to travel more than 50 miles to obtain medically 
necessary services. Accordingly, we are proposing to increase the limit 
on transportation of residents of rural communities to 75

[[Page 55751]]

miles, but we solicit comments on whether an increase to 75 miles is 
sufficient. We urge commenters to provide data or other evidence to 
support the most appropriate distance for the purposes of this 
rulemaking. We request that commenters provide specific information, if 
available, about the patients within the commenters' communities or 
service areas who cannot obtain care within the existing distance 
limits. We also seek comments on how an entity would provide 
transportation over distances in excess of 50 miles (e.g., by shuttle, 
as defined in the existing safe harbor), ride-sharing programs, 
reimbursement of mileage, reimbursement of bus or taxi fare, or other 
means. Such information will assist us in determining whether an 
increased distance limit is necessary and practical and whether it is 
likely to be subject to abuse. While the current safe harbor does not 
require any showing of need on the part of patients, we solicit 
comments on whether the final rule should protect transportation in 
excess of the current limits only where there is a demonstration of 
financial, medical, or transportation need. We also solicit comments on 
what safeguards would be necessary to prevent abuse of an expansion of 
these limits for rural or other patients.
---------------------------------------------------------------------------

    \85\ 42 CFR 1001.952(bb)(1)(iv)(B).
---------------------------------------------------------------------------

2. Elimination of Distance Limit on Transportation of Discharged 
Patients
    Comments on the OIG RFI and other information raise concerns about 
patients discharged from healthcare facilities who do not have a ride 
home. In some cases, these patients have been brought to the facility 
from a great distance. Some patients in behavioral health facilities 
are brought to the facility over long distances by law enforcement 
personnel. Commenters urged that the local transportation safe harbor 
be expanded to protect facilities that want to provide safe 
transportation home.
    We agree that transportation home after discharge from an inpatient 
facility does not pose the same level of risk of inducing patient 
referrals as transportation to the facility. Accordingly, we are 
proposing to eliminate any distance limit on transportation of a 
patient who has been discharged from a facility after admission as an 
inpatient, regardless of whether the patient resides in an urban or 
rural area, if the transportation is to the patient's residence, 
another residence of the patient's choice (such as the residence of a 
friend or relative who is caring for the patient post-discharge). We 
are also considering protecting transportation to any location of the 
patient's choice, including to another healthcare facility. We are 
soliciting comment on the fraud and abuse risks that may arise from 
permitting transportation to another healthcare facility. In addition, 
we are considering for the final rule whether, and under what 
circumstances, transportation home or to another facility should be 
protected when a patient has not been admitted to an inpatient 
facility. For example, we are soliciting comments on whether 
transportation should be protected after a patient has been seen in the 
emergency room, under observation status at a hospital for an extended 
period, but not admitted, or after a procedure at an ambulatory surgery 
center (ASC). If transportation is protected under these circumstances, 
we welcome comments on what limitations should be imposed (e.g., 
observation status at a hospital for at least 24 hours, or a procedure 
at an ASC or medical condition evaluated or treated at an emergency 
department that results in a patient being unable to travel home safely 
unaccompanied).
    The safe harbor does not require an entity to offer transportation 
to patients, and an entity may impose its own mileage limits on any 
transportation offer, as long as it imposes such limits consistently 
and makes the transportation available without regard to the volume or 
value of Federal health care program business. For example, the entity 
sponsoring the transportation cannot offer the transportation only to 
facilities affiliated with it.
    As with our proposal to increase the mileage limit for 
transportation of rural patients, we solicit comments on whether 
transportation of discharged patients, if in excess of otherwise 
applicable safe harbor mileage limits, should be limited to patients 
with demonstrated need (either financial need or transportation need), 
and if so, what standards should apply to such demonstration of need. 
Finally, we solicit comments on whether, if this proposal to eliminate 
any mileage limit for discharged patients is adopted, there remains a 
need to increase the distance limit for transportation of patients who 
reside in rural areas.
3. Local Transportation for Health-Related, Non-Medical Purposes
    In the preamble to the final rule establishing the local 
transportation safe harbor, we declined to extend safe harbor 
protection to transportation for purposes other than to obtain 
medically necessary items or services, although we noted that a shuttle 
service protected by the safe harbor could make stops at locations that 
do not relate to a particular patient's medical care. We also stated 
that we would consider in a future rulemaking whether permitting 
transportation to non-medical services that are part of care 
coordination arrangements or are related to improving healthcare would 
be appropriate.\86\
---------------------------------------------------------------------------

    \86\ See 81 FR 88368, 88384 (Dec. 7, 2016).
---------------------------------------------------------------------------

    In response to the OIG RFI, we received comments suggesting that 
the local transportation safe harbor should protect transportation for 
non-medical purposes that may nevertheless improve or maintain health. 
Such transportation might be to food stores or food banks, social 
services facilities (such as to apply for food stamps or housing 
assistance), exercise facilities, or chronic disease support groups, 
for example. In many cases, such transportation might help address both 
patients' health outcomes as well as social determinants of health, 
such as transportation, nutrition, and housing. We are considering 
including non-medical purposes in the final safe harbor, and we seek 
comments on whether and how the safe harbor could be expanded in this 
manner to foster innovative arrangements that are likely to improve 
health outcomes and address non-medical needs that significantly 
influence those outcomes, without creating an unacceptable risk of 
fraud and abuse, such as inducing beneficiaries to receive unnecessary 
healthcare items and services. We are considering whether such 
expansion of the safe harbor should be limited to certain beneficiary 
populations, such as chronically ill patients, or to patients who are 
being discharged from a hospital or other facility. Responses to this 
solicitation of comments will inform our consideration of potentially 
extending this safe harbor in the final rule to include these 
arrangements or potentially protecting arrangements in the patient 
engagement and support safe harbor, if finalized.
    Elsewhere in this rulemaking, we are proposing a new safe harbor 
for patient engagement tools and supports provided by VBE participants, 
which could include transportation for health-related, non-medical 
purposes. The protection of this safe harbor would not be available 
outside the context of a VBE, however, since the proposed safe harbor 
limits protection to patient engagement tools and supports furnished by 
VBE participants. We refer commenters to the standards and safeguards 
proposed for the separate safe harbor for patient engagement tools and 
supports (proposed at

[[Page 55752]]

1001.952(hh)), and we solicit comments on whether these standards and 
safeguards are also appropriate for the local transportation safe 
harbor, to the extent that were to apply to transportation for non-
medical purposes. In addition, we seek comments on whether an extension 
of the local transportation safe harbor in this manner is needed or 
appropriate, if the proposed separate safe harbor for patient 
engagement and support offered by VBE participants is adopted (proposed 
1001.952(hh)).
4. Use of Ride-Sharing Services
    We are aware that some entities are providing transportation for 
medical items and services through the use of ride-sharing services. As 
we understand the use of these services, a hospital, for example, could 
arrange with a ride-sharing service to provide rides for its patients, 
for which the hospital would be billed. We are aware that some members 
of the public may be uncertain about the application of the safe harbor 
in these circumstances.
    In the preamble to the final rule establishing the local 
transportation safe harbor, we noted the possibility that patient 
transportation would be provided via taxi.\87\ Although we did not 
explicitly refer to ride-sharing services, we see no difference between 
these services and taxis, for purposes of the safe harbor. We believe 
that nothing in the language of the safe harbor precludes their use. 
(By the same logic, the safe harbor does not preclude transportation 
via self-driving cars or other similar technology that serve as a taxi 
service, should they become available.) We invite any commenters who 
disagree to provide comments explaining the possible basis for the 
exclusion of ride-sharing programs from protection from the existing 
safe harbor. If we find such comments persuasive, we will consider an 
amendment to the safe harbor to explicitly protect transportation 
through ride-sharing programs.
---------------------------------------------------------------------------

    \87\ 81 FR at 88387.
---------------------------------------------------------------------------

    We note, however, that the same safe harbor requirements that apply 
to other forms of transportation also apply to transportation provided 
by ride-sharing services. These include the requirement that the 
availability of free or discounted transportation not be advertised. A 
taxi company, ride-sharing service, or other provider of transportation 
could advertise that it provides transportation to medical appointments 
and suggest contacting medical providers to determine if free or 
discounted transportation is available to their facilities. It cannot, 
however, advertise that it provides free or discounted transportation 
to a particular healthcare provider or group of providers. Such 
customer-specific advertising is within the control of the customer to 
prohibit, and therefore would be imputed to the customer (i.e., the 
entity paying for the transportation, regardless of whether that entity 
pays for the advertising), thus disqualifying the arrangement from safe 
harbor protection.
    To the extent that the ride-sharing service provides services other 
than transportation for the purpose of obtaining medical care, such 
services would not be protected by the safe harbor. Like a taxi driver, 
a ride-share driver could assist a patient in getting from a residence 
into a vehicle and from a vehicle into a medical provider's facility, 
and this could include assisting the patient with a wheelchair, oxygen 
equipment, or the like. This would be considered part of the 
transportation service. In addition, a ride-sharing driver, taxi 
driver, or shuttle could, for example, provide the patient with 
transportation from a physician's office or hospital to a pharmacy, for 
the purpose of obtaining a prescription (a medically necessary item) 
before taking the patient home. As noted in the preamble to the 2016 
final rule establishing this safe harbor, a shuttle could also include 
a food store among its stops.\88\ However, transportation to a food 
store or any other location not for the purpose of obtaining medically 
necessary items or services, when provided on a patient-specific basis 
(i.e., not by a shuttle), is not protected by this safe harbor. Such 
transportation may be protected by the proposed safe harbor for value-
based arrangements, as discussed elsewhere in this proposed rule.
---------------------------------------------------------------------------

    \88\ 81 FR 88384.
---------------------------------------------------------------------------

    Finally, we note that, as with all safe harbors, the local 
transportation safe harbor applies only to the Federal anti-kickback 
statute (and the beneficiary inducements CMP). Providers of 
transportation remain subject to all other federal, state and local 
laws and regulations that may be applicable to their activities and 
arrangements.

M. ACO Beneficiary Incentive Program

1. Overview of Medicare Shared Savings Program and Provisions of the 
Budget Act of 2018 for ACO Beneficiary Incentive Programs
    Section 1899 of the Act established the Medicare Shared Savings 
Program, which promotes accountability for a patient population, 
fosters coordination of items and services under Medicare Parts A and 
B, encourages investment in infrastructure and redesigned care 
processes for high-quality and efficient healthcare service delivery, 
and promotes higher value care. The Medicare Shared Savings Program is 
a voluntary program that encourages groups of doctors, hospitals, and 
other healthcare providers to come together as an ACO to lower growth 
in expenditures and improve quality. An ACO agrees to be held 
accountable for the quality, cost, and experience of care of an 
assigned Medicare FFS beneficiary population. ACOs that successfully 
meet quality and savings requirements share a percentage of the 
achieved savings with Medicare.
    Section 1899(m)(1)(A) of the Act, as added by section 50341 of the 
Budget Act of 2018,\89\ permits ACOs under certain two-sided models to 
operate CMS-approved beneficiary incentive programs to provide 
incentive payments to assigned beneficiaries who receive qualifying 
primary care services. According to CMS, and as intended by section 
1899(m)(1)(A) of the Act, the beneficiary incentive programs will 
encourage beneficiaries assigned to certain ACOs to obtain medically 
necessary primary care services while requiring such ACOs to comply 
with program integrity and other requirements.\90\ CMS, in a final rule 
establishing regulations governing ACO Beneficiary Incentive Programs 
states that the agency ``believe[s] that such amendments will empower 
individuals and caregivers in care delivery.'' \91\
---------------------------------------------------------------------------

    \89\ Public Law 115-123, 132 Stat. 64.
    \90\ Medicare Program; Medicare Shared Savings Program; 
Accountable Care Organizations--Pathways to Success and Extreme and 
Uncontrollable Circumstances Policies for Performance Year 2017, 83 
FR 67816, 67823 (Dec. 31, 2018).
    \91\ Id. at 67980.
---------------------------------------------------------------------------

    Specifically, the Budget Act of 2018 added section 1899(m)(1)(A) of 
the Act, which allows ACOs to apply to operate an ACO Beneficiary 
Incentive Program. The Budget Act of 2018 also added a new subsection 
(m)(2) to section 1899 of the Act, which provides clarification 
regarding the general features, implementation, duration, and scope of 
approved ACO Beneficiary Incentive Programs. In addition, the Budget 
Act of 2018 added section 1899(b)(2)(I) of the Act, which requires ACOs 
that seek to operate a beneficiary incentive program to apply to 
operate the program at such time, in such manner, and with such 
information as the Secretary may require.\92\
---------------------------------------------------------------------------

    \92\ For additional background information on section 1899(m) 
and 1899(b)(2)(I), see Medicare Program; Medicare Shared Savings 
Program; Accountable Care Organizations--Pathways to Success and 
Extreme and Uncontrollable Circumstances Policies for Performance 
Year 2017, 83 FR 67816 (Dec. 31, 2018).

---------------------------------------------------------------------------

[[Page 55753]]

    In order to implement the changes set forth in section 1899(b)(2) 
and (m) of the Act, CMS added regulation text at 42 CFR 425.304(c) that 
allows ACOs participating under certain two-sided models to establish 
CMS-approved beneficiary incentive programs to provide incentive 
payments to assigned beneficiaries who receive qualifying services.
2. ACO Beneficiary Incentives Program Statutory Exception and Proposed 
Safe Harbor (1001.952(kk))
    Section 50341(b) of the Budget Act of 2018, which added section 
1128B(b)(3)(K) of the Act, states that ``illegal remuneration'' under 
the anti-kickback statute does not include ``. . . an incentive payment 
made to a Medicare fee-for-service beneficiary by an ACO under an ACO 
Beneficiary Incentive Program established under subsection (m) of 
section 1899, if the payment is made in accordance with the 
requirements of such subsection and meets such other conditions as the 
Secretary may establish.''
    We propose to codify the statutory exception to the definition of 
``remuneration'' at section 1128B(b)(3)(K) of the Act in our 
regulations at proposed paragraph 1001.952(kk). We propose to adopt 
regulatory language nearly identical to the statutory language, with 
two exceptions. First, the text of the proposed safe harbor would make 
it clear that an ACO may furnish incentive payments only to assigned 
beneficiaries. Second, the safe harbor would modify the statutory 
language stating, ``if the payment is made in accordance with the 
requirements of such subsection,'' to ``if the incentive payment is 
made in accordance with the requirements found in such subsection.'' 
Note that we do not propose the establishment of any additional safe 
harbor conditions that incentive payments made by an ACO to an assigned 
beneficiary under an ACO Beneficiary Incentive Program established 
under section 1899(m) of the Act must satisfy.
    The ACO Beneficiary Incentive Program statutory exception, found at 
section 1128B(b)(3)(K) of the Act, requires that ``the payment is made 
in accordance with the requirements of [section 1899(m)].'' We read 
this provision to broadly incorporate all of the requirements found in 
section 1899(m) as requirements of the ACO Beneficiary Incentive 
Program statutory exception to the definition of ``remuneration'' under 
the Federal anti-kickback statute. In other words, we believe that for 
an incentive payment to satisfy the ACO Beneficiary Incentive Program 
statutory exception, and the corresponding safe harbor proposed at 
paragraph 1001.952(kk), all of the requirements enumerated at section 
1899(m)--related both to ACO Beneficiary Incentive Programs and 
incentive payments made pursuant to such programs--must, and would be 
required to, be satisfied.
    While section 1899(m) of the Act also includes a provision that 
states, ``[t]he Secretary shall permit such an ACO to establish such a 
program at the Secretary's discretion and subject to such requirements, 
including program integrity requirements, as the Secretary determines 
necessary,'' \93\ we do not interpret the statutory exception found at 
section 1128B(b)(3)(K) of the Act to require satisfaction of any 
requirements found outside of section 1899(m) (e.g., the regulatory 
requirements established by CMS implementing the ACO Beneficiary 
Incentive Program, found at 42 CFR 425.304(c)).\94\ In other words, OIG 
interprets the statutory exception found at section 1128B(b)(3)(K) of 
the Act and would interpret the corresponding safe harbor proposed at 
paragraph 1001.952(kk), to require that the incentive payment is made 
in accordance with the requirements found in section 1899(m) of the 
Act.
---------------------------------------------------------------------------

    \93\ Section 1899(m)(1)(A) of the Act.
    \94\ CMS, in the final rule establishing the ACO Beneficiary 
Incentive Program, determined that the ACO Beneficiary Incentive 
Program required additional program integrity safeguards. CMS 
included several requirements at 42 CFR 425.304(c) to help mitigate 
the program integrity risks associated with ACO Beneficiary 
Incentive Programs. Under 42 CFR 425.304(c)(4)(iv), for example, 
ACOs are prohibited from offering an incentive payment as part of an 
advertisement or solicitation to beneficiaries.
---------------------------------------------------------------------------

    Given the requirements imposed on ACO Beneficiary Incentive 
Programs and incentive payments made pursuant to an ACO Beneficiary 
Incentive Program, found in section 1899(m), at this time, we do not 
believe it is necessary to create additional conditions under the 
proposed ACO Beneficiary Incentives Program safe harbor, paragraph 
1001.952(kk). However, we are considering and seek comment on whether 
OIG should include additional conditions in this safe harbor.

IV. Provisions of the Proposed Rule: Beneficiary Inducements CMP 
Exception

    This proposed rule would amend 42 CFR 1003.110 by codifying 
amendments that were enacted in the Budget Act of 2018. This proposed 
rule would add an exception for the provision of certain telehealth 
technologies related to in-home dialysis services to the definition of 
``remuneration'' applicable to the beneficiary inducements CMP, which 
prohibits offering inducements to Medicare or Medicaid beneficiaries 
that the offeror knows or should know are likely to influence the 
selection of particular providers, practitioners or suppliers.

A. Statutory Exception for Telehealth Technologies for In-Home Dialysis

    As part of the Creating High-Quality Results and Outcomes Necessary 
to Improve Chronic Care Act of 2018, section 50302 of the Budget Act of 
2018 amends section 1881(b)(3) of the Act to permit an individual with 
ESRD receiving home dialysis to elect to receive their monthly ESRD-
related clinical assessments via telehealth, if certain other 
conditions are met.\95\ Section 50302(c) of the Budget Act of 2018 
creates a new exception to the definition of ``remuneration'' in the 
beneficiary inducements CMP. Specifically, section 50302(c) of the 
Budget Act of 2018 adds the following exception as new section 
1128A(i)(6)(J) of the Act:
---------------------------------------------------------------------------

    \95\ Section 50302(b) of the Budget Act of 2018 made additional 
changes related to the provision of telehealth services to ESRD 
patients, such as the inclusion of a renal dialysis facility and the 
home of an individual as telehealth originating sites but only for 
the purposes of the monthly ESRD-related clinical assessments 
furnished through telehealth provided under section 1881(b)(3)(B) of 
the Act. For additional information, see Medicare Program; Revisions 
to Payment Policies Under the Physician Fee Schedule and Other 
Revisions to Part B for CY 2019; Medicare Shared Savings Program 
Requirements; Quality Payment Program; Medicaid Promoting 
Interoperability Program; Quality Payment Program-Extreme and 
Uncontrollable Circumstance Policy for the 2019 MIPS Payment Year; 
Provisions From the Medicare Shared Savings Program-Accountable Care 
Organizations-Pathways to Success; and Expanding the Use of 
Telehealth Services for the Treatment of Opioid Use Disorder Under 
the Substance Use-Disorder Prevention That Promotes Opioid Recovery 
and Treatment (SUPPORT) for Patients and Communities Act 83 FR 
59452, 59495 (Nov. 23, 2018), available at https://www.govinfo.gov/content/pkg/FR-2018-11-23/pdf/2018-24170.pdf. See also 42 CFR 
410.78, 414.65.
---------------------------------------------------------------------------

    The provision of telehealth technologies (as defined by the 
Secretary) on or after January 1, 2019, by a provider of services or a 
renal dialysis facility (as such terms are defined for purposes of 
title XVIII) to an individual with end stage renal disease who is 
receiving home dialysis for which payment is being made under part B of 
such title, if:

[[Page 55754]]

    (i) The telehealth technologies are not offered as part of any 
advertisement or solicitation;
    (ii) the telehealth technologies are provided for the purpose of 
furnishing telehealth services related to the individual's end stage 
renal disease; and
    (iii) the provision of the telehealth technologies meets any other 
requirements set forth in regulations promulgated by the Secretary.
    This exception would be available only for telehealth technologies, 
as defined below, furnished by a provider of services or a renal 
dialysis facility to patients with ESRD who receive in-home dialysis 
that is payable by Medicare Part B. We propose to interpret this 
exception, in our proposed condition (i), to require that the 
telehealth technologies be furnished to the individual by the provider 
of services or the renal dialysis facility (as those terms are defined 
in title XVIII of the Act) that is currently providing the in-home 
dialysis, telehealth visits, or other ESRD care to the patient. The 
underlying intent of this proposed condition (i) is to prevent 
arrangements where providers and suppliers offer telehealth 
technologies to patients with whom they do not have a prior clinical 
relationship in an attempt to steer patients to a particular provider 
or supplier. We seek comment on this proposed condition (i), and in 
particular, any challenges this condition would create. In addition, 
while we are aware of the increasing proliferation of telehealth 
services, and the likely desire of other healthcare industry 
stakeholders to furnish telehealth technologies to patients receiving 
telehealth services, the statutory exception, and therefore, this 
proposal, is limited to a subset of patients receiving in-home dialysis 
and certain, enumerated providers in the statutory exception. We 
further note that the provision of telehealth technologies might 
qualify for protection under other existing or proposed exceptions or 
safe harbors, including the proposed safe harbor for patient engagement 
and support, paragraph 1001.952(hh). That being said, we seek comment 
on whether we should, for purposes of the final rule, interpret the 
statutory exception to apply not only to the ``provider of services or 
the renal dialysis facility (as those terms are defined in tile XVIII 
of the Act),'' but also suppliers, as defined in title XVIII of the 
Act. We solicit comments on this issue, in recognition of the 
underlying congressional intent and policy goals set forth in Section 
50302(b) of the Budget Act of 2018: Expanding patient access to in-home 
dialysis care, furnished by their physician.
    The first criterion included in the statutory exception provides 
that protected items or services may not be offered as part of any 
advertisement or solicitation. We are including this requirement in our 
proposed regulation at proposed condition (ii). As we have said in 
other rulemakings, we propose that stakeholders interpret the terms 
``advertisement'' and ``solicitation'' consistent with their common 
usage in the healthcare industry.\96\
---------------------------------------------------------------------------

    \96\ See, e.g., 81 FR 88368, 88373 (Dec. 7, 2016).
---------------------------------------------------------------------------

    The second criterion included in the statutory exception requires 
the telehealth technologies to be provided for the purpose of 
furnishing telehealth services related to the individual's ESRD. At 
proposed condition (iii), we propose to interpret ``for the purpose of 
furnishing telehealth services related to the individual's end stage 
renal disease'' to mean that the technology contributes substantially 
to the provision of telehealth services related to the individual's 
ESRD, is not of excessive value, and is not duplicative of technology 
that the beneficiary already owns if that technology is adequate for 
the telehealth purposes. We would consider technology to be of 
excessive value if the retail value of the technology is substantially 
more than is required for the telehealth purpose. For example, if a 
readily available $300 smartphone would adequately run the telehealth 
technology, the safe harbor would not protect a donation of a $600 
smartphone. To ensure that this proposed safe harbor protects the 
provision of telehealth technologies ``for the purpose of furnishing 
telehealth services related to the individual's end stage renal 
disease'' and not to induce referrals, we are also considering for the 
final rule, and seek comment on, a condition that would require the 
provider or facility to retain ownership of any hardware and make 
reasonable efforts to retrieve the hardware once the beneficiary no 
longer needs it for the permitted telehealth purposes (such that the 
hardware is loaned to the beneficiary).
    We remain concerned that the provision of telehealth technology 
with substantial independent value to the beneficiary might serve to 
induce the beneficiary to choose a particular provider or facility. We 
are considering, and solicit comments about, whether the final rule 
should interpret ``for the purpose of furnishing telehealth services 
related to the individual's end stage renal disease'' in a more 
restrictive manner. For example, we are considering for the final rule 
and seek comments on whether the exception should protect telehealth 
technologies that provide the beneficiary with no more than a de 
minimis benefit for any purpose other than furnishing telehealth 
services related to the individual's ESRD. We also are considering for 
the final rule and seek comments on another standard that would protect 
telehealth technologies only when furnished predominantly for the 
purpose of furnishing telehealth services related to the individual's 
ESRD.
    We propose to interpret ``telehealth services related to the 
individual's end stage renal disease'' to mean only those telehealth 
services paid for by Medicare Part B. CMS maintains a list of services 
payable under the Medicare Physician Fee Schedule when furnished via 
telehealth. We solicit comments on this interpretation.
    The statutory exception's third criterion allows the Secretary to 
develop additional requirements not specified in the statutory 
exception and requires the Secretary to define ``telehealth 
technologies.'' Below we propose a definition of ``telehealth 
technologies'' and further enumerate requirements under the new 
exception to the definition of ``remuneration'' for the beneficiary 
inducements CMP.

B. Additional Proposed Conditions for the Telehealth Technologies 
Exception

    Under proposed condition (iv), a person must not bill Federal 
health care programs, other payors, or individuals for the telehealth 
technologies, claim the value of the item or service as a bad debt for 
payment purposes under a Federal health care program, or otherwise 
shift the burden of the value of the telehealth technologies onto a 
Federal health care program, other payors, or individuals. This 
proposed requirement is designed to protect against the telehealth 
technologies resulting in inappropriately increased costs to Federal 
health care programs, other payors, and patients. In this requirement, 
we propose to prohibit claiming the cost of the telehealth technologies 
and any operational costs attendant to providing telehealth 
technologies as bad debt for payment purposes under Medicare or a State 
healthcare program or otherwise shifting the burden of the cost of the 
telehealth technologies and any operational costs attendant to the 
provision of patient incentives to Medicare, a State healthcare 
program, other payors, or individuals. We seek comments on this 
proposed condition.

[[Page 55755]]

C. Defining Telehealth Technologies

    We propose to define ``telehealth technologies'' for the purposes 
of the definition of the term ``remuneration'' as set forth in 42 CFR 
1003.110 and the telehealth technologies exception to section 50302(c) 
of the Budget Act of 2018. In proposing such definition, we consulted 
with CMS and solicited comments in the OIG RFI regarding how OIG should 
define ``telehealth technologies'' and if the definition should include 
``services.'' Based on the collective input we received, we propose to 
adopt, as part of our definition of ``telehealth technologies,'' the 
definition of ``interactive telecommunications system'' found at 42 CFR 
410.78. Under 42 CFR 410.78, Medicare Part B pays for covered 
telehealth services included on the telehealth list when furnished 
using an ``interactive telecommunications system'' if certain 
conditions are met. 42 CFR 410.78(a)(3) defines an ``interactive 
telecommunications system'' to mean ``multimedia communications 
equipment that includes, at a minimum, audio and video equipment 
permitting two-way, real-time interactive communication between the 
patient and distant site physician or practitioner. Telephones, 
facsimile machines, and electronic mail systems do not meet the 
definition of an interactive telecommunications system.''
    For the purposes of this exception, we propose to define 
``telehealth technologies'' as the following: ``multimedia 
communications equipment that includes, at a minimum, audio and video 
equipment permitting two-way, real-time interactive communication 
between the patient and distant site physician or practitioner used in 
the diagnosis, intervention or ongoing care management--paid for by 
Medicare Part B--between a patient and the remote healthcare provider. 
Telephones, facsimile machines, and electronic mail systems do not meet 
the definition of `telehealth technologies.' '' For the purposes of our 
definition of ``telehealth technologies,'' smart phones that allow for 
two-way, real-time interactive communication through secure, video 
conferencing applications would not be considered ``telephones.'' We 
solicit comments this definition, and are interested in comments that 
explain whether, and why, this definition would be too narrow, or too 
broad, and elaborate upon any attendant risks of fraud and abuse 
associated with the adoption of this definition. We also solicit 
comments on whether ``[t]elephones, facsimile machines, and electronic 
mail systems,'' as used in in 42 CFR 410.78(a)(3), should be excluded 
from our definition of ``telehealth technologies.'' We are also 
considering for the final rule, and seek comment on, whether to define 
``telehealth technologies'' to include technologies such as software, a 
webcam, data plan, or broadband internet access that facilitates the 
telehealth encounter. This might include, for example, software that 
allows a patient to use his or her existing smartphone, tablet, or 
computer to receive telehealth consultations. We are interested in 
comments on whether and how broadening the exception to include these 
kinds of technologies might impact access to medically necessary care 
for beneficiaries. We are further interested in comments on whether 
such broadening would create an undue risk of remuneration that would 
inappropriately steer beneficiaries to particular providers or 
suppliers to obtain federally reimbursable items and services, and 
whether there would be limitations or conditions on the provision of 
telehealth technologies that we could include in an exception to curb 
potential abuses, such as a limitation on the value of the remuneration 
(e.g., a cap on the retail value of the telehealth technologies 
furnished, such as $100, $200, $500, or another amount that would be of 
sufficient magnitude to protect the most beneficial arrangements while 
also preventing the most abusive ones).

D. Other Potential Safeguards

1. Consistent Provision of Telehealth Technologies
    In addition to the proposed conditions set forth above, we are 
considering for the final rule and seek comment on whether, as a 
condition of safe harbor protection, parties should be prohibited from 
discriminating in the offering of telehealth technologies. Such a safe 
harbor condition would require providers and renal dialysis facilities 
to provide the same telehealth technologies to any Medicare Part B 
eligible patient receiving in-home dialysis, or to otherwise 
consistently offer telehealth technologies to all patients satisfying 
specified, uniform criteria. This potential condition could reduce the 
likelihood that telehealth technologies would be offered selectively 
based on whether the patient generates other billable business for the 
provider or facility. We solicit comments on this issue. In particular, 
we are interested in understanding whether this proposed safeguard 
would limit providers of services' or renal dialysis facilities' 
ability to offer incentives due to the potential cost of furnishing the 
incentive to all qualifying patients rather than a smaller subset. 
Similarly, we are interested in why offering remuneration to a smaller 
subset of qualifying patients might be appropriate and not increase the 
risk of fraud and abuse.
2. Necessary Technology
    For purposes of the final rule, we are considering allowing a 
person to furnish telehealth technologies under the safe harbor only 
after making a good faith determination that the individual to whom the 
technology is furnished does not already have the necessary telehealth 
technology, and that such technology is necessary for the telehealth 
services provided. For instance, if an application on a patient's 
existing phone would be sufficient, but the patient is furnished a new 
tablet, this would be considered duplicative or unnecessary. Should the 
recipient already possess technology that allows the telehealth visit 
to occur, we are concerned that a person may furnish additional 
valuable or duplicative technology for inappropriate purposes (e.g., to 
induce a patient to select a particular provider for in-home dialysis, 
or to seek other items and services from that provider). We seek 
comment on this potential safeguard. We also are considering, and seek 
comment regarding, a condition in the final rule that would require the 
person who furnishes the telehealth technologies to take reasonable 
steps to limit the use of the telehealth technologies by the individual 
to the telehealth services described on the Medicare telehealth list.
3. Notice to Patients
    One commenter to the OIG RFI noted that patients may be confused by 
the technology, or the reason they are receiving a piece of technology, 
and unaware of costs associated with telehealth visits. We are 
considering adding in the final rule a condition that requires 
providers or facilities to provide a written explanation of the reason 
for the technology and any potential ``hidden'' costs associated with 
the telehealth services to any patient who elects to receive telehealth 
technology. We solicit comments on these perceived risks to patients, 
and whether to include a written notice requirement in the final rule, 
and if so, what that notice should state.
4. Patient Freedom of Choice
    We also are considering finalizing a condition that is designed to 
preserve patient freedom of choice among

[[Page 55756]]

healthcare providers and the manner in which he or she receives 
dialysis services under arrangements that would use the proposed 
exception. In particular, we are considering a condition in the 
exception that would require offerors of telehealth technologies to 
advise patients when they receive such technology that they retain the 
freedom to choose any provider or supplier of dialysis services and to 
receive dialysis in any appropriate setting. We are also concerned that 
some patients may be persuaded to opt for telehealth visits due to the 
generous telehealth technologies and services being offered, rather 
than clinical appropriateness. We solicit comments on including this 
potential safeguard, and whether adding freedom of choice language to a 
patient notification would reduce this concern.
5. Materials and Records Requirement
    The proposed exception would not include a materials and records or 
other documentation requirement given the somewhat narrow scope of the 
remuneration that would be excepted from the definition of 
``remuneration'' and consistent with other exceptions to the definition 
of ``remuneration'' set forth in 42 CFR 1003.110. We solicit comments 
on this approach and any fraud and abuse risks presented by not 
including a condition related to materials and records.

V. Regulatory Impact Statement

    As set forth below, we have examined the impact of this proposed 
rule as required by Executive Order 12866, the Regulatory Flexibility 
Act (RFA) of 1980, the Unfunded Mandates Reform Act of 1995, Executive 
Order 13132, and Executive Order 13771. We provide additional 
supporting analyses in sections F, G, and H.

A. Executive Order 12866

    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and if regulations are 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects; distributive impacts; and equity). A regulatory impact 
analysis must be prepared for major rules with economically significant 
effects (i.e., $100 million or more in any given year). This proposed 
rule would codify a new CMP exception and implement new or revised 
anti-kickback statute safe harbors. The vast majority of providers and 
Federal health care programs would be minimally impacted from an 
economic perspective, if at all, by these proposed revisions. The 
changes to the safe harbors and CMP exceptions would allow providers to 
enter into certain beneficial arrangements. In doing so, this 
regulation would impose no requirements on any party. Providers would 
be allowed to voluntarily seek to comply with these provisions so that 
they would have assurance that participating in certain arrangements 
would not subject them to liability under the anti-kickback statute and 
the beneficiary inducements CMP. These safe harbors and exceptions 
facilitate providers' ability to provide important healthcare and 
related services to communities in need. We believe that the aggregate 
economic impact of the changes to these regulations would be minimal 
and would have no effect on the economy or on Federal or State 
expenditures. Accordingly, we believe that the likely aggregate 
economic effect of these regulations would be significantly less than 
$100 million. However, this rule is considered significant under 
Executive Order 12866. Notwithstanding our determination that the 
aggregate economic impact of the changes to these regulations would be 
minimal and would have no effect on the economy or on Federal or State 
expenditures, we solicit comments on whether stakeholders believe there 
would be increases or decreases in utilization or costs savings or 
expenses to the Government as a result of this proposed rule. We are 
interested in potential behavioral changes as well.

B. Regulatory Flexibility Act

    The RFA and the Small Business Regulatory Enforcement and Fairness 
Act of 1996, which amended the RFA, require agencies to analyze options 
for regulatory relief of small businesses. For purposes of the RFA, 
small entities include small businesses, nonprofit organizations, and 
Government agencies. Most providers are considered small entities by 
having revenues of $7 million to $35.5 million or less in any one year. 
For purposes of the RFA, most physicians and suppliers are considered 
small entities. We estimate the changes to the CMP exceptions and the 
anti-kickback statute safe harbors would not significantly affect small 
providers, as these changes would not impose any requirement on any 
party. As a result, we have concluded that this proposed rule likely 
will not have a significant impact on a substantial number of small 
providers and that a regulatory flexibility analysis is not required 
for this rulemaking. In addition, section 1102(b) of the Act requires 
us to prepare a regulatory impact analysis if a rule under Titles XVIII 
or XIX or section B of Title XI of the Act may have a significant 
impact on the operations of a substantial number of small rural 
hospitals. For the reasons stated above, we do not believe that any 
provisions or changes finalized here would have a significant impact on 
the operations of rural hospitals. Thus, an analysis under section 
1102(b) of the Act is not required for this rulemaking.

C. Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4, also requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditures in any 
one year by State, local, or Tribal Governments, in the aggregate, or 
by the private sector, of $100 million, adjusted for inflation. We 
believe that no significant costs would be associated with these 
proposed revisions that would impose any mandates on State, local, or 
Tribal Governments or the private sector that would result in an 
expenditure of $154 million (after adjustment for inflation) in any 
given year.

D. Executive Order 13132

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirements or costs on State and local Governments, preempts 
State law, or otherwise has Federalism implications. In reviewing this 
rule under the threshold criteria of Executive Order 13132, we have 
determined that this proposed rule would not significantly affect the 
rights, roles, and responsibilities of State or local Governments.

E. Executive Order 13771

    Executive Order 13771 (January 30, 2017) requires that the costs 
associated with significant new regulations ``to the extent permitted 
by law, be offset by the elimination of existing costs associated with 
at least two prior regulations.'' This proposed rule has been 
designated a significant regulatory action as defined by Executive 
Order 12866 but imposes no more than de minimis costs. The designation 
of this rule, if finalized, will be informed by public comments 
received; however, this proposed rule, if finalized as proposed, would 
be neither a regulatory nor a deregulatory action under Executive Order 
13771.

F. Statement of Need

    The Department has identified the broad reach of the Federal anti-
kickback

[[Page 55757]]

statute and beneficiary inducements CMP as potentially inhibiting 
beneficial arrangements that would advance the ability of providers, 
suppliers, and others to transition more effectively and efficiently to 
value-based care and to better coordinate care among providers, 
suppliers, and others in both the Federal health care programs and 
commercial sectors. Industry stakeholders have informed us that, 
because the consequences of potential noncompliance with the Federal 
anti-kickback statute and beneficiary inducements CMP could be 
significant, providers, suppliers, and others may be discouraged from 
entering into innovative arrangements that could improve quality 
outcomes, produce health system efficiencies, and lower healthcare 
costs (or slow their rate of growth). To the extent providers are 
discouraged from entering into these innovative arrangements, patient 
care may not be provided as efficiently as possible. In addition, the 
potential consequences of noncompliance with these statutes may impede 
the ability of providers, suppliers, and others, including small 
providers and suppliers or those serving rural or medically underserved 
populations, to raise capital to invest in the transition to value-
based care or to obtain infrastructure necessary to coordinate patient 
care, including technology. This unnecessarily slows the transition 
toward more efficient patient care. This proposed rule attempts to 
address these concerns by removing unnecessary impediments to the 
transformation of the healthcare system into one that better pays for 
and delivers value.
    To remove regulatory barriers to care coordination and support 
value-based arrangements, we faced the challenge of designing safe 
harbor protections for emerging healthcare arrangements, the optimal 
form, design, and efficacy of which remain unknown or unproven. These 
arrangements will be driven by the determinations and experiences of a 
wide range of providers, suppliers, and others as they innovate in 
delivering value-based care. This challenge is further complicated by 
the substantial variation in care coordination and value-based 
arrangements contemplated by the healthcare industry and others 
(meaning that one-size-fits-all safe harbor designs may not be 
optimal), variation among patient populations and provider 
characteristics, emerging health technologies and data capabilities, 
the still-developing science of quality and performance measurement, 
and our desire not to chill beneficial innovations.
    It is difficult to gauge the effects of this regulatory action in a 
rapidly evolving and diverse healthcare ecosystem of substantial 
innovation, experimentation, and deployment of technology and digital 
data. For example, it is difficult to gauge reductions in wasteful 
healthcare spending and improved health outcomes as a result of new 
arrangements made possible by this proposed rule. It is also difficult 
to quantify savings or losses that could occur as a result of new 
fraudulent or abusive conduct that could increase costs or lead to poor 
outcomes as a result of new arrangements. In some cases, innovations 
and the availability of more actionable, transparent data may enhance 
program integrity and protect against fraud and abuse, reducing costs 
and increasing benefits. There is a compelling concern that uncertainty 
and regulatory barriers under current regulations could prevent the 
best and most efficacious innovations from emerging and being tested in 
the marketplace. Our goal is to finalize safe harbors that protect 
arrangements that foster beneficial arrangements and promote value, 
while also protecting programs and beneficiaries against harms cause by 
fraud and abuse.

G. Anticipated Effects

    This proposed rule would add a new CMP exception and anti-kickback 
statute safe harbors and modify existing anti-kickback statute safe 
harbors. Specifically, we propose to add several new safe harbor 
protections for certain value-based arrangements, including care 
coordination arrangements, arrangements with varying levels of downside 
financial risk, as well as outcomes-based payment arrangements, and 
protection for certain remuneration provided to Federal health care 
program beneficiaries in the form of incentives and supports.
    We anticipate that the proposed rule would have potential relevance 
to the majority of the types of providers and suppliers participating 
in Federal health care programs and others in commercial sectors, as 
well as the Federal health care programs and Federal health care 
program beneficiaries. We note that certain categories of providers, 
suppliers, and others are not eligible to use the proposed rule: 
Pharmaceutical manufacturers; manufacturers, distributors, and 
suppliers of DMEPOS; and laboratories. To estimate the number of 
providers and suppliers affected by this rule, we use US Census data. 
According to the US Census, there were 7,370 medical, dental, and 
hospital equipment and supplies merchant wholesaler firms; 482,522 
ambulatory healthcare service firms; 3,293 hospital firms; and 9,153 
nursing care facility firms operating in the US in 2015.\97\ We request 
public comment on the entities affected by the rule.
---------------------------------------------------------------------------

    \97\ U.S. Census Bureau, 2015 SUSB Annual Data Tables by 
Establishment Industry, https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.
---------------------------------------------------------------------------

    We anticipate that a growing proportion of such providers and 
suppliers would be interested in reviewing and using these voluntary 
rules over time. Because compliance with safe harbors and CMP 
exceptions is voluntary and an arrangement need not fit in a safe 
harbor or exception to be legal, we anticipate that not all providers 
and suppliers would review the new regulations and use them. We 
estimate that 5 percent of affected entities that would be eligible to 
use the proposed rules may be interested in exploring value-based 
arrangements made possible by the rule in each of the first 10 years 
following publication of the final rule, leading those entities to 
review the rule. We estimate that reviewing the final rule will require 
an average of one hour of time each from a compliance officer and a 
lawyer. To estimate the costs associated with this review, we use a 
2018 wage rate of $34.86 for compliance officers and $69.34 for lawyers 
from the Bureau of Labor Statistics,\98\ and we double those wages to 
account for overhead and benefits. As a result, we estimate total 
regulatory review costs of $5.2 million in each of the first 10 years 
following finalization of the rule. We note that these costs are 
divided among approximately 25,000 entities each year, and therefore 
should be considered de minimis from the perspective of affected 
entities. We seek public comment on these assumptions.
---------------------------------------------------------------------------

    \98\ U.S. Department of Labor, Bureau of Labor Statistics, May 
2018 National Occupational Employment and Wage Estimates United 
States, https://www.bls.gov/oes/2018/may/oes_nat.htm.
---------------------------------------------------------------------------

    The Department does not collect data regarding the number of 
providers, suppliers, and other individuals and entities that have 
entered into an arrangement that meets an existing safe harbor. 
Compliance with safe harbors is voluntary, and generally the question 
whether an arrangement complies with a safe harbor arises in the 
context of a defense raised by a defendant in an enforcement matter. 
Therefore, we cannot quantify with certainty the number of arrangements 
or number of healthcare providers, suppliers, and others who may avail 
themselves of these protections. For this reason, it is

[[Page 55758]]

difficult, if not impossible, to assess the costs and benefits of these 
proposals, and to estimate changes in the number of arrangements that 
meet new or existing safe harbors. We seek public comment on the effect 
of this rule on changes in the number of agreements or arrangements 
that meet new or existing safe harbors.
    Many affected providers and suppliers currently incur costs related 
to structuring arrangements to comply with existing fraud and abuse 
laws. While these proposals may not result in a reduction in 
compliance-related costs, we do not expect this rulemaking to increase 
total incremental costs. Rather, we expect that providers and suppliers 
interested in taking advantage of these new arrangements in order to 
more efficiently deliver care will shift resources currently devoted to 
complying with existing requirements to create and analyze new 
arrangements under these proposals. By way of example only, should a 
hospital expend resources to review--from a Federal anti-kickback 
statute perspective--a financial arrangement with a skilled nursing 
facility, any newly promulgated or revised safe harbors would be 
unlikely to change the amount of resources necessary to conduct such a 
review. As another example, should a hospital already document--by a 
written agreement--any financial arrangement with a skilled nursing 
facility, any newly promulgated or revised safe harbors would be 
unlikely to change the amount of resources necessary to enter into that 
written agreement. We seek public comment on these assumptions.
    We also propose to add or revise safe harbor protections under the 
Federal anti-kickback statute for donations of cybersecurity 
technology, EHR arrangements, warranties, and local transportation. The 
new proposed safe harbor for cybersecurity technology and related 
services would be available to any provider, supplier, or other 
individual or entity. We expect broad use of this proposed safe harbor, 
with reduced costs for smaller and less well-equipped providers and 
overall savings for the national health system in reduced costs from 
cyberattacks, ransomware, and similar threats. Proposed modifications 
to the EHR safe harbor are modest and would clarify that protection for 
certain cybersecurity technology is included as part of an electronic 
health records arrangement, update provisions regarding 
interoperability to align with newer CMS and ONC standards in a manner 
that is not expected to increase costs as a result of this rulemaking 
and remove the sunset date. The EHR safe harbor would continue to be 
available to health plans and any individuals or entities, other than 
laboratories, that provide services covered by, and submit claims or 
requests for payment to, a Federal health care program. We would expect 
the same entities that are currently using the EHR safe harbor to 
continue to use the safe harbor with minimal, if any, additional 
regulatory review or compliance costs above current levels. We seek 
public comment on these assumptions.
    We propose to modify the existing local transportation safe harbor 
slightly to expand mileage limits for rural areas and for 
transportation for discharged patients. This would primarily expand 
protection under the AKS for hospitals and physician practices in rural 
areas voluntarily to transport patients to necessary medical 
appointments or to their homes following a hospital stay. We anticipate 
no incremental regulatory costs to hospitals or others from the 
proposed rule, which changes only the distance traveled and no other 
regulatory requirements. This safe harbor would continue to be 
available only to established patients and eligible entities, which do 
not include individuals or entities (or family members or others acting 
on their behalf) that primarily supply healthcare items.
    Further, the proposed rule would add a new safe harbor to protect 
certain arrangements and patient incentives provided by and among 
parties participating in CMS-sponsored models. CMS and OIG 
collectively, and OIG individually, have issued fraud and abuse waivers 
for 14 of these models. This proposed safe harbor would reduce the need 
for issuance of waivers, saving OIG 1,040 employee hours per year.
    We expect that CMS, including the Innovation Center, will continue 
to test these models and others in the future. The purpose of this safe 
harbor is to streamline participation in existing and future CMS-
sponsored models to reduce complexity and the administrative burden on 
participants that seek protection under the fraud and abuse laws while 
participating in a CMS-sponsored model. Although we cannot calculate 
the number of arrangements that CMS-sponsored model participants and 
CMS-sponsored model parties would undertake in the future, we expect 
this proposal would reduce the burden of documentation and the time, 
effort, and financial resources necessary to implement CMS-sponsored 
model arrangements and to provide CMS-sponsored model patient 
incentives. The proposal also would result in uniform requirements 
under the anti-kickback statute and beneficiary inducements CMP for 
those models that qualify, further reducing burden on entities, such as 
hospitals and physician practices, that participate in multiple models 
that currently have different conditions for each waiver. We seek 
public comment on the extent to which these provisions will affect 
these models.
    Finally, the proposed rule would add a new safe harbor related to 
beneficiary incentives under the Medicare Shared Savings Program and a 
new CMP exception for certain telehealth technologies offered to 
patients receiving in-home dialysis, pursuant to the Budget Act of 
2018. Although we cannot calculate the number of ACOs and their 
participants who would enter into arrangements that may qualify for 
protection under this safe harbor, we believe that this regulatory 
action would not create incremental costs for ACOs because it would 
reduce the amount of compliance resources ACOs currently use to provide 
beneficiary incentives. For example, we believe this action would 
reduce time, effort, and financial resources ACOs typically would incur 
to provide these beneficiary incentives under the applicable fraud and 
abuse waivers. We believe that the proposed telehealth technologies 
exception would reduce barriers to the use of in-home dialysis and 
could encourage increased use of home dialysis for beneficiaries. This 
could result in increased use of in-home dialysis for patients who 
would benefit relative to other treatment options. Ultimately, this 
could result in improved quality of care for beneficiaries with end-
stage renal disease and overall cost savings to Federal health care 
programs because dialysis providers will have certainty that their 
arrangements will not result in CMP liability. This will also reduce 
burden by eliminating unnecessary travel costs for patients where in-
home dialysis is more appropriate. We do not anticipate that this 
proposed rule will add any incremental costs to the regulatory costs 
dialysis providers already incur to comply with the new program rules 
under the Budget Act of 2018 because our requirements closely track CMS 
program rules. We seek public comment on the proposed rule's effects on 
in-home dialysis.
    Given the information we have, including comments we received from 
the OIG RFI, we believe these proposals present the best approach to 
removing potential barriers to designing care coordination and other 
value-based arrangements that result in greater efficiency and improved 
care outcomes,

[[Page 55759]]

while minimizing the potential for the costs associated with fraud, 
waste, and abuse. We believe that the proposed rule would, on average, 
result in a net benefit to the healthcare industry, beneficiaries, and 
Federal health care programs and could alleviate the concerns expressed 
above. We believe there would be no incremental costs to providers and 
suppliers that already spend resources reviewing arrangements for 
compliance with fraud and abuse laws. Moreover, by adding flexibility 
to engage in certain innovative business arrangements without risk of 
liability under the statutes, we believe that these proposed 
regulations reduce the stringency of the existing regulatory scheme as 
it would otherwise apply to certain value-based arrangements; in 
addition, by offering new pathways to protect value-based arrangements, 
the proposed regulations would reduce inefficient behaviors, 
particularly industry behaviors that drive volume-based healthcare.
    We would benefit from public input and information during the 
comment period regarding whether these proposals likely would have a 
net benefit on the industry and whether different or modified proposals 
would better facilitate the goals outlined in this proposed rule.

H. Alternatives Considered

    We carefully considered the option of not pursuing regulatory 
action. However, based on comments to the OIG RFI, responses to OIG's 
annual Solicitation of New Safe Harbors and Special Fraud Alerts, and 
other industry feedback, we believe a need for regulatory reform exists 
in order to provide stakeholders with the flexibility necessary for 
innovative care delivery and payment redesign.
    We also considered several other alternative approaches to the 
proposed safe harbors, revisions to safe harbors, and proposed 
exception as explained in great detail in the preceding preamble. For 
example, our proposals endeavor to distinguish between beneficial care 
coordination arrangements and payment-for-referral schemes that do not 
serve, and may be contrary to, the goals of coordinated care and the 
shift to value. We considered, and would benefit from public comment 
on, the benefits of our proposals and efficient ways we may distinguish 
payments to reward or induce referrals from remuneration provided to 
promote or support legitimate care coordination activities.
    We also considered not using the value-based terms, definitions, 
and framework for proposed safe harbors (ee), (ff), (gg), and (hh), but 
we concluded that the fraud and abuse risks of protecting arrangements 
without the guardrails created by the value-based framework were too 
high. We believe these risks are significant because our proposed safe 
harbors in (ee) and (hh) could potentially protect arrangements under 
which providers and suppliers are paid on a fee-for-service basis by 
Medicare, which rewards the volume of services performed and items 
furnished.

VI. Paperwork Reduction Act

    This document does not impose information collection and 
recordkeeping requirements. Consequently, it need not be reviewed by 
the Office of Management and Budget under the authority of the 
Paperwork Reduction Act of 1995.

List of Subjects

42 CFR Part 1001

    Administrative practice and procedure, Fraud, Grant programs--
health, Health facilities, Health professions, Maternal and child 
health, Medicaid, Medicare, Social Security.

42 CFR Part 1003

    Fraud, Grant programs--health, Health facilities, Health 
professions, Medicaid, Reporting and recordkeeping.

    For the reasons set forth in the preamble, the Office of Inspector 
General, Department of Health and Human Services, proposes to amend 42 
CFR parts 1001 and 1003 as follows:

PART 1001--PROGRAM INTEGRITY--MEDICARE AND STATE HEALTH CARE 
PROGRAMS

0
1. The authority citation for part 1001 continues to read as follows:

    Authority: 42 U.S.C. 1302, 1320a-7, 1320a-7a, 1320a-7b, 1320a-
7d, 1395u(j), 1395u(k), 1395w-104(e)(6), 1395y(d), 1395y(e), 
1395cc(b)(2)(D), (E) and (F), and 1395hh; and sec. 2455, Pub. L. 
103-355, 108 Stat. 3327 (31 U.S.C. 6101 note).

0
2. Section 1001.952 is amended by:
0
a. Revising paragraphs (d), (g) introductory text, (g)(1), (g)(3)(i), 
and (g)(4);
0
b. Adding paragraphs (g)(5) and (6) before the undesignated text at the 
end of paragraph (g);
0
c. Designating the undesignated text at the end of paragraph (g) as 
paragraph (g)(7) and revising it;
0
d. Revising paragraph (y) introductory text, the second sentence of 
paragraph (y)(2), and paragraph (y)(3);
0
e. Removing and reserving paragraphs (y)(7) and (13);
0
f. Designating the note to paragraph (y) as paragraph (y)(14) and 
revising it;
0
g. Revising paragraphs (bb)(1)(iv)(B) and (bb)(2)(iii);
0
h. Designating the note to paragraph (bb) as paragraph (bb)(3) and 
revising it;
0
i. Adding reserved paragraphs (cc) and (dd); and
0
j. Adding paragraphs (ee), (ff), (gg), (hh), (ii), (jj), and (kk).
    The revisions and additions read as follows:


Sec.  1001.952  Exceptions.

* * * * *
    (d) Personal services and management contracts and outcomes-based 
payment arrangements.
    (1) As used in section 1128B of the Act, ``remuneration'' does not 
include any payment made by a principal to an agent as compensation for 
the services of the agent, as long as all of the following standards 
are met:
    (i) The agency agreement is set out in writing and signed by the 
parties.
    (ii) The agency agreement covers all of the services the agent 
provides to the principal for the term of the agreement and specifies 
the services to be provided by the agent.
    (iii) The term of the agreement is not less than 1 year.
    (iv) The methodology for determining the compensation paid to the 
agent over the term of the agreement is set in advance, is consistent 
with fair market value in arm's-length transactions and is not 
determined in a manner that takes into account the volume or value of 
any referrals or business otherwise generated between the parties for 
which payment may be made in whole or in part under Medicare, Medicaid, 
or other Federal health care programs.
    (v) The services performed under the agreement do not involve the 
counseling or promotion of a business arrangement or other activity 
that violates any State or Federal law.
    (vi) The aggregate services contracted for do not exceed those 
which are reasonably necessary to accomplish the commercially 
reasonable business purpose of the services.
    (2) As used in section 1128B of the Act, ``remuneration'' does not 
include any outcomes-based payment as long as all of the standards in 
paragraphs (d)(2)(i) through (ix) of this section are met:
    (i) The outcomes-based payment is made between or among parties 
that are collaborating to:
    (A) Measurably improve (or maintain improvement in) quality of 
patient care; or
    (B) Appropriately and materially reduce costs to, or growth in 
expenditures of, payors while improving, or maintaining the improved, 
quality of care for patients.

[[Page 55760]]

    (ii) To receive an outcomes-based payment, the agent satisfies one 
or more specific evidence-based, valid outcome measures that are:
    (A) Related to:
    (1) Measurably improving, or maintaining the improved, quality of 
patient care;
    (2) Appropriately and materially reducing costs to, or growth in 
expenditures of, payors while improving, or maintaining the improved 
quality of care for patients; or
    (3) Both; and
    (B) Selected based upon clinical evidence or credible medical 
support.
    (iii) The methodology for determining the aggregate compensation 
(including any outcomes-based payments) paid between or among the 
parties over the term of the agreement is: Set in advance; commercially 
reasonable; consistent with fair market value; and not determined in a 
manner that directly takes into account the volume or value of any 
referrals or business otherwise generated between the parties for which 
payment may be made in whole or in part by a Federal health care 
program.
    (iv) The agreement neither limits any party's ability to make 
decisions in their patients' best interest nor induces any party to 
reduce or limit medically necessary items or services.
    (v) The term of the agreement is not less than 1 year.
    (vi) The services performed under the agreement do not involve the 
counseling or promotion of a business arrangement or other activity 
that violates any State or Federal law.
    (vii) For each outcome measure under the agreement, the parties:
    (A) Regularly monitor and assess the agent's performance, including 
the impact of the outcomes-based payment arrangement on patient quality 
of care; and
    (B) Periodically rebase during the term of the agreement, to the 
extent applicable.
    (viii) The parties set forth in a signed writing, in advance of, or 
contemporaneous with, the commencement of the terms of the outcomes-
based payment arrangement. The writing states, at a minimum: The 
services to be performed by the parties for the term of the agreement; 
the outcome measure(s) the agent must satisfy to receive an outcomes-
based payment; the clinical evidence or credible medical support relied 
upon by the parties to select the outcome measure(s); and the schedule 
for the parties to regularly monitor and assess the outcome measure(s).
    (ix) The principal has policies and procedures to promptly address 
and correct identified material performance failures or material 
deficiencies in quality of care resulting from the outcomes-based 
payment arrangement.
    (3) For purposes of this paragraph (d):
    (i) An agent of a principal is any person, other than a bona fide 
employee of the principal, who has an agreement to perform services 
for, or on behalf of, the principal.
    (ii) Outcomes-based payments are limited to payments from a 
principal to an agent that:
    (A) Reward the agent for improving (or maintaining improvement in) 
patient or population health by achieving one or more outcome measures 
that effectively and efficiently coordinate care across care settings; 
or
    (B) Achieve one or more outcome measures that appropriately reduce 
payor costs while improving, or maintaining the improved quality of 
care for patients.
    (iii) Outcomes-based payments exclude any payments:
    (A) Made, directly or indirectly, by a pharmaceutical manufacturer; 
a manufacturer, distributor, or supplier of durable medical equipment, 
prosthetics, orthotics, or supplies; or a laboratory; or
    (B) That relate solely to the achievement of internal cost savings 
for the principal.
* * * * *
    (g) Warranties. As used in section 1128B of the Act, 
``remuneration'' does not include any payment or exchange of anything 
of value under a warranty provided by a manufacturer or supplier of one 
or more items and services (provided the warranty covers at least one 
item) to the buyer (such as a healthcare provider or beneficiary) of 
the items and services, as long as the buyer complies with all of the 
following standards in paragraphs (g)(1) and (2) of this section and 
the manufacturer or supplier complies with all of the following 
standards in paragraphs (g)(3) through (6) of this section:
    (1) The buyer (unless the buyer is a Federal health care program 
beneficiary) must fully and accurately report any price reduction of an 
item or service (including a free item or service) that was obtained as 
part of the warranty, in the applicable cost reporting mechanism or 
claim for payment filed with the Department or a State agency.
* * * * *
    (3) * * *
    (i) The manufacturer or supplier must fully and accurately report 
any price reduction of an item or service (including free items and 
services) that the buyer obtained as part of the warranty on the 
invoice or statement submitted to the buyer and inform the buyer of its 
obligations under paragraphs (g)(1) and (2) of this section.
* * * * *
    (4) The manufacturer or supplier must not pay any remuneration to 
any individual (other than a beneficiary) or entity for any medical, 
surgical, or hospital expense incurred by a beneficiary other than for 
the cost of the items and services subject to the warranty.
    (5) If a manufacturer or supplier offers a warranty for more than 
one item or one or more items and related services, the federally 
reimbursable items and services subject to the warranty must be 
reimbursed by the same Federal health care program and in the same 
Federal health care program payment.
    (6) The manufacturer or supplier must not condition a warranty on a 
buyer's exclusive use of, or a minimum purchase of, any of the 
manufacturer's or supplier's items or services.
    (7) For purposes of this paragraph (g), the term warranty means:
    (i) Any written affirmation of fact or written promise made in 
connection with the sale of an item or bundle of items, or services in 
combination with one or more related items, by a manufacturer or 
supplier to a buyer, which affirmation of fact or written promise 
relates to the nature of the quality or workmanship and affirms or 
promises that such quality or workmanship is defect free or will meet a 
specified level of performance over a specified period of time;
    (ii) Any undertaking in writing in connection with the sale by a 
manufacturer or supplier of an item or bundle of items, or services in 
combination with one or more related items, to refund, repair, replace, 
or take other remedial action with respect to such item or bundle of 
items in the event that such item or bundle of items, or services in 
combination with one or more related items, fails to meet the 
specifications set forth in the undertaking, which written affirmation, 
promise, or undertaking becomes part of the basis of the bargain 
between a seller and a buyer for purposes other than resell of such 
item or bundle of items; or
    (iii) A manufacturer's or supplier's agreement to replace another 
manufacturer's or supplier's defective item or bundle of items (which 
is covered by an agreement made in accordance with this paragraph (g)), 
on terms equal to the agreement that it replaces.
* * * * *
    (y) Electronic health records items and services. As used in 
section 1128B

[[Page 55761]]

of the Act, ``remuneration'' does not include nonmonetary remuneration 
(consisting of items and services in the form of software or 
information technology and training services, including certain 
cybersecurity software and services) necessary and used predominantly 
to create, maintain, transmit, receive, or protect electronic health 
records, if all of the conditions in paragraphs (y)(1) through (13) of 
this section are met:
* * * * *
    (2) * * * For purposes of this paragraph (y)(2), software is deemed 
to be interoperable if, on the date it is provided to the recipient, it 
is certified by a certifying body authorized by the National 
Coordinator for Health Information Technology to electronic health 
record certification criteria identified in 45 CFR part 170.
    (3) The donor (or any person on the donor's behalf) does not engage 
in a practice constituting information blocking, as defined in 45 CFR 
part 171, in connection with the donated items or services.
* * * * *
    (7) [Reserved]
* * * * *
    (13) [Reserved]
* * * * *
    (14) For purposes of this paragraph (y), the following definitions 
apply:
    (i) Cybersecurity means the process of protecting information by 
preventing, detecting, and responding to cyberattacks;
    (ii) Health plan shall have the meaning set forth at Sec.  
1001.952(l)(2);
    (iii) Interoperable shall mean able to:
    (A) Securely exchange data with, and use data from other health 
information technology without special effort on the part of the user;
    (B) Allow for complete access, exchange, and use of all 
electronically accessible health information for authorized use under 
applicable State or Federal law; and
    (C) Does not constitute information blocking as defined in 45 CFR 
part 171; and
    (iv) Electronic health record shall mean a repository of electronic 
health information that:
    (A) Is transmitted by or maintained in electronic media; and
    (B) Relates to the past, present, or future health or condition of 
an individual or the provision of healthcare to an individual.
* * * * *
    (bb) * * *
    (1) * * *
    (iv) * * *
    (B) Within 25 miles of the healthcare provider or supplier to or 
from which the patient would be transported, or within 75 miles if the 
patient resides in a rural area, as defined in this paragraph (bb), 
except that, if the patient is being discharged from an inpatient 
facility and transported to the patient's residence, or another 
residence of the patient's choice, the mileage limits in this paragraph 
(bb)(1)(iv)(B) shall not apply; and
* * * * *
    (2) * * *
    (iii) The eligible entity makes the shuttle service available only 
within the eligible entity's local area, meaning there are no more than 
25 miles from any stop on the route to any stop at a location where 
healthcare items or services are provided, except that if a stop on the 
route is in a rural area, the distance may be up to 75 miles between 
that stop and any providers or suppliers on the route;
* * * * *
    (3) For purposes of this paragraph (bb), the following definitions 
apply:
    (i) An eligible entity is any individual or entity, except for 
individuals or entities (or family members or others acting on their 
behalf) that primarily supply healthcare items;
    (ii) An established patient is a person who has selected and 
initiated contact to schedule an appointment with a provider or 
supplier, or who previously has attended an appointment with the 
provider or supplier;
    (iii) A shuttle service is a vehicle that runs on a set route, on a 
set schedule;
    (iv) A rural area is an area that is not an urban area, as defined 
in paragraph (bb)(3)(v) of this section; and
    (v) An urban area is:
    (A) A Metropolitan Statistical Area (MSA) or New England County 
Metropolitan Area (NECMA), as defined by the Executive Office of 
Management and Budget; or
    (B) The following New England counties, which are deemed to be 
parts of urban areas under section 601(g) of the Social Security 
Amendments of 1983 (Pub. L. 98-21, 42 U.S.C. 1395ww (note)): Litchfield 
County, Connecticut; York County, Maine; Sagadahoc County, Maine; 
Merrimack County, New Hampshire; and Newport County, Rhode Island.
    (cc)-(dd) [Reserved]
    (ee) Care coordination arrangements to improve quality, health 
outcomes, and efficiency. As used in section 1128B of the Act, 
``remuneration'' does not include the exchange of anything of value 
pursuant to a value-based arrangement if all of the standards in 
paragraphs (ee)(1) through (12) of this section are met:
    (1) The VBE participants establish one or more specific evidence-
based, valid outcome measures against which the recipient will be 
measured and which the parties reasonably anticipate will advance the 
coordination and management of care of the target patient population.
    (2) The value-based arrangement is commercially reasonable, 
considering both the arrangement itself and all value-based 
arrangements within the VBE.
    (3) In advance of, or contemporaneous with, the commencement of the 
value-based arrangement or any material change to the value-based 
arrangement, the offeror of the remuneration and any recipient(s) of 
such remuneration have set forth the terms of the value-based 
arrangement in a signed writing. The writing states, at a minimum:
    (i) The value-based activities to be undertaken by the parties to 
the value-based arrangement;
    (ii) The term of the value-based arrangement;
    (iii) The target patient population;
    (iv) A description of the remuneration;
    (v) The offeror's cost for the remuneration;
    (vi) The percentage of the offeror's cost contributed by the 
recipient;
    (vii) If applicable, the frequency of the recipient's contribution 
payments for ongoing costs; and
    (viii) The specific evidence-based, valid outcome measure(s) 
against which the recipient will be measured.
    (4) The remuneration exchanged:
    (i) Is in-kind;
    (ii) Is used primarily to engage in value-based activities that are 
directly connected to the coordination and management of care for the 
target patient population;
    (iii) Does not induce VBE participants to furnish medically 
unnecessary items or services or reduce or limit medically necessary 
items or services furnished to any patient; and
    (iv) Is not funded by, and does not otherwise result from the 
contributions of, any individual or entity outside of the applicable 
VBE.
    (5) The offeror of the remuneration does not take into account the 
volume or value of, or condition the remuneration on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (6) The recipient pays at least 15 percent of the offeror's cost 
for the in-kind remuneration. If a one-time cost, the recipient makes 
such contribution in advance of receiving the in-kind

[[Page 55762]]

remuneration. If an ongoing cost, the recipient makes such contribution 
at reasonable, regular intervals.
    (7) The value-based arrangement:
    (i) Is directly connected to the coordination and management of 
care of the target patient population;
    (ii) Does not place any limitation on VBE participants' ability to 
make decisions in the best interest of their patients;
    (iii) Does not direct or restrict referrals to a particular 
provider, practitioner, or supplier if:
    (A) A patient expresses a preference for a different practitioner, 
provider, or supplier;
    (B) The patient's payor determines the provider, practitioner, or 
supplier; or
    (C) Such direction or restriction is contrary to applicable law or 
regulations under titles XVIII and XIX of the Act; and
    (iv) Does not include marketing to patients of items or services or 
engaging in patient recruitment activities.
    (8) The VBE, a VBE participant in the value-based arrangement 
acting on the VBE's behalf, or the VBE's accountable body or 
responsible person monitors and assesses, and reports such monitoring 
and assessment to the VBE's accountable body or responsible person as 
applicable, no less frequently than annually or at least once during 
the term of the value-based arrangement for arrangements with terms of 
less than 1 year:
    (i) The coordination and management of care for the target 
population in the value-based arrangement;
    (ii) Any deficiencies in the delivery of quality care under the 
value-based arrangement; and
    (iii) Progress toward achieving the evidence-based, valid outcome 
measure(s) in the value-based arrangement.
    (9) The parties terminate the arrangement within 60 days if the 
VBE's accountable body or responsible person determines that the value-
based arrangement:
    (i) Is unlikely to further the coordination and management of care 
for the target patient population;
    (ii) Has resulted in material deficiencies in quality of care; or
    (iii) Is unlikely to achieve the evidence-based, valid outcome 
measure(s).
    (10) The offeror does not, and should not, know that the 
remuneration is likely to be diverted, resold, or used by the recipient 
for an unlawful purpose.
    (11) The VBE or VBE participant makes available to the Secretary, 
upon request, all materials and records sufficient to establish 
compliance with the conditions of this paragraph (ee).
    (12) For purposes of this paragraph (ee), the following definitions 
apply:
    (i) Coordination and management of care (or coordinating and 
managing care) means, for purposes of the anti-kickback statute safe 
harbors at Sec.  1001.952, the deliberate organization of patient care 
activities and sharing of information between two or more VBE 
participants or VBE participants and patients, tailored to improving 
the health outcomes of the target patient population, in order to 
achieve safer and more effective care for the target patient 
population.
    (ii) Target patient population means an identified patient 
population selected by the VBE or its VBE participants using legitimate 
and verifiable criteria that:
    (A) Are set out in writing in advance of the commencement of the 
value-based arrangement; and
    (B) Further the value-based enterprise's value-based purpose(s).
    (iii) Value-based activity
    (A) Means any of the following activities, provided that the 
activity is reasonably designed to achieve at least one value-based 
purpose of the value-based enterprise:
    (1) The provision of an item or service;
    (2) The taking of an action; or
    (3) The refraining from taking an action.
    (B) Does not include the making of a referral.
    (iv) Value-based arrangement means an arrangement for the provision 
of at least one value-based activity for a target patient population 
between or among:
    (A) The value-based enterprise and one or more of its VBE 
participants; or
    (B) VBE participants in the same value-based enterprise.
    (v) Value-based enterprise or VBE means two or more VBE 
participants:
    (A) Collaborating to achieve at least one value-based purpose;
    (B) Each of which is a party to a value-based arrangement with the 
other or at least one other VBE participant in the value-based 
enterprise;
    (C) That have an accountable body or person responsible for 
financial and operational oversight of the value-based enterprise; and
    (D) That have a governing document that describes the value-based 
enterprise and how the VBE participants intend to achieve its value-
based purpose(s).
    (vi) Value-based enterprise participant or VBE participant means an 
individual or entity that engages in at least one value-based activity 
as part of a value-based enterprise. VBE participant does not include a 
pharmaceutical manufacturer; a manufacturer, distributor, or supplier 
of durable medical equipment, prosthetics, orthotics, or supplies; or a 
laboratory.
    (vii) Value-based purpose means:
    (A) Coordinating and managing the care of a target patient 
population;
    (B) Improving the quality of care for a target patient population;
    (C) Appropriately reducing the costs to, or growth in expenditures 
of, payors without reducing the quality of care for a target patient 
population; or
    (D) Transitioning from healthcare delivery and payment mechanisms 
based on the volume of items and services provided to mechanisms based 
on the quality of care and control of costs of care for a target 
patient population.
    (ff) Value-based arrangements with substantial downside financial 
risk. As used in section 1128B of the Act, ``remuneration'' does not 
include the exchange of payments or anything of value between a VBE and 
a VBE participant pursuant to a value-based arrangement if all of the 
standards in paragraphs (ff)(1) through (8) of this section are met:
    (1) The VBE (directly or through a VBE participant acting on the 
VBE's behalf) has assumed (or is contractually obligated to assume in 
the next 6 months) substantial downside financial risk (as defined in 
this paragraph (ff)) from a payor for providing or arranging for the 
provision of items and services for a target patient population.
    (2) Under the value-based arrangement, the VBE participant 
meaningfully shares in the VBE's substantial downside financial risk 
for providing or arranging for the provision of items and services for 
the target patient population. For purposes of this paragraph (ff), a 
VBE participant meaningfully shares in the VBE's substantial downside 
financial risk if the value-based arrangement provides that the VBE 
participant is subject to risk under one of the following three 
methodologies:
    (i) A risk-sharing payment pursuant to which the VBE participant is 
at risk for 8 percent of the amount for which the VBE is at risk under 
its agreement with the applicable payor;
    (ii) A partial or full capitation payment or similar payment 
methodology, excluding the Medicare inpatient prospective payment 
system or other like payment methodology; or
    (iii) In the case of a VBE participant that is a physician, a 
payment that meets the requirements of the regulatory exception for 
value-based arrangements with meaningful downside financial risk at 
Sec.  411.357(aa)(2) of this title.

[[Page 55763]]

    (3) The remuneration provided by, or shared among, the VBE and VBE 
participant:
    (i) Is used primarily to engage in value-based activities that are 
directly connected to the items and services for which the VBE is at 
substantial downside financial risk and that are set forth in writing 
pursuant to paragraph(ff)(4) of this section;
    (ii) Is directly connected to one or more of the VBE's value-based 
purposes, at least one of which must be the coordination and management 
of care for the target patient population;
    (iii) Does not induce VBE participants to reduce or limit medically 
necessary items or services furnished to any patient;
    (iv) Does not include the offer or receipt of an ownership or 
investment interest in an entity or any distributions related to such 
ownership or investment interest; and
    (v) Is not funded by, and does not otherwise result from the 
contributions of, any individual or entity outside of the VBE.
    (4) In advance of, or contemporaneous with, the commencement of the 
value-based arrangement or any material change to the value-based 
arrangement, the VBE and VBE participant set forth in a signed writing 
the terms of the value-based arrangement. The writing states all 
material terms of the value-based arrangement, including: A description 
of the nature and extent of the VBE's substantial downside financial 
risk for the target patient population; a description of the manner in 
which the recipient meaningfully shares in the VBE's substantial 
downside financial risk; the value-based activities; the target patient 
population; and the type and the offeror's cost of the remuneration.
    (5) The VBE or VBE participant offering the remuneration does not 
take into account the volume or value of, or condition the remuneration 
on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (6) The value-based arrangement does not:
    (i) Place any limitation on VBE participants' ability to make 
decisions in the best interest of their patients;
    (ii) Direct or restrict referrals to a particular provider, 
practitioner, or supplier if:
    (A) A patient expresses a preference for a different practitioner, 
provider, or supplier;
    (B) The patient's payor determines the provider, practitioner, or 
supplier; or
    (C) Such direction or restriction is contrary to applicable law or 
regulations under titles XVIII and XIX of the Act; or
    (iii) Include marketing to patients of items or services or 
engaging in patient recruitment activities.
    (7) The VBE or VBE participant makes available to the Secretary, 
upon request, all materials and records sufficient to establish 
compliance with the conditions of this paragraph (ff).
    (8) For purposes of this paragraph (ff), the following definitions 
apply:
    (i) Substantial downside financial risk means risk, for the entire 
term of the value-based arrangement, in the form of:
    (A) Shared savings with a repayment obligation to the payor of at 
least 40 percent of any shared losses, where loss is determined based 
upon a comparison of costs to historical expenditures, or to the extent 
such data is unavailable, evidence-based, comparable expenditures;
    (B) A repayment obligation to the payor under an episodic or 
bundled payment arrangement of at least 20 percent of any total loss, 
where loss is determined based upon a comparison of costs to historical 
expenditures, or to the extent such data is unavailable, evidence-
based, comparable expenditures;
    (C) A prospectively paid population-based payment for a defined 
subset of the total cost of care of a target patient population, where 
such payment is determined based upon a review of historical 
expenditures, or to the extent such data is unavailable, evidence-
based, comparable expenditures; or
    (D) A partial capitated payment from the payor for a set of items 
and services for the target patient population, where such capitated 
payment reflects a discount equal to at least 60 percent of the total 
expected fee-for-service payments based on historical expenditures, or 
to the extent such data is unavailable, evidence-based, comparable 
expenditures of the VBE participants to the value-based arrangement.
    (ii) Coordination and management of care, target patient 
population, value-based activity, value-based arrangement, value-based 
enterprise, value-based purpose, and VBE participant shall have the 
meaning set forth in paragraph (ee) of this section.
    (gg) Value-based arrangements with full financial risk. As used in 
section 1128B of the Act, ``remuneration'' does not include the 
exchange of payments or anything of value between the VBE and a VBE 
participant pursuant to a value-based arrangement if all of the 
standards in paragraphs (gg)(1) through (8) of this section are met:
    (1) The VBE (directly or through a VBE participant acting on behalf 
of the VBE) has assumed (or is contractually obligated to assume in the 
next 6 months) full financial risk from a payor and has a signed 
writing with the payor that specifies the target patient population and 
contains terms evidencing that the VBE is at full financial risk for 
that population for a period of at least 1 year.
    (2) The value-based arrangement is set out in a writing signed by 
the parties that specifies the material terms of the value-based 
arrangement, including the value-based activities to be undertaken by 
the parties, and is for a period of at least 1 year.
    (3) The VBE participant does not claim payment in any form directly 
or indirectly from a payor for items or services covered under the 
value-based arrangement.
    (4) The remuneration exchanged between the VBE and a VBE 
participant:
    (i) Is used primarily to engage in the value-based activities set 
forth in writing pursuant to paragraph (gg)(2) of this section;
    (ii) Is directly connected to one or more of the VBE's value-based 
purposes, at least one of which must be the coordination and management 
of care for the target patient population;
    (iii) Does not induce the VBE or VBE participants to reduce or 
limit medically necessary items or services furnished to any patient;
    (iv) Does not include the offer or receipt of an ownership or 
investment interest in an entity or any distributions related to such 
ownership or investment interest; and
    (v) Is not funded by, and does not otherwise result from the 
contributions of, any individual or entity outside of the VBE.
    (5) The VBE or VBE participant does not take into account the 
volume or value of, or condition the remuneration on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (6) The VBE provides or arranges for:
    (i) An operational utilization review program; and
    (ii) A quality assurance program that protects against 
underutilization and specifies patient goals, including measurable 
outcomes, where appropriate.
    (7) The value-based arrangement does not include marketing to 
patients of items or services or engaging in patient recruitment 
activities.
    (8) The VBE or VBE participant makes available to the Secretary, 
upon request,

[[Page 55764]]

all materials and records sufficient to establish compliance with the 
conditions of this paragraph (gg).
    (9) For purposes of this paragraph (gg), the following definitions 
apply:
    (i) Full financial risk means the VBE is financially responsible 
for the cost of all items and services covered by the applicable payor 
for each patient in the target patient population and is prospectively 
paid by the applicable payor;
    (ii) Items and services shall have the meaning set forth in Sec.  
1001.952(t)(2)(iv); and
    (iii) Coordination and management of care, target patient 
population, value-based activity, value-based arrangement, value-based 
enterprise, value-based purpose, and VBE participant shall have the 
meaning set forth in paragraph (ee) of this section.
    (hh) Arrangements for patient engagement and support to improve 
quality, health outcomes, and efficiency. As used in section 1128B of 
the Act, ``remuneration'' does not include a patient engagement tool or 
support furnished by a VBE participant to a patient in a target patient 
population if all of the conditions in paragraphs (hh)(1) through (6) 
of this section are met:
    (1) The patient engagement tool or support is furnished directly to 
the patient by a VBE participant.
    (2) No individual or entity outside of the applicable VBE funds or 
otherwise contributes to the provision of the patient engagement tool 
or support.
    (3) The patient engagement tool or support:
    (i) Is an in-kind preventive item, good, or service, or an in-kind 
item, good, or service such as health-related technology, patient 
health-related monitoring tools and services, or supports and services 
designed to identify and address a patient's social determinants of 
health;
    (ii) That has a direct connection to the coordination and 
management of care of the target patient population;
    (iii) Does not include any gift card, cash, or cash equivalent;
    (iv) Does not include any in-kind item, good, or service used for 
patient recruitment or marketing of items or services to patients;
    (v) Does not result in medically unnecessary or inappropriate items 
or services reimbursed in whole or in part by a Federal health care 
program;
    (vi) Is recommended by the patient's licensed healthcare provider; 
and
    (vii) Advances one or more of the following goals:
    (A) Adherence to a treatment regimen determined by the patient's 
licensed healthcare provider.
    (B) Adherence to a drug regimen determined by the patient's 
licensed healthcare provider.
    (C) Adherence to a follow-up care plan established by the patient's 
licensed healthcare provider.
    (D) Management of a disease or condition as directed by the 
patient's licensed healthcare provider.
    (E) Improvement in measurable evidence-based health outcomes for 
the patient or for the target patient population.
    (F) Ensuring patient safety.
    (4) The offeror does not, and should not, know that the 
remuneration is likely to be diverted, sold, or utilized by the patient 
other than for the express purpose for which the patient engagement 
tool or support is provided.
    (5) The aggregate retail value of patient engagement tools and 
supports furnished to a patient by a VBE participant on an annual basis 
does not exceed $500 unless such patient engagement tools and supports 
are furnished to patients based on a good faith, individualized 
determination of the patient's financial need.
    (6) The VBE participant makes available to the Secretary, upon 
request, all materials and records sufficient to establish that the 
patient engagement tool or support was distributed in a manner that 
meets the conditions of this paragraph (hh).
    (7) For purposes of this paragraph (hh), coordination and 
management of care, target patient population, value-based purpose, 
VBE, and VBE participant shall have the meaning set forth in paragraph 
(ee) of this section.
    (ii) CMS-sponsored model arrangements and CMS-sponsored model 
patient incentives.
    (1) As used in section 1128B of the Act, ``remuneration'' does not 
include an exchange of anything of value between or among CMS-sponsored 
model parties under a CMS-sponsored model arrangement in a model for 
which CMS has determined that this safe harbor is available if all of 
the following conditions are met:
    (i) The CMS-sponsored model parties reasonably determine that the 
CMS-sponsored model arrangement will advance one or more goals of the 
CMS-sponsored model;
    (ii) The exchange of value does not induce CMS-sponsored model 
parties or other providers or suppliers to furnish medically 
unnecessary items or services or reduce or limit medically necessary 
items or services furnished to any patient;
    (iii) The CMS-sponsored model parties do not offer, pay, solicit, 
or receive remuneration in return for, or to induce or reward, any 
Federal health care program referrals or other Federal health care 
program business generated outside of the CMS-sponsored model;
    (iv) The CMS-sponsored model parties, in advance of, or 
contemporaneous with the commencement of, the CMS-sponsored model 
arrangement, set forth the terms of the CMS-sponsored model arrangement 
in a signed writing. The writing must specify, at a minimum, the 
activities to be undertaken by the CMS-sponsored model parties and the 
nature of the remuneration to be exchanged under the CMS-sponsored 
model arrangement;
    (v) The parties to the CMS-sponsored model arrangement make 
available to the Secretary, upon request, all materials and records 
sufficient to establish whether the remuneration was exchanged in a 
manner that meets the conditions of this safe harbor; and
    (vi) The CMS-sponsored model parties satisfy such programmatic 
requirements as may be imposed by CMS in connection with the use of 
this safe harbor.
    (2) As used in section 1128B of the Act, ``remuneration'' does not 
include a CMS-sponsored model patient incentive under a model for which 
CMS has determined that this safe harbor is available, if all of the 
conditions of paragraph (ii)(2)(i) through (v) are met of this section:
    (i) The CMS-sponsored model participant reasonably determines that 
the CMS-sponsored model patient incentive will advance one or more 
goals of the CMS-sponsored model;
    (ii) The CMS-sponsored model patient incentive has a direct 
connection to the patient's healthcare;
    (iii) The CMS-sponsored model participant makes available to the 
Secretary, upon request, all materials and records sufficient to 
establish whether the CMS-sponsored model patient incentive was 
distributed in a manner that meets the conditions of this paragraph; 
and
    (iv) The CMS-sponsored model participant satisfies such 
programmatic requirements as may be imposed by CMS in connection with 
the use of this safe harbor.
    (v) For purposes of this paragraph (ii)(2), a patient may retain 
any incentives received prior to the termination or expiration of the 
participation documentation of the CMS-sponsored model participant.
    (3) For purposes of this paragraph (ii), the following definitions 
apply:
    (i) CMS-sponsored model means:
    (A) A model being tested under section 1115A(b) of the Act or a 
model

[[Page 55765]]

expanded under section 1115A(c) of the Act; or
    (B) The Medicare shared savings program under section 1899 of the 
Act;
    (ii) CMS-sponsored model arrangement means an arrangement between 
or among CMS-sponsored model parties to engage in activities under the 
CMS-sponsored model and that is consistent with, and is not a type of 
arrangement prohibited by, the participation documentation;
    (iii) CMS-sponsored model participant means an individual or entity 
that is subject to, and is operating under, participation documentation 
with CMS to participate in a CMS-sponsored model;
    (iv) CMS-sponsored model party means:
    (A) A CMS-sponsored model participant; or
    (B) Other individual or entity who the participation documentation 
specifies may enter into a CMS-sponsored model arrangement;
    (v) CMS-sponsored model patient incentive means remuneration not of 
a type prohibited by the participation documentation and is furnished 
consistent with the CMS-sponsored model by a CMS-sponsored model 
participant (or by an agent of the CMS-sponsored model participant 
under the CMS-sponsored model participant's direction and control) 
directly to a patient under the CMS-sponsored model; and
    (vi) Participation documentation means the participation agreement, 
cooperative agreement, regulations, or model-specific addendum to an 
existing contract with CMS that:
    (A) Is currently in effect, and
    (B) Specifies the terms of a CMS-sponsored model.
    (jj) Cybersecurity technology and related services. As used in 
section 1128B of the Act, ``remuneration'' does not include nonmonetary 
remuneration (consisting of certain types of cybersecurity technology 
and services), if all of the conditions in paragraphs (jj)(1) through 
(5) of this section are met:
    (1) The technology and services are necessary and used 
predominantly to implement and maintain effective cybersecurity.
    (2) The donor does not:
    (i) Directly take into account the volume or value of referrals or 
other business generated between the parties when determining the 
eligibility of a potential recipient for the technology or services, or 
the amount or nature of the technology or services to be donated; or
    (ii) Condition the donation of technology or services, or the 
amount or nature of the technology or services to be donated, on future 
referrals.
    (3) Neither the recipient nor the recipient's practice (or any 
affiliated individual or entity) makes the receipt of technology or 
services, or the amount or nature of the technology or services, a 
condition of doing business with the donor.
    (4) The arrangement is set forth in a written agreement that:
    (i) Is signed by the parties;
    (ii) Describes the technology and services being provided and the 
amount of the recipient's contribution, if any; and
    (5) The donor does not shift the costs of the technology or 
services to any Federal health care program.
    (6) For purposes of this paragraph (jj) the following definitions 
apply:
    (i) Cybersecurity means the process of protecting information by 
preventing, detecting, and responding to cyberattacks.
    (ii) Technology means any software or other types of information 
technology, other than hardware.
    (kk) ACO Beneficiary Incentive Program. As used in section 1128B of 
the Act, ``remuneration'' does not include an incentive payment made by 
an ACO to an assigned beneficiary under a beneficiary incentive program 
established under section 1899(m) of the Act, as amended by Congress 
from time to time, if the incentive payment is made in accordance with 
the requirements found in such subsection.

PART 1003--CIVIL MONEY PENALTIES, ASSESSMENTS AND EXCLUSIONS

0
3. The authority citation for part 1003 continues to read as follows:

    Authority:  42 U.S.C. 262a, 1302, 1320-7, 1320a-7a, 1320b-10, 
1395u(j), 1395u(k), 1395cc(j), 1395w-141(i)(3), 1395dd(d)(1), 
1395mm, 1395nn(g), 1395ss(d), 1396b(m), 11131(c), and 11137(b)(2).

0
4. Section 1003.110 is amended by adding paragraph (10) to the 
definition of ``remuneration'' and adding in alphabetical order a 
definition for ``telehealth technologies'' to read as follows:


Sec.  1003.110  Definitions.

* * * * *
    Remuneration * * *
* * * * *
    (10) The provision of telehealth technologies by a provider of 
services or a renal dialysis facility (as such terms are defined for 
purposes of title XVIII of the Act) to an individual with end stage 
renal disease who is receiving home dialysis for which payment is being 
made under part B of such title, if--
    (i) The telehealth technologies are furnished to the individual by 
the provider of services or the renal dialysis facility that is 
currently providing the in-home dialysis, telehealth visits, or other 
end stage renal disease care to the patient;
    (ii) The telehealth technologies are not offered as part of any 
advertisement or solicitation;
    (iii) The telehealth technologies contribute substantially to the 
provision of telehealth services related to the individual's end stage 
renal disease, is not of excessive value, and is not duplicative of 
technology that the beneficiary already owns if that technology is 
adequate for the telehealth purposes; and
    (iv) The provider of services or a renal dialysis facility does not 
bill Federal health care programs, other payors, or individuals for the 
telehealth technologies, claim the value of the telehealth technologies 
as a bad debt for payment purposes under a Federal health care program, 
or otherwise shift the burden of the value of the telehealth 
technologies onto a Federal health care program, other payors, or 
individuals.
* * * * *
    Telehealth technologies, for purposes of the definition of the term 
``remuneration'' as set forth in this section and the telehealth 
technologies exception to section 50302(c) of the Bipartisan Budget Act 
of 2018, which adds an exception as new section 1128A(i)(6)(J) of the 
Act, means multimedia communications equipment that includes, at a 
minimum, audio and video equipment permitting two-way, real-time 
interactive communication between the patient and distant site 
physician or practitioner used in the diagnosis, intervention, or 
ongoing care management--paid for by Medicare Part B--between a patient 
and the remote healthcare provider. Telephones, facsimile machines, and 
electronic mail systems are not telehealth technologies.
* * * * *

    Dated: September 30, 2019.
 Alex M. Azar II,
 Secretary.
Joanne M. Chiedi,
Acting Inspector General.
[FR Doc. 2019-22027 Filed 10-9-19; 4:15 pm]
 BILLING CODE 4152-04-P