OIG and CMS issue long-awaited value-based safe harbors and exceptions; now what?

By Jason E. Christ, Anjali N. Downs, and Victoria Sheridan

Jason E. Christ (jchrist@ebglaw.com) and Anjali N. Downs (adowns@ebglaw.com) are Members of the Washington, DC, office of Epstein Becker & Green, and Victoria Sheridan (vsheridan@ebglaw.com) is a Member of the firm’s New Jersey office.

This article was authored in significant collaboration with Arthur Fried.

On December 2, 2020, the Centers for Medicare & Medicaid Services (CMS)[1] and the Office of Inspector General (OIG)[2] of the Department of Health & Human Services published long-awaited companion final rules modifying and updating the federal Physician Self-Referral Law (commonly referred to as the Stark Law), the federal healthcare program’s Anti-Kickback Statute (AKS), and the federal Civil Monetary Penalties Law. These companion final rules comprise more than 400 pages of discussion and regulation and bring to a close Department of Health & Human Services’ Regulatory Sprint to Coordinated Care, an initiative ostensibly designed to remove regulatory barriers to coordinated and value-based care, and follow the proposed rules that were issued by both CMS[3] and OIG[4] in 2019. The final rules make changes to the existing regulatory framework, including through the modification and clarification of existing AKS safe harbors and Stark Law exceptions as well as the promulgation of new safe harbors and exceptions. These changes became effective January 19, 2021 (with one exception related to certain modifications of the Stark Law’s “group practice” rules, which become effective January 1, 2022).[5]

Notable changes to the AKS regulations finalized by OIG include:[6]

  • A new safe harbor for patient engagement and support that protects remuneration provided in the form of in-kind patient engagement tools and supports to patients in a defined target patient population.

  • New safe harbors for certain remuneration provided in connection with a CMS-sponsored model and for donation of cybersecurity technology and services, which modifies four existing safe harbors.

  • Modifications to the safe harbor for personal services and management contracts to: (1) ease the requirement that the aggregate compensation be set in advance and (2) protect outcomes-based payments that are tied to the achievement of legitimate and measurable outcomes.

Notable changes to the Stark Law regulations finalized by CMS include:[7]

  • A new de minimus exception that protects “nonabusive business practices” that result in remuneration of up to $5,000 per calendar year paid to a physician for providing items and services if certain requirements are met.[8]

  • Similar to OIG, a new exception to protect the donation of cybersecurity technology.

  • Significant amendments and clarifications to key definitions and requirements that are instrumental in the application of the Stark regulatory exceptions, including addressing concepts related to “volume and value,” “fair market value,” “commercially reasonable,” and “set in advance.”

In addition to the changes noted above, among the most consequential steps taken by both agencies are those related to the adoption of new regulatory protection for value-based arrangements. Specifically, the OIG promulgated three new value-based safe harbors, and CMS promulgated three new Stark Law exceptions. Given the changes that these final rules make to the current AKS and Stark Law regulatory framework, this article focuses on the long-awaited protections for value-based arrangements and, more specifically, the Stark Law exceptions.

According to CMS, value-based healthcare delivery “shifts the paradigm” of analysis under the Stark Law, and fewer “traditional” requirements are needed to ensure that value-based arrangements, and particularly arrangements that have downside risk, do not pose a risk of program or patient abuse, because “a value-based health care delivery and payment system, by design, provides safeguards against harms such as overutilization, care stinting, patient steering, and negative impacts on the medical marketplace.”[9] The new exceptions appear to be based in substantial part on the premise that the more financial risk the parties assume, the more likely they are to self-regulate the risks or concerns that were historically addressed by the Stark Law. This viewpoint is logical and largely consistent with CMS’ approach to managed care–related exceptions. CMS has long treated risk-bearing entities more favorably, especially where arrangements have downside risk associated with utilization and medical spend.

The new value-based exceptions apply only to “compensation arrangements” and not other types of financial relationships to which the Stark Law applies (i.e., ownership or investment interests). However, they broadly apply to any compensation arrangement that meets the elements of a value-based exception, regardless of whether the value-based arrangement is focused on care that is reimbursed by Medicare or a commercial payer. In addition, CMS has finalized specific rules related to indirect value-based arrangements.

The three new exceptions for arrangements that facilitate value-based healthcare delivery and payment are differentiated based upon the level of financial risk undertaken within the value-based arrangement, from full risk to no risk, as follows:

  1. Remuneration paid under a value-based arrangement with full financial risk,

  2. Value-based arrangement with meaningful downside financial risk to the physician, and

  1. Value-based arrangement.

These exceptions were finalized in much the same form as they were proposed. As the level of financial risk taken on by physicians decreases, the requirements/program safeguards for satisfying the exception become more extensive. The tiered structure of the exceptions recognizes that there are wide variations within the healthcare industry of providers and suppliers who have different levels of resources, infrastructure, financial stability, and risk tolerance to move from primarily fee-for-service reimbursement to primarily value-based reimbursement.

Fundamental to all three of the new value-based exceptions are several key definitions and central requirements, as well as one essential question.

Key definitions

The following definitions form the core elements of each exception, playing a significant role in how each exception is applied (and align with corresponding terms used by the OIG in its final rule):

  • Value-based enterprise (VBE) means two or more VBE participants that are “collaborating to achieve at least one value-based purpose,” “each of which is a party to a value-based arrangement with the other or at least one other VBE participant.”[10] The VBE is required to have an accountable body and a governing document.

  • Value-based arrangement means an arrangement to provide “at least one value-based activity for a target patient population to which the only parties are” (i) the VBE and one or more VBE participants or (ii) two or more VBE participants in the same VBE.

  • Target patient population means an identified patient population selected by the VBE or its VBE participants using legitimate and verifiable criteria that are set out in writing in advance of the commencement of the value-based arrangement and further the VBE’s value-based purpose.

  • Value-based activity is defined as providing an item or service, or taking or refraining from taking an action, that is reasonably designed to achieve at least one of the VBE’s value-based purposes. A value-based activity does not include the making of a referral.

  • VBE participant means “an individual or entity that engages in at least one value-based activity as part of a value-based enterprise.”

  • Value-based purpose means “(1) Coordinating and managing the care of a target patient population; (2) improving the quality of care for a target patient population;” (3) appropriately reducing costs without compromising quality; or (4) transitioning from healthcare delivery mechanisms based on volume to mechanisms based on value.

Central requirements

There are several requirements that are common to all three of the new value-based exceptions:

  • Remuneration “is for or results from value-based activities undertaken by the recipient of the remuneration for patients in the target patient population.”[11]

  • Remuneration “is not an inducement to reduce or limit medical necessary items or services to any patient.”

  • Remuneration “is not conditioned on referrals of patients who are not part of the target patient population or business not covered under the value-based arrangement.”

  • “Records of the methodology for determining and the actual amount of remuneration paid under the value-based arrangement must be maintained for a period of at least 6 years and made available to the Secretary upon request.”

Essential question

To determine whether one of the three value-based exceptions is available to protect a particular value-based arrangement, the VBE participants must ask one essential question: Do the value-based activities at the core of the value-based arrangement further one of the four enumerated “value-based purposes”? The determination regarding whether a value-based activity is reasonably designed to achieve at least one value-based purpose is a fact-specific determination, which, although commonplace under AKS, seems counterintuitive to a strict-liability statute. Parties to the value-based arrangement must have a good-faith belief that the value-based activity will achieve or lead to the achievement of at least one value-based purpose—the purpose, however, need not actually be achieved.

Full financial risk

The first exception is for value-based enterprises accepting “full financial risk” from a payer. The exception defines “full financial risk” to mean that the value-based enterprise is financially responsible on a prospective basis for “the cost of all patient care items and services covered by the applicable payor for each patient in the target patient population for a specified period of time”[12] (emphasis added). “Prospective basis” means that “the value-based enterprise has assumed financial responsibility for the cost of all patient care items and services covered by the…payor prior to providing patient care items and services to patients in the target patient population”[13] (emphasis added). CMS states that, for payment to be prospective, there can be no additional payment to cover costs for specific patient care items or services furnished, nor can payment be claimed from the payer for such items or services. However, payment can be made to “offset losses incurred…above those prospectively agreed to by the parties,” and also for “shared savings or other incentive payments for achieving quality, performance, or other benchmarks.”

According to CMS, full financial risk may take the form of capitation payments or a global budget payment from a payer and would not prohibit other approaches to full financial risk. With respect to Medicare patients, CMS emphasizes that full financial risk requires the VBE to be financially responsible for all items and services covered under Medicare Parts A and B.

The time frame to become fully financially responsible is 12 months after commencement of the value-based arrangement,[14] which should be very helpful to start-ups or practices going through a conversation from fee-for-service to at-risk population management

Meaningful downside financial risk to the physician

The second exception is for value-based arrangements that involve “meaningful downside financial risk to the physician.” This exception recognizes that not all providers are prepared to accept full financial risk but will consider participating in alternative payment models that provide for undertaking some downside financial risk. Although CMS believes that downside financial risk curbs the influence of traditional fee-for-service payments; contains inherent protections against program and patient abuse; and has great potential to shape behavior to improve outcomes, eliminate waste, and reduce cost, CMS nonetheless includes additional guardrails beyond those set forth in the full financial risk exception. Thus, three key differences between the “full risk” and “meaningful risk” exceptions are as follows.

First, “meaningful downside financial risk” is defined as requiring the physician to be “responsible to repay or forgo no less than 10 percent of the total value of the remuneration the physician receives under the value-based arrangement.”[15] The 10% risk of repayment would apply to in-kind remuneration as well, such as infrastructure or care coordination services. Second, there must be a writing describing the nature and extent of the downside financial risk, whereas the full financial risk exception does not require a writing. Third, like many other Stark exceptions, the methodology used to determine the amount of the remuneration to the physician must be set in advance, prior to the commencement of the value-based arrangement. The remuneration methodology may be changed during the life of the arrangement, so long as the change is prospectively effective only.

Value-based arrangements exception

The third exception is for value-based arrangements, in general, in which there is no transfer or acceptance of financial or downside risk by physicians. This exception is designed to be available to the largest number of entities regardless of risk, size, and sophistication. However, because this exception contains the most extensive and complex safeguards, more akin to traditional Stark requirements, it may well deter participation of precisely those entities it desires to include.

Unsurprisingly, this exception incorporates the same central safeguards found in the prior meaningful value-based financial risk exception. Where this exception differs, however, is that there are numerous additional, more formalized administrative, tracking, measurement, and documentation requirements that serve to both evidence the value-based purpose of the parties as well as monitor its success. The totality of these requirements and the possibility of a value-based arrangement being deemed “ineffective” and therefore falling out of compliance with the exception may very well limit its adoption and use.

The exception for general value-based arrangements tracks most closely with historic self-referral exceptions by requiring that the arrangement be set forth in writing and signed by the parties. Here, the writing must be comprehensive, including a description of: (1) the “value-based activities to be undertaken under the arrangement;” (2) how “the value-based activities are expected to further the value-based purpose(s) of the value-based enterprise;” (3) the “target patient population for the arrangement;” (4) the “type or nature of the remuneration;” (5) the “methodology used to determine the amount of the remuneration;” and (5) the “outcome [performance and quality] measures against which the recipient of the remuneration is assessed, if any.”[16] Undoubtedly, parties and their compliance and legal counsel will spend a significant amount of time and attention determining how they intend to measure and monitor success based on the outcomes of the activities.

Although success is not a required element, if the value-based activities are not achieving the value-based purpose, the arrangement will have to be modified or terminated. The proactive and continuous monitoring element of this exception requires the parties to monitor, in real time, whether the value-based activities required under the arrangement have actually been furnished; the progress toward attainment of the outcome measurements; and whether and how continuation of the value-based activities is expected to further the purposes. Based upon this analysis, the parties must, if warranted, take appropriate measures to modify or terminate the ineffective activity, or risk compensating a physician during a period of noncompliance in violation of Stark. Monitoring must occur, by the enterprise or one or more of the parties to the arrangement, not less than annually, or at least once during the term of the arrangement if the arrangement has a duration of less than one year. The question remains, however—how long can such a value-based arrangement exist without achieving success?

Accordingly, these arrangements are thus not “set it and forget it” arrangements that can evergreen or renew with few modifications. They require active compliance monitoring and documentation that they are meeting their stated value-based purposes and goals. Absent persistent and meaningful oversight, this is an area of potentially significant risk, in our estimation. Failure to appropriately monitor these value-based arrangements could lead to their activities no longer supporting the value-based goal, resulting in a conclusion that the remuneration under the arrangement is no longer protected by the exception. Even the quality of the monitoring could be brought into question. Was the entity’s monitoring and oversight reasonable and adequate? Did the entity know or should it have known that the value-based activity was not achieving its intended purpose? When did the physician become aware or should have become aware of such failure? Given the strict-liability nature of Stark, if one party conceals the failure of the program from the other, will both be held accountable? It’s possible that CMS may provide further clarification. But, as is often the case, health regulatory counsel and enforcement actions may ultimately determine what is considered to be reasonable under the circumstances.

Elimination of common limitations on compensation

In a notable and welcome decision, CMS explicitly declined to incorporate common Stark limitations on compensation into any of the three new value-based exceptions. When describing the benefit of the value-based exceptions, CMS noted that unlike other exceptions to Stark, it elected to not include requirements such as that compensation must be set in advance, fair market value, and not determined in any manner that takes into account the volume or value of a physician’s referrals or the other business generated by the physician. Instead, CMS is relying on the value-based safeguards outlined in the definitions and believes that to include the traditional Stark exception elements would “conflict with [the agency’s] goal of addressing regulatory barriers to value-based care transformation.”[17] Nonetheless, CMS is requiring that “the compensation arrangement [be] commercially reasonable.”

What about the Anti-Kickback Statute?

OIG and CMS collaborated throughout the rulemaking process, particularly with respect to the adoption of the new value-based protections. However, although the agencies attempted to align terminology and conditions where possible, there are many instances where the two rules do not align. For example, the AKS final rules exclude certain entities[18] —pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers; laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices or medical supplies; entities that sell or rent durable medical equipment, prosthetics, orthotics, and supplies; and medical device distributors and wholesalers—from the value-based arrangements and patient engagement and support safe-harbor protections, while the CMS final rules do not exclude any individuals or entities from participating in a protected value-based arrangement. In addition, the Stark Law exceptions contain fewer conditions and seemingly apply to a broader array of arrangements and types of compensation. The agencies indicate that these differences are intentional and are largely due to the Stark Law’s status as a strict-liability statute, requiring all arrangements that implicate the Stark Law to satisfy an exception in order to avoid liability. Conversely, the AKS is an intent-based statute, and compliance with a safe harbor is not required for compliance. Thus, in crafting these new regulations, the OIG and CMS noted that the AKS will serve as “backstop” protection against abusive relationships.[19] As a result, the AKS safe harbors have more requirements and seemingly apply to a narrower set of relationships.

Conclusion

The final rules leave a lot of room for interpretation, and we are left wondering whether CMS removed regulatory barriers or further muddied the waters. In adopting these regulations, CMS states that it did not want “compliance with the physician self-referral law [to be] the driver of innovation or the barrier to innovation.”[20] Given this perspective, if parties implement a good-faith value-based design that is contemporaneously documented and is structured to align with the requisite criteria, there should be a level of comfort that the arrangement is defensible. Given the purpose and structure of these new rules, we would think that the regulatory authorities would be hard pressed to second-guess good-faith application by providers of this exception. While many in the industry might view these final rules as a step in the right direction, only time will tell how these new safe harbors and exceptions are interpreted and enforced.

Takeaways

  • Given the historical significance of fair market value in legitimizing arrangements, although not required, parties may want to consider fair market value when assessing value-based arrangements. Also, there are other suspect abusive elements that parties in a value-based arrangement still need to consider (e.g., underutilization, cherry-picking, lemon-dropping, and manipulation of data).

  • Although Stark is a strict-liability statute, the final rules discuss conducting a facts-and-circumstances analysis through the value-based exceptions and beyond.

  • Developing and maintaining contemporaneous documentation will help support the facts and circumstances of a value-based arrangement.

  • Compliance with a value-based exception will require parties to implement a constantly evolving process, which will require iterative planning, implementation, and assessment.

  • Although successful achievement of a value-based purpose is not required, parties must clearly define success in order to meet both explicit and implicit monitoring requirements.

 
1 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,492 (December 2, 2020).
2 Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77,684 (December 2, 2020).
3 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 84 Fed. Reg. 66,766 (October 17, 2019).
4 Medicare and State Healthcare Programs: Fraud and Abuse; Revisions To Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 84 Fed. Reg. 55,694 (October 17, 2019).
5 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77, 492.
6 Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77,684.
7 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,492.
8 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,624.
9 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,506
10 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,497.
11 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,680.
12 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,510.
13 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,511.
14 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,510.
15 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,517.
16 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,681.
17 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,507.
18 Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77,705.
19 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,495.
20 Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,507.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings