[Federal Register Volume 85, Number 232 (Wednesday, December 2, 2020)]
[Rules and Regulations]
[Pages 77684-77895]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-26072]



[[Page 77683]]

Vol. 85

Wednesday,

No. 232

December 2, 2020

Part III





Department of Health and Human Services





-----------------------------------------------------------------------





Office of Inspector General





-----------------------------------------------------------------------





42 CFR Parts 1001 and 1003





Medicare and State Health Care Programs: Fraud and Abuse; Revisions to 
Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary 
Penalty Rules Regarding Beneficiary Inducements; Final Rule

  Federal Register / Vol. 85, No. 232 / Wednesday, December 2, 2020 / 
Rules and Regulations  

[[Page 77684]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Parts 1001 and 1003

RIN 0936-AA10


Medicare and State Health Care Programs: Fraud and Abuse; 
Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil 
Monetary Penalty Rules Regarding Beneficiary Inducements

AGENCY: Office of Inspector General (OIG), Department of Health and 
Human Services (HHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends the safe harbors to the Federal anti-
kickback statute by adding new safe harbors and modifying existing safe 
harbors that protect certain payment practices and business 
arrangements from sanctions under the anti-kickback statute. This rule 
is issued in conjunction with the Department of Health and Human 
Services' (HHS's) Regulatory Sprint to Coordinated Care and focuses on 
care coordination and value-based care. This rule also amends the civil 
monetary penalty (CMP) rules by codifying a revision to the definition 
of ``remuneration'' added by the Bipartisan Budget Act of 2018 (Budget 
Act of 2018).

DATES: These regulations are effective January 19, 2021.

FOR FURTHER INFORMATION CONTACT: Stewart Kameen or Samantha Flanzer, 
Office of Counsel to the Inspector General, (202) 619-0335.

SUPPLEMENTARY INFORMATION: 

------------------------------------------------------------------------
       Social Security Act  citation         United States Code citation
------------------------------------------------------------------------
1128B, 1128D, 1102, 1128A.................  42 U.S.C. 1320a-7b, 42
                                             U.S.C. 1320a-7d, 42 U.S.C.
                                             1302, 42 U.S.C. 1320a-7a.
------------------------------------------------------------------------

I. Executive Summary

A. Purpose of the Regulatory Action

    The Secretary of HHS (the Secretary) has identified transforming 
the U.S. health care system to one that pays for value as a top 
priority. Unlike the traditional fee-for-service (FFS) payment system, 
which rewards providers for the volume of care delivered, a value-
driven health care system is one that pays for health and outcomes. 
Delivering better value from the health care system will require the 
transformation of established practices and enhanced collaboration 
among providers and other individuals and entities. The purpose of this 
rulemaking is to finalize modifications to existing safe harbors to the 
Federal anti-kickback statute and finalize the addition of new safe 
harbors and a new exception to the civil monetary penalty provision 
prohibiting inducements to beneficiaries, ``Beneficiary Inducements 
CMP,'' to remove potential barriers to more effective coordination and 
management of patient care and delivery of value-based care.
    The Department launched the Regulatory Sprint with the express 
purpose of removing potential regulatory barriers to care coordination 
and value-based care created by certain key health care laws and 
associated regulations, including the Federal anti-kickback statute and 
Beneficiary Inducements CMP.\1\ Through the Regulatory Sprint, HHS aims 
to encourage and improve patients' experience of care, providers' 
coordination of care, and information sharing to facilitate efficient 
care and preserve and protect patients' access to data.
---------------------------------------------------------------------------

    \1\ The Federal anti-kickback statute is codified at 42 U.S.C. 
1320a-7b(b); the Beneficiary Inducements CMP is codified at 42 
U.S.C. 1320a-7a(a)(5). Additionally, the Regulatory Sprint includes 
the physician self-referral law, 42 U.S.C. 1395nn, 42 CFR part 2, 
and provisions of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA).
---------------------------------------------------------------------------

    The Federal anti-kickback statute is an intent-based, criminal 
statute that prohibits intentional payments, whether monetary or in-
kind, in exchange for referrals or other Federal health care program 
business. Safe harbor regulations describe various payment and business 
practices that, although they potentially implicate the Federal anti-
kickback statute, are not treated as offenses under the statute. 
Compliance with a safe harbor is voluntary. The Beneficiary Inducements 
CMP is a civil, administrative statute that prohibits knowingly 
offering something of value to a Medicare or State health care program 
beneficiary to induce them to select a particular provider, 
practitioner, or supplier.
    Stakeholders have raised concerns that these statutes have chilling 
effect on innovation and value-based care because arrangements in which 
providers and others coordinate the care of patients with other 
providers, share resources among themselves to facilitate better care 
coordination, share in the benefits of more efficient care delivery, 
and engage and support patients can implicate these statutes.

B. The Proposed Rule

    On October 17, 2019, OIG published a notice of proposed rulemaking 
\2\ (OIG Proposed Rule) to add or amend various regulatory protections 
under the Federal anti-kickback statute and Beneficiary Inducements CMP 
with the goal of proposing protections for certain value-based 
arrangements that would improve quality, outcomes, and efficiency. The 
proposals focused on arrangements to advance the coordination and 
management of patient care, with an aim to support innovative methods 
and novel arrangements, including the use of digital health technology 
such as remote patient monitoring and telehealth. We proposed safe 
harbors for value-based arrangements where the parties assume full 
financial risk, substantial downside financial risk, and no or lower 
risk. The proposed safe harbors offered more flexibility for 
arrangements where the parties assumed more financial risk. Consistent 
with OIG's law enforcement mission and section 1128D(a)(2)(I) of the 
Act, the proposals included safeguards tailored to protect Federal 
health care programs and beneficiaries from the risks of fraud and 
abuse associated with kickbacks, such as overutilization and 
inappropriate patient steering, as well as risks associated with risk-
based payment mechanisms, such as stinting on care.
---------------------------------------------------------------------------

    \2\ 84 FR 55694 (Oct. 17, 2019). In connection with the 
Regulatory Sprint, and to help develop the proposals in the OIG 
Proposed Rule, OIG published a Request for Information (OIG RFI) 
seeking input on new or modified safe harbors to promote care 
coordination and value-based care and protect patients and taxpayer 
dollars from harms cause by fraud and abuse. 83 FR 43607 (Aug. 27, 
2018).
---------------------------------------------------------------------------

    The OIG Proposed Rule proposed new terminology to define the 
universe of value-based arrangements that could qualify for the new 
safe harbors, proposing to require that providers, suppliers, 
practitioners, and others would form value-based enterprises (VBEs) to 
collaborate to achieve value-based purposes, such as coordinating and 
managing a target patient population, improving quality of care for a 
target patient population, and reducing costs. VBEs could be large or 
small. VBEs could be formal corporate structures or looser 
affiliations. Under the proposed definition, VBEs would be required to 
have an accountable body and transparent governance. We proposed that 
some types of entities would not be eligible to use the value-based 
safe harbors because of heightened fraud risk and because the entities 
did not play a central, frontline role in coordinating and managing 
patient care.

[[Page 77685]]

    The OIG Proposed Rule proposed to modify existing safe harbors that 
advance coordinated care for patients, including information sharing. 
OIG proposed modifications to existing safe harbors for local 
transportation, electronic health records arrangements, and personal 
services and management contracts. Further, the OIG Proposed Rule 
proposed new protections for outcomes-based payments, cybersecurity 
technology and services arrangements, remuneration in connection with 
CMS-sponsored models (largely supplanting the need for separate OIG 
fraud and abuse waivers for these models), telehealth technologies for 
in-home dialysis patients (statutory), and Medicare Shared Savings 
Program ACO beneficiary incentives (statutory). For each new safe 
harbor or exception, OIG proposed a set of conditions designed to 
ensure that the safe harbor or exception protected beneficial 
arrangements and reduced risks of fraud and abuse.
    Taken as a whole, the OIG Proposed Rule proposed significant new 
flexibilities for value-based arrangements and modernization of the 
safe harbor regulations to account for the ongoing evolution of the 
health care delivery system. OIG developed its proposals in 
coordination with the Centers for Medicare & Medicaid Services (CMS), 
which concurrently issued proposed regulations in connection with the 
Regulatory Sprint (CMS NPRM).\3\ OIG solicited comments on the wide 
range of issues raised by the proposals. We received 337 timely 
comments, 327 of which were unique, from a broad range of stakeholders.
---------------------------------------------------------------------------

    \3\ 84 FR 55766 (Oct. 17, 2019).
---------------------------------------------------------------------------

C. The Final Rule

    We are finalizing the proposed new and modified anti-kickback 
statute safe harbors and exception to the Beneficiary Inducements CMP, 
with modifications and clarifications explained in the preamble to this 
rule. Stakeholder reaction was largely positive, although many 
commenters raised concerns and expressed preferences about specific 
provisions. Some commenters raised concerns about potential risks of 
fraud and impacts on competition.
    In this final rule, we sought to strike the right balance between 
flexibility for beneficial innovation and better coordinated patient 
care with necessary safeguards to protect patients and Federal health 
care programs. Many beneficial arrangements do not implicate the anti-
kickback statute and do not need protection. For example, the parties 
may be exchanging nothing of value between them or the arrangements 
might involve no Federal health care program patients or business. 
Other beneficial arrangements might implicate the statute (for example, 
the arrangement might involve parties that are exchanging something of 
value and are in a position to refer Federal health care program 
business between them) but will not fit in these or other available 
safe harbors. Arrangements are not necessarily unlawful because they do 
not fit in a safe harbor. Arrangements that do not fit in a safe harbor 
are analyzed for compliance with the Federal anti-kickback statute 
based on the totality of their facts and circumstances, including the 
intent of the parties. Some care coordination and value-based 
arrangements can be structured to fit in existing safe harbors.
    Flexibilities to engage in new business, care delivery, and digital 
health technology arrangements with lowered compliance risk may assist 
industry stakeholders in their response to and recovery from the 
current public health emergency resulting from the novel coronavirus 
disease 2019 (COVID-19) pandemic. The final rule may also help 
providers and others develop sustainable value-based care delivery 
models for the future.
1. Final Anti-Kickback Statute Safe Harbors
    We are finalizing the following regulations, as explained in 
section III of this preamble.
    Terminology and Framework. We are finalizing, with modifications, 
the proposed terminology that describes VBEs and VBE participants 
eligible to use the value-based safe harbors and the tiered framework 
of three value-based safe harbors that vary based on the level of risk 
assumed by the parties, with more flexibility associated with 
assumption of more risk. See section III.2.1-2 for further discussion.
    Safe Harbors for Value-Based Arrangements. We are finalizing, with 
modifications, three new safe harbors for remuneration exchanged 
between or among participants in a value-based arrangement (as further 
defined) that fosters better coordinated and managed patient care:
    (i) Care coordination arrangements to improve quality, health 
outcomes, and efficiency (paragraph 1001.952(ee)) without requiring the 
parties to assume risk;
    (ii) value-based arrangements with substantial downside financial 
risk (paragraph 1001.952(ff)); and,
    (iii) value-based arrangements with full financial risk (paragraph 
1001.952(gg)).
    These safe harbors address a broad range of potential value-based 
arrangements for care coordination activities, including use of digital 
health technology. We discuss each safe harbor in more detail in 
section III.B.3-5. The value-based safe harbors vary, among other ways, 
by the types of remuneration protected (in-kind or in-kind and 
monetary), the types of entities eligible to rely on the safe harbors, 
the level of financial risk assumed by the parties, and the types of 
safeguards included as safe harbor conditions. By design, these safe 
harbors offer flexibility for innovation and customization of value-
based arrangements to the size, resources, needs, and goals of the 
parties to them. The safe harbors allow for emerging arrangements that 
reflect up-to-date understandings in medicine, science, and technology.
    These three new safe harbors are not the exclusive, available safe 
harbors for care coordination or value-based arrangements. All three 
value-based safe harbors offer protection for in-kind remuneration, 
such as technology or services. However, only the safe harbors for 
value-based arrangements with substantial assumption of risk 
(paragraphs 1001.952(ff) and (gg)) protect monetary remuneration. The 
care coordination arrangements safe harbor at paragraph 1001.952(ee), 
which requires little or no assumption of risk, does not. However, 
parties to arrangements involving monetary remuneration, such as shared 
savings or performance bonus payments, may be eligible for the new 
protection for outcomes-based payments at paragraph 1001.952(d)(2). 
Parties to arrangements under CMS-sponsored models may prefer to look 
to the new safe harbor specifically for those models at paragraph 
1001.952(ii).
    As explained at section III.B.2.e below, entities ineligible to use 
the value-based safe harbors are: Pharmaceutical manufacturers, 
distributors, and wholesalers; pharmacy benefit managers (PBMs); 
laboratory companies; pharmacies that primarily compound drugs or 
primarily dispense compounded drugs; manufacturers of devices or 
medical supplies; entities or individuals that sell or rent durable 
medical equipment, prosthetics, orthotics and supplies (DMEPOS) (other 
than a pharmacy or a physician, provider, or other entity that 
primarily furnishes services); and medical device distributors and 
wholesalers. However, the care coordination arrangements safe harbor 
includes a separate pathway, with specific conditions, that protects 
digital technology arrangements (as

[[Page 77686]]

defined at paragraph 1001.952(ee)(14)) involving manufacturers of 
devices or medical supplies and DMEPOS.
    Patient Engagement and Support Safe Harbor. We are finalizing, with 
modifications, a new safe harbor (paragraph 1001.952(hh)) for patient 
engagement tools and supports furnished by a participant in a value-
based enterprise to a patient in a target patient population (discussed 
in section III.B.6). This safe harbor uses the same ineligible entities 
list as the value-based safe harbors, above, but includes a pathway for 
manufacturers of devices or medical supplies to provide digital health 
technology.
    CMS-Sponsored Models Safe Harbor. We are finalizing, with 
modifications, a new safe harbor (paragraph 1001.952(ii)) for CMS-
sponsored model arrangements and CMS-sponsored model patient incentives 
that would require OIG fraud and abuse waivers. This safe harbor 
(discussed at section III.B.7) is intended to provide greater 
predictability model participants and uniformity across models. It will 
reduce the need for separate OIG fraud and abuse waivers for new CMS-
sponsored models.
    Cybersecurity Technology and Services Safe Harbor. We are 
finalizing, with modifications, a new safe harbor (paragraph 
1001.952(jj)) for remuneration in the form of cybersecurity technology 
and services (discussed at section III.B.8). This safe harbor will 
facilitate improved cybersecurity in health care and is available to 
all types of individuals and entities.
    Electronic Health Records Safe Harbor. We are finalizing our 
proposal to modify the existing safe harbor for electronic health 
records items and services (paragraph 1001.952(y)). We are finalizing, 
with modifications, changes to update and remove provisions regarding 
interoperability, remove the sunset provision and prohibition on 
donation of equivalent technology, and clarify protections for 
cybersecurity technology and services included in an electronic health 
records arrangement (discussed at section III.B.9).
    Personal Services and Management Contracts and Outcomes-Based 
Payments. We are finalizing our proposal to modify the existing safe 
harbor for personal services and management contracts (paragraph 
1001.952(d)(1)). We are finalizing, without modification, changes to 
increase flexibility for part-time or sporadic arrangements and 
arrangements for which aggregate compensation is not known in advance. 
We are also a finalizing, with modifications, new protection for 
outcomes-based payments (paragraph 1001.952(d)(2)). These changes are 
discussed at section III.B.10. The new safe harbor for outcomes-based 
payments protects payments tied to achieving measurable outcomes that 
improve patient or population health or appropriately reduce payor 
costs. It makes ineligible the same entities that are ineligible for 
the value-based safe harbors.
    Warranties. We are finalizing our proposal to modify the existing 
safe harbor for warranties (paragraph 1001.952(g)). We are finalizing, 
without modification, revisions to the definition of ``warranty'' and 
to provide protection for warranties for one or more items and related 
services (discussed at section III.B.11). This safe harbor is available 
to any type of entity.
    Local Transportation. We are finalizing our proposal to modify the 
existing safe harbor for local transportation furnished to 
beneficiaries (paragraph 1001.952(bb)). We are finalizing, with 
modifications, changes to expand mileage limits for rural areas (up to 
75 miles) and eliminate mileage limits for transportation to convey 
patients discharged from the hospital to their place of residence 
(discussed at section III.B.12). We also clarify that the safe harbor 
is available for transportation provided through rideshare 
arrangements.
    ACO Beneficiary Incentives. We are codifying, without modification 
to our proposal, the statutory exception to the definition of 
``remuneration'' at section 1128B(b)(3)(K) of the Act related to ACO 
Beneficiary Incentive Programs for the Medicare Shared Savings Program 
(paragraph 1001.952(kk)) (discussed at section III.B.13).
2. Beneficiary Inducements CMP
    The final rule amends the Beneficiary Inducements CMP regulations 
at 42 CFR 1003 as follows:
    Telehealth Technologies for In-Home Dialysis Patients. We are 
codifying the statutory exception for ``telehealth technologies'' 
furnished to certain in-home dialysis patients, pursuant to section 
50302(c) of the Budget Act of 2018 (discussed at section III.C.1). We 
are finalizing our proposal with modifications.
    By operation of law, arrangements that fit in the new and modified 
Federal anti-kickback statute safe harbors for patient engagement and 
support, paragraph 1001.952(hh), and local transportation, paragraph 
1001.952(bb), are also protected under the Beneficiary Inducements CMP.

II. Background

A. Purpose and Need for Regulatory Action

    HHS's Regulatory Sprint aims to remove potential regulatory 
barriers to care coordination and value-based care created by four key 
health care laws and associated regulations: (i) The physician self-
referral law, (ii) the Federal anti-kickback statute, (iii) the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA),\4\ and 
(iv) rules under 42 CFR part 2 related to substance use disorder 
treatment.
---------------------------------------------------------------------------

    \4\ Public Law 104-191, 110 Stat. 1936.
---------------------------------------------------------------------------

    Through the Regulatory Sprint, HHS aims to encourage and improve:
     A patient's ability to understand treatment plans and make 
empowered decisions;
     providers' alignment on end-to-end treatment (i.e., 
coordination among providers along the patient's full care journey);
     incentives for providers to coordinate, collaborate, and 
provide patients tools and supports to be more involved in their own 
care; and
     information sharing among providers, facilities, and other 
stakeholders in a manner that facilitates efficient care while 
preserving and protecting patient access to data.
    Since the enactment in 1972 of the Federal anti-kickback statute, 
there have been significant changes in the delivery of, and payment 
for, health care items and services both within the Medicare and 
Medicaid programs and also for non-Federal payors and patients. Such 
changes include modifications to traditional FFS Medicare (i.e., 
Medicare Parts A and B), Medicare Advantage, and States' Medicaid 
programs. The Department has a longstanding commitment to aligning 
Medicare payment with quality of care delivered to Federal health care 
program beneficiaries.
    The Department identified the broad reach of the Federal anti-
kickback statute \5\ and the CMP law provision prohibiting inducements 
to beneficiaries, the ``Beneficiary Inducements CMP'' \6\ as 
potentially inhibiting beneficial arrangements that would advance the 
transition to value-based care and improve the coordination of patient 
care among providers and across care settings in both the Federal 
health care programs and commercial sectors.
---------------------------------------------------------------------------

    \5\ 42 U.S.C. 1320a-7b(b).
    \6\ 42 U.S.C. 1320a-7a(a)(5).

---------------------------------------------------------------------------

[[Page 77687]]

B. Federal Anti-Kickback Statute and Safe Harbors

    Section 1128B(b) of the Act, (42 U.S.C. 1320a-7b(b), the anti-
kickback statute), provides for criminal penalties for whoever 
knowingly and willfully offers, pays, solicits, or receives 
remuneration to induce or reward the referral of business reimbursable 
under any of the Federal health care programs, as defined in section 
1128B(f) of the Act (42 U.S.C. 1320a-7b(f)). The offense is classified 
as a felony and is punishable by fines of up to $100,000 and 
imprisonment for up to 10 years. Violations of the Federal anti-
kickback statute also may result in the imposition of CMPs under 
section 1128A(a)(7) of the Act (42 U.S.C. 1320a-7a(a)(7)), program 
exclusion under section 1128(b)(7) of the Act (42 U.S.C. 1320a-
7(b)(7)), and liability under the False Claims Act (31 U.S.C. 3729-33).
    The types of remuneration covered specifically include, without 
limitation, kickbacks, bribes, and rebates, whether made directly or 
indirectly, overtly or covertly, in cash or in kind. In addition, 
prohibited conduct includes not only the payment of remuneration 
intended to induce or reward referrals of patients but also the payment 
of remuneration intended to induce or reward the purchasing, leasing, 
or ordering of, or arranging for or recommending the purchasing, 
leasing, or ordering of, any good, facility, service, or item 
reimbursable by any Federal health care program.
    Because of the broad reach of the statute and concerns that some 
relatively innocuous business arrangements were covered by the statute 
and therefore potentially subject to criminal prosecution, Congress 
enacted section 14 of the Medicare and Medicaid Patient and Program 
Protection Act of 1987, Public Law 100-93 (note to section 1128B of the 
Act; 42 U.S.C. 1320a-7b). This provision specifically requires the 
development and promulgation of regulations, the so-called safe harbor 
provisions, that would specify various payment and business practices 
that would not be subject to sanctions under the anti-kickback statute, 
even though they potentially may be capable of inducing referrals of 
business for which payment may be made under a Federal health care 
program.
    Section 205 of HIPAA established section 1128D of the Act (42 
U.S.C. 1320a-7d), which includes criteria for modifying and 
establishing safe harbors. Specifically, section 1128D(a)(2) of the Act 
provides that, in modifying and establishing safe harbors, the 
Secretary may consider whether a specified payment practice may result 
in:
     An increase or decrease in access to health care services;
     an increase or decrease in the quality of health care 
services;
     an increase or decrease in patient freedom of choice among 
health care providers;
     an increase or decrease in competition among health care 
providers;
     an increase or decrease in the ability of health care 
facilities to provide services in medically underserved areas or to 
medically underserved populations;
     an increase or decrease in costs to Federal health care 
programs;
     an increase or decrease in the potential overutilization 
of health care services;
     the existence or nonexistence of any potential financial 
benefit to a health care professional or provider, which benefit may 
vary depending on whether the health care professional or provider 
decides to order a health care item or service or arranges for a 
referral of health care items or services to a particular practitioner 
or provider; or
     any other factors the Secretary deems appropriate in the 
interest of preventing fraud and abuse in Federal health care programs.
    In giving the Department the authority to protect certain 
arrangements and payment practices under the anti-kickback statute, 
Congress intended the safe harbor regulations to be updated 
periodically to reflect changing business practices and technologies in 
the health care industry.\7\ Since July 29, 1991, there have been a 
series of final regulations published in the Federal Register 
establishing safe harbors in various areas.\8\ These safe harbor 
provisions have been developed to limit the reach of the statute 
somewhat by permitting certain non-abusive arrangements, while 
encouraging beneficial or innocuous arrangements.\9\
---------------------------------------------------------------------------

    \7\ H.R. Rep. No. 100-85, Pt. 2, at 27 (1987).
    \8\ Medicare and State Health Care Programs: Fraud and Abuse; 
OIG Anti-Kickback Provisions, 56 FR 35952 (July 29, 1991); Medicare 
and State Health Care Programs: Fraud and Abuse; Safe Harbors for 
Protecting Health Plans, 61 FR 2122 (Jan. 25, 1996); Federal Health 
Care Programs: Fraud and Abuse; Statutory Exception to the Anti-
Kickback Statute for Shared Risk Arrangements, 64 FR 63504 (Nov. 19, 
1999); Medicare and State Health Care Programs: Fraud and Abuse; 
Clarification of the Initial OIG Safe Harbor Provisions and 
Establishment of Additional Safe Harbor Provisions Under the Anti-
Kickback Statute, 64 FR 63518 (Nov. 19, 1999); 64 FR 63504 (Nov. 19, 
1999); Medicare and State Health Care Programs: Fraud and Abuse; 
Ambulance Replenishing Safe Harbor Under the Anti-Kickback Statute, 
66 FR 62979 (Dec. 4, 2001); Medicare and State Health Care Programs: 
Fraud and Abuse; Safe Harbors for Certain Electronic Prescribing and 
Electronic Health Records Arrangements Under the Anti-Kickback 
Statute, 71 FR 45109 (Aug. 8, 2006); Medicare and State Health Care 
Programs: Fraud and Abuse; Safe Harbor for Federally Qualified 
Health Centers Arrangements Under the Anti-Kickback Statute, 72 FR 
56632 (Oct. 4, 2007); Medicare and State Health Care Programs: Fraud 
and Abuse; Electronic Health Records Safe Harbor Under the Anti-
Kickback Statute, 78 FR 79202 (Dec. 27, 2013); and Medicare and 
State Health Care Programs: Fraud and Abuse; Revisions to the Safe 
Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty 
Rules Regarding Beneficiary Inducements, 81 FR 88368 (Dec. 7, 2016).
    \9\ Medicare and State Health Care Programs: Fraud and Abuse; 
OIG Anti-Kickback Provisions, 56 FR at 35958 (July 21, 1991).
---------------------------------------------------------------------------

    Health care providers and others may voluntarily seek to comply 
with final safe harbors so that they have the assurance that their 
business practices would not be subject to any anti-kickback 
enforcement action. Compliance with an applicable safe harbor insulates 
an individual or entity from liability under the Federal anti-kickback 
statute and the Beneficiary Inducements CMP only; individuals and 
entities remain responsible for complying with all other laws, 
regulations, and guidance that apply to their businesses.

C. Civil Monetary Penalty Authorities

1. Overview of OIG Civil Monetary Penalty Authorities
    In 1981, Congress enacted the CMP law, section 1128A of the Act, 42 
U.S.C. 1320a-7a, as one of several administrative remedies to combat 
fraud and abuse in Medicare and Medicaid. The law authorized the 
Secretary to impose penalties and assessments on persons who defrauded 
Medicare or Medicaid or engaged in certain other wrongful conduct. The 
CMP law also authorized the Secretary to exclude persons from Federal 
health care programs (as defined in section 1128B(f) of the Act, 42 
U.S.C. 1320a-7b(f)) and to direct the appropriate State agency to 
exclude the person from participating in any State health care programs 
(as defined in section 1128(h) of the Act, 42 U.S.C. 1320a-7(h)). 
Congress later expanded the CMP law and the scope of exclusion to apply 
to all Federal health care programs, but the CMP applicable to 
beneficiary inducements remains limited to Medicare and State health 
care program beneficiaries. Since 1981, Congress has created various 
other CMP authorities covering numerous types of fraud and abuse.
2. The Definition of ``Remuneration''
    Section 1128A(a)(5) of the Act, 42 U.S.C. 1320a-7a(a)(5), the 
``Beneficiary Inducements CMP,'' provides for the

[[Page 77688]]

imposition of civil monetary penalties against any person who offers or 
transfers remuneration to a Medicare or State health care program 
(including Medicaid) beneficiary that the benefactor knows or should 
know is likely to influence the beneficiary's selection of a particular 
provider, practitioner, or supplier of any item or service for which 
payment may be made, in whole or in part, by Medicare or a State health 
care program (including Medicaid). Section 1128A(i)(6) of the Act, 42 
U.S.C. 1320a-7a(i)(6), defines ``remuneration'' for purposes of the 
Beneficiary Inducements CMP as including transfers of items or services 
for free or for other than fair market value. Section 1128A(i)(6) of 
the Act also includes a number of exceptions to the definition of 
``remuneration.''
    Pursuant to section 1128A(i)(6)(B) of the Act, any practice 
permissible under the anti-kickback statute, whether through statutory 
exception or safe harbor regulations issued by the Secretary, is also 
excepted from the definition of ``remuneration'' for purposes of the 
Beneficiary Inducements CMP. However, no parallel exception exists in 
the anti-kickback statute. Thus, the exceptions in section 1128A(i)(6) 
of the Act apply only to the definition of ``remuneration'' applicable 
to section 1128A.
    Relevant to this rulemaking, the Budget Act of 2018 created a new 
exception to the definition of ``remuneration'' for purposes of the 
Beneficiary Inducements CMP. This statutory exception applies to 
``telehealth technologies'' provided on or after January 1, 2019, by a 
provider of services or a renal dialysis facility to an individual with 
end stage renal disease (ESRD) who is receiving home dialysis for which 
payment is being made under Medicare Part B.

D. Summary of the OIG Proposed Rule

    On October 17, 2019, OIG published a proposed rule in the Federal 
Register (84 FR 55694) setting forth certain proposed amendments to the 
safe harbors under the anti-kickback statute and a proposed amendment 
to the Beneficiary Inducements CMP exceptions (the OIG Proposed Rule). 
With respect to the anti-kickback statute, we proposed seven new safe 
harbors and modifications to four existing safe harbors. Specifically, 
we proposed new protection for:
     A safe harbor for care coordination arrangements to 
improve quality, health outcomes, and efficiency (1001.952(ee));
     A safe harbor for value-based arrangements with 
substantial downside financial risk (1001.952(ff));
     A safe harbor for value-based arrangements with full 
financial risk (1001.952(gg));
     A safe harbor for arrangements for patient engagement and 
support to improve quality, health outcomes, and efficiency 
(1001.952(hh));
     A safe harbor for CMS-sponsored model arrangements and 
CMS-sponsored model patient incentives (1001.952(ii));
     A safe harbor for cybersecurity technology and related 
services (1001.952(jj)); and
     A safe harbor that would codify the statutory exception to 
the definition of ``remuneration'' at section 1128B(b)(3)(K) of the Act 
related to ACO Beneficiary Incentive Programs for the Medicare Shared 
Savings Program (1001.952(kk)).
     An exception to the Beneficiary Inducements CMP for 
telehealth technologies for in-home dialysis patients (1003.110).
    We proposed to modify:
     The safe harbor for personal services and management 
contracts and outcomes-based payment arrangements (1001.952(d));
     The safe harbor for warranties (1001.952(g));
     The safe harbor for electronic health records items and 
services (1001.952(y)); and
     The safe harbor for local transportation (1001.952(bb)).
    An overarching goal of our proposals was to develop final rules 
that protect low-risk, beneficial arrangements without opening the door 
to fraudulent or abusive conduct that increases Federal health care 
program costs or compromises quality of care for patients or patient 
choice. We solicited comments on our proposed policies to obtain the 
benefit of public input from affected stakeholders.
    Our proposals are summarized in greater detail in section III of 
this preamble, organized by topic, along with summaries of the final 
decisions, and summaries of the related comments and our responses.

E. Summary of the Final Rulemaking

    In this final rule, we modify existing as well as add new safe 
harbors pursuant to our authority under section 14 of the Medicare and 
Medicaid Patient and Program Protection Act of 1987 by specifying 
certain payment practices that will not be subject to prosecution under 
the anti-kickback statute. We intend to protect practices that pose a 
low risk to Federal health care programs and beneficiaries, as long as 
specified conditions are met. In doing so, we considered the factors 
cited by Congress in granting statutory authority to the Secretary 
under Section 1128D(a)(2) of the Social Security Act.\10\ Specifically, 
the new and modified safe harbors are designed to further the goals of 
access, quality, patient choice, appropriate utilization, and 
competition, while protecting against increased costs, inappropriate 
steering of patients, and harms associated with inappropriate 
incentives tied to referrals. We also codify into our regulations a 
statutory safe harbor for patient incentives offered by accountable 
care organizations (ACOs) to assigned beneficiaries under ACO 
Beneficiary Incentive Programs and an exception to the definition of 
``remuneration'' in 42 CFR 1003.110 for certain telehealth technologies 
for in-home dialysis.
---------------------------------------------------------------------------

    \10\ 42 U.S.C. 1320a-7d(a)(2).
---------------------------------------------------------------------------

    To facilitate review of the new and modified safe harbors and 
exception in context, we summarize the proposals and final regulations 
by topic in section III.B below. The following are the safe harbors and 
the exception that we are finalizing, together with the citation to 
where they appear in our regulations and a reference to the preamble 
section of this final rule where they are discussed in greater detail:
     Modifications to the existing safe harbor for personal 
services and management contracts, including outcomes-based payments, 
at paragraph 1001.952(d) (preamble section III.B.10);
     modifications to the existing safe harbor for warranties 
at paragraph 1001.952(g) (preamble section III.B.11);
     modifications to the existing safe harbor for electronic 
health records items and services at paragraph 1001.952(y) (preamble 
section III.B.9);
     modifications to the existing safe harbor for local 
transportation at paragraph 1001.952(bb) (preamble section III.B.12)
     a new safe harbor for care coordination arrangements to 
improve quality, health outcomes, and efficiency at paragraph 
1001.952(ee) (preamble sections III.B.1, III.B.2, and III.B.3);
     a new safe harbor for value-based arrangements with 
substantial downside financial risk at paragraph 1001.952(ff) (preamble 
sections III.B.1, III.B.2, and III.B.4);
     a new safe harbor for value-based arrangements with full 
financial risk at paragraph 1001.952(gg) (preamble sections III.B.1, 
III.B.2, and III.B.5);
     a new safe harbor for arrangements for patient engagement 
and support to improve quality, health outcomes, and

[[Page 77689]]

efficiency at paragraph 1001.952(hh) (preamble section III.B.6);
     a new safe harbor for CMS-sponsored model arrangements and 
CMS-sponsored model patient incentives at paragraph 1001.952(ii) 
(preamble section III.B.7);
     a new safe harbor for cybersecurity technology and related 
services at paragraph 1001.952(jj) (preamble section III.B.8);
     a new safe harbor for accountable care organization (ACO) 
beneficiary incentive program at paragraph 1001.952(kk) (preamble 
section III.B.13); and
     an exception for telehealth technologies for in-home 
dialysis at paragraph 1003.110 (preamble section III.C.1)

III. Summary of Final Provisions, Public Comments, and OIG Responses

A. General

    OIG received 337 comments, 327 of which were unique, in response to 
the OIG Proposed Rule. A range of individuals and entities submitted 
these comments, including: Physicians and other types of clinicians, 
hospitals and health systems, other health care providers (e.g., post-
acute providers, laboratories, durable medical equipment suppliers, and 
dialysis providers), accountable care organizations, pharmaceutical and 
medical device manufacturers, health technology entities, pharmacies, 
third-party payors, trade associations, law firms, and consumer and 
patient advocacy groups.
    As a general matter, most commenters strongly supported the 
proposed safe harbors and the need for regulatory reform to the safe 
harbors and exceptions to the definition of ``remuneration'' under the 
Beneficiary Inducements CMP. While the majority of commenters 
recommended various revisions to the proposed safe harbors to increase 
regulatory flexibility, some commenters acknowledged that increased 
regulatory flexibility could increase the risk of harms associated with 
fraud and abuse and recommended revisions to add or strengthen 
safeguards in the safe harbor proposals. A few did not support the 
proposed safe harbor protections for value-based arrangements as 
proposed in paragraphs 1001.952(ee), (ff), (gg), primarily citing fraud 
and abuse risks. We have considered these comments carefully in 
developing the final rule, as described in more detail in responses to 
comments.
1. Alignment With CMS
    Several of the final safe harbors intersect with the physician 
self-referral law exceptions that CMS is finalizing as part of the 
Regulatory Sprint: The three new safe harbors for value-based 
arrangements at paragraphs 1001.952(ee), (ff), and (gg), the new 
cybersecurity safe harbor at paragraph 1001.952(jj), and the 
modifications to the electronic records safe harbor at paragraph 
1001.952(y).
    Comment: We received comments asking OIG and CMS to align our final 
rules in connection with the Regulatory Sprint to the greatest extent 
possible. Some commenters believed that the CMS and OIG proposals would 
perpetuate a dual regulatory environment (where, e.g., an arrangement 
could potentially violate one law but meet the requirements for 
protection under the other) and that a lack of consistency would make 
it more challenging for entities to navigate an already-complex 
regulatory framework. Some commenters suggested that the OIG Proposed 
Rule was too narrow compared to the CMS NPRM and requested that OIG 
protect what they described as a broader universe of arrangements that 
would be protected under the CMS proposals. Another commenter asked 
that OIG clarify in the final rule that compliance with the physician 
self-referral law would rebut any implication of intent under Federal 
anti-kickback statute.
    Response: We are mindful of reducing burden on providers and other 
industry stakeholders, and we have sought to align value-based 
terminology and safe harbor conditions with those being adopted by CMS 
in its physician self-referral regulations as part of the Regulatory 
Sprint wherever possible (CMS Final Rule).\11\ However, complete 
alignment is not feasible because of fundamental differences in 
statutory structures and sanctions across the two laws. As 
aforementioned, the Federal anti-kickback statute is an intent-based, 
criminal statute that covers all referrals of Federal health care 
program business (including, but not limited to, physician referrals). 
In contrast, the physician self-referral law is a civil, strict-
liability statute that prohibits payment by CMS for a more limited set 
of services referred by physicians who have certain financial 
relationships with the entity furnishing the services. As a result, the 
value-based exceptions adopted by CMS do not need to contemplate the 
broad range of conduct that implicates the Federal anti-kickback 
statute.
---------------------------------------------------------------------------

    \11\ The CMS Final Rule is being published elsewhere in this 
version of the Federal Register.
---------------------------------------------------------------------------

    Federal anti-kickback statute safe harbors and physician self-
referral law exceptions also operate differently. Because the physician 
self-referral law is a strict-liability statute, when an arrangement 
implicates the law, compliance with an exception is the only option to 
avoid overpayment liability. In other words, the exceptions define the 
full universe of acceptable arrangements that implicate the physician 
self-referral law. Even minor or erroneous deviations from the specific 
terms of a physician self-referral law exception can result in non-
compliance and, because of the statute's strict liability, 
overpayments. In contrast, compliance with an anti-kickback statute 
safe harbor is voluntary, and there are many arrangements that do not 
fit in a safe harbor that are lawful under the anti-kickback statute. 
Deviating from a safe harbor does not mean that an arrangement violates 
the anti-kickback statute. For arrangements that do not fit in a safe 
harbor, liability is determined based on the totality of facts and 
circumstances, including the intent of the parties.
    Because the Federal anti-kickback statute is not a strict liability 
law, the value-based safe harbors we are adopting need not capture the 
full universe of value-based arrangements that are legal under the 
Federal anti-kickback statute in order to accomplish the goals of 
removing barriers to more effective coordination and management of 
patient care. Thus, in designing our safe harbors, rather than mirror 
CMS's exceptions, we have included safe harbor conditions designed to 
ensure that protected arrangements are not disguised kickback schemes. 
We recognize that, for purposes of those arrangements that implicate 
both the physician self-referral law and the Federal anti-kickback 
statute, the value-based safe harbors may therefore protect a narrower 
universe of such arrangements than CMS's exceptions.
    To protect Federal health care programs and beneficiaries, we 
believe that it is important for the Federal anti-kickback statute to 
serve as ``backstop'' protection against abusive arrangements that 
involve the exchange of remuneration intended to induce or reward 
referrals and that might be protected by the physician self-referral 
law exceptions. In this way, the OIG and CMS rules, operating together, 
create pathways for parties entering into value-based arrangements that 
are subject to both laws to develop and implement value-based 
arrangements that avoid strict liability for technical noncompliance, 
while ensuring that the Federal Government can pursue those parties 
engaging in arrangements that are intentional kickback schemes.

[[Page 77690]]

    Further, many requirements of the final safe harbors and exceptions 
are consistent, particularly in the cybersecurity and electronic health 
records areas. In addition, the value-based terminology that describes 
the value-based enterprises and value-based arrangements that are 
eligible for protection under a value-based safe harbor under the anti-
kickback statute or a value-based exception under the physician self-
referral law are aligned in nearly all respects, except with respect to 
the definition of ``value-based activities'' and where slightly 
different language was required to integrate the new rules into the 
existing regulatory structures (points of difference are discussed 
later in this preamble). As a practical matter, this means that the 
same value-based enterprise or value-based arrangement can seek 
protection under both regulatory schemes, provided the relevant 
conditions of a safe harbor and an exception are satisfied.
    In sum, because of statutory distinctions, compliance with a value-
based safe harbor may require satisfaction of conditions additional to, 
or different from, those in a corresponding physician self-referral law 
exception. This is by design. We have endeavored to ensure that an 
arrangement that fits in a value-based safe harbor has a viable pathway 
for protection under a physician self-referral law exception. However, 
an arrangement that fits under a physician self-referral law exception 
might not fit in an anti-kickback statute safe harbor or might not fit 
unless additional features are added to the arrangement. That said, it 
is the Department's belief that compliance with one regulatory 
structure should not preclude compliance with the other.
    We disagree that compliance with the physician self-referral law 
rebuts any implication of intent under the Federal anti-kickback 
statute. Indeed, it is possible, depending on the facts and 
circumstances, that an arrangement may comply with an exception to the 
physician self-referral law but violate the Federal anti-kickback 
statute. The fact that a party complies with the requirements of the 
physician self-referral law is not evidence that the party does or does 
not have the intent to induce or reward referrals for purposes of the 
Federal anti-kickback statute. Parties may achieve compliance with an 
applicable exception to the physician self-referral law regardless of 
the intent of the parties. In addition, other differences between the 
physician self-referral law and Federal anti-kickback statute could 
lead to compliance with the physician self-referral law but not with 
the Federal anti-kickback statute. For example, parties may conclude 
that there are no ``referrals,'' as that term is defined for purposes 
of the physician self-referral law, but such assessment is inconclusive 
with respect to whether there are referrals, or the requisite intent to 
induce or reward referrals, for purposes of the Federal anti-kickback 
statute.
2. Comments Outside the Scope of the Rulemaking
    We received some comments that were outside the scope of this 
rulemaking. In some cases, comments (e.g., a request to update the 
physician self-referral law's in-office ancillary services exception) 
were outside the scope of our authority. Other comments and suggestions 
were outside the scope of this rulemaking but could be considered for 
future guidance or rulemaking. For example, some commenters urged OIG 
to modify existing safe harbors or develop entirely new safe harbors 
that were not related to the safe harbors and modifications proposed in 
the OIG Proposed Rule (e.g., an amendment to the referral services safe 
harbor, new safe harbors specific to Indian health care providers, and 
a new safe harbor specific to value-based contracting with 
manufacturers for the purchase of pharmaceutical products). Others 
requested sub-regulatory guidance outside the rule, such as a 
Frequently Asked Question feature to respond to specific questions or 
common scenarios from stakeholders. These or other topics that are 
outside the scope of this particular rulemaking are not summarized or 
discussed in detail in this final rule.
    In the next sections of this preamble, we summarize each proposal 
from the OIG Proposed Rule (full detail of the proposals can be found 
at 84 FR 55694); summarize the final rule, including significant 
changes from the proposals; and respond to public comments.

B. Federal Anti-Kickback Statute Safe Harbors

1. Value-Based Framework for Value-Based Arrangements
    Summary of OIG Proposed Rule: We proposed a set of value-based 
terminology, detailed in the next section, to describe the universe of 
value-based arrangements that would, as a threshold matter, be eligible 
to seek safe harbor protection under three safe harbors specific to 
value-based arrangements between VBEs and one or more of their VBE 
participants or between or among VBE participants: (i) The care 
coordination arrangements to improve quality, health outcomes, and 
efficiency safe harbor at 42 CFR 1001.952(ee), (ii) the value-based 
arrangements with substantial downside financial risk safe harbor at 42 
CFR 1001.952(ff), (iii) and the full financial risk safe harbor at 42 
CFR 1001.952(gg) (collectively referred to as the ``value-based safe 
harbors''). The value-based safe harbors would offer greater 
flexibilities to parties as they assume more downside financial risk.
    We proposed this tiered structure to support the transformation of 
industry payment systems and in recognition that arrangements involving 
higher levels of downside financial risk for those in a position to 
make referrals or order products or services could curb, at least to 
some degree, FFS incentives to order medically unnecessary or overly 
costly items and services.
    Summary of Final Rule: We are finalizing the tiered value-based 
framework of three safe harbors that vary based on risk assumption of 
the parties. Modifications to specific value-based terminology are 
discussed in the next section.
    Comment: Many commenters expressed support for our value-based 
framework. For example, a commenter stated that OIG had achieved a 
proper balance between flexibility for beneficial innovation and 
safeguards to protect patients and Federal health care programs against 
fraud and abuse risks. Others commended OIG for embracing the 
transition from no risk to downside financial risk as a central 
component of the value-based framework. In particular, commenters 
supported OIG's proposal under the care coordination arrangements safe 
harbor to afford protection to value-based arrangements in which 
parties had yet to take on downside financial risk.
    Response: We have finalized the value-based framework of three safe 
harbors, as proposed. We have made modifications to some of the value-
based terminology as discussed in Section III.B.2 below. We explain the 
specific reasons for the modifications to the value-based terminology 
in responses to comments in section III.B.2.
    Comment: Several commenters expressed general support for the 
proposed value-based safe harbors, while also recommending that OIG 
proceed with caution. For example, a payor urged us to maintain in the 
final rule the level of rigor reflected in the proposed value-based 
safe harbor and not increase the leniency provided under the proposed 
regulations.

[[Page 77691]]

Similarly, a trade association suggested that OIG take a limited 
``phased-in'' approach to the safe harbors to facilitate identification 
of appropriate patient protection and program integrity guardrails. 
Another commenter recommended that, at least once every 3 years, OIG 
assess and report on the effects of the value-based safe harbors, e.g., 
review clinical benefits, analyze cost savings, and solicit stakeholder 
input. A commenter also cautioned that giving more flexible safe harbor 
protection to value-based arrangements that include greater risk may 
push providers into assuming risk before they are ready to do so.
    Response: With this final rule, we have sought to find the 
appropriate balance between the policy goals of the Regulatory Sprint 
and the need to protect both patients and Federal health care programs. 
We decline to adopt the commenters' specific recommendations related to 
a potential phased-in approach or the regular publication of related 
reports, but we note that we may undertake future reviews of value-
based arrangements in Federal health care programs as part of our 
oversight mission. We have included robust safeguards in the value-
based safe harbors to address the commenters' concerns. We note that we 
are affording greater flexibilities under the substantial downside and 
full financial risk safe harbors in recognition of parties' assumption 
of the requisite level of downside financial risk. Others who may not 
be ready or willing to assume risk, or who are only ready or willing to 
assume risk at a level below that required by the substantial downside 
financial risk or full financial risk safe harbors, may look to the 
care coordination arrangements safe harbor, which does not require the 
assumption of risk, structure arrangements to fit in another safe 
harbor that might apply, or enter into arrangements that are not 
protected by a safe harbor, given that structuring an arrangement to 
satisfy a safe harbor is voluntary.
    Comment: Other commenters expressed concerns about potential fraud 
and abuse, with several asserting that the value-based safe harbors 
would foster an environment vulnerable to fraud and anticompetitive 
effects. Commenters had varying rationales for their position, 
including, for example, that existing safe harbors would be sufficient 
to advance value-based models; evaluation was warranted before 
finalizing these safe harbors; and the care coordination focus of the 
value-based safe harbors would lead to further industry consolidation. 
A state health department broadly asserted that the proposals lacked 
sufficient detail and, if finalized, would pose enforcement challenges. 
That commenter requested that we add more detail in our rulemaking, 
rather than through sub-regulatory guidance, to assist the state with 
developing comprehensive policies to support the rule.
    Several radiology trade associations expressed concern that the 
safe harbors omitted the guiding principle of fair market value and the 
restriction on determining the amount or nature of the remuneration 
based on the volume or value of referrals, and consequently, the value-
based arrangements could be abused or used as a means for referring 
providers to pay less for radiology or imaging services. Generally, 
these commenters supported the creation of value-based safe harbors 
only to the extent parties to a value-based arrangement had assumed 
significant downside financial risk. They recommended that each value-
based safe harbor include provisions prohibiting referring VBE 
participants from underpaying for radiology and imaging services within 
a VBE or otherwise leveraging their ability to direct referrals.
    Response: The commenters raise important concerns about potential 
harms resulting from fraud and abuse; we considered these harms 
carefully in developing the final rule. In response to comments, 
throughout this final rule we have clarified regulatory text to 
minimize confusion; offered additional explanations in preamble to 
expound upon OIG's interpretation of provisions in the value-based safe 
harbors; and provided illustrative examples for the value-based 
terminology, which we believe will aid in both enforcement and 
compliance. Parties also may request an advisory opinion from OIG to 
determine whether an arrangement meets the conditions of a safe harbor 
or is otherwise sufficiently low risk under the Federal anti-kickback 
statute to receive prospective immunity from administrative sanctions 
by OIG.
    This final rule aims to protect value-based arrangements that 
enhance patient care and deliver value, and we have included safeguards 
designed to preclude from protection arrangements that lead to 
medically unnecessary care, might involve coercive marketing, or limit 
clinical decision-making. These safeguards are described in greater 
detail below and throughout this preamble. In addition, certain 
entities that present heightened program integrity risk and are less 
likely to be at the front lines of care coordination are not eligible 
to rely on the value-based safe harbors or subject to additional 
safeguards. We believe the potential benefits of the final value-based 
safe harbors (e.g., facilitating the transition to value-based care and 
encouraging greater care coordination) outweigh the potential risks 
related to fraud and competition.
    The value-based safe harbors, as finalized, do not include the 
traditional fraud and abuse safeguards of fair market value or a broad 
prohibition on taking into account the volume or value of any 
referrals. However, we have included other safeguards in each of the 
value-based safe harbors that are intended to address potential fraud 
and abuse risks, e.g., a prohibition on taking into account the volume 
or value of referrals outside the target patient population, limits on 
directed referrals, and others described elsewhere in this preamble. 
The risk sharing required by the substantial downside financial risk 
and full financial risk safe harbors reduces some fraud and abuse 
concerns associated with a traditional fee-for-service payment system. 
We also included safeguards specific to the care coordination 
arrangements safe harbor, e.g., a contribution requirement for 
recipients, in recognition, in part, of the fact that this value-based 
safe harbor does not require parties to assume financial risk or meet 
certain traditional safeguards, such as a fair market value 
requirement. The care coordination arrangements safe harbor does not 
protect monetary payments, including payments for services such as 
radiology or imaging. Nothing in the risk-based safe harbors prevents 
parties from negotiating fair market value arrangements for services or 
from using the personal services and management contracts and outcomes-
based payments safe harbor at paragraph 1001.952(d), which includes 
fair market value requirements.
    While existing safe harbors could protect many care coordination 
arrangements, comments we received in response to the OIG RFI reflected 
that existing safe harbors are insufficient to protect the range of 
care coordination arrangements envisioned by the Regulatory Sprint. For 
example, apart from employment, there is no existing safe harbor 
protection for the sharing of personnel or infrastructure at below-
market-value rates. Thus, the value-based safe harbors will provide 
protection to a broader range of care coordination arrangements than is 
presently available under existing safe harbors. With respect to the 
commenter that suggested evaluation was warranted prior to implementing 
the value-based safe harbors, we solicited feedback on the anticipated 
approach for rulemaking

[[Page 77692]]

in the RFI and solicited comments on specific safe harbors, an 
exception, and relevant considerations in the OIG Proposed Rule. We do 
not believe further evaluation is needed to inform the issuance of this 
final rule; indeed, further formal evaluation could delay regulatory 
flexibilities designed to facilitate innovative value-based care and 
care coordination arrangements.
    With respect to concerns regarding industry consolidation, it is 
not the intent of this final rule to foster industry consolidation. The 
rule aims to increase options for parties to create a range of care 
coordination and value-based arrangements eligible for safe harbor 
protection, whether through employment, ownership, or contracts among 
otherwise unaffiliated, independent entities that wish to coordinate 
care. As explained elsewhere, the definition of a ``value-based 
enterprise'' is flexible, allowing for a broad range of participation 
and business structures. In addition, ``value-based arrangements'' are 
defined such that they can be among many participants or as few as two. 
The safe harbors are available to large and small systems and to rural 
and urban providers. We intend for this flexibility to ensure that 
smaller providers still have the opportunity to develop and enter into 
care coordination arrangements.
    Comment: Several commenters highlighted the potential harms the 
proposed value-based safe harbors could pose to patients, e.g., cherry-
picking, provision of medically unnecessary care, or stinting on care. 
Commenters also expressed concern that the safe harbors could 
negatively impact patient freedom of choice or impinge on the patient-
physician relationship. To address these concerns, commenters had 
varying suggestions. For example, some commenters urged OIG to insert 
patient transparency requirements in the value-based safe harbor that 
would mirror similar requirements in the Medicare Shared Savings 
Program. One such commenter stated transparency is necessary to ensure 
public confidence that the benefits of a value-based arrangement would 
not be exclusive to those party to the agreement.
    Response: We share the commenters' interests in protecting patients 
against cherry-picking, the provision of medically unnecessary care, 
stinting on care, patient steering, and any inappropriate infringement 
on the patient-doctor relationship. Accordingly, we have finalized 
safeguards in each of the three value-based safe harbors related to 
these issues. We did not propose patient transparency or notice 
requirements in the OIG Proposed Rule for the value-based safe harbors 
because we believed it potentially would impose undue administrative 
burden on providers, and we are not including any such condition in 
this final rule.
    Comment: We received a number of comments stating that our approach 
to the value-based safe harbors was not bold enough and would act as a 
barrier to advancing the coordination and management of care. For 
example, a commenter stated that the proposals, as drafted, would not 
advance care coordination and better quality outcomes because the OIG 
sets too many limits and boundaries within the value-based safe 
harbors. In addition, several commenters asserted that our definitions 
of certain key terms, such as value-based enterprise and VBE 
participant, were overly prescriptive. Other commenters asserted that 
our view of financial risk was too narrow and failed to recognize, 
among other things, that providers are already at substantial financial 
risk under existing financial incentives and penalties created by 
payment structures.
    Response: We disagree with those commenters who stated that our 
definitions are too narrow or prescriptive and that the proposed value-
based safe harbors are not bold enough because they would impose limits 
on the types of arrangements that are protected.
    As discussed in section III.B.2, we have defined the value-based 
terminology to allow for a wide range of individuals and entities to 
participate in value-based arrangements. The value-based safe harbors 
do not attempt to cover the entire universe of potentially beneficial 
arrangements, nor the entire universe of what may constitute risk. 
Indeed, we acknowledged in the OIG Proposed Rule, and confirm here, 
that we understood that participants in value-based arrangements might 
assume certain types of risk other than downside financial risk for 
items and services furnished to a target patient population (e.g., 
upside risk, clinical risk, operational risk, contractual risk, or 
investment risk).\12\ We continue to believe our focus on downside 
financial risk is warranted because the assumption of downside 
financial risk incentivizes those making the referral and ordering 
decisions to control costs and deliver efficient care in a way the 
other types of risk may not.
---------------------------------------------------------------------------

    \12\ 84 FR 55699 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Further, the care coordination arrangements safe harbor requires no 
assumption of downside risk by parties to a value-based arrangement. 
Accordingly, parties that do not meet the definition of taking on 
``substantial downside financial risk'' or ``full financial risk'' may 
seek protection for certain value-based arrangements under the care 
coordination arrangements safe harbor. They may also look to the new 
safe harbor protection for outcomes-based payments at paragraph 
1001.952(d)(2).
    We have included parameters in the value-based safe harbors to 
protect against risks of fraud and abuse, such as overutilization, 
inappropriate patient steering, or stinting on care. Nothing in the 
rulemaking changes the premise of safe harbors themselves: They offer 
protection to certain arrangements that meet safe harbor conditions, 
but they do not purport to define all lawful arrangements. Parties with 
arrangements that do not fit in a value-based safe harbor may look to 
other safe harbors or the language of the statute itself. Parties also 
may request an advisory opinion from OIG to determine whether an 
arrangement meets the conditions of a safe harbor or is otherwise 
sufficiently low risk under the Federal anti-kickback statute to 
receive prospective immunity from administrative sanctions by OIG.
    Comment: Multiple commenters recommended that, in lieu of a tiered 
approach to the value-based framework (i.e., three value-based safe 
harbors, based upon the level of risk assumed by parties), OIG should 
create a single value-based arrangements safe harbor. The commenters 
asserted that such an approach would reduce the complexity of the 
value-based safe harbors.
    Response: We appreciate the commenters' suggestion regarding ways 
to reduce complexity; however, we disagree with the commenters' 
recommendations to develop a single value-based arrangements safe 
harbor. The tiered approach we are finalizing in this rule supports the 
policy goals of the Regulatory Sprint regarding the transformation to 
value and offers parties flexibility to undertake arrangements that 
suit their needs. We do not believe that a one-size-fits-all approach 
would be feasible or effective to promote the transformation to value 
because we recognize there are many dimensions of value in health care 
that may look different for various stakeholders. To support the 
transformation to value, reflect that program integrity vulnerabilities 
change as parties assume more risk, and prevent unscrupulous behavior, 
we have adopted a tiered approach where the safeguards included in each 
of the value-based safe harbors are tailored according to, among other 
things, the

[[Page 77693]]

degree of downside financial risk assumed by the parties.
    Comment: In response to our solicitation of comments on whether to 
define the term ``value,'' we received varying comments. Some 
commenters supported our proposal to use the term in a non-technical 
way, with one asserting the term ``value'' is not a one-size-fits-all 
term of art. Others suggested that we reference--in the final 
definitions or otherwise--financial arrangements under advanced 
alternative payment models (APMs) to make clear that value-based 
arrangements in CMS-sponsored programs would receive protection under 
the value-based safe harbors.
    Response: We agree with those commenters that noted that ``value'' 
is not a one-size-fits all term. We decline to use or define the term 
``value'' for the purposes of these safe harbors because we believe 
industry stakeholders and those participating in value-based 
arrangements potentially protected by these safe harbors are best-
positioned to determine value. Notably, however, we define other terms 
critical to the value-based safe harbors, including ``value-based 
purpose,'' ``value-based activity,'' and ``value-based arrangement.'' 
These defined terms adequately capture the concept of value without 
prescriptively defining ``value,'' which could inhibit flexibility and 
innovation. We also are not adopting the commenters' suggestion to 
define any term by referencing financial arrangements under advanced 
APMs. Financial arrangements under CMS-sponsored APMs may satisfy the 
definition of ``value-based arrangement'' and may serve as one of many 
sources for considering value in the delivery of care. In addition, 
organizations already participating in CMS-sponsored models may wish to 
look to the new safe harbor for those models at paragraph 1001.952(ii).
    Comment: Several commenters requested that we offer additional 
clarity on key terms and concepts used throughout the value-based 
framework. For example, some commenters encouraged OIG to issue sub-
regulatory guidance with respect to the value-based safe harbors, while 
others requested specific examples of the types of value-based 
arrangements that could be protected. Another commenter suggested that, 
in order to avoid confusion, OIG more closely align its value-based 
safe harbors with the requirements in the Medicare Shared Savings 
Program fraud and abuse waivers (e.g., governing body approval of 
protected arrangements). Collectively, these commenters expressed 
concern that without further guidance from OIG, individuals and 
entities would remain too risk-averse to leverage the new safe harbors 
for value-based arrangements or would incur significant time and 
expense in creating a value-based enterprise that might not meet the 
required standards.
    Response: Based on these comments, throughout this final rule, we 
have endeavored to provide additional clarity and examples of key terms 
and concepts. Parties also may use OIG's advisory opinion process to 
obtain a legal opinion on the application of OIG's fraud and abuse 
authorities to a particular arrangement. Regarding the request for 
greater alignment with the Medicare Shared Savings Program, we note 
that we drew from our experience with the waivers issued for the 
Medicare Shared Savings Program in drafting the value-based safe 
harbors, but we do not believe alignment with the waiver conditions 
would be appropriate for a number of reasons. First, CMS provides 
programmatic oversight of the Medicare Shared Savings Program that it 
would not provide to all value-based enterprises under this final rule. 
In addition, the waivers apply to certain remuneration related to one 
type of alternative payment model, whereas the safe harbors finalized 
in this final rule apply to a broader range of arrangements focused on 
value-based care. Finally, as discussed in more detail below, all 
individuals and entities can be VBE participants, whereas participation 
in the Medicare Shared Savings Program is more limited. Parties 
participating in CMS-sponsored models may wish to look at the new safe 
harbor for those models at paragraph 1001.952(ii), which is closely 
aligned with model requirements and takes into account CMS's oversight 
of those models and the Medicare Shared Savings Program.
    Comment: Multiple commenters requested that OIG speak to the 
intersection of the proposed value-based safe-harbors with existing: 
(i) Financial arrangements that may not meet the four corners of the 
value-based safe harbors, despite otherwise being similar in concept; 
(ii) safe harbors; and (iii) state law and corporate practice of 
medicine requirements.
    Response: By promulgating value-based safe harbors, we are not 
opining, directly or indirectly, on the legality of existing financial 
arrangements that may be similar in concept to value-based arrangements 
that may be protected under the new value-based safe harbors. 
Arrangements that do not meet all conditions of an applicable safe 
harbor are not protected by that safe harbor. Whether such an 
arrangement violates the Federal anti-kickback statute is a fact-
specific inquiry. In addition, and as stated in the OIG Proposed Rule, 
parties to value-based arrangements may choose whether to protect such 
arrangements under existing safe harbors or under the new value-based 
safe harbors finalized in this final rule.
    We have attempted to create significant flexibility under the 
Federal anti-kickback statute while recognizing that parties still must 
comply with applicable State laws. Nothing in these safe harbors 
preempts any applicable State law (unless such State law incorporates 
the Federal law by reference).
    Comment: We received several comments that touched upon the 
applicability of the value-based safe harbors to commercial 
arrangements. For example, at least two commenters expressed support 
for extending the value-based safe harbor protections to participants 
in arrangements involving only commercial payor patients. Another 
commenter strongly recommended that OIG clarify in the final rule that 
the Federal anti-kickback statute is not implicated if a financial 
arrangement is strictly limited to commercial payor patients.
    Response: Generally speaking, the Federal anti-kickback statute is 
not implicated for financial arrangements limited solely to patients 
who are not Federal health care program beneficiaries. However, to the 
extent the offer of remuneration pursuant to an arrangement involving 
only non-Federal health care program beneficiaries is intended to pull 
through referrals of Federal health care program beneficiaries or 
business, the Federal anti-kickback statute would be implicated and 
potentially violated. While nothing in the value-based safe harbors 
precludes financial arrangements limited solely to patients who are not 
Federal health care program beneficiaries, the parties would need to 
meet all requirements of the applicable value-based safe harbor, and a 
pull-through arrangement would not meet the requirement, in each value-
based safe harbor found at (ee), (ff), and (gg), that the offeror of 
remuneration does not take into account the volume or value of, or 
condition the remuneration of referrals of, patients who are not part 
of the target patient population, or business not covered under the 
value-based arrangement.
    Comment: A commenter recommended that OIG apply the value-based 
safe harbors retrospectively.
    Response: As stated in the OIG Proposed Rule, the value-based safe

[[Page 77694]]

harbors will be prospective only and will be effective as of 60 days 
from the date this rule is published in the Federal Register. It is 
neither feasible nor desirable to confer safe harbor protection 
retrospectively under a criminal statute. Conduct is evaluated under 
the statute and regulations in place at the time of the conduct.
    Comment: A commenter supported OIG addressing value-based 
contracting and outcomes-based contracting for the purchase of 
pharmaceutical products in future rulemaking, including rules around 
medication adherence. Another commenter urged OIG to promulgate a safe 
harbor in this final rule specific to value-based arrangements with 
manufacturers for the purchase of pharmaceutical products (as well as 
medical devices and related services).
    Response: We did not propose, and thus are not finalizing, a safe 
harbor specifically for value-based arrangements with manufacturers for 
the purchase of their products. We may consider this topic, along with 
value-based contracting and outcomes-based contracting, for future 
rulemaking.
    Comment: Separate and apart from outcomes-based contracting, a 
handful of commenters requested that we create new safe harbors or 
issue certain guidance. For example, a hospital association urged us to 
create a safe harbor to facilitate non-CMS advanced payment models. 
Another commenter suggested we issue guidance affording parties 
additional regulatory flexibility to the extent their financial 
arrangements are consistent with the goals of the value-based safe 
harbors but do not otherwise satisfy all conditions.
    Response: We did not propose and are not finalizing a safe harbor 
specific to non-CMS advanced payment models. However, we refer the 
commenter to our substantial downside financial risk safe harbor at 
paragraph 1001.952(ff), as remuneration exchanged by the parties to the 
advanced payment model arrangement may be eligible for protection under 
that safe harbor.
    We likewise are not issuing guidance to provide parties with 
additional regulatory flexibility to protect financial arrangements 
that are consistent with the goals of, but do not meet the requirements 
of, a value-based safe harbor. An arrangement must meet all conditions 
of the applicable value-based safe harbor for remuneration exchanged 
pursuant to the arrangement to receive protection.
    Comment: A commenter asserted that the value-based safe harbors do 
not satisfy the requirements set forth in section 1128D of the Act for 
the promulgation of new safe harbors. Specifically, the commenter 
asserted that the value-based safe harbors do not specify payment 
practices that are protected under the Federal anti-kickback statute, 
as required by section 1128D, because they only outline a set of 
general principles.
    Response: We disagree with the commenter. Section 1128D of the Act 
requires the Secretary to publish a notice soliciting proposals for, 
among other things, additional safe harbors specifying payment 
practices that shall not be treated as a criminal offense under section 
1128B(b) and shall not serve as the basis for an exclusion under 
section 1128(b)(7) and to publish proposed additional safe harbors, if 
appropriate, after considering such proposals. Consistent with that 
authority, the value-based safe harbors specify payment practices that 
will be protected if they meet a series of specific, enumerated 
requirements. Although a value-based safe harbor may protect 
remuneration exchanged pursuant to a diverse universe of value-based 
arrangements, all value-based arrangements within that universe share 
the features required by the applicable safe harbor.
    For example, the payment practice specified in the care 
coordination arrangements safe harbor is the exchange of in-kind 
remuneration pursuant to value-based arrangement, where, among several 
other requirements, the parties establish legitimate outcome measures 
to advance the coordination and management of care for the target 
patient population; the arrangement is commercially reasonable; and the 
recipient contributes at least 15 percent of either the offeror's cost 
or the fair market value of the remuneration. If an arrangement fails 
to meet any one of the safe harbor's requirements, it cannot receive 
protection under the safe harbor. This approach is consistent with the 
approach taken in other safe harbors that are not specific as to the 
type of arrangement. For example, the personal services and management 
contracts safe harbor protects any payments from a principal to an 
agent, as long as a series of standards are met.
    Comment: Numerous commenters requested that OIG and CMS seek 
greater alignment across their respective value-based rules. According 
to some of these commenters, further alignment would reduce 
administrative burden, confusion, and regulatory uncertainty. 
Commenters were generally in favor of OIG revising its proposed value-
based safe harbors to more closely parallel CMS's proposed value-based 
exceptions to the physician self-referral law. Commenters suggested 
that CMS's proposed value-based exceptions would protect a broader 
universe of beneficial innovative arrangements, without greater fraud 
and abuse risk. Accordingly, commenters urged OIG to create a safe 
harbor for any value-based arrangement that otherwise met a physician 
self-referral law exception or, alternatively, state that compliance 
with the physician self-referral law would rebut any implication of 
intent under the Federal anti-kickback statute. Commenters also 
advocated that OIG adopt certain CMS proposed definitions, e.g., CMS's 
``volume or value'' definition.
    Response: As explained in more detail in section III.A.1 of this 
preamble, we are mindful of reducing burden on providers and other 
industry stakeholders, and we have sought to align value-based 
terminology and safe harbor conditions with those being adopted by CMS 
as part of the Regulatory Sprint wherever possible. However, complete 
alignment is not feasible because of fundamental differences in 
statutory structures and penalties across the two laws, as well as 
differences in how anti-kickback statute safe harbors and physician 
self-referral law exceptions operate. For example, the physician self-
referral law applies to referrals by physicians for specified 
designated health services, whereas the anti-kickback statute applies 
to referrals by anyone of any Federal health care program business. 
Fitting in an exception to the physician self-referral law is 
mandatory, whereas using safe harbors is voluntary. In designing our 
safe harbors, we have included conditions designed to ensure that 
protected arrangements are not disguised kickback schemes, and we 
recognize that, for purposes of those arrangements that implicate both 
the physician self-referral law and the Federal anti-kickback statute, 
the value-based safe harbors may therefore protect a narrower universe 
of arrangements than CMS's exceptions.
    We do not agree as a matter of law that compliance with the 
physician self-referral law would rebut any implication of intent under 
the Federal anti-kickback statute. We did not propose to, and do not, 
adopt CMS's proposed interpretation of the term ``takes into account 
the volume or value of referrals or other business generated.'' We have 
aligned terminology used in the value-based framework and set forth at 
paragraph 1001.952(ee) in our rule, as described below.
    2. Value-Based Terminology (42 CFR 1001.952(ee))

[[Page 77695]]

    We proposed to define at paragraph 1001.952(ee)(12) the following 
terms: ``value-based enterprise'' (``VBE''), ``value-based 
arrangement,'' ``target patient population,'' ``value-based activity,'' 
``VBE participant,'' ``value-based purpose,'' and ``coordination and 
management of patient care.'' We summarize the proposal for each of 
these definitions and the final rule in turn below. These definitions 
are now located at paragraph 1001.952(ee)(14) of the final rule and 
cross-referenced in the safe harbors at paragraphs 1001.952(ff), (gg), 
and (hh). In this final rule, we have added definitions at paragraph 
1001.952(ee)(14) for the following terms that are used in connection 
with determining eligibility of certain types of entities to use the 
safe harbors at paragraphs 1001.952(d)(2), (ee), (ff), (gg), and (hh): 
``limited technology participant,'' ``digital health technology,'' and 
``manufacturer of a device or medical supply.'' These definitions are 
discussed in section III.B.2.e.
a. Value-Based Enterprise (VBE)
    Summary of OIG Proposed Rule: We proposed to define the term 
``value-based enterprise'' or ``VBE'' as two or more VBE participants: 
(i) Collaborating to achieve at least one value-based purpose; (ii) 
each of which is a party to a value-based arrangement with the other or 
at least one other VBE participant in the value-based enterprise; (iii) 
that have an accountable body or person responsible for financial and 
operational oversight of the value-based enterprise; and (iv) that have 
a governing document that describes the value-based enterprise and how 
the VBE participants intend to achieve its value-based purpose(s).
    Summary of Final Rule: We are finalizing, with modification, the 
definition of ``value-based enterprise.''
i. General
    Comment: Multiple commenters supported the definition of ``value-
based enterprise,'' as proposed, and the flexibility the definition 
offers. A commenter appeared to ask OIG to revise the definitions of 
``value-based enterprise,'' ``value-based arrangement,'' and ``value-
based activity'' so that they do not incorporate and rely on other 
defined terms. Another commenter suggested a broader definition of 
``VBE'' that would allow affiliates of a VBE to participate within the 
VBE without becoming VBE participants.
    Response: The definition of ``value-based enterprise'' is intended 
to be broad and flexible to encompass a wide range of VBEs, from 
smaller VBEs comprised of only two or three parties to large VBEs, such 
as entities that function similar to ACOs. We decline to expand the 
definition further to allow affiliates of VBE participants to 
participate in a VBE without becoming VBE participants. We designed the 
value-based framework, including the requirement for parties to be 
either a VBE or a VBE participant, to ensure the remuneration that the 
safe harbors protect is exchanged pursuant to a value-based arrangement 
where all parties are striving to achieve value-based purposes. VBE 
participants can continue to enter into arrangements with affiliates 
and other non-VBE participants and may look to other available safe 
harbors for potential protection for those arrangements.
    We also decline to revise the definitions of ``value-based 
enterprise,'' ``value-based arrangement,'' and ``value-based activity'' 
to omit references to other defined terms. The value-based terminology 
we are finalizing works in concert to explain the universe of value-
based arrangements under which the exchange of remuneration may receive 
safe harbor protection. For example, because the terms ``VBE 
participant,'' ``value-based purpose,'' and ``value-based arrangement'' 
are fundamental to the definition of ``value-based enterprise,'' we are 
finalizing a definition of ``value-based enterprise'' that references 
those terms.
    Comment: A commenter asked whether parties could prove 
collaboration to achieve one or more value-based purposes by measuring 
the amount of time a VBE participant has been taking part in a value-
based activity.
    Response: To accommodate a broad range of VBEs, from small to 
large, this final rule does not prescribe how VBE participants prove 
that they are collaborating to achieve at least one value-based 
purpose, as required by the definition of ``value-based enterprise''; 
it is incumbent on the VBE participants to demonstrate that they are 
meeting this requirement. For example, time spent on value-based 
activities, records of collaboration between parties, and participation 
in applicable meetings, could all be relevant factors, depending on the 
unique nature and circumstance of the VBE and the arrangements among 
the VBE participants.
    Comment: A commenter expressed concern that the costs of forming a 
VBE could be prohibitive for small and rural providers and providers 
serving underserved populations, and it appeared to ask OIG to create 
an online portal that parties could use to create VBEs. Another 
commenter asked OIG to state expressly that a VBE may add individual 
physicians and other clinicians as VBE participants on an ongoing basis 
and still meet the definition of ``VBE.''
    Response: The definition of ``VBE'' is intended to be both broad 
and flexible to accommodate providers, suppliers, and other entities of 
varying sizes and financial means seeking to participate in value-based 
arrangements. The definition, as finalized, will allow small and rural 
providers and providers serving underserved populations to form VBEs 
that correspond in scope and design with the VBE participants' 
resources. For example, we anticipate that parties could form a VBE 
with a single value-based arrangement, and a VBE could be comprised of 
only two VBE participants. We did not propose to create an online 
portal for the creation of VBEs, and we are therefore not establishing 
an online portal in this final rule. We also confirm that VBE 
participants may join and leave a VBE throughout the existence of the 
VBE, but we note that a VBE always must have two or more VBE 
participants to meet the definition of ``value-based enterprise.''
    Comment: A commenter recommended that we require a value-based 
enterprise to utilize electronic health records so that each entity 
participating in the value-based enterprise has a strong data platform 
to track and evaluate the VBE's inputs and outcomes. According to the 
commenter, data from the EHR systems is critical to care delivery and 
care coordination.
    Response: We agree that EHR systems can help individuals and 
entities within the VBE facilitate the coordination and management of 
care but did not propose to require, and thus are not requiring, VBEs 
or VBE participants to use them. Moreover, we intend for entities of 
varying sizes and with different levels of funding and access to 
technology to be able to utilize the value-based safe harbors. While we 
continue to support the Department's goal of continued adoption and use 
of interoperable EHR technology that benefits patient care, we are 
concerned that requiring utilization of EHR may unduly limit the 
ability of some entities to form a VBE. Donations of EHR by VBEs to VBE 
participants can be protected by the value-based safe harbors if all 
conditions are met. Alternatively, VBE and VBE participants may use the 
EHR safe harbor that this final rule makes permanent.
    Comment: Commenters asked how the definition of ``value-based 
enterprise'' would apply to integrated delivery systems, with a 
commenter specifically inquiring as to how entities within a

[[Page 77696]]

larger integrated delivery system that enter into arrangements with a 
payor for shared savings and losses could subsequently share such 
savings or losses with downstream contracted or employed physicians. 
The commenter asked whether each party offering or receiving 
remuneration would be required to be a party to an agreement with the 
payor or if separate agreements between the downstream entities would 
suffice. Another commenter asked OIG to confirm whether an already 
existing integrated delivery system, ACO, or similar entity could meet 
the requirements of a VBE or whether that entity must establish a new 
value-based enterprise to use the value-based safe harbors. A commenter 
asserted that the value-based definitions and safe harbors should 
include integrated delivery systems, accountable care, team-based care, 
coordinated care (including for dual eligible beneficiaries), bundled 
payments, payments linked to quality or outcomes, Medicaid waiver 
programs, and Medicare managed care, value-based, or delivery system 
reform directed payments. A commenter recommended that the final rule 
deem an existing ACO to be compliant with the requirements of an 
applicable safe harbor to help retain ACOs as a central organizational 
structure, reduce regulatory burden, reduce risk of whistleblower or 
regulatory challenges, and minimize the need for creation of 
arrangements outside the ACOs. For each value-based safe harbor the 
commenter made specific suggestions: That OIG deem ACO outcome measures 
to meet the outcome measures requirement for care coordination 
arrangements; and for the substantial downside financial risk and full 
financial risk safe harbors, that all safe harbor conditions would be 
deemed met if the requisite level of downside financial risk were 
present.
    Response: The final rule, including the value-based terminology, 
value-based safe harbors, and other safe harbors we are finalizing, 
offers several potential pathways for protection for the types of 
arrangements noted by the commenters, provided all applicable 
definitions and safe harbor conditions are satisfied. An existing 
integrated delivery system, ACO, or comparable entity could potentially 
qualify as a ``value-based enterprise'' and meet all of the 
requirements of the definition to use the value-based safe harbors we 
are finalizing. Arrangements for shared savings or losses and certain 
bundled payments could be protected under the substantial downside and 
full financial risk safe harbors, which protect in-kind and monetary 
remuneration exchanged between a VBE and a VBE participant. Under these 
safe harbors, a hospital that is a VBE participant could enter into a 
value-based arrangement with a VBE, pursuant to which the VBE shares 
savings or losses with the hospital VBE participant. However, this 
arrangement could not be protected under the care coordination 
arrangements safe harbor, which does not protect the exchange of 
monetary remuneration. Monetary remuneration, including payments linked 
to outcomes, could qualify for protection under the safe harbor for 
personal services and management contracts and outcomes-based payments 
at paragraph 1001.952(d)(2). Neither the substantial downside financial 
risk safe harbor nor the full financial risk safe harbor protects the 
exchange of remuneration between entities downstream of the VBE (i.e., 
between VBE participants, a VBE participant and a downstream 
contractor, or downstream contractors). Apart from the value-based safe 
harbors, some managed care arrangements could be structured to fit in 
the existing managed care safe harbors at paragraphs 1001.952(t) and 
1001.952(u). ACOs and others in CMS-sponsored models could use the new 
safe harbor at paragraph 1001.952(ii).
    We did not propose and are not adopting a deeming provision for 
ACOs, as recommended by the commenter. Under the final value-based safe 
harbors, ACOs would need to meet all applicable safe harbor conditions. 
We have designed the value-based terminology and safe harbors to be 
flexible to accommodate a range of VBE types, structures, and 
arrangements, including ACOs. Moreover, when participating in a CMS-
sponsored model, an ACO might rely on an existing fraud and abuse 
waiver or the new safe harbor for CMS-sponsored models at paragraph 
1001.952(ii), rather than a value-based safe harbor.
    To the commenter's question regarding separate agreements, although 
the substantial downside financial risk and full financial risk safe 
harbors would not protect any shared savings or losses (or other 
remuneration) between the hospital VBE participant and its downstream 
employed or contracted physicians, the VBE could enter into value-based 
arrangements directly with physicians who are VBE participants in order 
to share savings or losses with the physicians. We note, however, that, 
consistent with all other safe harbors, compliance with the value-based 
safe harbors is not compulsory. Parties may enter into lawful 
arrangements for value-based care that do not meet a safe harbor. Other 
safe harbors may be relevant to protect remuneration exchanged in a 
value-based arrangement, such as the personal services and management 
contracts safe harbor or a managed care safe harbor, depending on the 
circumstances. The OIG advisory opinion process also remains available.
    Comment: A commenter asked whether VBEs must undergo a formal 
process to receive protection under the new safe harbors.
    Response: All safe harbors to the Federal anti-kickback statute, 
including the new safe harbors we are finalizing in this final rule, 
are voluntary, and parties do not need to undergo any process or 
receive any affirmation from the Federal Government in order to receive 
protection. We note that qualifying as a value-based enterprise is not 
sufficient to obtain protection under the value-based safe harbors. To 
be protected, the remuneration exchanged between or among parties to 
the VBE must squarely meet all conditions of an available safe harbor. 
Parties that wish for OIG to opine on whether an arrangement satisfies 
the criteria of a safe harbor may submit an advisory opinion request.
    Comment: A commenter stated that an entity that qualifies as a VBE 
should be deemed to meet the Federal Trade Commission (FTC) and 
Department of Justice (DOJ) requirements for clinical integration.
    Response: Whether a value-based enterprise meets the FTC and DOJ 
requirements for clinical integration is outside the scope of this 
rulemaking and thus the issue raised by the commenter is not addressed 
in this rule.
    Comment: Several commenters asked OIG to include references to free 
clinics, charitable clinics, and charitable pharmacies in the 
definition of ``value-based enterprise,'' stating that hospitals 
otherwise will remain risk averse to establishing or continuing 
partnerships with such entities. Another commenter asked OIG to confirm 
that the terms ``value-based enterprise,'' ``value-based arrangement,'' 
and ``value-based activity'' apply exclusively to the new safe harbors 
and not in other contexts, such as state Medicaid programs, to ensure 
the new value-based terminology does not disrupt the administration of 
existing value-based arrangements.
    Response: We do not believe it is necessary to include references 
to any specific entities in the definition of ``value-based 
enterprise.'' While the commenter requested that we reference these 
entities in the definition of ``VBE,'' we note that under this final 
rule all individuals and entities are eligible to

[[Page 77697]]

be VBE participants (other than a patient acting in their capacity as a 
patient). The definitions we are finalizing for the value-based 
terminology, including the terms ``value-based enterprise,'' ``value-
based arrangement,'' and ``value-based activity,'' do not apply outside 
of the safe harbors being finalized in this rule. Given OIG's limited 
authority in the context of this rulemaking, we do not purport to 
define these terms for other purposes, including for State Medicaid 
programs; however, the safe harbors could protect remuneration 
resulting from value-based arrangements involving Medicaid 
beneficiaries (to the extent that all applicable safe harbor conditions 
are satisfied). CMS is using the same terminology for its new value-
based exceptions under the physician self-referral law.
    Comment: A commenter asserted that the proposed definitions of 
``value-based enterprise,'' ``value-based arrangement,'' ``value-based 
activity,'' and ``VBE participant'' apply only to the care coordination 
arrangements safe harbor and not to the substantial downside financial 
risk safe harbor or the full financial risk safe harbor.
    Response: The commenter's apparent confusion arises from the 
language in proposed paragraph 1001.952(ee) that states, ``[f]or 
purposes of this paragraph (ee), the following definitions apply.'' 
Notwithstanding this language, the substantial downside financial risk 
safe harbor and the full financial risk safe harbor expressly 
incorporate the definitions of ``value-based enterprise,'' ``value-
based arrangement,'' ``value-based activity,'' and ``VBE participant'' 
set forth in paragraph 1001.952(ee).
    Comment: While supporting the proposed definition of ``value-based 
enterprise,'' several commenters requested that OIG and CMS align any 
modifications to the final definition of ``VBE.'' According to the 
commenter, identical definitions would allow stakeholders to place more 
focus on the delivery of value-based care because they would not need 
to navigate different legal frameworks under the Federal anti-kickback 
statute and the physician self-referral law.
    Response: We are finalizing a definition of ``value-based 
enterprise'' that remains aligned with the definition finalized by CMS.
    Comment: Some commenters asserted that Indian health programs 
should be deemed to meet the definition of ``value-based enterprise'' 
even if they do not meet each requirement of the definition because 
Tribes, as sovereign governments, do not enter into agreements in which 
another entity has governing authority or control over any part of the 
Tribe. In addition, they explained that Indian health programs have 
several features of the proposed definition (e.g., Indian health 
programs are held accountable by the governing body of the Tribe or the 
United States Congress, in the case of IHS-run programs). Such 
commenters asserted that requiring Indian health programs to meet any 
additional requirements would exclude or unnecessarily burden those 
programs.
    Similarly, several commenters requested that OIG address whether 
Indian health programs could be a VBE participant and recommended that 
the definition expressly state that Indian health programs may be VBE 
participants. Another commenter expressed concern that Indian health 
programs may not meet the proposed definition of VBE participant 
because Tribes are sovereign nations that will not enter into 
agreements with another entity with authority over the Tribe.
    Response: Indian health programs, as well as other individuals and 
entities, may themselves constitute VBEs or may form VBEs if they meet 
all requirements in the definition of such term. We are not 
promulgating any exceptions to the requirement that parties form a VBE 
in order to use one of the value-based safe harbors or the patient 
engagement and support safe harbor because we believe the definition of 
``value-based enterprise'' is sufficiently broad and flexible to allow 
Indian health programs to qualify as or form VBEs.
    In addition, under our revised definition of a ``VBE participant,'' 
all types of entities can be VBE participants, including Indian health 
programs and Indian health care providers that engage in at least one 
value-based activity as part of a VBE.
ii. Accountable Body
    Comment: Multiple commenters supported the proposed requirement 
that a VBE have an accountable body that is responsible for financial 
and operational oversight of the VBE, while some expressed concerns 
regarding the requirement. For example, some commenters asserted that 
parties would incur significant legal expenses to create an accountable 
body, which could discourage participation in VBEs, and questioned 
whether small or rural practices have the resources necessary to 
implement an accountable body. A commenter suggested OIG exempt smaller 
VBEs from the requirement to have an accountable body, particularly 
where the VBE is comprised only of individuals or small physician 
practices. Another noted that the requirement to have an accountable 
body could create tension between VBE participants when determining who 
will assume such role.
    Response: We do not believe the requirement for a VBE to have an 
accountable body or responsible person places an undue financial or 
administrative burden on VBEs or VBE participants, particularly because 
the definition of ``value-based enterprise'' affords parties the 
flexibility to create VBEs and accountable bodies that range in scope 
and complexity. We are not exempting small or other VBEs from the 
requirement to have an accountable body or responsible person. We do 
not expect that small VBEs would have the same resources as larger VBEs 
for this function or would structure the function in the same way. A 
VBE should have an accountable body or responsible person that is 
appropriate for its size and resource and is capable of carrying out 
the associated responsibilities. Any potential for conflict among VBE 
participants is a matter for the parties to address in their private 
contractual or other arrangements and does not warrant an exception to 
the accountable body requirement, which serves an important oversight 
and accountability function in the VBE.
    Comment: Commenters generally supported the flexibility for parties 
to tailor the accountable body to the complexity and sophistication of 
the VBE. Multiple commenters requested additional clarification on the 
nature and composition of the accountable body, including how and by 
whom the accountable body would be organized and whether the 
accountable body must be comprised of at least one representative from 
each VBE participant.
    A commenter asked OIG to clarify whether ACOs that already have 
governing bodies in place need to establish an additional accountable 
body or responsible person to meet the definition of ``VBE.'' Another 
commenter asked whether the safe harbor conditions applicable to 
accountable bodies are at least as rigorous as the conditions 
applicable to governing bodies in the fraud and abuse waivers issued 
for purposes of the Medicare Shared Savings Program.
    Response: We are not prescribing how VBE participants or VBEs form 
or otherwise designate an accountable body or responsible person in 
order to give parties flexibility to do so in a manner conducive to the 
scope and objectives of the VBE and its resources. For instance, a 
representative from each VBE participant in a VBE could, but is not 
required to, be part of the VBE's

[[Page 77698]]

accountable body. Where parties already have a governing body that 
constitutes an accountable body or responsible person, such parties are 
not required to form a new accountable body or designate a responsible 
person for purposes of creating a VBE. While the requirements for the 
accountable body or responsible person are not as stringent as the 
requirements for an ACO's governing body in the fraud and abuse waivers 
issued for purposes of the Medicare Shared Savings Program, we have 
concluded that the safe harbor requirements for the accountable body 
strike the right balance between allowing for needed flexibility for 
parties wanting to form and operate VBEs and providing for appropriate 
VBE oversight and accountability.
    Comment: Multiple commenters supported a range of additional 
requirements for VBE participants related to the accountable body, 
including requirements to: (i) Recognize the oversight role of the 
accountable body affirmatively; (ii) agree in writing to cooperate with 
the accountable body's oversight efforts; and (iii) report data to the 
accountable body to enable it to access and verify VBE participant data 
related to performance under value-based arrangements. Another 
commenter opposed additional requirements on VBE participants, stating 
that they would be unnecessary formalities that would constrain use of 
the value-based safe harbors for existing arrangements that might 
otherwise meet a value-based safe harbor's terms. Other commenters also 
asked what, if any, oversight OIG would expect from VBE participants, 
themselves, in addition to the oversight conducted by the accountable 
body.
    Response: It is important for the parties to a value-based 
arrangement to support and cooperate with the accountable body or 
responsible person. However, we are not finalizing requirements for VBE 
participants to recognize affirmatively the oversight role of the 
accountable body, agree in writing to cooperate with its oversight 
efforts, or report data. On balance, such requirements would introduce 
a level of unnecessary administrative detail and impose unnecessary 
administrative burden on many VBEs, particularly small or rural 
entities. Parties can themselves establish mechanisms to ensure the 
ability of the accountable body or responsible person to fulfill its 
obligations through, by way of example only, a term in arrangements 
between the VBE and its VBE participants that requires VBE participants 
to cooperate with the accountable body or responsible person's 
oversight efforts.
    Whether VBE participants must conduct additional oversight depends 
on the applicable safe harbor. Parties relying on safe harbor 
protection may want to ensure all applicable safe harbor requirements, 
including those related to oversight, are met because failure to 
satisfy these requirements would result in the loss of safe harbor 
protection for the remuneration at issue. Notwithstanding this fact, 
where a VBE participant or VBE has done everything that it reasonably 
could to comply with the safe harbor requirements applicable to that 
party but the remuneration exchanged loses safe harbor protection as a 
result of another party's noncompliance, the compliant party's efforts 
to take all reasonable steps would be relevant in a determination of 
whether such party had the requisite intent to violate the Federal 
anti-kickback statute.
    Comment: We received support for, and opposition to, a requirement 
for the accountable body to have more specific responsibilities for 
overseeing certain aspects of the VBE, including utilization of items 
and services; cost; quality of care; patient experience; adoption of 
technology; and quality, integrity, privacy, and accuracy of data 
related to each value-based arrangement. However, several commenters 
cautioned against overly prescriptive oversight obligations, with many 
commenters noting that the appropriate scope, methodology, and risk 
areas for monitoring and oversight will vary significantly based on the 
activities an entity is undertaking. According to several commenters, 
the program integrity benefits of any additional requirements on the 
accountable body would be outweighed by increased administrative 
burden.
    Response: We are not requiring more specific oversight 
responsibilities for the accountable body. The type of data the 
accountable body should monitor and assess could vary by VBE and by 
value-based arrangement, and therefore we are not imposing more 
prescriptive requirements on the accountable body with respect to its 
oversight responsibilities. However, in the full financial risk safe 
harbor, we are finalizing a requirement that the VBE provide or arrange 
for a quality assurance program for services furnished to the target 
patient population that protects against underutilization and assesses 
the quality of care furnished to the target patient population.
    Comment: Multiple commenters supported a requirement for VBEs to 
institute a compliance program to facilitate the accountable body's or 
responsible person's obligation to identify program integrity issues, 
with some also favoring requirements for periodic review of patient 
medical records to ensure compliance with clinical standards or for the 
designation of a compliance officer to oversee the VBE and its value-
based arrangements. One commenter recommended that VBE participants 
agree to a code of ethics related to compliance oversight.
    In contrast, multiple commenters opposed a requirement for the VBE 
to have a compliance program. Some asserted it would create an 
additional burden on VBEs without substantially reducing the risk of 
fraud and abuse. Commenters expressed concern that a compliance program 
requirement could result in inconsistent policies or duplicative 
administrative obligations if VBE participants already have compliance 
programs in place. Another commenter stated that such a requirement is 
unnecessary because VBEs are independently at risk for safe harbor 
compliance. A commenter recommended that, if OIG requires a VBE to have 
a compliance program, OIG should permit the VBE to meet such a 
requirement by: (i) Developing a compliance program specific to the VBE 
and its VBE participants, (ii) adopting an existing compliance program 
held by one of the VBE participants, or (iii) requiring an attestation 
from each VBE participant that it has a compliance program and conducts 
annual compliance reviews. Another commenter recommended that OIG 
provide model compliance provisions that could be included in 
agreements between parties in a VBE.
    Response: For purposes of these safe harbors, we are not requiring 
the VBE or its accountable body or responsible person to have a 
compliance program or to review patient medical records periodically. 
We also are not requiring an attestation or other agreements from each 
VBE participant that it has a compliance program and conducts annual 
compliance reviews. Compliance programs are an important tool for, 
among other things, monitoring arrangements, identifying fraud and 
abuse risks, and, where necessary, implementing corrective action 
plans. While it is our view that robust compliance programs are a best 
practice for all VBEs and VBE participants, we are not including 
specific compliance program requirements or providing model compliance 
provisions because VBEs of varying sizes and scopes may have and need 
different types of compliance programs. We anticipate many VBE 
participants already have compliance programs and may want to

[[Page 77699]]

consider updating these programs to reflect any new arrangements 
entered into as part of the VBE.
    A compliance program requirement for VBEs would necessitate that we 
articulate specific compliance program criteria, which we do not 
believe would be feasible or desirable, particularly in light of the 
expected variation of VBEs. We also are not requiring the VBE to 
designate an individual to serve as a compliance officer. For purposes 
of this rule, the accountable body or responsible person acts as an 
oversight body that performs a compliance function. In this respect, 
and as we stated in the OIG Proposed Rule, we believe the accountable 
body or responsible person would be well-positioned to identify program 
integrity issues and to initiate action to address them, as necessary 
and appropriate. VBEs may elect to have designated compliance officers 
if they so wish.
    Comment: A commenter asked whether the accountable body and VBE 
participants should expect a higher degree of auditing and oversight 
from OIG than entities not involved in a value-based enterprise.
    Response: OIG provides independent and objective oversight of the 
programs and operations of the Department. We anticipate that 
individuals and entities that are part of a value-based enterprise will 
be subject to OIG's program integrity and oversight activities to the 
same extent as other individuals and entities that receive Federal 
health care program funds or treat Federal health care program 
beneficiaries.
    Comment: Some commenters supported a requirement for the 
accountable body or responsible person to have a duty of loyalty to the 
VBE, particularly for accountable bodies serving larger VBEs. The 
commenters asserted that a duty of loyalty would be appropriate given 
the lack of programmatic oversight as compared to CMS-sponsored models 
and would help reduce certain risks (e.g., stinting on care or 
providing medically unnecessary care). Other commenters suggested that 
the accountable body should have a duty of loyalty to the patients 
within the VBE.
    Multiple commenters opposed requiring the accountable body or 
responsible person to have a duty of loyalty to the VBE, stating that 
it would create conflicts of interest for accountable body members that 
are, or are employed by, a VBE participant. Some commenters asserted 
that a duty of loyalty would necessitate the use of a third-party 
entity to serve as the accountable body, which could be cost 
prohibitive for small and rural providers, while others noted that 
large VBE participants may be unwilling to cede oversight 
responsibilities to an independent third party. A commenter proposed an 
alternative requirement for the accountable body or responsible person 
to act in furtherance of the VBE's value-based purpose(s).
    Response: We are not requiring the accountable body or responsible 
person to have a duty of loyalty to the VBE because we agree with 
commenters that a duty of loyalty often could create conflicts of 
interest for VBE participants and employees of VBE participants who 
otherwise would serve as members of the accountable body. We also agree 
that a duty of loyalty requirement could necessitate the use of 
independent third parties to serve as the accountable body, which could 
be cost prohibitive for smaller VBEs. While we are not implementing a 
requirement for the accountable body or responsible person to have a 
duty of loyalty or to act in furtherance of the VBE's value-based 
purpose(s), we believe the accountable body or responsible person 
necessarily must act in furtherance of the VBE's value-based purpose(s) 
to fulfill its oversight responsibilities. Parties are free to include 
this duty in their contractual arrangements.
    Comment: A commenter asked OIG to require the accountable body to 
submit data to the Department to demonstrate continued compliance with 
the applicable safe harbor and progress in improving outcomes and 
reducing costs. A commenter also asserted that OIG should require the 
accountable body or responsible person to implement a process for 
patients to express concerns and for the VBE to resolve such concerns, 
and others recommended that OIG ensure that VBE participants secure 
informed consent for each patient treated within a VBE.
    Response: We are not requiring accountable bodies or responsible 
persons to submit data to the Department for purposes of safe harbor 
compliance because we do not think the program integrity benefits of 
requiring data submission for safe harbor compliance would outweigh the 
administrative burden on both the government and the individuals and 
entities serving as accountable bodies or responsible persons. 
Notwithstanding the foregoing, we remind readers that OIG provides 
independent, objective oversight of HHS programs. Nothing in this rule 
changes OIG's authorities to request data for its oversight purposes. 
In addition, and as explained further below in section III.3.n.v, OIG 
will continue to evaluate whether to modify the care coordination 
arrangements safe harbor in the future to include a requirement that 
the VBE affirmatively submit certain data or information.
    Due to administrative burden concerns, we are not requiring the 
accountable body or responsible person to implement a process for 
patients to express concerns or ensure that VBE participants secure 
informed consent for each patient treated within a VBE. Such 
requirements may be useful processes for VBEs to consider in ensuring 
safe harbor compliance.
iii. Governing Document
    Comment: Commenters expressed general support for a governing 
document requirement. Some commenters asked whether the written 
document forming the value-based arrangement could also constitute the 
governing document, and another commenter questioned whether an 
existing payor contract could serve as a governing document. Another 
commenter requested that OIG permit a collection of documents to 
constitute a governing document.
    Response: A single document could constitute both the VBE's 
governing document and the writing required for a value-based 
arrangement so long as it includes all of the requisite requirements 
for each writing. In addition, an existing payor contract could qualify 
as a governing document so long as it describes the value-based 
enterprise and how the VBE participants intend to achieve the VBE's 
value-based purpose(s). However, we decline to permit a governing 
document for a VBE to be set forth in multiple writings. We permit the 
writing requirement in each new value-based safe harbor to be satisfied 
by a collection of writings because each party to a value-based 
arrangement must sign the writing; in contrast, the governing document 
of the VBE does not require any signatures. Creation of one governing 
document, that may be amended over time as the value-based activities, 
VBE participants, or other features of the VBE evolve, will help ensure 
that there is a clearly identifiable governance structure for the VBE.
    Comment: Some commenters expressed concern that the requirement for 
a VBE to have a governing document could be burdensome, particularly 
for small and rural practices and practices serving underserved areas. 
Another commenter requested a checklist or model terms for a governing 
document, and another commenter asked for clarification of requirements 
for the document.
    Response: We appreciate commenters' concerns regarding the burden 
that

[[Page 77700]]

developing a governing document may place on certain individuals or 
entities. We are finalizing the proposed definition of ``value-based 
enterprise,'' which does not prescribe a specific format or content for 
the governing document, other than it must describe the VBE and how the 
VBE participants intend to achieve its value-based purpose(s). This 
definition is designed to be flexible so that small and rural practices 
and practices serving underserved areas wishing to establish VBEs can 
craft governing documents appropriate to their size and the nature of 
their VBE. We anticipate that VBEs of different sizes and purposes will 
have different types of governing documents with different terms. The 
core requirement is that the governing document must describe the 
value-based enterprise and how the VBE participants intend to achieve 
the VBE's value-based purpose(s), regardless of the format of the 
document. This definition offers parties significant flexibility to 
craft a value-based enterprise and a governing document commensurate 
with the scope and sophistication of the VBE.
    As we stated in the preamble to the OIG Proposed Rule, the 
governing document requirement provides transparency regarding the 
structure of the VBE, the VBE's value-based purpose(s), and the VBE 
participants' roadmap for achieving the purpose(s). We do not believe a 
checklist for creating a governing document is necessary because the 
requirements for the governing document are set forth in the definition 
of ``value-based enterprise,'' itself. In addition, we decline to 
provide model terms because they could inhibit parties from developing 
terms that appropriately reflect the unique nature and circumstances of 
their value-based enterprises.
b. Value-Based Arrangement
    Summary of OIG Proposed Rule: We proposed to define the term 
``value-based arrangement'' to mean an arrangement for the provision of 
at least one value-based activity for a target patient population 
between or among: (i) The value-based enterprise and one or more of its 
VBE participants; or (ii) VBE participants in the same value-based 
enterprise. This proposed definition reflected our intent to ensure 
that each value-based arrangement is aligned with the VBE's value-based 
purpose(s) and is subject to its financial and operational oversight. 
It further reflected our intent for the value-based arrangement's 
value-based activities to be undertaken with respect to a target 
patient population.
    We noted in the OIG Proposed Rule that we were considering whether 
to address a concern about potentially abusive practices that could be 
characterized as the coordination and management of care by precluding 
some or all protection under the proposed value-based safe harbors for 
arrangements between entities that have common ownership, either 
through refinements to the definition of ``value-based arrangement'' or 
by adding restrictions on common ownership to one or more of the 
proposed safe harbors at paragraphs 1001.952(ee), (ff), or (hh).
    Summary of Final Rule: We are finalizing, with modification, the 
definition of ``value-based arrangement.'' We are modifying the 
regulatory text to clarify that only the value-based enterprise and one 
or more of its VBE participants, or VBE participants in the same value-
based enterprise, may be parties to a value-based arrangement. We are 
not precluding protection for arrangements between entities that have 
common ownership in the definition of ``value-based arrangement,'' nor 
in the individual safe harbors.
    Comment: Many commenters supported the proposed definition of 
``value-based arrangement'' and, in particular, appreciated the 
flexibility afforded by the definition, which the commenters posited 
will allow parties to design a range of arrangements that may qualify 
for protection under the value-based safe harbors, including 
arrangements between two providers that include only a single value-
based activity. Commenters also supported our proposal in the OIG 
Proposed Rule that the definition covers commercial and private insurer 
arrangements.
    Response: We reiterate in this final rule that the definition of 
``value-based arrangement'' is broad enough to capture commercial and 
private insurer arrangements. The definition is intended to afford 
parties significant flexibility. In addition, in response to comments, 
we are modifying the definition text to clarify our intent that 
``value-based arrangement'' capture arrangements for care coordination 
and certain other value-based activities among VBE participants within 
the same VBE, as indicated in the OIG Proposed Rule,\13\ by revising 
the definition so that the value-based arrangement may only be between: 
(i) The value-based enterprise and one or more of its VBE participants; 
or (ii) VBE participants in the same value-based enterprise.
---------------------------------------------------------------------------

    \13\ 84 FR 55702 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We emphasize that qualification as a value-based arrangement is 
necessary, but not sufficient, to protect remuneration exchanged 
pursuant to that arrangement; all conditions of an applicable safe 
harbor must be met.
    Comment: A commenter opposed the definition of ``value-based 
arrangement,'' expressing concern that it is too broad and vague and 
could be used as a mechanism to force the exclusive use of a particular 
product or particular provider. In addition, the commenter believed the 
definition could allow health care entities to engage in abusive 
practices by using a value-based safe harbor to funnel remuneration 
under the guise of a value-based arrangement.
    Response: We have addressed the commenter's concern with respect to 
exclusive use through a condition in the care coordination arrangements 
safe harbor at paragraph 1001.952(ee). We acknowledge and agree with 
the commenter's concern that parties might engage in abusive practices 
under the guise of a value-based arrangement; to that end, we have 
included robust safeguards in each value-based safe harbor to mitigate 
these concerns.
    Comment: A commenter requested clarification as to whether current 
arrangements would be affected and would need to be restructured to 
meet the definition of a ``value-based arrangement.''
    Response: There is nothing in this final rule that requires parties 
to an existing arrangement to restructure that arrangement to meet the 
new definition of a ``value-based arrangement.'' Parties to an existing 
arrangement that wish to rely on the protection of one of the value-
based safe harbors may want to review their arrangement to assess 
whether it fully meets the definition of a ``value-based arrangement'' 
and, thus, could be eligible for protection under a value-based safe 
harbor if all safe harbor conditions are met.
    Comment: Several commenters requested clarification regarding the 
statement in the OIG Proposed Rule that the definition of ``value-based 
arrangement'' is intended to capture arrangements for care coordination 
and certain other value-based activities among VBE participants within 
the same VBE.\14\ Specifically, commenters requested clarification 
regarding how this statement corresponds with the requirement in each 
proposed value-based safe harbor that the value-based arrangement have 
as a value-based

[[Page 77701]]

purpose the coordination and management of care.
---------------------------------------------------------------------------

    \14\ 84 FR 55702 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Response: The definition of ``value-based arrangement'' and the 
requirements for protection under the value-based safe harbors are 
consistent when read together. The term ``value-based arrangement'' 
means an arrangement for the provision of at least one ``value-based 
activity'' for a target patient population. The definition does not 
specify which value-based purpose(s) the value-based activity (or 
activities) must be designed to achieve. In this respect, the 
definition of ``value-based arrangement'' is broader than the 
requirements of some of the value-based safe harbors.
    Value-based arrangements are not de facto safe harbor protected. 
Rather, an arrangement that meets the definition of a ``value-based 
arrangement'' is eligible to seek protection in a value-based safe 
harbor. For safe harbor protection, it must squarely satisfy all safe 
harbor conditions. For reasons explained elsewhere in this preamble, 
the care coordination arrangements safe harbor requires a direct 
connection to the first value-based purpose, the coordination and 
management of patient care, which is a central focus of this 
rulemaking. The substantial downside financial risk arrangements safe 
harbor requires a direct connection to any one of the first three 
value-based purposes, and the full financial risk arrangements safe 
harbor requires a connection to any one of the four value-based 
purposes, in recognition of the parties' assumption of risk and the 
lower risk of traditional fee-for-service fraud. The substantial 
downside financial risk safe harbor and the full financial risk safe 
harbor, as finalized, do not require a direct connection to the 
coordination and management of care for the target patient population.
    In addition, the definition of ``value-based arrangement'' is 
consistent with the definition used in CMS's final rule. We anticipate 
this alignment may ease compliance burden for parties.
    Comment: A commenter asserted that neither VBEs nor VBE 
participants should be prohibited from entering into non-disclosure 
agreements with parties to a value-based arrangement because otherwise 
parties could use information learned in an arrangement against another 
party in an anticompetitive manner.
    Response: Neither the definition of ``value-based arrangement'' nor 
other safe harbor provisions in this final rule preclude parties to a 
value-based arrangement from entering into non-disclosure agreements.
    Comment: Most commenters opposed our proposal to preclude entities 
under common ownership from protecting remuneration that they exchange 
under the value-based safe harbors, whether through a change to the 
definition of ``value-based arrangement'' or by adding restrictions to 
one or more of the value-based safe harbors. Commenters asserted that 
entities under common ownership (e.g., through an integrated delivery 
system) are often best positioned to improve health outcomes and lower 
costs through coordinated care. Several commenters also asserted that 
such a requirement may preclude protection for entities participating 
in large value-based models, like clinically integrated networks or 
accountable care organizations. Some commenters also explained that 
rural and Indian health care providers are frequently operated through 
common ownership models. Others noted that hospitals in states that 
restrict direct physician employment often have arrangements with 
medical groups under common ownership, and another commenter raised 
concerns about the impact on physician-owned hospitals.
    Response: We appreciate commenters' responses. To address 
commenters' concerns, we are not limiting protection for entities under 
common ownership in this final rule. We continue to be concerned that 
there is potential for entities under common ownership to use value-
based arrangements to effectuate payment-for-referral schemes, but we 
also believe that the combinations of safeguards we are adopting in the 
safe harbors should mitigate these risks. For example, the requirement 
in the care coordination arrangements safe harbor that the value-based 
arrangement is commercially reasonable, considering both the 
arrangement itself and all value-based arrangements within the VBE, 
helps to ensure that the arrangements, taken as a whole, are calibrated 
to achieve the parties' legitimate business purposes.
    Comment: A commenter raised concerns about the timing of VBE 
participants entering into value-based arrangements and recommended 
that VBE participants not be prevented from providing value-based care 
to patients before a formal value-based arrangement has been executed. 
The same commenter recommended that we adopt a 90-day grace period for 
situations of technical non-compliance related to the timing of VBE 
participants entering into value-based arrangements.
    Response: First, we remind readers that failure to comply with a 
safe harbor provision (or any attendant, defined term) does not mean 
that an arrangement is per se illegal. Consequently, the value-based 
safe harbors do not prevent a physician, clinician, or other VBE 
participant from providing value-based care to patients prior to 
entering into a value-based arrangement, or at any other time. In 
addition, the Federal anti-kickback statute, which focuses on the 
knowing and willful offer, solicitation, payment, or receipt of 
remuneration in exchange for Federal health care program business, 
likely would not be implicated by the provision of only clinical care 
to patients. OIG appreciates that many physicians and others currently 
furnish value-based care to patients, and nothing in this rule changes 
their ability to do so. Stakeholders should assess whether arrangements 
that do not satisfy the definition of ``value-based arrangement,'' as 
defined in paragraph 1001.952(ee), implicate the statute. Any 
arrangements that are not value-based arrangements, as defined, would 
not qualify for protection under the value-based safe harbors, but 
could qualify under other safe harbors, depending on the facts and 
circumstances, or they might not need safe harbor protection. As 
finalized in this rule, a provider or other individual or entity 
furnishing value-based care may also become a VBE participant, but the 
value-based arrangements in which it participates might not need safe 
harbor protection if they do not implicate the statute.
    We are not adopting a 90-day grace period to execute value-based 
arrangements because it is our belief that it is not necessary. When a 
VBE participant must execute a value-based arrangement to receive safe 
harbor protection is based on the writing requirements of each safe 
harbor. For example, in the care coordination arrangements safe harbor 
as finalized at paragraph 1001.952(ee), the writing that documents the 
value-based arrangement must be set forth in advance of, or 
contemporaneous with, the commencement of the value-based arrangement 
and any material change to the value-based arrangement. Additionally, 
the writing may be a collection of documents. These flexibilities allow 
VBE participants to document their participation in a value-based 
arrangement with minimal burden. A VBE can add a new VBE participant to 
an existing arrangement in a separate document that becomes part of the 
collection of documents for that value-based arrangement.
c. Target Patient Population
    Summary of OIG Proposed Rule: We proposed to define ``target 
patient population'' as an identified patient

[[Page 77702]]

population selected by the VBE or its VBE participants using legitimate 
and verifiable criteria that: (i) Are set out in writing in advance of 
the commencement of the value-based arrangement; and (ii) further the 
value-based enterprise's value-based purpose(s). The proposal would 
protect only those value-based arrangements that serve an identifiable 
patient population for whom the value-based activities likely would 
improve health outcomes or lower costs (or both). In the OIG Proposed 
Rule, we noted that the definition was not limited to Federal health 
care program beneficiaries but could encompass, for example, all 
patients with a particular disease state.
    Summary of Final Rule: We are finalizing, without modification, the 
definition of ``target patient population.''
    Comment: Many commenters supported our proposed definition of 
``target patient population,'' including our requirement that the 
identified patient population be selected by the VBE or its VBE 
participants using ``legitimate and verifiable criteria.'' However, we 
received numerous comments about the use of the term ``legitimate'' to 
describe the criteria used to identify the target patient population in 
the proposed regulatory text, as well as the alternative proposal in 
the preamble to use the term ``evidence-based.'' Some commenters 
expressed support for the legitimate criteria standard and stated, for 
example, that it facilitated a holistic focus on patients' health. This 
category of commenters generally expressed opposition to the 
alternative evidence-based standard, arguing that it is too restrictive 
and would chill innovative value-based arrangements.
    Other commenters opposed the use of the term ``legitimate,'' 
stating that the term is ambiguous. Another commenter suggested that 
OIG enumerate the types of specific behavior that it wishes to preclude 
in lieu of using the term ``legitimate''; as an example, the commenter 
recommended that we state expressly in the definition of ``target 
patient population'' that it would preclude selection criteria designed 
to avoid costly or non-compliant patients. Multiple commenters 
requested that OIG provide additional clarification on the scope and 
application of the term, such as whether it could encompass criteria 
based on social determinants of health.
    Response: We are finalizing the definition of ``target patient 
population,'' as proposed, including the ``legitimate and verifiable 
criteria'' standard. As stated in the OIG Proposed Rule, we used this 
standard, and in particular, the term ``legitimate,'' to ensure the 
target patient population selection process is based upon bona fide 
criteria that further a value-based arrangement's value-based 
purpose(s), and we confirm that, depending on the facts and 
circumstances, legitimate criteria could be based on social 
determinants of health, such as safe housing or transportation needs. 
We are not including an exhaustive list of legitimate or non-legitimate 
selection criteria because there are various types of criteria that 
parties could use to select a target patient population; moreover, some 
criteria may be legitimate for some value-based arrangements but not 
for others. For example, as we stated in the OIG Proposed Rule, VBE 
participants seeking to enhance access to, and usage of, primary care 
services for patients concentrated in a certain geographic region might 
base the target patient population on ZIP Code or county of residence. 
In contrast, a value-based arrangement focused on enhancing care 
coordination for patients with a particular chronic disease might 
identify the target patient population based on patients who have been 
diagnosed with that disease. Other VBE participants, such as a social 
service organization working in conjunction with a pediatric practice, 
may identify their target patient population using income and age 
criteria, e.g., pediatric patients who have a household income below 
200 percent of the Federal poverty level and who are below the age of 
18, in an effort to boost pediatric vaccination rates in a given 
community.
    We are adopting the proposed ``legitimate and verifiable'' standard 
in lieu of the alternative we proposed, which would have required the 
use of ``evidence based'' criteria, because we believe requiring 
``legitimate and verifiable'' criteria will afford parties 
comparatively greater flexibility in determining the target patient 
population and aligns with CMS's definition of the same term.
    Comment: We received at least two comments requesting that we 
expressly state in regulatory text that establishing criteria in a 
manner that leads to cherry-picking or lemon-dropping would not 
constitute ``legitimate and verifiable'' selection criteria. These 
commenters expressed concern that the mere promise by VBE participants 
not to engage in such behavior would be sufficient to meet the 
definition of ``target patient population'' and receive safe harbor 
protection. Another commenter urged that OIG clarify the regulatory 
language to directly address concerns about cherry-picking or lemon-
dropping certain patient populations, in order to avoid unnecessary 
litigation and legal expense.
    Response: In response to the commenters' concerns, we confirm that 
if VBE participants establish criteria to target particularly lucrative 
patients (``cherry-picking'') or avoid high-cost or unprofitable 
patients (``lemon-dropping''), such criteria would not be legitimate 
for purposes of the target patient population definition. As we stated 
in the OIG Proposed Rule, if VBE participants selectively include 
patients in a target patient population for purposes inconsistent with 
the objectives of a properly structured value-based arrangement, we 
would not consider such a selection process to be based on legitimate 
and verifiable criteria that further the VBE's value-based purposes, as 
required by the definition.\15\ We are not adopting further 
modifications to the proposed definition because the definition's 
requirement that the criteria be legitimate and verifiable is clear and 
would not include VBE participants that establish criteria to cherry-
pick or lemon-drop patients.
---------------------------------------------------------------------------

    \15\ See 84 FR 55702 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: The vast majority of commenters on this topic opposed our 
statement in the OIG Proposed Rule that we were considering narrowing 
the definition of ``target patient population'' to patients with a 
chronic condition, patients with a shared disease state, or both. 
Commenters stated that such an approach would restrict the ability of 
value-based arrangements to adapt to different communities and patient 
needs and would ignore the importance of preventive care interventions. 
For example, a commenter highlighted the fact that many underserved and 
at-risk patient populations are defined not by chronic conditions or 
shared disease states but instead are identified by socio-economic, 
geographic, and other demographic parameters that are synonymous with 
need, poor outcomes, or increased cost.
    Response: We are retaining our proposed definition of ``target 
patient population'' and are not narrowing the definition to include 
only individuals with chronic conditions or shared disease states. We 
agree with commenters that were we to narrow the definition, we might 
exclude underserved and at-risk patient populations who would likely 
benefit from care coordination and management activities. We also 
recognize and acknowledge that finalizing our proposed definition will 
allow for

[[Page 77703]]

value-based arrangements that focus on important preventive care 
interventions.
    Comment: We received a variety of comments on the role of payors in 
identifying or selecting a target patient population. While some 
commenters supported requiring payors to select the target patient 
population, the majority of commenters urged OIG to make their 
involvement optional. For example, a commenter expressed concern that 
if OIG were to make payor involvement a requirement, it would impede 
collaboration between payors and providers. Others expressed 
uncertainty as to how a requirement that payors select or approve the 
target patient population would be implemented for Medicare fee-for-
service patients and questioned whether CMS would need to affirmatively 
approve each VBE's or value-based arrangement's target patient 
population selection criteria.
    Response: We are persuaded by commenters that it would not be 
operationally feasible to require payor involvement in the target 
patient population selection process. Not all value-based enterprises 
will include a payor as a VBE participant. Accordingly, while we 
encourage payor involvement in the target patient population selection 
process, it is not a requirement in this final rule. It is a 
requirement that the target patient population be selected by a VBE or 
its VBE participant.
    Comment: We received comments requesting wholesale changes to our 
proposed definition. For example, a commenter recommended that ``target 
patient population'' be defined as any set or subset of patients in 
which the accountable party of a VBE takes significant or full downside 
risk and is focusing efforts to improve their health and well-being. 
Another suggested that we eliminate the ``target patient population'' 
definition altogether and make the value-based safe harbors provider-, 
not patient-population-, specific.
    Response: We are not adopting the commenter's alternative 
definition of ``target patient population,'' which we did not propose 
and which would be too narrow to address the use of the term across all 
of our value-based safe harbors, one of which does not require the VBE 
participants to take on, or meaningfully share in, any risk. We are 
also not eliminating the ``target patient population'' definition in 
favor of making the value-based safe harbors provider-, not patient-
population-, specific because orienting the value-based safe harbors 
around patients is consistent with the goals of value-based care.
    Comment: At least two commenters requested that the definition of 
``target patient population'' afford parties the flexibility to modify 
the target patient population over time. Another commenter sought 
clarification that the definition could include patients retroactively 
attributed to the target patient population. Another commenter urged 
OIG to adopt a flexible definition but suggested that if OIG narrows 
its definition, the term should include underserved patients, such as 
uninsured and low-income patients; patients with social risk factors; 
and those with limited English proficiency.
    Response: The definition of ``target patient population'' requires, 
among other criteria, that parties identify a patient population using 
legitimate and verifiable criteria in advance of the commencement of 
the value-based arrangement. The selection criteria--not the individual 
patients--must be identified in advance. Whereas parties seeking to 
modify their selection criteria may only make such modifications 
prospectively (and upon amending their existing value-based 
arrangement), no amendment would be required to attribute patients 
retroactively to the target patient population, provided such patients 
meet the selection criteria established prior to the commencement of 
the value-based arrangement.
    Comment: Several commenters sought clarification as to whether a 
VBE participant's entire patient population could meet the definition 
of ``target patient population.''
    Response: Nothing in the definition precludes the parties to a 
value-based arrangement from identifying the target patient population 
as the entire patient population that a VBE participant serves. We 
recognize that, in limited cases, such broad selection criteria may be 
appropriate. For example, a VBE may identify all patients in a ZIP Code 
in order to address an identified population health need specific to 
that ZIP Code, and it may be that a practice also draws most or all 
patients from that ZIP Code. Certain specialists, such as 
geriatricians, might also identify all or most of their patients as 
needing improved care coordination and management due to their multiple 
comorbidities and complex care needs. In circumstances where a VBE has 
assumed full financial risk, as defined in paragraph 1001.952(gg), a 
VBE might select an even broader target patient population comprised of 
all patients served by its VBE participants in an effort to more 
meaningfully control payor costs.
    However, we caution that, depending on the value-based arrangement, 
selecting a target patient population by selecting the parties' entire 
patient population would need to be closely scrutinized for compliance 
with the definition to ensure that such broad selection criteria is 
``legitimate'' and necessary to achieve the arrangement's value-based 
purpose.
    Comment: Multiple commenters requested that OIG address whether 
specific categories of patients would be covered by the definition of 
``target patient population'' or provide examples of permissible target 
patient populations. For example, commenters requested confirmation 
that a target patient population could include all patients covered by 
a certain payor, such as Medicare. Another commenter expressed concern 
that transient patient populations who may have different providers in 
different geographic locations would not be covered by the definition.
    Response: As described above, a target patient population based on 
patients who have been diagnosed with a particular disease could, based 
on the specific selection criteria, be a permissible target patient 
population. Whether a particular patient population, including 
transient patient populations with different providers in different 
geographic locations, meets the definition of ``target patient 
population'' is a fact-specific determination that turns on whether the 
VBE participants used legitimate and verifiable selection criteria and 
met the other requirements set forth in the definition. While there may 
be circumstances, e.g., the assumption of full financial risk (as 
defined in paragraph 1001.952(gg)), where a VBE identifies all of the 
patients of a particular payor as the target patient population, we 
caution that relying on this criterion, without sufficient 
justification for such a broad approach, could raise questions 
regarding whether it is legitimate or, instead, is a way to capture 
referrals of, for example, Medicare business.
d. Value-Based Activity
    Summary of OIG Proposed Rule: We proposed to define ``value-based 
activity'' as any of the following activities, provided that the 
activity is reasonably designed to achieve at least one value-based 
purpose of the value-based enterprise: (i) The provision of an item or 
service; (ii) the taking of an action; or (iii) the refraining from 
taking an action. We further proposed that the making of a referral is 
not a value-based activity.
    Summary of Final Rule: We are finalizing, without modification, the 
definition of ``value-based activity.''

[[Page 77704]]

OIG's final definition of ``value-based activity'' differs from the 
definition in the CMS Final Rule because CMS does not specify that the 
making of a referral is not a value-based activity. As explained in 
CMS's final rule, CMS has not included a comparable restriction because 
of the physician self-referral law's separate definition of referral.
    Comment: Many commenters supported the definition of ``value-based 
activity,'' as proposed. Several commenters asked OIG to clarify the 
definition of ``value-based activity'' further by specifying what 
activities would or would not qualify as value-based; how VBEs would 
demonstrate that the activities they select are reasonably designed to 
achieve a value-based purpose; and what it means to refrain from taking 
an action. A few commenters asked whether providing services to 
patients constitutes a value-based activity.
    Response: The term ``value-based activity'' is intended to be broad 
and to include the actions parties take or refrain from taking pursuant 
to a value-based arrangement and in furtherance of a value-based 
purpose. By way of example, where a VBE participant offeror provides a 
type of health technology under a value-based arrangement for the 
recipient to use to track patient data in order to spot trends in 
health care needs and to improve patient care planning, the provision 
of the health technology by the offeror would constitute a value-based 
activity, and the use of the health technology by the recipient to 
track patient data would constitute a value-based activity. If the 
remuneration a VBE participant offeror provides is care coordination 
services, a value-based activity might be the recipient working with a 
care coordinator provided by the offeror to help transition certain 
patients between care settings. Giving something of value to patients, 
such as a fitness tracker, also may constitute a value-based activity 
if doing so is reasonably designed to achieve a value-based purpose. 
However, we note that, where VBE participants exchange remuneration 
that the recipient VBE participant then transfers to its patients (for 
example, where one VBE participant provides fitness trackers to another 
VBE participant, who in turn furnishes the fitness tracker to the 
patient), the care coordination arrangements safe harbor would be 
available only to protect the remuneration exchanged between the VBE 
participants. The parties may look to the patient engagement and 
support safe harbor to protect the remuneration from the VBE 
participant to the patient. An inaction that constitutes a value-based 
activity might be refraining from ordering certain items or services in 
accordance with a medically appropriate care protocol that reduces the 
number of required steps in a given procedure. This final rule does not 
prescribe how parties prove that a particular action or inaction 
constitutes a value-based activity. Similarly, it is incumbent on the 
parties to demonstrate that they selected value-based activities that 
are reasonably designed to achieve a value-based purpose. Both of these 
analyses would be fact-specific determinations.
    Comment: A commenter asked whether this definition could be 
combined with the definition of ``value-based purpose'' to reduce 
administrative complexity. Another commenter asserted that the 
definition of ``value-based activity'' should recognize the importance 
of maintaining patient care and outcomes at an acceptable level.
    Response: We are finalizing the definition of ``value-based 
activity,'' as proposed, and are not combining it with the definition 
of value-based purpose. In our view, separate definitions do not 
increase administrative complexity, and we have coordinated terminology 
with CMS to reduce complexity. We are not changing the definition of 
``value-based activity'' to include the maintenance of patient care and 
outcomes at an acceptable level because the definition of ``value-based 
activity'' is tied to the definition of ``value-based purpose,'' which 
sets forth four purposes toward which parties may be striving pursuant 
to value-based arrangements. While maintaining patient care and 
outcomes at an acceptable level is clearly desirable, we note that 
doing so, without more, is not one of the four value-based purposes 
needed to establish a VBE for this rulemaking.
    Comment: Many commenters supported the alternate proposal to 
expressly exclude any activity that results in information blocking 
from the definition of ``value-based activity.'' A commenter 
recommended that, if OIG expressly excludes information blocking from 
the definition of ``value-based activity,'' OIG should do so by 
referencing only statutory definitions and requirements in the Cures 
Act and not those set forth in ONC's proposed rule, whereas another 
commenter noted that, as an alternative to expressly excluding 
information blocking activities in the definition of ``value-based 
activity,'' OIG could assume that information blocking will no longer 
be tolerated and leave the enforcement of information blocking 
restrictions to the regulation finalized in 45 CFR part 171.
    Response: The final rule does not include the proposed language 
regarding information blocking. Regardless of whether parties seek safe 
harbor protection, if parties to value-based arrangement are subject to 
the regulations prohibiting information blocking, they must comply with 
those regulations. This final rule does not change the individuals and 
entities subject to the information blocking prohibition in 45 CFR part 
171.
    Comment: A commenter expressed concern that the definition of 
``value-based activity'' is too broad and vague and that VBE 
participants will characterize abusive remuneration-for-referral 
arrangements as value-based activities. The commenter suggested 
requiring that an activity achieve a value-based purpose, as opposed to 
requiring that an activity be reasonably designed to achieve a value-
based purpose.
    Comments varied regarding how to interpret whether an activity is 
``reasonably designed'' to achieve a value-based purpose. While a 
commenter supported interpreting ``reasonably designed'' to mean that 
the value-based activities are expected to further one or more value-
based purposes, another commenter suggested that such a determination 
be based on all relevant facts and circumstances. Other commenters 
recommended establishing a rebuttable presumption that value-based 
activities are reasonably designed to meet their stated value-based 
purpose. Another commenter urged OIG to require that value-based 
activities be directly connected to and directly further the 
coordination and management of care; not interfere with the 
professional judgment of health care providers; not induce stinting on 
care; and not incentivize cherry-picking lucrative or adherent patients 
or lemon-dropping costly or noncompliant patients.
    Lastly, while at least one commenter supported a requirement for 
parties to use an evidence-based process to design value-based 
activities, several commenters opposed this requirement, stating that 
such a standard would be too rigorous and would restrict innovative 
activities.
    Response: We are finalizing our definition as proposed. We 
intentionally crafted a broad definition of ``value-based activity'' to 
encourage parties to innovate when developing these activities. For 
that reason, we are not requiring that an activity achieve a value-
based purpose but rather are requiring that a value-based activity be 
reasonably designed to achieve a value-based purpose. By ``reasonably

[[Page 77705]]

designed,'' we mean that parties should fully expect the value-based 
activities they develop to further one or more value-based purposes. 
Because any such determination would be fact specific, we do not 
believe it is appropriate to establish a rebuttable presumption that 
value-based activities are reasonably designed to meet their stated 
value-based purpose, as suggested by a commenter.
    We note that, while this definition offers parties significant 
flexibility, it is not intended to facilitate parties' attempts to mask 
fraudulent referral schemes presented under the guise of a value-based 
activity. We highlight that the definition provides that merely making 
a referral, without more, is not a value-based activity for purposes of 
this rule.
    Lastly, we do not intend for the value-based safe harbors to 
protect activities that inappropriately influence clinical decision-
making, induce stinting on care, or lead to targeting particularly 
lucrative patients or avoiding high-cost or unprofitable patients. We 
have incorporated a range of safeguards in the safe harbors that are 
designed to guard against these abusive practices. In light of these 
safeguards, we do not believe that revisions to the definition of 
``value-based activity'' are necessary.
    Comment: Several commenters asked OIG to clarify what 
differentiates care coordination services from inappropriate referrals 
and to modify the definition to make clear that a referral could be one 
part of a broader value-based activity. Some commenters expressed 
concern that the definition of ``value-based activity'' prohibits safe 
harbor protection for value-based arrangements in which payments or 
other remuneration depend, in part, on referrals made within a 
preferred provider network. A commenter asked whether documenting that 
a referral was made and the reason for the referral would constitute a 
``value-based activity.''
    Response: Making referrals, or documenting reasons for referrals, 
would not constitute value-based activities. Parties to a value-based 
arrangement may make referrals and document the reasons for the 
referrals as part of a value-based arrangement without losing safe 
harbor protection under an applicable safe harbor, but the parties also 
must be performing one or more value-based activities. Thus, making 
referrals or documenting reasons for referrals, without also engaging 
in a value-based activity, would not be sufficient to meet the 
requirements of the definition because making referrals is not itself a 
value-based activity. Absent at least one value-based activity, parties 
would not have a viable value-based arrangement and would thus not be 
eligible for any of the value-based safe harbors.
    The provision excluding referrals from the scope of value-based 
activities is not intended to interfere with preferred provider 
networks; rather, we intend to require parties to engage in activities 
other than making referrals, such as coordinating care plans across 
providers for a target patient population, to be eligible for safe 
harbor protection.
e. VBE Participant
    Summary of OIG Proposed Rule: We proposed to define ``value-based 
enterprise participant'' or ``VBE participant'' as an individual or 
entity that engages in at least one value-based activity as part of a 
value-based enterprise. Based on historical concerns regarding fraud 
and abuse risk and our understanding that certain types of entities 
were less critical to coordinated care, we proposed that the term ``VBE 
participant'' would not include a pharmaceutical manufacturer; a 
manufacturer, distributor, or supplier of durable medical equipment, 
prosthetics, orthotics, or supplies; or a laboratory. We stated that we 
were considering and thus seeking comments as to whether other types of 
entities should also be ineligible, including pharmacies (including 
compounding pharmacies), PBMs, wholesalers, distributors, and medical 
device manufacturers. As a result of this proposed definition, these 
entities would not be able to participate in VBEs or seek protection 
under the value-based safe harbors or the patient engagement and 
support safe harbor.
    We stated our intent to offer safe harbor protection for 
remuneration exchanged by companies that offer digital technologies to 
physicians, hospitals, patients, and others for the coordination and 
management of patients and their health care. We recognized that 
companies providing these technologies may be new entrants to the 
health care marketplace or may be existing companies such as medical 
device manufacturers. We explained that we would consider for the final 
rule several ways to effectuate our desire to ensure safe harbor 
protection for remuneration exchanged by health technology companies, 
including through modifications to the value-based terminology; 
distinctions drawn among entities based on product-types or other 
characteristics; or modifications to the safe harbors themselves.
    In the OIG Proposed Rule, we considered and solicited comments on 
potential additional safeguards to incorporate into the value-based 
safe harbors to mitigate risks of abuse that might be presented should 
a broader range of entities be eligible to enter into value-based 
arrangements, including restrictions on the parties' use of exclusivity 
and minimum purchase requirements.
    For additional background and rationale for our proposals, we refer 
readers to the discussion of the definition of ``VBE participant'' in 
the OIG Proposed Rule.\16\
---------------------------------------------------------------------------

    \16\ 84 FR 55703-06 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing, with modifications, the 
definition of ``VBE participant.'' We are finalizing our proposed 
policy that a ``VBE participant'' is an individual or entity that 
engages in at least one value-based activity as part of a value-based 
enterprise. We are not finalizing our proposed regulatory text to make 
certain entity types ineligible under the definition of ``VBE 
participant.'' However, we are finalizing our proposed policy to make 
certain entities ineligible for safe harbor protection under the value-
based safe harbors and the patient engagement and support safe harbor 
(see section III.B.e.ii for details). We are also finalizing our 
proposed policy to protect some arrangements involving digital health 
technologies provided by certain entities that would otherwise be 
ineligible for safe harbor protection (see section III.B.e.iii).
    To effectuate these objectives, we are finalizing a different 
approach to the definition of ``VBE participant'' in the following four 
respects.
    First, we are revising the definition of ``VBE participant'' to 
allow all types of individuals (other than patients) and entities to be 
VBE participants. This revision makes our definition more similar to 
CMS's corresponding definition and removes a potential impediment to 
existing organizations that wish to qualify as VBEs but may include 
types of entities we proposed to disallow as VBE participants. We now 
define the term ``VBE participant'' to mean an individual or entity 
that engages in at least one value-based activity as part of a value-
based enterprise, other than a patient when acting in their capacity as 
a patient. This does not, however, mean that every VBE participant will 
receive protection under the applicable safe harbors; it is intended to 
avoid a barrier to the formation and operation of the VBE itself. The 
new definition also makes clear that patients cannot be VBE 
participants, consistent with our intent in the OIG Proposed Rule. 
Entities seeking safe harbor protection for

[[Page 77706]]

remuneration provided to patients should look to the patient engagement 
and support safe harbor for protection, not to the value-based safe 
harbors.
    Second, rather than making certain entities ineligible under the 
definition of ``VBE participant,'' as described in the OIG Proposed 
Rule, the final rule takes a different approach to achieve the proposed 
policy to make some entities ineligible for safe harbor protections. In 
the final rule, within each value-based safe harbor (and the patient 
engagement and support safe harbor, as discussed further at section 
III.B.6), we identify entities that are not eligible to rely on the 
safe harbor to protect remuneration exchanged with a VBE or other VBE 
participants. Specifically, the value-based safe harbors each include 
an ineligible entity list. Remuneration exchanged by entities on the 
list in each safe harbor is not eligible for protection under the safe 
harbor.
    The following entities are included on the ineligible entity lists 
in all of the value-based safe harbors: (i) Pharmaceutical 
manufacturers, distributors, and wholesalers (referred to generally 
throughout this preamble as ``pharmaceutical companies''); (ii) PBMs; 
(iii) laboratory companies; (iv) pharmacies that primarily compound 
drugs or primarily dispense compounded drugs (sometimes referred to 
generally in this rule as ``compounding pharmacies''); (v) 
manufacturers of devices or medical supplies; (vi) entities or 
individuals that sell or rent DMEPOS, other than a pharmacy or a 
physician, provider, or other entity that primarily furnishes services, 
all of which remain eligible (referred to generally throughout this 
preamble as ``DMEPOS companies''); and (vii) medical device 
distributors or wholesalers that are not otherwise manufacturers of 
devices or medical supplies (for example, some physician-owned 
distributors).
    Third, we proposed to address safe harbor protection for technology 
companies by considering how and whether they could fit in the 
definition of a VBE participant. In the final rule, we instead focus on 
safe harbor protection for the remuneration exchanged with or by them. 
Specifically, the care coordination arrangements safe harbor at 
paragraph 1001.952(ee) permits protected remuneration in the form of 
digital health technology (or other technologies) exchanged between VBE 
participants eligible to use the safe harbor. To address protection 
under this safe harbor for arrangements with manufacturers of devices 
and medical supplies and DMEPOS companies that involve digital health 
technology, we have taken a tailored, risk-based approach. 
Manufacturers of devices and medical supplies and DMEPOS companies that 
are otherwise ineligible for the value-based safe harbors are 
nonetheless eligible to rely on the care coordination arrangements safe 
harbor for digital health technology arrangements that meet all safe 
harbor conditions, including an additional one. Under this pathway, we 
define ``limited technology participant'' to include, as further 
discussed below, a manufacturer of a device or medical supply or a 
DMEPOS company that is a VBE participant that exchanges digital health 
technology with another VBE participant or a VBE.
    Our revised approach effectively divides the universe of VBE 
participants into three categories: (i) VBE participants that are 
eligible to rely on the value-based safe harbors for all types of 
arrangements that meet safe harbor conditions; (ii) limited technology 
participants that are only eligible to rely on the care coordination 
arrangements safe harbor for arrangements involving digital health 
technology; and (iii) VBE participants that are ineligible to rely on 
any of the value-based safe harbors for any types of arrangements. The 
first category is the default category, capturing all entities and 
individuals who are not expressly included in the second and third 
categories. For a discussion of ineligible entities and the treatment 
of digital health technology under the patient engagement and support 
safe harbor, see the discussion in section III.B.6.b and f. For a 
discussion of ineligible entities under the personal services and 
management contracts and outcomes-based payments safe harbor, see 
sections III.B.10.c and d.
    Fourth, to address heightened risk of fraud and abuse and to help 
ensure that protected remuneration meets the policy goals of this 
rulemaking, we require that the exchange of digital health technology 
by a limited technology participant is not conditioned on any 
recipient's exclusive use of, or minimum purchase of, any item or 
service manufactured, distributed, or sold by the limited technology 
participant. Rather than finalizing this condition in the definition of 
a VBE participant as contemplated in the OIG Proposed Rule, this is now 
a separate condition at paragraph 1001.952(ee)(8).
i. Approach To Defining ``VBE Participant''
    Comment: While we received some support for our proposed definition 
of ``VBE participant,'' many commenters expressed concerns regarding 
the proposed categorical exclusion of certain entities. Several 
commenters asserted that no entities should be precluded from 
participating in value-based arrangements, and many encouraged us to 
adopt an alternative approach based on product type, company structure, 
fraud risk, the legitimacy of the party's objectives and deliverables, 
or other features. Commenters also noted that many existing value-based 
arrangements include entities that we were considering making 
ineligible to be a VBE participant. Another commenter asserted that 
allowing entities to participate as VBE participants will incentivize 
them to understand and expand cost mitigation strategies, which will 
help lower the cost of care. Others emphasized that the health care 
industry is highly dynamic, with frequent corporate transactions. They 
expressed concern that an entire value-based arrangement may 
inadvertently fall out of compliance with a safe harbor because one VBE 
participant acquires an entity that is not eligible to be a VBE 
participant. Other commenters supported placing exclusions directly in 
the safe harbor, rather than in the definition, to create greater 
flexibility. A commenter recommended that OIG create a new defined 
term, ``VBE partner,'' to designate individuals and entities that 
provide social determinants of health support and services at the 
direction of a VBE or VBE participant but are not themselves part of 
the VBE. According to the commenter, this would allow many services 
providers, such as rideshare companies, social service organizations, 
and foodbanks that already have direct partnerships with a VBE 
participant to participate in protected arrangements without having to 
become full participants in a VBE.
    Response: We recognize that there may be benefits to allowing all 
entities to participate as VBE participants, and we also appreciate the 
concerns raised by these commenters. In response to comments, our 
revised approach, in which any individual (other than a patient) or 
entity is eligible to be a VBE participant, will alleviate many of 
them.
    In the OIG Proposed Rule, we described several approaches we were 
considering for determining entities that could be VBE participants in 
the final rule and, as such, able to rely on the value-based safe 
harbors. We are adopting the approach of making entities ineligible 
under the value-based safe harbors rather than through the definition 
of ``VBE participant.'' This approach allows for closer alignment with 
CMS's terminology, addresses concerns about unintended impacts of

[[Page 77707]]

otherwise ineligible VBE participants on the makeup of a VBE, and does 
not impede VBEs from engaging in a wide range of value-based payment 
and delivery arrangements, regardless of whether those arrangements 
qualify for safe harbor protection. By addressing eligibility in 
specific safe harbors rather than through the VBE participant 
definition, the final rule creates flexibility for all health care 
stakeholders to be part of a VBE and reduces any need for parties to 
form VBEs structured solely for purposes of using the new safe harbors. 
This approach also facilities our final policy on providing safe harbor 
protection for digital health technology arrangements with limited 
technology participants (described in more detail later).
    While all entities are eligible to be VBE participants, each value-
based safe harbor and the patient engagement and support safe harbor 
incorporates a list of entities that are ineligible for safe harbor 
protection. As discussed in greater detail below, we determined which 
entities should be ineligible based on multiple factors, including the 
extent to which the entities are involved in front line care 
coordination and program integrity concerns.
    Under this final rule, a VBE will not cease to meet the definition 
of a ``VBE'' solely because a VBE participant merges with or acquires a 
different type of entity or develops a new business line. Nor would a 
VBE participant necessarily cease to be eligible to use a value-based 
safe harbor solely because it acquires an entity that is not eligible. 
To the extent a transaction causes a VBE participant to become an 
ineligible entity, the safe harbor would no longer be available to 
protect any remuneration exchanged by that entity under a value-based 
arrangement.
    Consistent with the OIG Proposed Rule discussion of alternatives 
for determining which entities are eligible and ineligible for safe 
harbor protection, we have adopted a risk-based, policy-focused 
approach to determine the scope and applicability of the final safe 
harbors. With respect to the ineligible entities in the value-based 
safe harbors, those entities are identified based on a number of 
attributes, including the products and services they offer, how they 
structure their business, and the extent to which they are on the front 
line of care coordination and treatment decisions. In the care 
coordination arrangements safe harbor, we further distinguish among 
entities in part on the basis of product or arrangement type. These 
considerations are directly related to the goals of the Regulatory 
Sprint and the design of the conditions in each safe harbor to protect 
against fraud and abuse.
    With respect to the recommendation that we create a new category of 
``VBE partners,'' we are not adopting this suggestion. The proposed and 
final value-based safe harbors were and are designed for value-based 
arrangements between VBEs and one or more of their VBE participants or 
between or among VBE participants in the same VBE. The ability to 
determine with specificity which individuals and entities are in a VBE 
and which are not enhances transparency, certainty, and accountability 
for arrangements seeking safe harbor protection. Social services 
agencies, rideshare companies, foodbanks, and others are eligible to be 
VBE participants if they wish for their arrangements to be eligible for 
protection under the value-based safe harbors. If for any reason they 
do not wish to be VBE participants or cannot become VBE participants, 
nothing in this rule would prevent them from engaging in care 
coordination or other arrangements that do not fit in these new safe 
harbors. In some cases, the arrangements might fit in other safe 
harbors, such as the local transportation safe harbor (e.g., for 
rideshare arrangements). For other arrangements, the parties would need 
to review the specific facts of the arrangement, including the intent 
of the parties, to ensure compliance with the Federal anti-kickback 
statute.
    Notably, if there is nothing of value given by a social services 
agency or foodbank, for example, to an individual or entity in exchange 
for or to induce or reward referrals of items or services for which 
payment may be made under a Federal health care program, the statute 
would not be implicated. We would expect this to be the case for many 
social services agencies, foodbanks, and other entities that provide 
social services, food, or other supports to patients and (1) do not 
bill Federal health care programs and (2) do not refer Federal health 
care patients to health care providers for reimbursable services or 
otherwise recommend or arrange for such services.
    Comment: Several commenters requested that we either confirm in the 
preamble, or revise the definition of ``VBE participant'' to state 
expressly, that certain types of entities or providers, such as retail 
health clinics, charitable clinics and pharmacies, federally qualified 
health centers, credentialed orthotists and prosthetists, payors, 
physician shareholders and employees of medical groups, and non-
traditional health care entities, among others, qualify as VBE 
participants.
    Response: Under our revised definition of a ``VBE participant,'' 
all types of entities can be VBE participants. Entities would need to 
refer to the specific safe harbors to determine whether they are 
eligible to rely on the safe harbor.
    Comment: Some commenters noted that CMS's proposed value-based 
terminology does not make any entities ineligible to be a VBE 
participant.
    Response: Our final definition of ``VBE participant'' is aligned 
with CMS's definition, with the exception of a detail around the use of 
the term ``individual'' in our rule and ``person'' in CMS's rule and 
our policy that patients may not be VBE participants. The 
``individual'' versus ``person'' verbiage relates to the difference in 
language used elsewhere in the two regulatory schemes and promotes 
overall consistency across safe harbors for OIG and exceptions for CMS.
    For clarity, we have included an express statement in regulatory 
text, not included in CMS's definition, carving patients out of the 
definition of ``VBE participant.'' This carve out would extend to the 
patient's family members or others acting on the patient's behalf, 
consistent with the approach we take elsewhere in this final rule with 
respect to the coordination and management of care with patients. The 
context and framework of the value-based provisions in the OIG Proposed 
Rule made clear that we did not intend patients to be VBE participants 
who could engage in value-based arrangements under the value-based safe 
harbors. In the proposed regulations, we described VBE participants as 
engaging in at least one value-based activity as part of a VBE and 
being part of at least one value-based arrangement to provide at least 
one value-based activity for a target patient population. The role of 
VBE participants in health care business activities of VBEs is not a 
role assumed by patients and families, who play a critical role in 
patient care in other ways. Our modification in the final rule 
clarifies this point.
    Under our proposed rule and this final rule, VBE participants 
providing remuneration to patients would look to the patient engagement 
and support safe harbor for protection, not to the value-based safe 
harbors. Our reference to ``individuals'' in the proposed definition 
was meant to capture physicians, nurses, and other practitioners, 
providers, and suppliers in the health care ecosystem involved in 
caring for patients. Our revised regulatory text recognizes that all 
individuals will likely be a patient at one point or another and that 
our carve-

[[Page 77708]]

out of patients is limited to patients when acting in their capacity as 
patients. In other words, a physician remains eligible to be a VBE 
participant even if he or she is also sometimes a patient.
    Comment: Several commenters encouraged us to consider requiring 
additional safeguards within each safe harbor to address concerns 
regarding particular types of entities, rather than categorical 
exclusions from the definition of ``VBE participant.'' Others opposed 
applying additional safeguards, believing the existing safeguards in 
the OIG Proposed Rule were sufficient for all types of entities.
    Response: For reasons noted above, including input from comments, 
we are not adopting categorical exclusions from the definition of ``VBE 
participant.'' Instead, relying on factors such as fraud and abuse risk 
and level of participation in front line care of patients, we identify 
certain entities as ineligible for protection in specified safe 
harbors, and include a tailored additional condition for certain high-
risk entities engaged in arrangements involving digital health 
technology. The entities that are ineligible for protection and the 
rationale for carving them out are addressed in greater detail below in 
response to comments specific to these entities. We also provide 
greater detail below regarding the entity-specific safeguard we are 
adopting in the care coordination arrangements safe harbor for 
arrangements involving digital health technology.
    Comment: Several commenters challenged OIG's assertion that its 
history of law enforcement activities involving certain types of 
entities should form the basis for whether entities are entitled to 
protection under the value-based safe harbors. Some of these commenters 
noted that many other types of parties, including hospitals and 
physicians, have likewise been the subject of enforcement actions. 
Others asserted that the past bad acts of a few should not dictate the 
future compliance risks of the many, particularly where many of the 
historic enforcement actions resulted in settlements without admission 
of guilt, rather than actual convictions.
    Response: We agree with the commenters that the bad acts of the few 
should not dictate the compliance risks of the many. We proposed and 
are finalizing new safe harbors intended to aid the majority of 
stakeholders that are honest and trying to do the right thing for 
patients and the health care system. The fact that an entity type is 
categorically ineligible for safe harbor protection does not mean that 
all entities in the category are bad actors. In crafting the value-
based safe harbors, we have balanced new flexibility under a criminal 
statute with protections where we identified elevated risk of fraud and 
abuse. Our experience investigating fraud and enforcing the anti-
kickback statute necessarily informs our approach to establishing safe 
harbors for specific payment practices consistent with the criteria set 
forth at section 1128D(a)(2) of the Act (safe harbor authority under 
the Federal anti-kickback statute). Our enforcement and oversight work 
offer insights into common fraud schemes, trends, and methods used by 
bad actors to circumvent rules. In bringing this experience to bear, we 
considered multiple types of entities and arrangements that have been 
the subject of our work. The risk of fraud and abuse is one factor in 
determining the types of entities eligible for protection under the 
safe harbors. Others include, for example, the degree of participation 
of the entity type in the care coordination arrangements that are 
central to this rulemaking and the level of need for the entity type to 
have safe harbor protection to effectuate the policy goals of the 
Regulatory Sprint. We acknowledged in the OIG Proposed Rule and 
reiterate here that the new safe harbors do not address all beneficial 
value-based arrangements.
    Comment: A commenter requested confirmation that the definition of 
``VBE participant'' would not bar an integrated delivery system from 
creating a value-based arrangement within its own system.
    Response: There is nothing in the definition of ``VBE participant'' 
that would preclude an integrated delivery system from creating a 
value-based arrangement within its own system.
    Comment: A commenter requested that OIG make clear that the safe 
harbors do not preclude entities that are ineligible to be VBE 
participants from contributing to value-based activities or contracting 
with VBEs.
    Response: We believe our revised approach, where all entities are 
eligible to be a VBE participant, addresses the commenter's concern. We 
wish to clarify further that the value-based safe harbors do not 
prohibit the VBE from entering into contractual arrangements with any 
type of entity, including an entity that is not a VBE participant. 
However, an entity that is not a VBE participant will not be eligible 
for safe harbor protection. Remuneration exchanged by certain types of 
entities, including non-VBE participants and VBE participants on the 
carve-out list, will not be protected by a value-based safe harbor, and 
parties would need to look to other safe harbors to the extent they 
want to protect it.
    Comment: A commenter supported the fact that the proposed 
definition of ``VBE participant'' did not require VBE participants to 
be equity owners of the VBE.
    Response: We did not propose requirements related to equity 
ownership of VBEs. However, we note that the value-based safe harbors 
do not protect remuneration in the form of ownership interests or 
returns on those interests.
    Comment: A commenter recommended that, if OIG finalizes the 
definition of ``VBE participant'' as proposed, it also modify the 
advisory opinion process so that opinions may be relied upon by parties 
other than just the requesting party.
    Response: Modifying the OIG advisory opinion process is beyond the 
scope of this rulemaking.
ii. Entities Ineligible for Safe Harbor Protection
    The value-based safe harbors deem certain entities ineligible for 
safe harbor protection. Those entities are: Pharmaceutical companies; 
PBMs; laboratory companies; compounding pharmacies; manufacturers of 
devices or medical supplies; DMEPOS companies; and medical device 
distributors and wholesalers. Notwithstanding, under the care 
coordination arrangements safe harbor (paragraph 1001.952(ee)), 
manufacturers of devices and medical supplies and DMEPOS companies are 
eligible as limited technology participants to protect certain digital 
health technology arrangements to allow them to participate in such 
arrangements, along with other types of eligible VBE participants. As 
explained in more detail below, these distinctions are rooted in a 
functional approach focusing on the items, services, and products 
furnished by the different entity types and their roles in care 
coordination, along with assessment of program integrity risk based on 
enforcement experience. We aim to balance flexibility to achieve the 
Regulatory Sprint goals with protection against fraud and abuse.
    This preamble section responds to comments about each of these 
entity types in turn. The outcomes-based payments safe harbor at 
paragraph (d)(2) and the patient engagement and support safe harbor at 
paragraph 1001.952(hh) reference these same entities and rely on the 
same definitions when doing so.

[[Page 77709]]

(a) Pharmaceutical Manufacturers, Wholesalers, and Distributors
    Comment: Many commenters agreed with our proposal not to include 
pharmaceutical manufacturers in the definition of ``VBE participant.'' 
These commenters articulated a variety of supporting rationales, 
including that manufacturers are less involved in care coordination and 
present an increased risk of abusive arrangements. Many other 
commenters encouraged OIG to allow pharmaceutical manufacturers to 
participate as VBE participants, arguing, among other things, that 
manufacturers are well-positioned to contribute to value-based 
arrangements and that their participation is essential given the role 
of medications in improving care. For example, commenters noted that 
manufacturers can leverage data analytics and technology to improve 
both outcomes measurement and care management. Several commenters also 
emphasized that manufacturers can provide a variety of services 
relating to medication adherence, which may play a central role in 
value-based arrangements by managing care and reducing costs. 
Commenters also emphasized that manufacturers often know their product 
best and are thus in an ideal position to bring value through continued 
involvement.
    Response: Under the revised framework we are adopting in this final 
rule, pharmaceutical companies can be VBE participants, and existing 
VBEs that include pharmaceutical companies do not need to be 
restructured for purposes of this rulemaking. However, we are 
effectuating our intent that pharmaceutical companies would not be 
eligible to use the value-based safe harbors by including 
pharmaceutical companies on the ineligible entity list in each safe 
harbor. We agree with the commenters that pharmaceutical manufacturers 
are not as likely as other entities to be involved with front line care 
coordination, and we remain concerned, as noted in the OIG Proposed 
Rule, about the potential for pharmaceutical manufacturers to use the 
value-based safe harbors to protect arrangements that are intended to 
market their products or inappropriately tether clinicians to the use 
of a particular product rather than as a means to create value by 
improving the coordination and management of patient care. As a result, 
protection under the value-based safe harbors does not extend to 
remuneration that pharmaceutical manufacturers exchange with other VBE 
participants.
    We recognize that pharmaceutical manufacturers can play important 
roles in delivering efficient, high quality care to patients, 
including, for example, through medication adherence programs and data 
sharing. However, like any arrangement that does not qualify for a safe 
harbor, such arrangements would need to be analyzed for compliance with 
the anti-kickback statute based on their specific facts, including the 
intent of the parties. They are not eligible for protection under these 
new safe harbors.
    As noted in the OIG Proposed Rule, we continue to consider the role 
of pharmaceutical manufacturers in coordinating and managing care as 
well as how to address value-based contracting and outcomes-based 
contracting for pharmaceutical products and medical devices, including 
devices that do not meet the definition of ``digital health 
technology'' under this rule.
    Comment: Many commenters encouraged OIG to allow pharmaceutical 
manufacturers to participate in value-based contracting arrangements 
where they take on financial risk. Several of these commenters 
specifically supported arrangements where payment for prescription 
drugs is tied to clinical endpoints or patient outcomes, such as where 
a manufacturer agrees to provide a full or partial refund on a product 
if a course of treatment fails to achieve the desired outcome. Other 
commenters expressed skepticism about value-based contracting and 
encouraged OIG to adopt safeguards to protect against potentially 
abusive arrangements. Another commenter suggested that OIG adopt 
manufacturer-specific safe harbors with a sliding scale of risk. Among 
commenters who supported protecting value-based contracting, many 
raised concerns that existing best price requirements in the Medicaid 
Drug Rebate Program operate as an actual or perceived impediment to 
these types of arrangements and encouraged OIG to work with CMS to 
resolve these issues.
    Response: We did not propose either a value-based contracting safe 
harbor or pharmaceutical manufacturer-specific safe harbors with a 
sliding scale of risk in this rulemaking. With respect to commenters' 
concerns regarding the potential impact of value-based contracting on 
Medicaid best price reporting obligations, those issues are outside the 
scope of this rulemaking.
    Comment: A trade association representing pharmaceutical 
manufacturers requested that OIG clarify that any exclusion of 
pharmaceutical manufacturers from the value-based safe harbors is not 
intended to discourage manufacturers from participating in arrangements 
for value-based care. Another commenter asserted that pharmaceutical 
manufacturers' participation in care coordination may be necessary with 
the advancement of therapies like personalized cell therapies, which 
use a modified version of the patient's own cells to treat disease. A 
commenter recommended that a nonprofit generic drug company that 
addresses drug shortages in the marketplace be permitted to participate 
as a VBE participant, even if pharmaceutical manufacturers are not 
eligible.
    Response: Nothing in this final rule is intended to discourage 
pharmaceutical manufacturers from participating in arrangements for 
value-based care. Under this rule as finalized, a pharmaceutical 
company can be a VBE participant collaborating with others in a VBE. 
Nothing prevents a pharmaceutical company (or any other type of entity) 
from participating in care coordination arrangements, but remuneration 
exchanged by the pharmaceutical company under those arrangements would 
not qualify for protection under the value-based safe harbors. For 
example, we appreciate that pharmaceutical companies can work to 
address shortages in the marketplace and could enter into arrangements 
with a VBE and VBE participants to address those issues. Those 
arrangements would need to be analyzed based on their specific facts 
for compliance with the anti-kickback statute. The failure to fit in a 
safe harbor does not mean an arrangement is unlawful under the anti-
kickback statute. Moreover, safe harbor protection is irrelevant to the 
extent that an arrangement does not implicate the anti-kickback 
statute. We reiterate that parties may structure arrangements to meet 
other safe harbors, such as the safe harbor for personal services 
arrangements or the warranties safe harbor and may also use OIG's 
advisory opinion process to the extent they want prospective protection 
for arrangements they wish to undertake.
    Comment: Commenters were divided on whether pharmaceutical 
wholesalers and distributors should be eligible to be VBE participants. 
Some stated that these entities present the same types of risks and 
concerns that manufacturers present (e.g., inappropriately increased 
costs to Federal health care programs) and should be ineligible for the 
same reasons. Many commenters who supported allowing manufacturers to 
be VBE participants also supported allowing wholesalers and 
distributors to be VBE participants.

[[Page 77710]]

    Response: All entities are permitted to be VBE participants under 
this final rule. However, remuneration exchanged by pharmaceutical 
companies, including distributors and wholesalers, is not protected by 
the value-based safe harbors, consistent with our proposal to make them 
ineligible. We adopt this policy for reasons comparable to those for 
making manufacturers ineligible, including that wholesalers and 
distributors are less likely to have a direct role in front line 
patient care coordination. We are not persuaded that pharmaceutical 
distributors' and wholesalers' indirect role in support of coordinating 
care warrants protection under the value-based safe harbors.
(b) Pharmacy Benefit Managers
    Comment: In response to our consideration in the OIG Proposed Rule 
related to PBMs, several commenters urged us to make PBMs ineligible to 
be VBE participants. A few of these commenters supported making PBMs 
ineligible based on concerns about potentially abusive PBM practices 
that they believe affect drug prices and limit treatment options for 
patients. Other reasons that commenters provided include that PBMs are 
not front-line health providers and protecting arrangements involving 
PBMs in the value-based safe harbors may inappropriately affect 
treatment decisions by health care practitioners. A commenter also 
suggested we require VBEs that establish relationships with PBMs to 
include information regarding such relationships in relevant VBE 
documents and reports.
    Conversely, many commenters urged us to allow PBMs to be eligible 
to be VBE participants. Commenters asserted that PBMs are engaged in a 
number of activities that relate to care coordination and the value-
based purposes we proposed, including, for example, developing 
formularies to select drugs based on relative value, leveraging health 
information technology to assist in coordinating care and managing 
benefits, and operating a variety of care coordination programs, such 
as medication adherence, medication therapy management, and chronic 
condition education. Commenters emphasized the role that PBMs play with 
respect to controlling pharmaceutical costs and promoting quality by 
ensuring clinical efficacy. Several commenters sought to distinguish 
PBMs from pharmaceutical manufacturers, noting that pharmacy benefit 
managers have no connection to any particular drug product and do not 
rely on prescriptions or referrals for any particular product. Another 
commenter asserted that PBMs are well-suited to enter into risk bearing 
arrangements because their business model already involves helping 
their clients manage insurance risk.
    Response: As described above, all types of entities are eligible to 
be VBE participants under this final rule. However, we are finalizing 
our proposal for PBMs to be ineligible to rely on the value-based safe 
harbors to protect remuneration.
    PBMs are less likely to be on the front line of care coordination 
and treatment decisions in the same way as other types of VBE 
participants eligible to use the value-based safe harbors. We recognize 
and appreciate the information that commenters provided on the role 
that PBMs serve in supporting value-based care and coordinating care, 
for example, by designing formularies based on relative value, using 
their expertise to improve medication adherence, and managing insurance 
risk. However, we are not persuaded that PBM's indirect role in support 
of coordinating care or managing risk warrants protection under the 
value-based safe harbors, which focus significantly on the coordination 
and management of patient care. PBMs play a unique role in establishing 
benefit networks and associated management services connected to 
payors, pharmaceutical manufacturers, and pharmacies. As a result, PBM 
arrangements raise different program integrity issues from the types of 
value-based arrangements contemplated by this rulemaking and would 
likely require different safeguards.
    Under the final rule, PBMs, as with all individuals (except for 
patients) and entities, are eligible to be VBE Participants. This will 
allow PBMs to continue supporting value-based care, even though they 
are not eligible to rely on the value-based care safe harbors. We note 
that some PBMs' value-based activities may not implicate the Federal 
anti-kickback statute, depending on the specific facts and 
circumstances of each arrangement. Parties may also use OIG's advisory 
opinion process to the extent they want prospective protection for 
arrangements involving the exchange of remuneration with PBMs.
    In response to the suggestion that VBEs that have relationships 
with PBMs be required to document and disclose such relationships, the 
value-based definitions have relevant documentation and oversight 
conditions, including a requirement that the VBE governing 
documentation describe how the VBE participants intend to achieve the 
VBE's value-based purpose(s).
    We recognize that many PBMs are owned, affiliated with, or under 
common ownership structures with other entities, particularly payors 
and health benefit plans. Considering the role that payors have in the 
substantial downside risk and full financial risk safe harbors, it is 
important to note that payors would be eligible for safe harbor 
protection even if they own, are affiliated with, or are under common 
ownership with a PBM. Additionally, a payor would be eligible for safe 
harbor protection if it does not contract out its pharmacy benefit 
management services and instead performs those functions as part of its 
administration of a health benefit plan more broadly. We would consider 
the PBM functions, in that context, to be ancillary to the payor's 
predominant or core business, which is administering a health benefit 
plan. Thus, such a payor would not be considered to be a PBM for 
purposes of eligibility for protection under the value-based safe 
harbors, notwithstanding the fact that it performs some PBM activities. 
See the discussion at section III.B.2.e.5, below regarding entities 
with multiple lines of business for further details regarding the 
predominant or core business standard.
(c) Laboratory Companies
    Comment: While some commenters supported our proposal to make 
clinical laboratories ineligible to be VBE participants or suggested 
that we only allow them to be VBE participants if we included 
additional safeguards, many commenters urged OIG to include clinical 
laboratories as VBE participants. Several commenters noted that 
laboratories are increasingly providing precision diagnostic services 
and posited that this type of personalized medicine is the future of 
both preventive medicine and modern oncology care. Commenters expressed 
concern that making laboratories ineligible to be VBE participants may 
inhibit integration of these types of diagnostic services into 
practice. Others asserted that existing safeguards are sufficient to 
protect against any risk of fraud and abuse.
    Commenters provided various examples of value-based arrangements 
involving laboratories. A commenter provided one example of a 
laboratory that entered into an arrangement with a payor under which it 
reviewed historical test results for a patient population to identify 
those likely to have a condition such as diabetes or chronic kidney 
disease so as to facilitate patients' enrollment in a disease 
management program.

[[Page 77711]]

    Response: Under this final rule, laboratory companies may be VBE 
participants in a VBE and collaborate with other VBE participants 
without affecting the ability of other VBE participants to be eligible 
for safe harbor protection. However, laboratory companies are included 
on the list of carved out entities for which protection is not 
available under value-based safe harbors. As a result, any remuneration 
exchanged by a laboratory company will not be protected by a value-
based safe harbor. We expressed our intent in the OIG Proposed Rule to 
make clinical laboratories ineligible for safe harbor protection 
because of heightened risk of fraud and abuse based on historical 
enforcement experience and because they are, like pharmaceutical 
companies and DMEPOS companies, heavily dependent on practitioner 
prescriptions and referrals. We were, and remain, concerned that these 
entities might misuse the value-based safe harbors as a means of 
offering remuneration primarily to market their products rather than as 
a means to create value for patients, providers, and payors by 
improving the coordination and management of patient care, reducing 
inefficiencies, or lowering costs. We also continue to believe that 
offering protection for remuneration exchanged by a laboratory company 
under the value-based safe harbors is unnecessary to effectuate the 
goals of the Regulatory Sprint because, as compared to other types of 
entities such as hospitals, physicians, and remote patient monitoring 
companies, laboratory companies are not on the front lines of care 
coordination.
    We appreciate the input from commenters who pointed out various 
ways in which laboratories may be participating in care coordination. 
We are not persuaded that these examples warrant revisiting our policy. 
However, we want to be clear that nothing in this rulemaking is 
intended to discourage or prevent a laboratory from participating in 
care coordination arrangements such as those described by the 
commenters so long as the arrangements comply with the anti-kickback 
statute. A laboratory may look to other safe harbors, such as the 
personal services and management contracts safe harbor, as modified in 
this rule, to protect remuneration, and the advisory opinion process 
also remains available.
    Comment: Several commenters requested that OIG clarify how clinical 
laboratories that are owned and operated by entities with other 
regulatory classifications, including hospitals, physician group, and 
medical device manufacturers, would be treated.
    Response: We do not intend for the ineligibility of laboratory 
companies to extend to clinical laboratories that are owned and 
operated through other types of entities, such as hospitals and 
physician practices. Other types of entities, such as hospitals and 
physician practices, that operate clinical laboratories that are not 
the entity's predominant or core line of business are eligible to use 
the value-based safe harbors. This approach ensures that hospitals, 
physicians, and other entities with core care coordination roles are 
not precluded from using the safe harbors because they happen to 
provide some laboratory services, which we understand to be common in 
the industry. We also believe that this approach would preclude any 
suggestion that entities which have a predominant or core line of 
business other than a clinical laboratory (or other ineligible entity), 
such as a hospital, need to restructure their operations or corporate 
structure or otherwise need to modify the manner in which these 
entities operate.
    In this final rule, we use the term ``laboratory companies'' to 
describe the intended category of ineligible entities, rather than the 
term ``clinical laboratory'' that was proposed, because the term 
``laboratory company'' better describes the types of entities we intend 
to make ineligible to rely on the value-based safe harbors. We have 
long used the same terminology in the electronic health records safe 
harbor at paragraph 1001.952(y), and we intend for the term to have the 
same meaning here. Specifically, it describes independent companies 
that operate clinical laboratories and bill for the laboratory services 
they furnish through their own billing numbers. Thus, for example, if a 
hospital furnishes laboratory services through a laboratory that is a 
department of the hospital for Medicare purposes (including cost 
reporting) and the laboratory services are billed through the 
hospital's provider number, then the hospital would not be considered a 
laboratory company for purposes of determining eligibility to rely on a 
value-based safe harbor. In contrast, a hospital affiliated or 
hospital-owned laboratory company with its own supplier number that 
furnishes laboratory services that are billed using a billing number 
assigned to the company and not the hospital would not be eligible for 
safe harbor protection. This approach is consistent with the approach 
we describe in the discussion on entities with multiple business lines, 
below, in that it focuses on both the corporate structure and the 
predominant or core business function of an entity.
(d) Medical Device Manufacturers, Distributors, and Wholesalers
    Comment: Many commenters encouraged OIG to allow medical device 
manufacturers, distributors, and wholesalers to be VBE participants, 
emphasizing, among other things, the role that these entities play in 
collecting, aggregating, analyzing, and sharing data to assist 
clinicians with care coordination and management. Others disagreed with 
our characterization of medical device manufacturers as not being on 
the front line of care coordination.
    Another commenter asserted that our concerns that manufacturers may 
use value-based arrangements to tether clinicians or patients to a 
particular product are misplaced and disregard the improved cost and 
clinical outcomes that derive from standardizing the use of a superior 
product. Similarly, a commenter objected to the suggestion that 
manufacturers' participation in value-based arrangements is driven by 
marketing objectives. An integrated delivery system described existing 
value-based partnerships with medical device companies that it believes 
foster value by optimizing care pathways, improving patient experience, 
and sharing accountability for the results; according to this 
commenter, the medical device companies have been responsible, 
effective, and essential in providing high quality care at a low cost.
    Response: We appreciate commenters' perspectives, and we recognize 
that manufacturers of devices and medical supplies may play an 
important role in some value-based arrangements, including by offering 
digital health technologies that can improve coordination and 
management of care. However, we continue to believe, as a general 
matter, that they are not as directly engaged in care coordination as 
other entities, such as providers and clinicians. We continue to have 
concerns, as described in the OIG Proposed Rule, based on our 
historical law enforcement experience, that manufacturers of devices 
and medical supplies could misuse the flexibilities afforded by the 
value-based safe harbors to offer kickbacks under the guise of care 
coordination activities or to tether a clinician to a particular 
product. Further, we believe there is a risk that these arrangements 
could result in providers selecting products that may not be clinically 
appropriate for, or in the best interest of, a patient. Based on our 
enforcement experience, these

[[Page 77712]]

concerns are heightened with respect to implantable devices used in a 
hospital or ambulatory surgical care setting, for which there is an 
elevated risk for patients undergoing implant surgery if devices are 
selected because of financial incentives rather than patients' best 
interests.
    As discussed at section III.B.2.e.iii, we are adopting a pathway to 
protect the exchange of digital health technologies by manufacturers of 
devices and medical supplies under the care coordination arrangements 
safe harbor, which addresses some of the commenters' concerns. This 
pathway, which imposes an additional safeguard that applies only to 
manufacturers of devices and medical supplies and DMEPOS companies, 
balances our program integrity concerns with our interest in 
facilitating the deployment of health technologies for care 
coordination.
    Comment: Many commenters encouraged OIG not to include device 
manufacturers, distributors, and wholesalers as VBE participants. 
Several of these commenters asserted that medical device manufacturers 
are not on the front line of care coordination. Another commenter 
asserted that, while larger companies may be well-positioned to engage 
in data-driven care coordination activities, most device manufacturers 
do not offer these types of services. The commenter was concerned that 
allowing medical device manufacturers to engage as VBE participants 
would unfairly advantage large manufacturers over smaller 
manufacturers, with larger companies using their size and scale to 
leverage their care coordination capabilities in a manner that 
disincentivizes purchasers from considering competing products. The 
commenter expressed concern that this dynamic may suppress medical 
innovation by smaller companies and encouraged OIG to consider a pilot 
program to assess potential impacts on smaller manufacturers.
    Response: We appreciate the concerns raised by commenters, and, as 
we have explained, we share some of them. However, we also believe that 
digital health technologies hold great promise for improving 
coordination and management of care and achieving the goals of the 
Regulatory Sprint, and we believe that many of these promising 
technologies are either currently being developed, or will in the 
future be developed, by manufacturers of devices and medical supplies. 
We also believe that there will be instances where these digital health 
technologies are inextricably linked to a medical device. To that end, 
we are affording safe harbor protection to the exchange of digital 
health technologies by manufacturers of medical devices under the care 
coordination arrangements safe harbor.
    With respect to the commenter's concerns about potential 
anticompetitive effects from allowing manufacturers of devices and 
medical supplies to participate, we are adopting a safeguard in the 
care coordination arrangements safe harbor that applies to 
manufacturers of devices and medical supplies, as limited technology 
participants, that prohibits exclusivity provisions and minimum 
purchase requirements. We designed this condition to prevent limited 
technology participants from locking-in use of their digital health 
technology, which may have beneficial effects for competition. For 
example, VBE participants may have increased opportunities to use 
multiple of types of digital health technology that best fits their 
needs.
    In response to the commenter's concern about competition between 
large manufacturers and small manufacturers, nothing in this safe 
harbor is intended to favor large entities over small entities. We 
recognize that large manufacturers are likely to have additional 
resources to assess arrangements and determine whether they meet this 
safe harbor. We have strived to limit potential administrative burden 
as much as possible, while also including necessary safeguards against 
fraud and abuse. We believe that this safe harbor and the limited 
technology participant pathway will not require significant resources 
to ensure an arrangement meets all applicable conditions. Furthermore, 
use of these safe harbors and associated compliance is only one factor 
that may affect competition and innovation. There are several other 
factors that impact competition and innovation, but are not subject to 
the Federal anti-kickback statute and thus are outside the scope of 
this rulemaking.
    Comment: With respect to adopting a definition for purposes of 
identifying the category of entities not eligible to be VBE 
participants, several commenters cautioned that it would be virtually 
impossible to define device manufacturers in a manner that would not 
preclude the types of digital health technologies that we stated we 
wished to include. Some commenters recommended that any definition that 
OIG adopts be limited to devices that are separately reimbursed by 
Medicare and not include companies that incorporate medical devices as 
part of their service offerings.
    Many commenters encouraged us not to adopt a new definition, but 
instead to rely on existing definitions adopted by other divisions 
within the Department of Health and Human Services. However, a 
commenter asserted that OIG should not use CMS's definition of 
``applicable manufacturer'' in 42 CFR 403.902, which relates to the 
Open Payments provisions of the Patient Protection and Affordable Care 
Act \17\ (ACA), because that definition would not include manufacturers 
that do not have operations in the United States and reliance on this 
definition would be confusing because it includes manufacturers of 
durable medical equipment, which we proposed not to include in the 
definition of ``VBE participant.''
---------------------------------------------------------------------------

    \17\ Public Law 111-148, 124 Stat. 119, as amended by the Health 
Care and Education Reconciliation Act of 2010 (Pub. L. 111-152, 124 
Stat. 1029).
---------------------------------------------------------------------------

    Response: Notwithstanding the changes to the definition of ``VBE 
participant,'' it remains necessary for us to adopt a definition of 
``manufacturer of a device or medical supply'' to identify entities 
that are limited technology participants for purposes of the care 
coordination arrangements safe harbor.
    The definition we are adopting at paragraph 1001.952(ee)(14)(iv) 
provides that ``manufacturer of a device or medical supply'' means an 
entity that meets the definition of applicable manufacturer in 42 CFR 
403.902 because it is engaged in the production, preparation, 
propagation, compounding, or conversion of a device or medical supply 
that meets the definition of covered drug, device, biological, or 
medical supply in 42 CFR 403.902, but not including entities under 
common ownership with such entity. For purposes of this definition, we 
incorporate and adopt all of the related terminology in 42 CFR 403.902. 
We opted to rely on the ``applicable manufacturer'' terminology 
described in the Open Payments program and its implementing regulations 
because it effectively captures the universe of entities we designate 
as limited technology participants and those that will otherwise be 
carved out of safe harbor protection. Similarly, we opted to rely on 
this terminology because relying on an existing regulatory definition 
promotes consistency across the Department and minimizes additional 
potential regulatory burden. We are not adopting the alternative 
proposed definition that would include any entity that manufacturers 
any item that requires premarket approval by, or premarket notification 
to, the FDA, or that is classified by the FDA as a medical device 
because we believe the

[[Page 77713]]

``applicable manufacturer'' terminology used in the Open Payments 
program provides a more fulsome definition that addresses not only the 
nature of the product (i.e., whether it is regulated by the FDA as a 
device) but also the nature of the entity's functions vis a vis that 
product (e.g., production, preparation, propagation, compounding, or 
conversion). We also intend to include medical device distributors or 
wholesalers on the list of ineligible entities because they are less 
likely to have a direct role in front line patient care coordination, 
and the ``applicable manufacturer'' definition at 42 CFR 403.902 
includes distributors and wholesalers that hold title to the device or 
medical supply. Thus, it is a more comprehensive definition that aligns 
with our objectives. In order to capture distributors and wholesalers 
that do not hold title to the device or medical supply on the 
ineligible entity list, the ineligible entity list in each value-based 
safe harbor includes a separate category for ``a medical device 
distributor or wholesaler that is not otherwise a manufacturer of a 
device or medical supplies.''
    With respect to the commenter who cautioned that reliance on the 
definitions from the Open Payments program would not include 
manufacturers that do not have operations in the United States, we 
refer the commenter to CMS regulations and guidance regarding how 
foreign companies can become subject to reporting obligations under 
section 1128G of the Act.
    Comment: Many commenters shared our concerns regarding physician-
owned distributorships and encouraged us to make them ineligible to be 
VBE participants. A commenter suggested that an entity that generates 
more than forty percent of its business from its physician owners 
should be not be eligible to be a VBE participant. Another commenter 
suggested that we require all VBE participants--regardless of whether 
or not they meet the definition of ``applicable manufacturer''--to meet 
the reporting obligations under section 1128G of the Act.
    Response: We are adopting our proposed policy that physician-owned 
distributorships would not be eligible for safe harbor protection. 
Physician-owned distributors will be captured by one of two categories 
on the ineligible entity lists in each of the value-based safe harbors: 
Manufacturers of devices or medical supplies or medical device 
distributors or wholesalers that are not otherwise manufacturers of 
devices or medical supplies. As described above, the term 
``manufacturer of devices or medical supplies'' is defined in paragraph 
1001.952(ee).
    As we stated in the OIG Proposed rule, physician-owned 
distributorships are inherently suspect under the anti-kickback statute 
because the financial incentives these companies offer their physician 
owners may induce physician owners to perform more procedures (or more 
extensive procedures) and to use the devices the physician-owned 
distributorships sell in lieu of other, potentially more clinically 
appropriate devices. Therefore, as described in greater detail below, 
physician-owned distributorships are also ineligible to rely on the 
care coordination arrangements safe harbor to protect digital health 
technology arrangements, even if they otherwise fit the definition of a 
manufacturer of a device or medical supply.
    With respect to the commenter that suggested that we require all 
VBE participants to meet the reporting obligations under section 1128G 
of the Act, such a requirement is outside the scope of this rulemaking.
(e) DMEPOS Companies
    Comment: Many commenters encouraged us to include DMEPOS companies 
in the definition of ``VBE participant.'' Commenters asserted that 
DMEPOS companies are on the front line of care coordination. Many 
commenters highlighted, for example, the role of DMEPOS companies in 
supporting care coordination through home infusion, home respiratory, 
and diabetes management services; others stated that DMEPOS companies 
engage directly with patients in a variety of ways, including visiting 
patients in their home. Commenters emphasized that DMEPOS companies are 
particularly critical in facilitating transitions from one care setting 
to another. Commenters also noted that the expansion of remote 
monitoring technologies has enhanced the role that DMEPOS companies 
play in care coordination and that device manufacturers are 
increasingly integrating digital technologies into medical devices that 
are classified as DMEPOS. With respect to these and other technologies, 
commenters noted that DMEPOS companies may provide useful data to 
support care coordination. Other commenters encouraged us to make 
DMEPOS companies ineligible for protection under the value-based safe 
harbors because they are not involved in front line patient care 
coordination. Others encouraged us to adopt additional safeguards 
specific to DMEPOS companies.
    Response: We are persuaded by commenters that DMEPOS companies may 
have an important role in value-based arrangements, particularly in the 
context of post-acute care, and that they provide an array of health 
technology services, such as remote patient monitoring, that may 
facilitate the coordination and management of patient care. We believe 
that we must balance the role of these DMEPOS companies with our 
continued concerns, informed by our historical law enforcement 
experience, that some of these entities might misuse the protections 
afforded in the value-based safe harbors as a way to offer kickbacks 
under the guise of care coordination.
    Given our stated interest in the deployment of digital health 
technologies to enhance coordination and management of care and 
consistent with the OIG Proposed Rule as explained elsewhere, we have 
defined the term limited technology participant to include 
manufacturers of medical supplies and entities or individuals that sell 
or rent DMEPOS. Limited technology participants, such as DMEPOS 
companies, may rely on the care coordination arrangements safe harbor 
to protect digital health technologies that they exchange with another 
VBE participant or the VBE, provided the arrangement satisfies an 
additional safe harbor condition that does not apply to other VBE 
participants, discussed in greater detail below. Our approach to DMEPOS 
in the final rule strikes a balance between encouraging the use of 
beneficial digital health technology, which may be offered by DMEPOS 
companies, for care coordination and protecting programs from potential 
fraud and abuse.
    Comment: Some commenters asserted that DMEPOS companies would be 
willing to enter into risk-based arrangements and encouraged OIG to 
provide safe harbor protection for these types of arrangements.
    Response: We believe the commenter is inquiring as to whether risk-
based arrangements involving DMEPOS companies could satisfy the 
conditions of a value-based safe harbor. For the reasons described 
above and in the OIG Proposed Rule, DMEPOS companies are not eligible 
to rely on the value-based safe harbors, except under the limited 
technology participant pathway we have created in the care coordination 
arrangements safe harbor.
    Comment: A commenter recommended that ``distribution vendors'' not 
be considered DMEPOS companies for purpose of any exclusion. The 
commenter argued that these vendors are needed to deploy digital 
medicine programs effectively by directly supporting patients through

[[Page 77714]]

home delivery of digital medical program items.
    Response: All entities can be VBE participants under our revised 
approach, but entities that sell or rent covered DMEPOS are included in 
the ineligible entity lists in each value-based safe harbor and are 
thus ineligible to rely on those safe harbors, except under the limited 
technology participant pathway in the care coordination arrangements 
safe harbor. In the OIG Proposed Rule we listed manufacturer, 
distributor, or supplier of DMEPOS as an ineligible entity type. The 
final rule instead lists an entity or individual that sells or rents 
DMEPOS as ineligible for safe harbor protection (except that a limited 
technology participant is eligible under the care coordination 
arrangements safe harbor). The language in the final rule focuses on 
the nature of an entity's business--selling and renting DMEPOS--to 
better capture the higher risk entities that cannot use the safe 
harbors, and avoids potentially broad terms, such as ``supplier,'' that 
are defined elsewhere in Medicare regulations for different purposes. 
The language ``sells or rents'' is derived from a CMS definition of 
DMEPOS supplier.\18\
---------------------------------------------------------------------------

    \18\ 42 CFR 424.57(a).
---------------------------------------------------------------------------

    We removed the reference to DMEPOS manufacturers because entities 
that manufacture DMEPOS would fall under the final rule's definition of 
``manufacturer of a device or medical supply,'' and it would have been 
duplicative to include these entities under both definitions. Some 
DMEPOS distributors will also be captured by the definition of 
``manufacturer of a device or medical supply'' and would similarly be 
ineligible on that basis. We believe that the universe of entities that 
we intended to capture under the ``manufacturer, distributor, or 
supplier of DMEPOS'' terminology used in the OIG Proposed Rule will now 
be captured by one or both of the categories ``manufacturer of a device 
or medical supply'' and ``an entity that sells or rents [DMEPOS].''
    Comment: Several commenters noted that many types of providers and 
entities, including physician practices, dentists, hospitals, and 
pharmacies, may be enrolled in the Medicare program as DMEPOS suppliers 
and questioned how an exclusion of DMEPOS companies, or requirements 
specific to DMEPOS companies, would apply to them. A commenter 
suggested that OIG should distinguish DMEPOS companies who derive only 
a small portion of their revenues from furnishing DMEPOS.
    Response: In the final rule, the carve-out for DMEPOS companies in 
each of the value-based safe harbors does not apply to a pharmacy or to 
a physician, provider, or other entity that primarily furnishes 
services. In the OIG Proposed Rule, we sought comments on how to ensure 
that these types of entities would remain eligible for safe harbor 
protection even if they own or operate an entity that is ineligible, 
such as a DMEPOS company.\19\ By specifically carving these entities 
out of the definition of DMEPOS companies, we ensure that these 
entities will not become ineligible for safe harbor protection. These 
entities and individuals are likewise not treated as ``limited 
technology participants.'' Thus, physicians, dentists, physician 
practices, and other providers (including, for example, hospitals), who 
primarily furnish services, as well as pharmacies, would not be 
considered DMEPOS companies for purposes of either the ineligible 
entities list or the ``limited technology participant'' definition. 
These parties are therefore able to rely on the three value-based safe 
harbors to the same extent as all other eligible VBE participants 
(including for arrangements involving digital health technologies), and 
they are not required to satisfy the additional condition that applies 
only to limited technology participants.
---------------------------------------------------------------------------

    \19\ 84 FR 55706 (Oct. 17, 2019).
---------------------------------------------------------------------------

(f) Compounding Pharmacies
    Comment: Several commenters responded to our solicitation of 
comments regarding the treatment of compounding pharmacies in the rule. 
Some commenters encouraged OIG not to distinguish between retail 
pharmacies, specialty pharmacies, and compounding pharmacies. One 
commenter expressed concern about generally offering protections to all 
compounding pharmacies, stating that ongoing vigilance for fraud and 
abuse is warranted for the compounding pharmacy industry. The commenter 
added that a more nuanced approach that screens for and offers 
protections in value-based arrangements for demonstrably good actors 
may further access to customized treatments, particularly for patients 
with rare diseases as well as pediatric patients. The commenter also 
described the risks of compounding without rigorous safety and quality 
practices. The commenter suggested that, to address quality, safety, 
and program integrity concerns with compounding pharmacies, OIG could 
limit participation to compounding pharmacies that exemplify good 
compounding practices through adherence to the U.S. Pharmacopeia (USP) 
Chapter 795 and attainment of Pharmacy Compounding Accreditation Board 
(PCAB) accreditation from the Accreditation Commission for Health Care 
(ACHC).
    Other commenters believed that compounding is an essential part of 
patient care, including for specialty pharmacies such as infusion 
pharmacies that treat patients with severe conditions. Commenters 
suggested that pharmacists at compounding pharmacies may play a key 
role in helping coordinate individualized patient care. Commenters 
urged OIG to not exclude pharmacies from the proposed safe harbor based 
on the compounding services they provide. Some commenters raised 
concerns that excluding compounding pharmacies from the value-based 
safe harbors would expose the pharmacies to liability under the Federal 
anti-kickback statute for any remuneration they receive for providing 
prescription compounded medications or pharmacist-approved care 
services.
    Some commenters explained their understanding that compounding is 
the preparation of a specific medication to meet the prescriber's exact 
specifications and to be dispensed directly to an individual patient, 
pursuant to a valid prescription for that patient. Such drugs are 
prescribed when commercially available products do not meet patient 
needs. Commenters noted that compounding should not be confused with 
manufacturing or the mass production of drug products, nor should it be 
confused with making copies of commercially available drug products, 
which is not allowed by law under section 503A(b)(1)(D) of the Federal 
Food, Drug, and Cosmetic Act (21 U.S.C. 353a(b)(1)(D)).
    Response: We agree that pharmacists, including pharmacists at 
compounding pharmacies, can play important roles in coordinating and 
managing patient care and as members of care teams, including for 
patients with rare and serious conditions. Under the final rule, all 
pharmacies and pharmacists can participate in VBEs. As explained 
further below, most pharmacies and pharmacists will be eligible to rely 
on the value-based safe harbors to protect remuneration, even if the 
pharmacy engages in some compounding of drugs.
    However, under the final rule, for reasons explained below, 
pharmacies that primarily compound drugs or primarily dispense 
compounded drugs are ineligible to protect remuneration under the 
value-based safe harbors, as well as the safe harbor protections for 
patient engagement tools and supports

[[Page 77715]]

(paragraph 1001.952(hh)) and outcomes-based payments (amended paragraph 
1001.952(d)). When we refer to compounded drugs in this rule, we refer 
to the common industry understanding of them as drugs that are 
specifically combined, mixed, or altered and prepared for individual 
patients, or that purport to be such drugs. As noted by the commenters, 
compounded drugs are often prescribed or dispensed for patients for 
whom commercially available products are not clinically suitable.\20\ 
We are not defining ``compounding'' or ``compounded drugs'' in 
regulatory text in this rule. For purposes of this rule, compounding 
pharmacies include entities that primarily compound drugs or primarily 
dispense compounded drugs, such as topical pain creams, with or without 
licensure or valid prescriptions. Accordingly, we are not adopting the 
narrower definitional suggestions made by commenters.
---------------------------------------------------------------------------

    \20\ See, e.g., FDA, Compounding and the FDA: Questions and 
Answers, available at https://www.fda.gov/drugs/human-drug-compounding/compounding-and-fda-questions-and-answers (addressing 
what is compounding and why some patients need compounded drugs).
---------------------------------------------------------------------------

    We explained in the OIG Proposed Rule that we were considering 
whether specific types of pharmacies, such as compounding pharmacies, 
should be carved out of safe harbor protection even if others, such as 
retail and community pharmacies, are eligible for safe harbor 
protection. The OIG Proposed Rule states that pharmacies that 
specialize in compounding pharmaceuticals may pose a heightened risk of 
fraud and abuse, as evidenced by our enforcement experience, and may 
not play a direct role in patient care coordination.\21\ We remain 
deeply concerned about fraud and abuse in the compounding pharmacy 
industry.
---------------------------------------------------------------------------

    \21\ 84 FR 55704 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Our recent criminal, civil, and administrative enforcement history 
shows an increasing number of fraud allegations, investigations, and 
cases related to compounded drugs, including topical compounded drugs 
such as creams, gels, and ointments to relieve pain.\22\ OIG's 
oversight experience also has found that Medicare Part D spending for 
compounded topical drugs was 24 times higher in 2016 than it was in 
2010, which raises concerns about fraud and abuse.\23\ According to the 
FDA, there are also safety and effectiveness concerns related to 
compounded drugs, which are not FDA approved.\24\ This is also an area 
of significant growth in Medicare Part D spending; spending for 
compounded topical drugs was 24 times higher in 2016 than it was in 
2010, some of which may be attributed to suspect billing practices. In 
2016, OIG found that about 550 pharmacies had engaged in questionable 
Part D billing practices for compounded topical drugs and warranted 
further scrutiny. Each pharmacy billed extremely high amounts for at 
least one of five measures that OIG has developed as indicators of 
possible fraud, waste, and abuse.\25\ In light of this enforcement and 
oversight experience, we conclude that the risks of allowing pharmacies 
that primarily compound drugs or primarily dispense compounded drugs to 
rely on the value-based arrangements, patient engagement tools and 
supports, and outcomes-based payments safe harbors outweigh the 
potential benefits. As explained further below, other pharmacies are 
eligible to rely on the safe harbors. As with other entities ineligible 
for protection under the value-based, patient engagement tools and 
supports, and outcomes-based payments safe harbors, compounding 
pharmacies can still be VBE participants.
---------------------------------------------------------------------------

    \22\ See, e.g., Press Release, U.S. Department of Justice, 
Compounding Pharmacy, Two of Its Executives, and Private Equity Firm 
Agree to Pay $21.36 Million to Resolve False Claims Act Allegations 
(Sept. 18, 2019), https://www.justice.gov/opa/pr/compounding-pharmacy-two-its-executives-and-private-equity-firm-agree-pay-2136-million; Press Release, U.S. Department of Justice, Four Florida Men 
Charged for Their Roles in a $54 Million Compound Pharmacy Kickback 
Scheme (June 5, 2020), https://www.justice.gov/opa/pr/four-florida-men-charged-their-roles-54-million-compound-pharmacy-kickback-scheme; OIG, Civil Monetary Penalties and Affirmative Exclusions, 
Texas Company and Owner Agree to Voluntary Exclusion (July 20, 
2020).
    \23\ OIG, Questionable Billing for Compounded Topical Drugs in 
Medicare Part D (Aug. 2018), available at https://oig.hhs.gov/oei/reports/oei-02-16-00440.asp.
    \24\ FDA, Compounding and the FDA: Questions and Answers, 
available at http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/PharmacyCompounding/ucm339764.htm.
    \25\ OIG, Questionable Billing for Compounded Topical Drugs in 
Medicare Part D (Aug. 2018), available at https://oig.hhs.gov/oei/reports/oei-02-16-00440.asp.
---------------------------------------------------------------------------

    We recognize that many pharmacies may dispense some compounded 
drugs. For purposes of this rule, a pharmacy is only considered to be a 
compounding pharmacy (and ineligible for protection under certain safe 
harbors) if it primarily compounds drugs or primarily dispenses 
compounded drugs. We anticipate that most retail pharmacies and 
community pharmacies that offer care coordination and management 
services will not be covered by this category and will be eligible to 
rely on the safe harbors.
    We are not adopting the commenters' suggestions to provide safe 
harbor protection for remuneration exchanged by compounding pharmacies 
that demonstrate that they are good actors or that exemplify good 
compounding practices through adherence to USP Chapter 795 and 
attainment of PCAB accreditation from ACHC. We believe the suggested 
approaches would introduce additional complexity and uncertainty into 
the safe harbors by further attempting to distinguish among different 
types of compounding pharmacies.
    We do not prescribe a specific standard or test for assessing 
whether a pharmacy primarily compounds drugs or primarily dispenses 
compounded drugs. Entities may use a variety of different 
methodologies, depending on their circumstances. We expect parties to 
use a reasonable methodology, which they may wish to document. If an 
entity has multiple lines of business, with one line of business being 
a compounding pharmacy, the entity should use the multiple lines of 
business test as laid out in section III.B.2.e.v of this preamble to 
determine whether it is eligible to rely on the safe harbors or a 
compounding pharmacy ineligible to rely on the safe harbors.
    Entities seeking safe harbor protection that are uncertain as to 
whether they are eligible to rely on the value-based safe harbors or 
any other safe harbor for a particular arrangement may wish to use the 
OIG advisory opinion process.
    Finally, we want to clarify that nothing in this rulemaking should 
affect patients' access to medically necessary compounded drugs. The 
dispensing of compounded drugs pursuant to applicable coverage and 
billing rules does not implicate the Federal anti-kickback statute. Nor 
does this rule speak to the pricing of such products. With respect to 
remuneration paid to compounding pharmacies or pharmacists for services 
furnished to patients, whether such payments implicate the statute is a 
case-by-case determination and the safe harbors for employment and 
personal services and management contracts remain available. As noted 
elsewhere, with respect to value-based contracting with pharmaceutical 
manufacturers, we may consider safe harbor protection for such 
arrangements in future rulemaking.
iii. Digital Health Technologies and Limited Technology Participants
    As explained in more detail below, the final rule includes a 
pathway for protection of ``digital health technology'' arrangements 
involving ``limited technology participants,'' as those terms are 
defined under the care coordination arrangements safe harbor.

[[Page 77716]]

This pathway responds to comments supporting protection of digital 
technology arrangements involving medical device manufacturers and 
DMEPOS companies. VBE participants that are not on the ineligible 
entity list may exchange digital health technologies (and any other 
technologies) under the care coordination arrangements safe harbor, and 
they are not subject to the additional safe harbor condition that 
applies to limited technology participants. Further, the pathway for 
limited technology participants does not apply to the substantial 
downside risk and full financial risk safe harbors. The care 
coordination arrangements safe harbor is available for digital health 
technology arrangements between limited technology participants and VBE 
participants in risk-based arrangements.
    For purposes of the pathway for limited technology participants, we 
are defining the term ``limited technology participant'' at paragraph 
1001.952(ee)(14)(iii) to mean a VBE participant that exchanges digital 
health technology with another VBE participant or a VBE and that is: 
(A) A manufacturer of a device or medical supply, but not including a 
manufacturer of a device or medical supply that was obligated under 42 
CFR 403.906 to report one or more ownership or investment interests 
held by a physician or an immediate family member during the preceding 
calendar year, or that reasonably anticipates that it will be obligated 
to report one or more ownership or investment interests held by a 
physician or an immediate family member during the present calendar 
year (for purposes of this paragraph, the terms ``ownership or 
investment interest,'' ``physician,'' and ``immediate family member'' 
have the same meaning as set forth in 42 CFR 403.902); or (B) an entity 
or individual that sells or rents durable medical equipment, 
prosthetics, orthotics, or supplies covered by a Federal health care 
program (other than a pharmacy or a physician, provider, or other 
entity that primarily furnishes services). In short, many manufacturers 
of medical devices and supplies (but not physician-owned distributors) 
and DMEPOS companies are eligible to be limited technology participants 
if they fit in this definition.
    We are defining ``digital health technology'' at paragraph 
1001.952(ee)(14)(ii) broadly to mean hardware, software, or services 
that electronically capture, transmit, aggregate, or analyze data and 
that are used for the purpose of coordinating and managing care; such 
term includes any internet or other connectivity service that is 
necessary and used to enable the operation of the item or service for 
that purpose. Importantly, this definition specifies the types of 
technology a limited technology participant can exchange under the safe 
harbor. It does not constrain the types of technology that can be 
exchanged by other VBE participants eligible to use the safe harbor.
    Comment: Several commenters emphasized the importance of allowing 
health technology companies to participate as VBE participants and 
asserted that making medical device manufacturers ineligible to be VBE 
participants may impact the availability of digital technologies for 
purposes of coordinating and managing care because no meaningful line 
can be drawn between medical device companies and health technology 
companies. For example, a commenter explained that they offer both 
traditional medical devices and other digital health technologies, the 
latter of which includes clinical decision support tools and artificial 
intelligence-assisted diagnostic support tools. Another commenter noted 
that manufacturers of implantable devices often pair their products 
with software solutions to support patient diagnosis and treatment. A 
trade association representing device manufacturers described a program 
where a manufacturer of automated external defibrillators and cardiac 
monitoring devices with transmitting capabilities offers a device-
agnostic software solution that permits coordination between EMS 
providers and hospitals. According to the commenter, the software 
enables receiving hospitals to access cardiac data in real time so they 
can have advance notice of patients en route and provide consultation 
back to EMS personnel to direct the patient to the appropriate 
treatment location (e.g., community hospital, hospital with specialized 
services). Another commenter explained how digital health technology is 
integrated with medical devices used by patients to provide data to 
patients and providers for patient engagement and treatment adherence 
purposes. Other commenters emphasized the difficulty of clearly 
distinguishing between device manufacturers and digital health 
technology companies, and that both may provide a mix of traditional 
medical devices and digital health technology. Commenters supported an 
approach that would not unintentionally exclude beneficial digital 
health technology from protection under the safe harbor.
    Response: In the OIG Proposed Rule, we expressed interest in 
protecting remuneration in the form of a wide range of mobile and 
digital technologies for the coordination and management of patient 
care, including, by way of example, remote monitoring, predictive 
analytics, data analytics, care consultations, patient portals, 
telehealth and other communications, and software and applications that 
support services to coordinate and monitor patient care and health 
outcomes (for individuals and populations). We noted diabetes 
management services that leverage devices and cloud storage services to 
monitor blood sugar levels and transmit data as an example.
    While recognizing the promise that digital health technologies have 
for improving care coordination and health outcomes, in the OIG 
Proposed Rule we also raised fraud and abuse concerns associated with 
medical device manufacturers based on our historical law enforcement 
experience. Section III.B.2.e.d. explains those concerns in more 
detail. Recognizing these factors, we solicited comments generally on 
how best to protect beneficial digital technologies and mitigate fraud 
and abuse risks. This included requesting comment on definitions and 
factors to consider for specific types of entities that would protect 
digital technology and not be too narrow or broad.
    Consistent with this request for comments, the intent in the OIG 
Proposed Rule, and to address comments received, we define the term 
``digital health technology'' at paragraph 1001.952(ee)(14)(ii) and we 
define ``limited technology participant'' at paragraph 
1001.952(ee)(14)(iii). These definitions balance the interests we 
raised in the OIG Proposed Rule by protecting beneficial digital health 
technology and mitigating the fraud and abuse risks by specifying the 
types of technology that limited technology participants can furnish 
under the care coordination arrangements safe harbor. This approach 
also addresses concerns raised by commenters regarding unintentionally 
excluding beneficial digital health technology from safe harbor 
protection. We discuss each definition in more detail below in this 
section.
    Digital health technology is defined as hardware, software, or 
services that electronically capture, transmit, aggregate, or analyze 
data and that are used for the purpose of coordinating and managing 
care; such term includes any internet or other connectivity service 
that is necessary and used to

[[Page 77717]]

enable the operation of the item or service for that purpose. We intend 
for this term to encompass a wide range of digital health technologies, 
including technologies that are not yet developed or available. It also 
includes associated internet or other connectivity services, including 
dial-up, that are necessary and used to enable the operation of the 
item or service for the purpose of coordinating and managing care. The 
term ``digital health technology'' includes, for example, the software 
solution described by the commenter that enables hospitals to access 
data from cardiac devices used by EMS providers in the field so that 
they can coordinate and manage the care of patients undergoing a 
cardiac emergency, including connectivity services, such as mobile 
hotspots and plans, necessary to enable the EMS providers to transmit 
data from the field to the hospital.
    Only limited technology participants are limited to the types of 
technology set out in the definition of ``digital health technology.'' 
Other VBE participants eligible for the safe harbor may provide 
additional types of technology so long as the value-based arrangement 
squarely meets all safe harbor conditions.
    We share commenters' views regarding the desirability of enabling 
VBE and VBE participants to leverage digital health tools to support 
the coordination and management of care. All individuals (except for 
patients) and entities are eligible to be VBE Participants, and this 
includes health technology companies, including those that are not 
traditionally involved in health care or may be new entrants to health 
care. Except as otherwise provided in the safe harbor regulations, 
health technology companies are eligible to rely on the protection of 
the safe harbors for value-based arrangements with other VBE 
participants, provided that their arrangements squarely meet all 
applicable safe harbor conditions.
    The question arose in the OIG Proposed Rule, and remains relevant 
here, whether manufacturers of devices and medical supplies and DMEPOS 
companies are health technology companies. For most purposes, as 
described above, these entities are carved out of the value-based safe 
harbors and are ineligible to rely on them. However, we are creating a 
pathway to enable these entities to deploy digital health technologies 
under the care coordination arrangements safe harbor at paragraph 
1001.952(ee). For purposes of this safe harbor, manufacturers of 
devices or medical supplies (as defined in paragraph 1001.952(ee)) and 
DMEPOS companies (i.e., entities or individuals that sell or rent 
covered DMEPOS, not including physicians or providers that primarily 
furnish services and pharmacies) that exchange digital health 
technologies with another VBE participant or the VBE are collectively 
termed ``limited technology participants'' in paragraph 1001.952(ee).
    Limited technology participants may use the care coordination 
arrangements safe harbor to protect the exchange of digital health 
technologies with other VBE participants or the VBE if the arrangement 
meets an additional safe harbor condition, described below. Limited 
technology participants may not, by definition, rely on the care 
coordination arrangements safe harbor to exchange other forms of 
remuneration. All other entities eligible to use the safe harbor can 
also exchange remuneration in the form of digital health technology, 
and they do not have to meet the additional safe harbor conditions that 
apply only to limited technology participants at paragraph 
1001.952(ee)(8). For example, physicians and providers that primarily 
furnish services are not treated as limited technology participants and 
are therefore not obligated to meet the additional conditions that 
apply to limited technology participants.
    In short, remuneration in the form of digital health technology may 
be exchanged under the care coordination arrangements safe harbor by 
all entities that are not carved out of the safe harbor, as well as 
limited technology participants.
    Consistent with our statements in the OIG Proposed Rule reflecting 
our intent that physician-owned distributorships not be eligible to 
rely on the value-based safe harbors, we do not intend for physician-
owned distributorships to be able to use the limited technology 
participant pathway in the care coordination arrangements safe harbor. 
To foreclose this possibility, we clarify in paragraph 1001.952(ee)(14) 
that the term ``limited technology participant'' does not include 
manufacturers of devices or medical supplies that were obligated under 
42 CFR 403.906 to report one or more ownership or investment interests 
held by a physician or an immediate family member during the preceding 
calendar year, or that reasonably anticipate that they will be 
obligated to report one or more ownership or investment interests held 
by a physician or an immediate family member during the present 
calendar year. For purposes of this definition, the term ``manufacturer 
of a device or medical supply'' has the meaning set forth in paragraph 
1001.952(ee)(14), and the terms ``ownership or investment interest,'' 
``physician,'' and ``immediate family member'' have the meaning set 
forth in 42 CFR 403.902. We take this opportunity to make clear that 
this regulatory provision should not be construed as an official 
definition of unlawful physician-owned distributorships or physician-
owned entities more broadly. This regulation does not alter our long-
standing guidance regarding physician-owned distributorships, and we 
specifically reaffirm the guidance in our 2013 Special Fraud Alert on 
Physician-Owned Entities.\26\
---------------------------------------------------------------------------

    \26\ See OIG, Special Fraud Alert: Physician-Owned Entities 
(Mar. 26, 2013), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/2013/POD_Special_Fraud_Alert.pdf.
---------------------------------------------------------------------------

iv. Pharmacies Other Than Compounding Pharmacies
    Comment: The overwhelming majority of commenters on this topic 
supported allowing pharmacies to be VBE participants. Commenters cited 
a wide range of reasons, including that pharmacies and pharmacists are 
already involved in many aspects of care coordination and management 
and that they are on the front line of care coordination because they 
often serve as the key point of contact between patients and the health 
care system due to their geographic proximity to patients. Commenters 
emphasized that pharmacies provide many services to patients, not just 
items. A commenter also noted that an ACO may be a VBE and that a 
number of ACOs currently integrate pharmacists for medication 
management and other services. Conversely, another commenter suggested 
that pharmacies should not be eligible because they present many of the 
same concerns as pharmaceutical manufacturers, wholesalers, and 
distributors.
    Response: With the exception of compounding pharmacies (as 
explained in section III.2.e.ii.f of this preamble), pharmacies can 
utilize each of the final value-based safe harbors for value-based 
arrangements and are not subject to any pharmacy-specific restrictions 
or limitations. Pharmacies other than compounding pharmacies also are 
eligible for safe harbor protection under the safe harbors for patient 
engagement tools and supports (paragraph 1001.952(hh)) and outcomes-
based payments (amended paragraph 1001.952(d)). We are persuaded that 
many pharmacies and pharmacists have the potential to facilitate 
coordination and management of care for patients and

[[Page 77718]]

that their participation in value-based arrangements may further the 
purposes of this final rulemaking. Except in the case of compounding 
pharmacies, these potential benefits outweigh our program integrity 
concerns, which are adequately addressed by the requirements of the 
value-based safe harbors.
v. Entities With Multiple Business Lines
    Comment: We received several comments seeking guidance on how 
entities with multiple business lines or with multiple regulatory 
classifications would be viewed for purposes of safe harbor 
eligibility. Some commenters requested clarification on how the 
eligibility standards would be impacted by corporate affiliations or 
shared ownership. Another commenter noted that some health systems are 
involved in device and technology development.
    Some questioned how OIG would view an entity that operates both 
eligible and ineligible business lines through separate business units, 
with certain commenters suggesting that it would be impossible to 
distinguish between types of entities because the health care industry 
is not siloed in this manner. Others asserted that the fact that many 
companies have multiple business lines is reason enough for OIG not to 
make any types of business lines ineligible to be VBE participants. 
Another commenter requested that clinical quality improvement and data 
registries be eligible to be VBE participants, regardless of their 
ownership or other status.
    Response: Under the final rule, the question of whether a 
particular entity is eligible to rely on a safe harbor, or whether an 
entity fits the definition of a limited technology participant, is 
assessed at the corporate entity level by considering the corporate 
entity's predominant or core line of business. We did not propose, and 
we are not finalizing, standards relating to common ownership or 
corporate affiliation. Corporate affiliation, whether by majority 
ownership, common ownership, or another structure, has no bearing on 
eligibility.
    For example, a pharmacy (other than a compounding pharmacy as 
explained in section III.2.e.ii.f) that is under common ownership with 
a PBM would be eligible to rely on the value-based safe harbors, 
notwithstanding the fact that the pharmacy is related to a PBM, which 
is ineligible to rely on those safe harbors. Likewise, within a health 
system that is comprised of multiple corporate entities, the fact that 
one or more of those entities might engage in activities that make it a 
manufacturer of devices or medical supplies would not impact the 
availability of the safe harbor to other corporate entities in the 
health system that do not engage in such activities.
    Where a single corporate entity operates multiple business lines, 
eligibility turns on the entity's predominant or core business. For 
example, a pharmacy that is operated within the same corporate entity 
as a pharmaceutical manufacturer would not be eligible to rely on these 
safe harbors to the extent the corporate entity's core function is the 
manufacturing of pharmaceuticals and the pharmacy operation merely 
supports the manufacturing line of business. Similarly, where a single 
corporate entity manufactures both pharmaceuticals and medical devices, 
the question of eligibility would focus on which line of business is 
the predominant or core line of business of that corporate entity. For 
example, if a corporation's predominant function is the manufacturing 
of devices (including, for example, preparation, propagation, assembly, 
and processing of devices) and it also manufactures a pharmaceutical 
product that is incorporated into and integral to a medical device (for 
example, a drug-eluting medical device), the entity would be treated as 
a manufacturer of devices or medical supplies because that remains its 
core business and function. The question of whether a quality 
improvement or data registry will be eligible will similarly turn on 
whether it is housed within a corporate entity whose predominant 
function places it on the carve-out list.
    Large corporations that are organized with multiple business lines 
within a single corporate entity will need to assess whether they have 
a predominant or core business. We do not prescribe a specific standard 
or test for assessing an entity's predominant or core business 
function, and we expect that entities may use a variety of different 
methodologies, depending on their circumstances. We would expect 
parties to use a reasonable methodology, which they may wish to 
document. For example, share of revenues may be a relevant metric for 
some entities, but for others where one or more products are still in 
development, revenues may not be an appropriate metric. Entities 
seeking safe harbor protection that are uncertain as to whether they 
are eligible to rely on the value-based safe harbors for a particular 
arrangement may wish to use the OIG advisory opinion process.
    Parties seeking protection under the safe harbors may first need to 
assess the regulatory text for ineligible entities in the specific safe 
harbor of interest. For example, where an entity's business includes 
the sale or rental of DMEPOS covered by a Federal health care program, 
the question of eligibility is addressed by the regulatory text, which 
specifies that the ineligibility of DMEPOS companies does not apply to 
a pharmacy or a physician, provider, or other entity that primarily 
furnishes services. Thus, for example, a disease management company 
that primarily furnishes a suite of disease management services (e.g., 
wellness coaching, patient education, health technology tools to 
promote medication adherence) and also sells or rents DMEPOS in support 
of these services would be eligible to rely on the value-based safe 
harbors and would not be subject to the constraints imposed on limited 
technology participants. Conversely, an entity that sells or rents 
covered DMEPOS and does not primarily furnish services would be 
ineligible, except as a potential limited technology participant under 
the care coordination arrangements safe harbor.
    We also note that, wholly apart from any value-based arrangement, 
transfers of remuneration from one entity to another may implicate the 
Federal anti-kickback statute if those transfers of remuneration are 
intended to induce or reward referrals for items and services covered 
by a Federal health care program. This potential liability arises even 
where the recipient subsequently uses the remuneration in a manner that 
is protected by a safe harbor. Thus, for example, if an ineligible 
entity transferred remuneration to a VBE participant in order for the 
recipient VBE participant to induce or reward referrals back to the 
ineligible entity, the initial transfer may result in liability under 
the Federal anti-kickback statute, even if the recipient VBE 
participant's subsequent transfer of the remuneration to other VBE 
participants or to patients is protected under a safe harbor.
    Comment: Several commenters noted that many providers, including 
hospitals and health systems, often own or operate pharmacies and 
questioned how an exclusion of pharmacies would apply to them.
    Response: Other than pharmacies that primarily compound drugs or 
primarily dispense compounded drugs, pharmacies are not subject to any 
limitations or restrictions under this final rule, and thus ownership 
or operation of many pharmacies by another provider would have no 
impact on eligibility. Should a compounding pharmacy exist within a 
health system that is comprised of multiple corporate entities, the 
fact that one of the entities may be a pharmacy that primarily 
compounds drugs or primarily

[[Page 77719]]

dispenses compounded drugs would not impact the availability of the 
safe harbor to other corporate entities in the health system. Moreover, 
should a compounding pharmacy exist within a single entity that also 
furnishes other services, such as health clinic that furnishes 
physician services, the entity would apply the multiple lines of 
business test to determine whether or not the entity would be 
characterized as a compounding pharmacy.
    Comment: Some commenters described companies that are regulated as 
both CLIA laboratories and manufacturers of devices or medical supplies 
because they perform their own FDA-regulated in-vitro diagnostic tests 
at their own CLIA-certified laboratories and sought clarification 
regarding how they would be viewed.
    Response: We have replaced the term ``clinical laboratory'' with 
the term ``laboratory company'' in this final rule to clarify the type 
of entities that we intend to make ineligible to rely on the value-
based safe harbors. The term ``laboratory company'' refers to 
independent companies that operate clinical laboratories and bill for 
the laboratory services they furnish through their own billing numbers. 
Consistent with the approach described above, the entity would need to 
consider what its predominant or core business function is--
manufacturing (e.g., preparation, propagation, assembly, processing) a 
medical device or furnishing laboratory services. Without further 
details regarding the commenters' specific business operations, we are 
unable to provide a precise response here.
    Comment: A commenter noted that a pharmacy is included as a 
``laboratory'' under CLIA. Other commenters noted that pharmacies may 
be co-located with health clinics or owned and operated by other types 
of providers. The commenters sought guidance on how these relationships 
between entity types would impact eligibility for protection under the 
safe harbors.
    Response: As discussed above, and based upon the comments, we have 
revised the terminology in this final rule to refer to laboratory 
companies rather than clinical laboratories, and we intend for 
``laboratory companies'' to mean independent companies that operate 
clinical laboratories and bill for the laboratory services they furnish 
through their own billing numbers. Consistent with the approach set 
forth above, because a pharmacy's predominant or core business function 
is to provide pharmacy services, not laboratory services, we would not 
consider the fact that pharmacies are treated as laboratories for other 
regulatory purposes to impact their eligibility to rely on the value-
based safe harbors. As noted previously, pharmacies that primarily 
compound drugs or primarily dispense compounded drugs would not be 
eligible for safe harbor protection.
vi. New Safe Harbor Conditions
    Comment: With respect to potential additional safeguards for VBE 
participants generally, commenters suggested a wide range of options, 
some of which we stated that we were considering in the OIG Proposed 
Rule (e.g., prohibitions on exclusivity, required data reporting or 
monitoring). Some commenters also recommended that we implement these 
additional safeguards for certain types of entities (e.g., medical 
device manufacturers).
    Response: Consistent with the proposal within the OIG Proposed 
Rule, we are adopting an additional safeguard in the care coordination 
arrangements safe harbor targeted to manufacturers of devices and 
medical supplies and DMEPOS companies that exchange digital health 
technologies to mitigate the increased risk of abuse presented by 
allowing these entities to use this safe harbor.
    As discussed above, we have created a new category of VBE 
participants, ``limited technology participants,'' which is comprised 
of manufacturers of devices and medical supplies and DMEPOS companies 
that exchange digital health technology with another VBE participant or 
the VBE. Consistent with our proposal in the OIG Proposed Rule, we are 
adopting a requirement in the care coordination arrangements safe 
harbor that the exchange of digital health technologies by limited 
technology participants may not be conditioned on any recipient's 
exclusive use, or minimum purchase, of any item or service 
manufactured, distributed, or sold by the limited technology 
participant. This additional safeguard addresses the specific program 
integrity concerns presented by manufacturers of devices and medical 
supplies and DMEPOS companies, which are heavily dependent on 
practitioner referrals and who might use value-based arrangements to 
tether clinicians to their products or to secure guaranteed referral 
streams.
    Comment: Some commenters suggested that applying safeguards to 
specific types of entities, and not others, might deter those entities 
from participating in value-based arrangements.
    Response: First, we note that we have not imposed any additional 
conditions on specific types of entities in the substantial downside 
financial risk safe harbor or the full financial risk safe harbor. 
Second, we do not concur with the commenter's assertion that the 
limited technology participant pathway will disincentivize 
participation in value-based arrangements; this framework allows 
manufacturers of devices and medical supplies and DMEPOS companies to 
participate in value-based arrangements involving digital health 
technology and benefit from protection under the care coordination 
arrangements safe harbor if they satisfy all safe harbor conditions.
    Comment: In response to our proposal to include a safeguard that 
prohibits exclusivity provisions, many commenters expressed support for 
such a safeguard. Others cautioned that exclusivity provisions in 
contractual arrangements can be appropriate in certain situations, such 
as where substantial financial investments are required or where 
exclusivity is consistent with intellectual property rights and 
protections. Some commenters encouraged us to investigate the pros and 
cons of prohibiting exclusivity provisions before adopting this 
safeguard. At least two commenters opposed any potential prohibition of 
exclusivity requirements. One commenter asserted that no manufacturer 
has the capability or resources to ensure that all of its value-based 
arrangement offerings always operate as a ``plug and play,'' always 
interchangeable, product agnostic system. Another commenter stated that 
parties to value-based arrangements should have flexibility to require 
use of a medical device where clinical evidence dictates that a 
particular practice not currently in use would vastly improve outcomes.
    Response: We are adopting our proposal to preclude protection for 
the exchange of remuneration conditioned on a recipient's exclusive 
use, or minimum purchase, of any item or service manufactured, 
distributed, or sold by a limited technology participant in the care 
coordination arrangements safe harbor. We are only applying this 
condition to remuneration exchanged by limited technology participants; 
it does not apply to any other VBE participants. We are only adopting 
this condition in the care coordination arrangements safe harbor, not 
the other value-based safe harbors. We recognize that exclusivity 
provisions may be appropriate business terms in certain contexts. 
However, precluding safe harbor protection for arrangements that 
include exclusivity provisions tied to products offered by limited 
technology participants is an important safeguard. This safeguard 
mitigates risk that these entities, which

[[Page 77720]]

are heavily dependent on practitioner referrals to sell their products, 
will attempt to use the care coordination arrangements safe harbor to 
protect arrangements intended to generate product sales or arrangements 
that lock practitioners and patients into using products that may not 
be in the patients' best interests in the clinical judgment of the 
practitioners.
    The safe harbor requirement that remuneration exchanged by limited 
technology participants may not be conditioned on any recipient's 
exclusive use or minimum purchase of the limited technology 
participant's products does not prevent use of products based on 
clinical best evidence. Nor does it prevent requirements in value-based 
arrangements that providers use products based on clinical evidence 
showing improved outcomes, when those products are in a patient's best 
interests in the judgment of their practitioners. Nor does the 
provision require that all value-based arrangements be product-agnostic 
or that the digital technology provided under such an arrangement be 
fully interchangeable with other products. The provision does mean 
that, where remuneration is exchanged by a limited technology 
participant, the VBE participants will not be entitled to safe harbor 
protection under the care coordination arrangements safe harbor if the 
limited technology participant conditions the remuneration on the 
exclusive use of its product or a minimum purchase amount. This safe 
harbor requirement does not apply to remuneration exchanged by VBE 
participants that are not limited technology participants.
f. Value-Based Purpose
    Summary of OIG Proposed Rule: We proposed to define a ''value-based 
purpose'' as: (i) Coordinating and managing the care of a target 
patient population; (ii) improving the quality of care for a target 
patient population; (iii) appropriately reducing the costs to, or 
growth in expenditures of, payors without reducing the quality of care 
for a target patient population; or (iv) transitioning from health care 
delivery and payment mechanisms based on the volume of items and 
services provided to mechanisms based on the quality of care and 
control of costs of care for a target patient population.
    Summary of Final Rule: We are finalizing, without modification, our 
definition of ``value-based purpose.''
    Comment: While several commenters expressed support for our 
proposed definition of ``value-based purpose'' as drafted, the majority 
of commenters sought clarification on the term. For example, commenters 
sought clarification on how quality would be defined and measured under 
the value-based purpose and, more specifically, whether certain 
measures would be seen as reducing quality. Another commenter requested 
that OIG address how parties to a value-based arrangement would need to 
document that the arrangement met a value-based purpose. Other 
commenters sought confirmation that the definition of ``value-based 
purpose'' does not require parties to succeed in achieving the 
applicable purpose.
    Response: As a threshold matter, the definition of ``value-based 
purpose'' was crafted to provide parties with flexibility to develop 
innovative care arrangements and strategies specific to the needs of 
their target patient populations. We are not prescribing how parties 
define and measure quality to qualify for the definition or how parties 
document the ways in which they intend to achieve the VBE's value-based 
purpose(s). Whether certain measures reduce quality is a fact-specific 
inquiry. Further, neither the definition of ``value-based purpose'' nor 
the value-based safe harbors requires parties to achieve the VBE's 
value-based purpose(s); rather, the definition of ``value-based 
purpose'' should be read in conjunction with the definition of ``value-
based activity,'' which requires value-based activities to be 
reasonably designed to achieve the VBE's value-based purpose(s). 
Documentation requirements are specified in individual safe harbors.
    Comment: Multiple commenters requested further guidance on the 
fourth value-based purpose of transitioning from health care delivery 
and payment mechanisms based on the volume of items and services 
provided to mechanisms based on the quality of care and control of 
costs of care for a target patient population.
    Response: We are finalizing the fourth value-based purpose in 
recognition that parties transitioning to value-based care may need to 
provide infrastructure and perform other activities necessary to 
transition to the assumption of downside financial risk. For example, 
as discussed in section III.B.5 below, parties to value-based 
arrangements that meet the requirements of the full financial risk safe 
harbor may exchange remuneration during a twelve-month phase-in period, 
where the VBE is contractually obligated to assume full financial risk 
in the next 12 months but has not yet assumed such risk. During this 
phase-in period, the parties may have, as a value-based purpose, the 
purpose of transitioning from health care delivery and payment 
mechanisms based on the volume of items and services provided to 
mechanisms based on the quality of care and control of costs of care 
for a target patient population, and the parties may exchange, among 
other things, remuneration necessary to enable the VBE to transition to 
the assumption of full financial risk.
    Comment: Other commenters advocated for revisions to the definition 
of ``value-based purpose.'' These comments generally focused on two 
issues related to the value-based purpose of appropriately reducing the 
costs to, or growth in expenditures of, payors without reducing the 
quality of care for a target patient population: Whether the definition 
of ``value-based purpose'' should protect: (i) Cost-reduction efforts 
more broadly, rather than only to the benefit of payors; and (ii) cost-
reduction efforts only when paired with improved quality or maintenance 
of already-improved quality of care.
    With respect to the first issue, commenters generally were in favor 
of expanding the third purpose to cover all cost-reduction efforts, not 
just those that benefit payors. At least two commenters asserted that 
this expansion would be necessary to protect gainsharing arrangements.
    Commenters' opinions varied on the second issue, related to our 
proposal that reducing costs to, or the growth in expenditures of, 
payors must be accomplished without reducing the quality of care for 
the target patient population, with some expressing support and others 
opposition. Many commenters opined on our alternative proposal to 
include the reduction of costs to, or growth in expenditures of, payors 
in the definition of ``value-based purpose'' only where there is also 
an improvement in patient quality of care or the parties are 
maintaining an improved level of care. On the one hand, certain 
commenters believed this alternative standard would be overly 
prescriptive and difficult to measure; others expressed support, with 
one stating that a reduction in costs alone is not true value and that 
the improvement of care should be the first priority.
    Response: We are finalizing this portion of the definition, as 
proposed. A goal of this rulemaking is to support quality improvements 
and cost efficiencies achieved through better care coordination that 
benefit patients and the health care delivery system. In our view, 
arrangements that do not result in a reduction in costs to, or growth 
in expenditures of, payors--such as reductions in surgical suite costs 
for a

[[Page 77721]]

hospital--do not further this goal sufficiently to warrant protection 
under the third value-based purpose definition. The definition of 
``value-based purpose'' that we are finalizing is not intended to 
foreclose internal-cost savings arrangements, such as gainsharing, in 
their entirety; however, parties must consider whether such 
arrangements would further other purposes in the ``value-based 
purpose'' definition and the conditions of the applicable value-based 
safe harbor. We also do not believe a higher standard of improving or 
maintaining already improved quality of care is necessary. We are 
persuaded that preventing reductions in quality of care, paired with 
the safeguards in each of the value-based safe harbors, provides both 
flexibility and sufficient protection against the potential for patient 
harm.
    Comment: A commenter asserted that VBEs should have at least one 
value-based purpose related to patient care improvement and expressed 
concern that allowing VBEs to focus solely on cost reduction would 
compromise patient care and have a disproportionate impact on patients 
with rare conditions.
    Response: While a VBE or value-based arrangement may, but is not 
required to, have as a value-based purpose improving the quality of 
care for a target patient population, none of the value-based purposes 
protect value-based arrangements that compromise patient quality of 
care. Of the two value-based purposes that incorporate cost control or 
cost reduction concepts, one requires the appropriate reduction in 
costs to, or growth in expenditures of, payors without reducing the 
quality of care for a target patient population; the other requires the 
transition of health care delivery and payment mechanisms based on the 
volume of items and services provided to mechanisms based on the 
quality of care and control of costs of care to payors for a target 
patient population. Both of these value-based purposes emphasize the 
importance of ensuring patient quality of care.
    We further highlight that each of the value-based safe harbors 
includes a safeguard precluding safe harbor protection for value-based 
arrangements that stint on medically necessary patient care; this 
safeguard provides that the value-based arrangement may not induce 
parties to furnish medically unnecessary items or services or reduce or 
limit medically necessary items or services furnished to any patient.
    Comment: A commenter expressed concern that the ``value-based 
purpose'' definition may lead to patient harm, fails to protect 
adequately against abusive cycling of patients for financial gain, and 
potentially impinges on the professional judgment of health care 
professionals.
    Response: We share the commenter's concerns about patient harm, 
abusive cycling of patients for financial gain and compromised 
professional judgment. We have addressed these concerns through various 
safeguards and requirements of the value-based safe harbors and the 
patient engagement and support safe harbor. We note that compliance 
with the value-based purpose definition does not necessarily qualify 
parties or arrangements for safe harbor protection.
g. Coordination and Management of Care
    Summary of OIG Proposed Rule: We proposed to define ``coordination 
and management of care,'' the first of the four value-based purposes, 
as the deliberate organization of patient care activities and sharing 
of information between two or more VBE participants or VBE participants 
and patients, tailored to improving the health outcomes of the target 
patient population, in order to achieve safer and more effective care 
for the target patient population. In defining this term, we sought to 
distinguish between referral arrangements, which would not be 
protected, and legitimate care coordination arrangements, which 
naturally involve referrals across provider settings but also include 
beneficial activities beyond the mere referral of a patient or ordering 
of an item or service. We expressed particular concern about 
distinguishing between coordinating and managing patient care 
transitions for the purpose of improving the quality of patient care or 
appropriately reducing costs, on one hand, and churning patients 
through care settings to capitalize on a reimbursement scheme or 
otherwise generate revenue. We proposed in preamble that we would not 
consider the provision of billing or administrative services to be the 
coordination and management of patient care.
    Summary of Final Rule: We are finalizing, with modifications, the 
definition of ``care coordination and management.'' First, we have 
revised the definition to clarify that the deliberate organization of 
patient care activities and sharing of information must occur between 
two or more VBE participants, one or more VBE participants and the VBE, 
or one or more VBE participants and patients. Second, in response to 
comments, we have revised the description of the required goals to 
state that the parties' efforts (i.e., the deliberate organization of 
patient care activities and sharing of information) must be designed to 
achieve safer, more effective, or more efficient care to improve the 
health outcomes of the target patient population. These two changes 
clarify the regulatory language with respect to the parties that engage 
in the care coordination and management to include the VBE itself, 
which can be party to a value-based arrangement, and make clear that 
efforts to improve efficiency can be part of coordination and 
management of care. Third, also in response to comments, we have 
revised the definition to clarify that the term does not require 
achievement of the stated goals, but rather that the efforts must be 
designed to achieve such goals.
    Comment: Commenters on this topic varied in their responses to our 
proposed definition of ``coordinating and managing care.'' While we 
received some comments expressing support, others asserted that the 
definition was superfluous. A commenter highlighted that existing CMS 
programs already rely on similar terminology and encouraged OIG to 
align its definition.
    Response: For the reasons stated in the OIG Proposed Rule, we are 
finalizing a definition of ``coordination and management of care.'' 
Among other things, this definition helps ensure that protected 
arrangements serve patients and the goals of coordinated care. Further, 
given the importance of this value-based purpose in the safe harbors, 
the definition provides a standard against which safe harbor compliance 
can be measured. This is intended to help providers seeking to comply 
with the safe harbors. As noted in the OIG Proposed Rule, we considered 
other agency definitions in crafting ours.\27\
---------------------------------------------------------------------------

    \27\ 84 FR 55707 (Oct. 17, 2019). For example, the Agency for 
Healthcare Research and Quality explains that ``[c]are coordination 
is identified by the Institute of Medicine as a key strategy that 
has the potential to improve the effectiveness, safety, and 
efficiency of the American health care system. Well-designed, 
targeted care coordination that is delivered to the right people can 
improve outcomes for everyone: patients, providers, and payers.'' 
https://www.ahrq.gov/ncepcr/care/coordination.html.
---------------------------------------------------------------------------

    Although other laws and regulations, including the physician self-
referral law and associated regulations, may utilize the same or 
similar terminology, the definition and interpretations we are adopting 
in this rule would not affect CMS's (or any other governmental 
agency's) interpretation or ability to interpret such term.
    Comment: At least two commenters opposed our proposed definition 
because they believe it would require

[[Page 77722]]

constant achievement. As an alternative, these commenters proposed 
revising the definition of ``coordination and management of care'' from 
the deliberate organization of patient care activities and sharing of 
information in order to improve health outcomes, to the deliberate 
organization of patient care activities and sharing of information in 
an attempt to improve health outcomes.
    Response: We thank commenters for highlighting this issue. It was 
not our intent for the definition of ``coordination and management of 
care'' to require constant achievement of improved health outcomes. To 
address the issue raised by the commenters and reduce the potential for 
confusion, we have revised the definition to clarify that the 
organization of patient care activities and the sharing of information 
must be designed to achieve safer, more effective, or more efficient 
care to improve the health outcomes of the target patient population. 
Actual achievement of safer, more effective, or more efficient care 
that improves health outcomes is not required. However, the parties 
must ensure that their efforts (i.e., deliberate organization of 
patient care activities and sharing of information) are designed to 
achieve these goals.
    Comment: Several commenters questioned whether: (i) Patient 
monitoring, patient diagnostic activities, patient treatment, and 
communication related to such patient activities; or (ii) predictive 
analytics, would constitute the coordination and management of care.
    Response: Depending on the facts and circumstances, each of the 
actions listed above could qualify as the coordination and management 
of care. We intend for the coordination and management of care to 
require beneficial activities beyond the mere referral of a patient or 
ordering of an item or service. Coordination and management of care 
requires some additional, deliberate effort and sharing of information, 
across two or more parties, that is designed to augment care delivery 
to achieve safer, more effective, or more efficient care to improve 
health outcomes.\28\ For example, the ordering of a diagnostic test, 
such as an imaging study, by a provider and the sharing of the test 
results back to the ordering provider would not, without additional 
beneficial activities, constitute the coordination and management of 
care under the finalized definition. If, however, the ordering of the 
imaging study and the sharing of results was part of a more deliberate, 
organized effort between or among the parties to achieve safer and more 
effective care and improve health outcomes, such as by implementing 
protocols to reduce the number of redundant tests or ensuring that test 
results are readily shared with and available to the patient and all 
members of the patient's caregiver team and used to inform care 
decisions, then the arrangement may constitute coordination and 
management of care. We also emphasize that the definition requires not 
only the deliberate organization of patient care activities, but also 
the sharing of information between (or among) the parties who are 
coordinating and managing care. This information sharing must be part 
of a design to achieve safer, more effective, or more efficient care to 
improve the health outcomes of the target patient population.
---------------------------------------------------------------------------

    \28\ See, e.g., NEJM Catalyst, What is Care Coordination? (Jan. 
1, 2018), https://catalyst.nejm,org/what-is-care-coordination/ 
(providing examples and noting that ``[c]are coordination 
synchronizes the delivery of a patient's health care from multiple 
providers and specialists. The goals of coordinated care are to 
improve health outcomes by ensuring that care from disparate 
providers is not delivered in silos, and to help reduce health care 
costs by eliminating redundant tests and procedures.'').
---------------------------------------------------------------------------

    Our final rule endeavors to encompass a wide range of beneficial 
care coordination activities, with limitations. As described in the OIG 
Proposed Rule, coordination might occur between hospitals and post-
acute care providers, specialists and primary care providers, or 
hospitals and physician practices and patients. It could involve using 
care managers, providing care or medication management, creating a 
patient-centered medical home, helping with effective transitions of 
care, sharing and using health data to improve outcomes, or sharing 
accountability for the care of a patient across the continuum of care. 
These arrangements often naturally involve referrals across provider 
settings but include beneficial activities beyond the mere referral of 
a patient or ordering of an item or service. We see a clear distinction 
between coordinating and managing patient care transitions for the 
purpose of improving the quality of care or improving efficiencies, 
which would fit in the definition, and churning patients through care 
settings to capitalize on a reimbursement scheme or otherwise generate 
revenue, which would not fit in the definition. The OIG Proposed Rule 
cites a relevant example of cycling patients through skilled nursing 
facilities (SNFs) to maximize revenue as the kind of arrangement we do 
not intend to fit in the definition or receive protection under any 
safe harbor.
    Comment: In response to OIG's solicitation of comments on the 
intersection of coordination and management of care and cybersecurity, 
a commenter stated that cybersecurity items or services should meet the 
definition of ``coordination and management of care.'' According to the 
commenter, cybersecurity items or services may be needed to share 
information between or among VBE participants, and the commenter 
expressed concern that parties would overlook opportunities to work 
with small practices that cannot afford proper cybersecurity tools.
    Response: We appreciate the commenters' input; however, we 
respectfully disagree with their recommendation. As a general matter, 
the use or sharing of cybersecurity items and services alone would not 
meet the definition of ``coordination and management of care.'' Having 
reviewed the comments and upon further consideration of the issue, we 
view the use or sharing of such items and services to be focused on 
ensuring the security of patient care items and related information 
exchange, rather than the deliberate organization of patient care 
activities and sharing of information, as required by the definition of 
``coordination and management of care.'' That being said, an 
arrangement involving the exchange of health information technology 
that incorporates cybersecurity items and services could meet the 
definition of ``coordination and management of care.'' For example, 
where a VBE participant provides data analytics software to another VBE 
participant to facilitate the VBE participants' coordination and 
management of care, security features to control access to data 
included within that software would not preclude the data analytics 
software from meeting the definition of ``coordination and management 
of care.'' However, we note that meeting the definition of 
``coordination and management of care'' does not, de facto, afford safe 
harbor protection; for safe harbor protection, the remuneration 
exchanged must squarely satisfy all safe harbor conditions.
    The use or sharing of cybersecurity items and services alone may 
meet other value-based purposes, and such remuneration may be eligible 
for protection under the substantial downside financial risk safe 
harbor (paragraph 1001.952(ff)) or full financial risk safe harbor 
(paragraph 1001.952(gg)). The cybersecurity technology and related 
services safe

[[Page 77723]]

harbor, paragraph 1001.952(jj), also is available to protect the 
exchange of cybersecurity items and services, provided all safe harbor 
requirements are met.
    Comment: In lieu of making the coordination and management of 
patient care a requirement specific to the value-based safe harbors and 
arrangements for patient engagement and support safe harbor, a 
commenter requested that OIG revise the definition of ``value-based 
purpose'' to reflect that one of the value-based purposes must be the 
coordination and management of patient care.
    Response: We appreciate the commenter's input; however, we decline 
to adopt the commenter's suggestion for two reasons. First, the current 
structure facilitates alignment between OIG's and CMS's value-based 
terminology to ease burden on providers and others working to comply 
with both sets of rules. In addition, as finalized, the substantial 
downside financial risk and full financial risk safe harbors already 
provide parties with additional flexibility to identify value-based 
purposes other than the coordination and management of care, in defined 
circumstances.
    Comment: A commenter requested clarification as to the types of 
activities that constitute the provision of billing or administrative 
services. This commenter asserted certain administrative services, such 
as the more effective management of patient records, could improve the 
coordination and management of patient care and should be not be 
excluded from the definition of ``value-based purpose.''
    Response: Administrative services, depending on the facts and 
circumstances, may meet the definition of ``coordination and management 
of care.'' We are clarifying our statement in the OIG Proposed Rule 
that we would not consider the provision of billing or administrative 
services to be the management of patient care \29\ to make clear that 
we view any billing or financial management services arrangement that 
is characterized as facilitating the coordination and management of 
patient care to be outside the scope of this definition for purposes of 
this rule. By financial management services, we mean services such as 
bookkeeping operations, contract management, revenue cycle management, 
or other similar activities. These activities might complement the 
organization of patient care activities, but they are not the type of 
care coordination activities contemplated in our proposed rule or 
covered by the final definition.
---------------------------------------------------------------------------

    \29\ 84 FR 55707 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We also are mindful that, in certain situations, the remuneration 
exchanged by the parties might incidentally assist the recipient with 
performing certain of these administrative functions. However, we 
believe that any benefit that the remuneration has on the 
administrative activities of the recipient should be incidental, at 
most. This approach helps ensure that value-based arrangements eligible 
for safe harbor protection focus on the delivery of care to patients. 
Arrangements that focus on billing and financial management services 
arrangements may be structured to fit in another safe harbor, such as 
the safe harbor for personal services and management contracts, which 
includes protections such as a fair market value requirement. The 
value-based safe harbors are not intended to protect billing and 
financial management services arrangements, even those that might help 
support care coordination and management, that are not fair market 
value under the guise of a value-based arrangement.
    We address this issue through a new provision in the care 
coordination arrangements safe harbor at paragraph 
1001.952(ee)(1)(iii)(A), which provides that the remuneration exchanged 
pursuant to a value-based arrangement may not be exchanged or used more 
than incidentally by the recipient for the recipient's billing or 
financial management services. We are not adopting parallel provisions 
in the substantial downside financial risk or full financial risk safe 
harbors because there are circumstances in which billing and financial 
management services could be included in the remuneration that is 
protected by those safe harbors. For this same reason, we are not 
incorporating this limitation into the definition of coordination and 
management of care, which applies across all of the value-based safe 
harbors.
    Comment: A commenter suggested that we revise this term to require 
the ``coordination or management of care'' instead of the 
``coordination and management of care.''
    Response: We appreciate the commenter's input; however, we are not 
adopting the commenter's suggestion. The coordination and management of 
care reflects an integrated set of activities for patients, as set out 
in the definition we are finalizing in this rule. We are concerned that 
management activities, standing alone, would not be appropriately 
patient-focused to achieve the intent of the value-based safe harbors.
    Comment: A commenter appeared to request that OIG revise its 
definition of ``coordination and management of care'' to provide that 
the deliberate organization of patient care activities and sharing of 
information may be between VBE participants and patients' family 
members or caregivers, in addition to those activities being conducted 
between VBE participants and patients.
    Response: We would consider the deliberate organization of patient 
care activities and sharing of information between VBE participants and 
patients' family members or others acting on the patients' behalf to 
meet the definition of ``coordination and management of care.'' This 
may include, for example, intervening caregivers, and family members, 
such as for patients who are children. We note that an arrangement that 
is solely between a VBE participant and a patient might constitute the 
coordination and management of care, but it would not fit in the value-
based safe harbors because those safe harbors do not protect the 
exchange of remuneration with patients. Other safe harbors may protect 
the exchange of remuneration with patients, including the patient 
engagement and support safe harbor at paragraph 1001.952(hh). 
Arrangements between VBEs and one or more of their VBE participants or 
between or among VBE participants that engage patients in efforts to 
coordinate and manage care could qualify under the value-based safe 
harbors with respect to remuneration flowing between a VBE and VBE 
participant or between VBE participants if all safe harbor conditions 
are met. For purposes of the care coordination arrangements safe 
harbor, parties exchanging remuneration pursuant to the value-based 
arrangement would need to be part of the coordination and management of 
care of the target patient population in some fashion, although levels 
of involvement in care coordination may differ among VBE participants, 
depending on the scope and nature of the arrangement.
3. Care Coordination Arrangements To Improve Quality, Health Outcomes, 
and Efficiency Safe Harbor (42 CFR 1001.952(ee))
a. General Comments
    Summary of OIG Proposed Rule: We proposed a new safe harbor at 
proposed paragraph 1001.952(ee) to protect in-kind remuneration 
exchanged between qualifying VBE participants with value-based 
arrangements that squarely satisfy all of the proposed safe harbor's 
requirements. We developed this safe

[[Page 77724]]

harbor to facilitate value-based care and improved care coordination 
for patients by providers and others that may be assuming no or less 
than substantial downside financial risk.
    Proposed conditions included commercial reasonableness (proposed 
paragraph 1001.952(ee)(2)), written documentation (proposed paragraph 
1001.952(ee)(3)), record retention (proposed paragraph 
1001.952(ee)(11)), and establishment and monitoring of outcomes 
measures (proposed paragraph 1001.952(ee)(1)). We proposed that 
protected remuneration would be used primarily to engage in value-based 
activities that are directly connected to the coordination and 
management of patient care for the target patient population (proposed 
paragraph 1001.952(ee)(4)(ii)). We further proposed that arrangements 
could not induce VBE participants to furnish medically unnecessary care 
or reduce or limit medically necessary care (proposed paragraph 
1001.952(ee)(4)(iii)); could not be funded by outside sources (proposed 
paragraph 1001.952(ee)(4)(iv)); could not limit medical decision-making 
or patient freedom of choice (proposed paragraphs 1001.952(ee)(7)(ii)-
(iii)); could not take into account the volume or value of business 
outside the value-based arrangement (proposed paragraph 
1001.952(ee)(5)); and could not include marketing of items or services 
to patients or patient recruitment activities (proposed paragraph 
1001.952(ee)(7)(iv)). We proposed a requirement that the recipient of 
the remuneration would pay at least 15 percent of the offeror's cost of 
the remuneration (proposed paragraph 1001.952(ee)(6)). We also proposed 
a requirement that arrangements be terminated within 60 days if the 
VBE's accountable body or person determined that the arrangements were 
unlikely to further coordination and management of care, were not 
achieving the value-based purpose or were resulted in material 
deficiencies in quality of care (proposed paragraph 1001.952(ee)(9)). 
In addition, we proposed that an exchange of remuneration would not be 
protected under the care coordination arrangements safe harbor if the 
offeror knows or should know that the remuneration is likely to be 
diverted, resold, or used by the recipient for an unlawful purpose 
(proposed paragraph 1001.952(ee)(10)). These conditions were proposed 
to minimize risks of traditional fee-for-service fraud and abuse and 
pay-for-referral schemes, particularly in arrangements where the 
parties are not assuming downside risk.
    Summary of Final Rule: We are finalizing, with modifications, this 
safe harbor. The safe harbor continues to protect in-kind remuneration 
exchanged between a VBE and VBE participant or between VBE participants 
pursuant to a value-based arrangement that squarely satisfies all of 
the proposed safe harbor's requirements. We have modified and clarified 
many of the safe harbor requirements in response to public comments, as 
described below. The safe harbor includes conditions related to 
commercial reasonableness, outcomes measures, written documentation, 
record retention, monitoring, termination, marketing and patient 
recruitment, and diversion and reselling of remuneration. The safe 
harbor requires that protected remuneration be used predominately to 
engage in value-based activities that are directly connected to the 
coordination and management of care for the target patient population. 
Protected arrangements cannot induce VBE participants to furnish 
medically unnecessary care or reduce or limit medically necessary care; 
cannot limit medical decision-making or patient freedom of choice; and 
cannot take into account the volume or value of business outside the 
value-based arrangement. Under the final rule, all recipients must pay 
15 percent of the offeror's cost or 15 percent of the fair market value 
of the remuneration. We are not finalizing the proposed condition 
related to outside funding of the remuneration.
    As detailed in section III.B.2.e and III.B.2.g of this preamble 
relating to the VBE participant definition, we are carving out patients 
and certain entities from the safe harbor; those entities are listed at 
paragraph 1001.952(ee)(13). We are finalizing a limited pathway for 
safe harbor protection in the care coordination arrangements safe 
harbor for manufacturers of devices and medical supplies and DMEPOS 
companies participating in digital health technology arrangements at 
paragraph 1001.952(ee)(13). As discussed in section III.B.2.e.vi of 
this preamble, we are finalizing a condition in the care coordination 
arrangements safe harbor that restricts those entities from 
conditioning the exchange of remuneration on any recipient's exclusive 
use, or minimum purchase, of any item or service manufactured, 
distributed, or sold by those entities.
    This safe harbor protects in-kind remuneration only. Some monetary 
compensation associated with care coordination or value-based 
activities may be protected under other safe harbors, such as the other 
value-based safe harbors or the safe harbor for personal services and 
management contracts and outcomes-based payments at paragraph 
1001.952(d).
    Comment: Many commenters expressed support for the care 
coordination arrangements safe harbor and the existence of a value-
based safe harbor that did not mandate the assumption of downside 
financial risk. These commenters stated the safe harbor would 
facilitate innovative arrangements to improve care coordination and 
facilitate community partnerships. Other commenters, while generally 
supportive of the safe harbor, asserted that it included too many 
burdensome, complex, and subjective conditions; these commenters urged 
OIG to reduce the number of requirements in the safe harbor. 
Conversely, some commenters opposed the safe harbor, with their 
concerns largely falling into two categories: (i) The potential for 
fraud and abuse because the safe harbor does not require the parties to 
assume downside risk or that there are not strong enough program 
integrity guardrails; and (ii) negative effects on competition, i.e., 
unduly benefiting larger providers.
    Response: We thank commenters for their feedback. The safe harbor 
is intended to protect arrangements by parties who are transitioning to 
higher levels of risk or who are engaging in care coordination that 
improves quality and efficiency, without assuming risk. We agree with 
commenters that there could be increased risk of fraudulent or abusive 
behavior (e.g., overutilization) where providers who order items or 
services are not at substantial downside financial risk. We structured 
the care coordination arrangements safe harbor to reflect and mitigate 
that increased risk. The safe harbor includes requirements tailored to 
ensure that arrangements protected by the safe harbor--which could 
apply to remuneration exchanged between parties who refer Federal 
health care program business to each other and where both parties are 
paid by Federal health care programs on a fee-for-service basis--do not 
result in the traditional FFS fraud and abuse risks. As described in 
the OIG Proposed Rule, traditional FFS fraud and abuse risks include 
inappropriately increased costs to the Federal health care programs or 
patients, corruption of practitioners' medical judgment, 
overutilization, inappropriate patient steering, unfair competition, or 
poor-quality care.\30\
---------------------------------------------------------------------------

    \30\ 84 FR 55696 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We aimed to finalize a safe harbor that is not administratively 
burdensome, overly complex, or subjective, but we

[[Page 77725]]

acknowledge that parties must satisfy a number of criteria to receive 
safe harbor protection and that some parties may find the safe harbor 
administratively burdensome, overly complex, and subjective with 
respect to their particular arrangements. However, we believe that 
these conditions, taken together, ensure the safe harbor protects 
legitimate value-based arrangements, fosters improved care 
coordination, allows for innovation, adequately addresses the 
traditional FFS risks described above, and limits potentially 
problematic referral schemes. We acknowledge that larger entities may 
be better positioned to afford some types of investments required by 
value-based activities, but we have intentionally crafted this safe 
harbor for a wide range of care coordination arrangements, including 
arrangements between small entities, providers serving rural and 
underserved communities, or both, that might not require substantial 
investment. As we describe elsewhere, many of the conditions are 
flexible (i.e., not one-size-fits-all) and can be satisfied in ways 
that take into account the size of, and resources available to, VBE 
participants.
    Comment: A commenter proposed that, in lieu of the care 
coordination arrangements safe harbor, OIG enumerate acceptable value-
based arrangements that are of minimal monetary value to the referral 
source.
    Response: We did not propose to adopt a list of acceptable value-
based arrangements of minimal monetary value in lieu of the care 
coordination arrangements safe harbor, and we are not adopting any such 
list as part of this final rule.
    Comment: A primary care provider requested that we address whether 
or not it would be permissible to waive cost-sharing amounts for select 
services under the care coordination arrangements safe harbor.
    Response: As a threshold matter, whether cost-sharing is owed for a 
particular service covered by Medicare or Medicaid is programmatic 
policy under the auspices of CMS and state Medicaid programs. If cost-
sharing is owed by the beneficiary under the applicable programmatic 
rules and a provider or supplier waives any such obligations, then a 
question arises about whether any benefit stemming from the waiver of 
the beneficiary's cost-sharing obligations implicates the Federal anti-
kickback statute or the Beneficiary Inducements CMP.
    Cost-sharing waivers furnished to patients would not qualify for 
protection under the care coordination arrangements safe harbor. First, 
cost-sharing waivers are not in-kind remuneration, and the care 
coordination arrangements safe harbor is limited to exchanges of in-
kind remuneration. Second, as explained further in section III.2.e.i of 
this preamble, the context and framework of the value-based provisions 
in the OIG Proposed Rule made clear that we did not intend patients to 
be VBE participants who could engage in value-based arrangements under 
the value-based safe harbors. We are finalizing, as proposed, that the 
care coordination arrangements safe harbor is available to protect only 
the exchange of in-kind remuneration between parties to a value-based 
arrangement, not remuneration exchanged with patients. In response to 
comments and for clarity, we have: (i) Revised the definition of ``VBE 
participant'' to expressly exclude patients; and (ii) revised the 
introductory language of the paragraph to expressly limit protection to 
exchanges of remuneration between a VBE and VBE participant or between 
VBE participants.
    In some cases, other existing protections may be available for some 
cost-sharing waivers, including cost-sharing waivers by certain 
entities that are not offered as part of any advertisement or 
solicitation; are not routine; and are made following an individual 
determination of financial need.\31\
---------------------------------------------------------------------------

    \31\ See, e.g., 42 U.S.C. 1320a-7b(b)(3)(D), (G); 42 CFR 
1001.952(k); OIG, Special Fraud Alert: Routine Wavier of Copayments 
or Deductible Under Medicare Part B, 59 FR 65372, 65377 (Dec. 19, 
1994), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/121994.html.
---------------------------------------------------------------------------

    Comment: A hospital association requested that the care 
coordination arrangements safe harbor include a 12-month preparation 
period that would be analogous to the ''phase-in'' periods in the 
substantial downside financial risk and full financial risk safe 
harbors. Similarly, at least two commenters requested that OIG protect 
initial investments in value-based arrangements or activities by 
parties exploring the creation of a VBE, with a commenter requesting 
that OIG protect such remuneration prior to any terms being set forth 
in a written agreement.
    Response: We are not adopting the suggestion for a preparation or 
``phase-in'' period for the care coordination arrangements safe harbor. 
There may be practical or operational reasons for parties to engage in 
financial arrangements or make ``phase-in'' investments as they explore 
creating a VBE or before committing to a particular value-based 
arrangement with partners. On balance, however, these considerations do 
not outweigh the heightened risk of fraud or abuse during a ``phase-
in'' period in advance of the commencement of a value-based 
arrangement, particularly in situations where parties have not yet 
created a VBE with its attendant accountability and transparency 
protections. Moreover, it is OIG's belief that the need for a ``phase-
in'' period is lower in the context of this safe harbor compared to the 
risk-based safe harbors because this safe harbor is limited to in-kind 
remuneration and does not require the assumption of risk. We allow for 
a preparation or ``phase-in'' period in the two risk-based safe harbors 
because we recognize that parties to a value-based arrangement may need 
to exchange remuneration during a period of time before the VBE 
formally takes on downside financial risk in order to prepare the VBE 
and the VBE participants for that assumption of risk. The same context 
does not exist for the care coordination arrangements safe harbor 
because it does not require the assumption of risk. We note, however, 
that parties may be able to structure some preparatory arrangements to 
fit in this safe harbor, provided that a proper VBE and value-based 
arrangement have been established and all other safe harbor 
requirements are met, including the requirement that any exchange of 
remuneration be used predominantly to engage in value-based activities. 
Parties may also look to other potentially available safe harbors for 
preparatory arrangements.
    Comment: Multiple commenters requested clarification on, and 
examples regarding, the types of entities and activities that could 
qualify for protection under the care coordination arrangements safe 
harbor. For example, a commenter requested that OIG expressly protect 
income guarantees for physicians transitioning from traditional 
compensation schemes to value-based models.
    Response: With respect to the question regarding income guarantees, 
income guarantees are not in-kind remuneration and would therefore not 
qualify for protection under the care coordination arrangements safe 
harbor. While neither exhaustive nor sufficiently detailed to allow for 
a comprehensive analysis of the arrangement under the Federal anti-
kickback statute and the care coordination arrangements safe harbor, we 
provide the following high-level examples to illustrate arrangements 
that could be structured to satisfy the conditions of the care 
coordination arrangements safe harbor.
    First, to coordinate care and better manage the care of their 
shared patients,

[[Page 77726]]

a specialty physician practice may wish to provide data analytics items 
(e.g., software designed to present certain data) and services (e.g., 
conducting data analysis) to the primary care physician practice with 
which it works closely and from which it receives referrals for 
consultations and federally reimbursable items and services. The data 
analytics items and services could, for example, identify practice 
patterns that deviate from evidence-based protocols or confirm whether 
followup care recommended by the specialty physician practice is being 
sought by patients or furnished by the primary care physician group. 
This provision of data analytics items and services could be structured 
to satisfy the care coordination arrangements safe harbor.
    Second, hospitals and physicians could work together in new ways to 
coordinate and manage care for patients being discharged from the 
hospital. The hospital might provide a physician group with care 
managers (who identify the physician group's high-risk patients and 
help manage patients' care transitions, medications, and home-based 
care) to ensure patients receive appropriate followup care post-
discharge; data analytics systems to help the group's physicians ensure 
that their patients are achieving better health outcomes; and remote 
monitoring technology to alert the group's physicians when a patient 
needs a health care intervention to prevent unnecessary emergency room 
visits and readmissions.
    Third, a medical technology company could partner with physician 
practices, to better coordinate and manage care for patients discharged 
from a hospital with digitally-equipped devices that collect and 
transmit data to the physicians to help monitor the patients' recovery 
and flag the need to intervene in real time (e.g., a device that 
monitors range of motion that could inform what an appropriate physical 
therapy intervention may be). The technology company could provide the 
physician group with necessary digital health technology that improves 
the physician group's ability to observe recovery and intervene, as 
necessary.
    We remind parties seeking to structure an arrangement to satisfy 
the care coordination arrangements safe harbor that compliance with the 
safe harbor requires a fact-specific assessment. In addition, we remind 
stakeholders that the advisory opinion process remains available for 
parties seeking to determine whether a particular arrangement satisfies 
the care coordination arrangements safe harbor or for parties that 
would like to request prospective protection for an arrangement that 
does not squarely satisfy the terms of the safe harbor.
    Comment: A commenter appeared to believe that the statement in the 
OIG Proposed Rule that ``each offer of remuneration must be analyzed 
separately for compliance with the safe harbor'' \32\ requires each 
value-based arrangement to be reviewed by the Department, with the 
potential for the Department to deny safe harbor protection for any 
proposal.
---------------------------------------------------------------------------

    \32\ 84 FR 55708 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Response: If there are multiple streams of remuneration flowing 
under a single value-based arrangement, the parties would need to 
evaluate each such stream separately to assess compliance with the safe 
harbor (or, as appropriate, other available safe harbors). In the 
context of an enforcement action, the government would likewise analyze 
each such stream separately, and consider the totality of the 
arrangement, to assess potential liability under the Federal anti-
kickback statute. The care coordination arrangements safe harbor does 
not require, nor do any of our other value-based safe harbors require, 
the submission of the value-based arrangement to the Department for 
review.
    Comment: Many commenters urged OIG to align the care coordination 
arrangements safe harbor with CMS's value-based exception to the 
physician self-referral law, with some asserting that the different 
requirements in each would increase regulatory complexity and pose a 
barrier to the advancement of value-based care. To facilitate 
alignment, commenters suggested that OIG permit monetary remuneration, 
remove any contribution requirement, or adopt CMS's definition of 
``commercial reasonableness.'' A commenter appeared to request that OIG 
and CMS both include a provision requiring a signed agreement.
    Response: We aligned our safe harbors with the exceptions being 
adopted by CMS as part of the Regulatory Sprint wherever possible. For 
the reasons discussed in greater detail in section III.A.1, complete 
alignment is not appropriate, including with respect to most of the 
provisions of the care coordination arrangements safe harbor referenced 
by commenters. In particular, the contribution and exclusion of 
monetary remuneration serve to reduce risk of intentional kickback 
schemes for reasons explained more fully in the preamble discussions of 
each requirement, sections III.B.3.g (contribution requirement) and 
III.B.3.e.i (in-kind remuneration). Specific to the recommended 
expansion of the safe harbor to protect monetary remuneration, we 
continue to believe that providing safe harbor protection for monetary 
remuneration presents heightened fraud and abuse risks that outweigh 
the potential benefits to Federal health care programs and patients. 
This is particularly true where remuneration is exchanged between 
parties that are not required to assume substantial financial risk, and 
the protected remuneration is not required to be fair market value and 
may take into account the volume or value of referrals for the target 
patient population. Consistent with this concern, the new safe harbor 
for outcomes-based payments at paragraph 1001.952(d)(2), which is 
available for monetary remuneration, includes a fair market value 
requirement and a limitation on directly taking into account the volume 
or value of referrals. With respect to the commenter's request that OIG 
and CMS align their respective signed writing requirements, we are 
finalizing a requirement that the terms of the value-based arrangement 
must be set forth in writing and signed by the parties, and we make 
clear that the writing requirement can be satisfied by a collection of 
documents, which aligns with the writing requirement in CMS's value-
based exception.
b. Outcome Measures
    Summary of OIG Proposed Rule: We proposed to provide flexibility in 
selecting outcome measures given the range of arrangements that may be 
covered by the proposed safe harbor. We proposed in proposed paragraph 
1001.952(ee)(1) to require parties to establish one or more specific 
evidence-based, valid outcome measures to serve as benchmarks for 
assessing the recipient's performance under the value-based arrangement 
and advancement toward achieving the coordination and management of 
care for the target population. The measures would not include patient 
satisfaction or convenience measures. We expressed our view that 
outcome measures should reflect more than maintenance of the status quo 
and considered requiring that outcomes measures drive meaningful 
improvements in quality, health outcomes, or efficiencies, whether by 
driving improvements that are measurable or that are more than nominal 
in nature. We indicated that we were considering for the final rule and 
solicited comment on whether we should require rebasing of the outcome

[[Page 77727]]

measure (e.g., resetting the benchmark).\33\
---------------------------------------------------------------------------

    \33\ 84 FR 55708 (Oct. 17, 2020).
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing, with modifications, the 
outcome measures requirement at paragraph 1001.952(ee)(4). The 
modifications are based on public comments. The final rule requires 
that the parties to a value-based arrangement establish one or more 
legitimate outcome or process measures that the parties reasonably 
anticipate will advance the coordination and management of care for the 
target patient population based on clinical evidence or credible 
medical or health science support. The measure(s) must: (i) Include one 
or more benchmarks related to improving, or maintaining improvement, in 
the coordination and management of care for the target patient 
population; (ii) relate to the remuneration exchanged under the value-
based arrangement; and (iii) not be based solely on patient 
satisfaction or patient convenience. The outcome or process measure and 
its benchmark must be monitored, periodically assessed, and 
prospectively revised, as necessary, so that working towards the 
measure continues to advance the coordination and management of care of 
the target patient population.
    Comment: Commenters generally supported the outcome measures 
requirement, as proposed. However, some commenters opposed requiring 
the parties to establish outcome measures against which a party would 
be measured under a value-based arrangement. For example, the 
commenters asserted that requiring the establishment of outcome 
measures would be administratively burdensome, would be confusing, and 
would not reflect the lack of valid outcome measures for many specialty 
practices. Some commenters asked OIG for an exception to the 
requirement for small and rural-based VBE participants and Indian 
health care providers. A commenter representing Indian health care 
providers requested that they be carved out from the outcome measures 
requirement because of a concern that the outcome measures would not be 
aligned with already reported Tribal outcome measures and would become 
an unnecessary administrative burden on understaffed Indian health care 
providers. Other commenters suggested that OIG should not finalize the 
outcome measures requirement because the writing requirement in the 
care coordination arrangements safe harbor is sufficient to protect 
against fraud and abuse.
    Response: As noted in the OIG Proposed Rule, inclusion of a 
meaningful outcome measure in a protected value-based arrangement will 
help ensure that the arrangement is designed to advance care 
coordination and serves the needs of the target patient population. As 
explained below, we have revised the requirement in the final rule to 
increase flexibility, broaden options for meeting the requirement, and 
reduce administrative burden, including on rural and small providers 
and on Indian health care providers. Our revised approach also 
addresses the comment regarding lack of standards for specialty 
practices because we are not requiring use of industry standard 
measures. Specialty practices may create measures using a range of 
data, information, and sources, including internally generated data and 
information, provided that, among other requirements, the measures are 
based on clinical evidence, credible medical support, or credible 
health science support, include an appropriate benchmark, and relate to 
the remuneration being provided under the arrangement. This last 
requirement helps ensure, as we explained in the OIG Proposed Rule, 
that the measure bears a close nexus to the value-based activities in 
the value-based arrangement and the needs of the target patient 
population.
    We are not aware of any impediment to Indian health care providers 
using existing outcomes measures that they are already required to 
report; nothing in the safe harbor requires development of new measures 
if existing measures meet the final rule requirements.
    We do not agree that a writing requirement is a sufficient 
safeguard against fraud or abuse based on our enforcement experience. 
While documentation is important for transparency and compliance 
verification, it does not prevent fraud or abuse or ensure that 
arrangements are carried out in accordance with their terms or serve 
their intended purposes.
    Comment: Commenters varied in their responses to the terminology we 
proposed in the outcome measures requirement (``specific evidenced-
based, valid outcome measures''). For example, commenters asked OIG to 
define ``outcome measure'' and ``evidence-based.'' A commenter 
supported the concept of ``evidence-based'' outcome measures, stating 
that OIG's proposal would provide needed flexibility to allow both 
clinical and non-clinical outcome measures and to allow participants to 
select up-to-date outcome measures, such as measures related to social 
determinants of health. Other commenters pointed out the significant 
time and resources needed, particularly for smaller VBEs and VBE 
participants, to undertake studies or gather and document evidence for 
novel interventions and to develop, implement, and monitor evidence-
based measures. Some commenters explained that using ``evidence-based'' 
as the standard would chill innovation by precluding innovative models 
for which evidence does not already exist or value-based arrangements 
that are currently pilots or demonstrations intended to develop 
evidence. A commenter expressed concern that conditioning safe harbor 
protection on ``valid'' outcome measures was too subjective and 
recommended the outcome measures be ``clinically meaningful,'' which 
could be based on measurable data or real-world evidence.
    Response: We have reconsidered our use of the term ``evidence-
based'' in this rule. Our use of the term may have indicated a level of 
scientific rigor and resource investment beyond what we intended for 
purposes of this safe harbor, which is intended to be available for 
experienced and new entrants into value-based care, including those not 
yet ready to assume financial risk, and to promote innovation in care 
delivery. We intended to include a standard that captured clinical and 
non-clinical measures (including measures related to quality of care, 
process improvements, efficiency in care delivery, and social 
determinants of health), while also allowing for innovation. We did not 
intend to require that protected arrangements be grounded in 
experimental research, randomized clinical trials, best available 
evidence, or other similar characteristics often associated with the 
term ``evidence-based'' in common definitions. We did not intend to be 
overly restrictive or to require strict scientific evidence of the 
utility of an outcome measure. Having considered the comments, common 
definitions, and input from Department experts, we are persuaded that 
the term ``evidence-based'' was overly restrictive and not the best 
term to describe the outcome measures we envisioned for purposes of 
this rule.
    We have likewise reconsidered our use of the terms ``valid'' and 
``specific'' in the OIG Proposed Rule. These terms dovetailed with our 
use of ``evidence-based'' and were intended to convey that the selected 
outcome measures needed to be grounded in legitimate, verifiable data, 
or other information. That is, we intended that selected measures be 
legitimate and not sham measures used to justify an illegitimate

[[Page 77728]]

exchange of remuneration. Our intent is that selected measures be 
credible and appropriate for the care coordination and management 
purpose of the arrangement. Upon further consideration, the term 
``legitimate''--and its common sense meaning--better effectuates our 
intent, and we use that term in the final rule.
    Accordingly, in this final rule, we are revising the requirement 
that parties establish one or more specific evidence-based, valid 
outcome measures. Under the final rule, the parties to a value-based 
arrangement must establish one or more legitimate outcome or process 
measures that the parties reasonably anticipate will advance the 
coordination and management of care for the target patient population 
based on clinical evidence or credible medical or health science 
support. The terms ``clinical evidence or credible medical or health 
science support,'' better reflect our intent to have a reasonable, 
flexible standard applicable to a wide range of arrangements and to 
allow selection of measures based on scientific, clinical, medical, 
social science, or industry quality standards, or other legitimate, 
verifiable data or information, whether internal to the VBE or 
externally generated. By use of the term ``health science'' we intend 
to include public health, health informatics, research and development, 
and sciences that look at the treatment and prevention of diseases. 
Unlike the new protection provided within the personal services and 
management contracts safe harbor for outcomes-based payments, in this 
safe harbor parties may rely on credible health science as well as 
credible medical support, reflecting that this safe harbor covers a 
wider variety of care coordination arrangements (including remuneration 
in the form of health technology) and protects only in-kind 
remuneration, rather than monetary payments, presenting relatively 
lower overall risk.
    The revised requirement continues to encompass both clinical and 
non-clinical measures, and internal or externally generated measures, 
and will allow participants to select up-to-date outcome or process 
measures over time. Under the final rule, parties will be required to 
document the measures they select and the clinical evidence, credible 
medical support, or credible health science support upon which they 
relied in making the selection by providing a description of the 
measures in a signed writing.
    Comment: Some commenters requested clarification from OIG regarding 
how parties should select outcome measures, and others asked for 
additional flexibility in the selection of outcome measures. For 
example, parties asked OIG to permit both internally developed 
measures, i.e., measures that do not require validation in a medical 
journal or by another third-party source, and process-based measures, 
such as providing or not providing a specific treatment to improve 
patient outcomes or safety. A commenter asserted that outcome measures 
should be anticipated to advance the coordination or management of care 
of the target patient population rather than the coordination and 
management of care of individual patients. Another commenter opposed 
the requirement for outcome measures to advance the coordination and 
management of care altogether, stating that care coordination is 
process-based, not outcomes-based.
    Other commenters expressed concern that too much flexibility for 
parties to select outcome measures could lead parties to use subjective 
measures that do not improve patient outcomes or are otherwise abusive. 
A commenter suggested OIG require that: (i) Value-based arrangements 
advance the coordination and management of care for the target patient 
population; and (ii) in any dispute concerning the applicability of 
this safe harbor, the VBE will bear the burden of proving, based upon 
objective evidence, that the value-based arrangement advanced the 
coordination and management of care of the target patient population. 
Some commenters asked OIG to include an express requirement in the 
final rule that outcome measures be designed to drive meaningful 
improvements in quality, health outcomes, or efficiencies in care 
delivery. Others supported a requirement for parties to establish more 
than one outcome measure or only measures reflecting the outcomes most 
important to patients.
    A commenter recommended that parties be able to assess performance 
toward achieving outcome measures with respect to the entire patient 
population of an integrated delivery system instead of a subset of that 
population. A commenter asked OIG to address issues regarding 
individual physician participant measurement compared to group 
measurement. The commenter expressed concern that individual physicians 
may not have sufficient influence on the development of outcome 
measures for their target patient population and that physician-level 
measures can be challenging to develop (including because of small 
sample size and appropriate accountability of individual physicians).
    Response: We are modifying the requirement to clarify that parties 
must select one or more legitimate outcome or process measures based on 
clinical evidence, credible medical support, or credible health science 
support. Parties must reasonably anticipate that the measures they 
select will advance the coordination and management of the care of the 
target patient population, which is the focus of this safe harbor. The 
revised measure selection standard offers greater flexibility and 
opportunities for innovation over time. The final rule permits clinical 
and non-clinical measures, internally or externally developed.
    Under the final rule, the outcome or process measures do not need 
to be independently validated by a medical or other journal or another 
third-party source. They can be process-based, such as, for example, a 
measurement of the number of patients with diabetes that had their 
blood pressure tested, and we are modifying the regulatory text to 
clarify this. Unlike the new protection under the personal services and 
management contracts safe harbor for outcomes-based payments, which 
requires parties to achieve an outcome measure to receive payment (the 
outcome measure may have a process component), the care coordination 
arrangements safe harbor measure requirement offers greater 
flexibility. It is broader in recognition that the safe harbor: (i) 
Protects only in-kind remuneration, such as health technology, for 
which process measures may be the most legitimate and useful type of 
measure; and (ii) is available to VBE participants that are not taking 
on risk for achieving outcomes.
    In response to the assertion that outcome measures should be 
anticipated to advance the coordination or management of care of the 
target patient population rather than the coordination and management 
of care, we addressed, and rejected, a similar suggestion in section 
III.2.B.g regarding changing ``and'' to ``or'' in the definition of 
coordination and management of care. Because the condition requiring 
parties to establish outcome measures incorporates the definition of 
``coordination and management of care'', it is appropriate to use that 
defined term, which, for the reasons offered above, includes an ``and'' 
rather than an ``or.''
    Where available, use of measures validated by a credible third 
party would be a prudent practice, but this is not required. We confirm 
that parties can select a measure applicable to the entire target 
patient population or select a different outcome or process measures 
for different segments of the target patient population (e.g., the 
measure for

[[Page 77729]]

organ transplant patients within a target patient population may differ 
from the appropriate measure for a non-transplant patient). In such 
circumstances, the parties must (among other criteria) reasonably 
anticipate that all such measures collectively will advance the 
coordination and management of care for the entire target patient 
population. With respect to selecting the target patient population, we 
refer readers to that section of this preamble, section III.B.2.c.
    We are further modifying our proposed rule to respond to the 
comments and our own concerns regarding parties selecting measures in a 
way that does not improve patient care or that could be abusive. In the 
OIG Proposed Rule, we considered requiring that outcome measures drive 
meaningful improvements in quality, health outcomes, or efficiencies, 
whether by driving improvements that are measurable or that are more 
than nominal in nature. We expressed concern about measures that merely 
reflected the status quo. Arrangements that merely drive nominal change 
or reflect only the status quo could be less likely to serve the care 
coordination aims of this rulemaking and more likely to be vehicles to 
reward referrals than arrangements in which parties receive 
remuneration designed to drive meaningful, more than nominal, change in 
patient care.
    Accordingly, under the final rule, the outcome or process measures 
must include one or more benchmarks related to improvements in, or the 
maintenance of improvements in, the coordination and management of care 
for the target patient population. The measures must relate to the 
remuneration exchanged under the value-based arrangement so that there 
is a close nexus between the value-based activities under the 
arrangement and what the parties are measuring. Further, the measures 
cannot be based solely on patient satisfaction or patient convenience, 
both of which can be subjective, uninformative with respect to quality 
or efficiency of care, and gamed with relative ease, including through 
use of rewards or incentives to patients. On this last point, we are 
aware that some legitimate patient satisfaction or patient convenience 
measurement tools provide valuable information to providers and others 
managing patient care. This safe harbor does not preclude use of such 
tools (or any other form of measurement) as parties to value-based 
arrangements see fit and find useful. But patient satisfaction or 
patient convenience cannot be the only measure for purposes of 
satisfying the safe harbor. Lastly, we are finalizing a requirement for 
monitoring, periodically assessing, and prospectively revising an 
outcome or process measure and its benchmark, as necessary, as 
described below. This suite of requirements, taken together, is 
intended to reduce the likelihood of abuses and ensure that the 
selected measures relate to the protected remuneration and aim to 
foster meaningful advancements in the coordination and management of 
care.
    Our revisions to the outcomes measure provision should address the 
concerns raised regarding measurement at the individual or group 
levels. This rule provides flexibility for parties to design legitimate 
measures appropriate to the arrangement, using internal or external 
data, and to account for characteristics such as available sample size 
and ability of individual physicians to effect change. It is up to the 
parties to determine which individual or entity that is a party to the 
arrangement, e.g., a VBE participant, is accountable for assessing 
progress on measures.
    We are not prescribing how many measures parties must use; while we 
anticipate value-based arrangements often would have more than one 
outcome or process measure (or measures that include process measures 
as a component of an outcome measure), some arrangements may lend 
themselves to only one measure. Additionally, we are not requiring that 
parties use only measures related to those outcomes or processes most 
important to patients or that value-based arrangements must, in fact, 
successfully advance the coordination and management of care for the 
target patient population. The standard we are finalizing is designed 
to encourage the selection of outcome and process measures that will 
result in improved care for patients. To the comment about the VBE's 
burden of proof in matters of dispute about the safe harbor, as with 
all safe harbors in the criminal Federal anti-kickback statute, any 
party seeking to avail themselves of the protection of a safe harbor 
generally bears the burden of proof that they meet the requirements of 
the safe harbor.
    Comment: Some commenters expressed concern regarding whether 
parties must meet the outcome measures in order to have safe harbor 
protection, with a few commenters stating such a requirement would 
disadvantage providers treating higher-risk patient populations who may 
be less likely to meet outcome measures.
    Response: We clarify that under the final rule, for purposes of 
this safe harbor, parties need not successfully achieve the outcome or 
process measure they select to qualify for safe harbor protection (and 
if they select more than one, they need not meet any of them). However, 
parties will need to monitor and periodically assess their arrangements 
and potentially revise measures and benchmarks, as described below. 
This will ensure that the selected measures remain a meaningful tool to 
advance care coordination goals. Without the requirement to establish 
and track progress toward achieving measures, the risk increases that 
parties could abuse the care coordination arrangements safe harbor to 
inappropriately drive referrals rather than patient care improvement.
    We recognize that, despite best efforts, parties to a value-based 
arrangement may not always achieve their selected measures due to a 
variety of factors, such as uncertainty of patient behavior, lack of 
control of results by a VBE participant, or misjudgments.
    We note a key distinction between this safe harbor and the 
protection of outcomes-based payments under the personal services and 
management contracts safe harbor. The personal services and management 
contracts safe harbor requires that agents achieve the outcome measure 
established for their payments in order to receive those payments. This 
is in keeping with a core purpose of the outcomes measure, which is to 
be the basis for a party to receive a protected outcomes-based payment.
    Comment: A commenter supported adding a requirement for parties to 
make information regarding any outcome measures they establish 
transparent to the public.
    Response: We are not requiring that the outcomes or process 
measures for value-based arrangements be made public under this safe 
harbor, although parties are free to do so. We did not propose a public 
transparency requirement and do not finalize one here. We recognize 
transparency serves important accountability and integrity goals. 
Consequently, we have included other conditions in the final safe 
harbor intended to foster transparency while balancing the potential 
burden on the parties seeking safe harbor protection. With respect to 
outcome or process measures, we are finalizing the requirement that 
parties include a description of the measures in a signed writing and 
make available to the Secretary, upon request, all materials and 
records sufficient to establish compliance with the conditions of the 
care coordination arrangements safe harbor.
    Comment: Several commenters stated that OIG should not require the 
use of

[[Page 77730]]

measures from CMS's Quality Payment Program (QPP) in the outcome 
measure requirement, arguing that existing QPP measures are inadequate 
for many specialties. Some commenters suggested OIG could encourage, 
but not require, participants to utilize the criteria for the QPP 
measures as a framework for establishing outcome measures. 
Alternatively, some commenters requested that OIG require the use of 
certain measures, such as measures promulgated by the National Quality 
Forum, or require all quality and cost measures to be independently 
assessed and approved by a third-party, multi-stakeholder organization.
    Response: To provide flexibility and avoid triggering concerns that 
any specified measures may be inadequate or inappropriate for certain 
types of individuals or entities (e.g., specialists), we are not 
requiring parties to utilize QPP measures or measures developed by any 
particular organizations or to receive third-party approval for the 
measures. Parties may use these measures at their discretion for 
purposes of this safe harbor.
    Comment: Several commenters encouraged OIG to allow patient 
satisfaction and experience of care measures, such as timeliness of 
care, to qualify as outcome measures under the care coordination 
arrangements safe harbor. Along these same lines, a commenter suggested 
that OIG include patient satisfaction and efficiency of care measures, 
such as creating systems that prevent visits to the emergency room (for 
example, rapid outpatient testing and evaluation services) that would 
improve outcomes and reduce costs. This commenter observed that 
satisfied patients are more likely to keep follow up appointments and 
be compliant with care. Some commenters asserted that patient 
satisfaction and experience measures reflect quality of care and noted 
that CMS recognizes patient satisfaction as a quality measure that 
affects reimbursement. Other commenters supported using convenience 
measures, such as the availability of treatment times or timeliness of 
patient's access to care, as outcome measures because they asserted 
that patient adherence to treatment improves when care is convenient. 
Another commenter stated that, while convenience, alone, may not be a 
valid measure, OIG should permit parties to use convenience measures 
when they are tied to other measures, such as utilization. On the other 
hand, some commenters did not consider patient satisfaction or 
convenience to be a valid outcome measure, noting a lack of evidence 
tying patient satisfaction to better clinical outcomes.
    Response: The commenters variously describe efficiency of care, 
patient satisfaction, patient convenience, and patient experience of 
care measures. As explained elsewhere, we have modified the outcomes 
measures requirement to include process measures, which addresses the 
commenters' suggestions regarding experience of care and efficiency of 
care measures, such as rapid access to outpatient testing and 
evaluation services. To assist commenters in appropriately categorizing 
their outcome or process measures, we provide additional clarification 
on patient satisfaction, patient convenience, and patient experience 
measures. For purposes of this rulemaking, patient satisfaction is 
about whether a patient's expectations for a health care encounter were 
met, e.g., a patient's assessment of the responsiveness of hospital 
staff. Different patients with different expectations can experience 
the exact same care but report different degrees of satisfaction.\34\ 
Patient convenience could include measures that assess patient access 
to care and accessibility of care, or the factors involved in arranging 
for the provision of care, e.g., the distance or proximity to a site of 
care or the hours during which care can be obtained.
    In applying our regulation, patient experience can involve finding 
out whether something that should happen in a health care setting 
happened, for example, whether all hospital discharge planning 
protocols were followed for certain patients. Patient experience 
measures can overlap with patient satisfaction or convenience measures; 
in particular, patient satisfaction or patient convenience could be a 
sub-part of a patient experience measure. Accordingly, whereas patient 
satisfaction or patient convenience cannot be the sole measure for 
purposes of the care coordination arrangements safe harbor, the same 
may not be true for patient experience measures, depending on the facts 
and circumstances.
    As stated in the OIG Proposed Rule, we are concerned that patient 
satisfaction and patient convenience measures may not reflect actual 
improvement in the quality of patient care, health outcomes, or 
efficiency in the delivery of care. In some cases, such measures can be 
subjective, uninformative with respect to quality or efficiency of 
care, and potentially gamed with relative ease, including through use 
of rewards or incentives to patients. That said, some patient 
satisfaction or patient convenience measurement tools provide valuable 
information to government programs, providers, and others managing 
patient care. This safe harbor does not preclude use of such tools (or 
any other form of measurement) as parties to value-based arrangements 
see fit and find useful. As noted previously, while patient 
satisfaction or patient convenience cannot be the sole measure for 
purposes of the care coordination arrangements safe harbor, patient 
satisfaction or patient convenience can be tied to other legitimate 
measures or can exist alongside such other measures.
    Comment: Several commenters encouraged OIG not to require regular 
rebasing of outcome measures, and in particular, they opposed specific 
timing for when parties must rebase these measures. These commenters 
asserted that any timing requirement would be arbitrary, might 
discourage participation in value-based arrangements, or may not be 
clinically appropriate in all circumstances. A commenter expressed 
concern that requiring rebased outcome measures could lead to the 
unintended consequence of providers abandoning proven care coordination 
programs once they have achieved a maximized performance level. On the 
other hand, some commenters supported this requirement; for example, a 
commenter supported rebasing pursuant to a specified timeframe, such as 
every year, as long as the VBE participants determined that rebasing is 
feasible.
    Response: In the OIG Proposed Rule, we considered whether to 
require parties to rebase outcomes measures (i.e., reset benchmarks 
used to determine whether the outcome measure was achieved) where 
rebasing is feasible. We indicated our intent to consider specifying a 
timeline for rebasing or requiring that it be done periodically. We 
solicited comments on whether rebasing should depend on the type of 
outcome measure or the nature of the arrangement. We also explained in 
the preamble to the OIG Proposed Rule that revisions to outcomes 
measures (i.e., modification of outcomes measures) would need to 
continue to incentivize the recipient of the remuneration to make 
meaningful improvements. We expressed concern that retrospective 
revisions could obscure a lack of meaningful improvement.
    Upon further consideration of the terminology in the OIG Proposed 
Rule, we conclude that we can best express our intended policy by using 
the term ``revise'' rather than ``rebase'' in the final rule. The term 
``revise'' has a broader common meaning and better reflects the goal 
that measures be

[[Page 77731]]

changed or updated to advance improvements in care coordination. In 
addition, we view ``rebase'' as a subcategory of ``revise''; in other 
words, we recognize that the rebasing of benchmarks may be the best way 
to ``revise'' the measure. Because we intended for parties to have the 
flexibility to either ``revise'' measures, i.e., modify or update 
measures to advance improvements in care coordination, or ``rebase'' 
benchmarks, and because ``revise'' could serve as an umbrella term 
which would include ``rebase,'' we believe ``revise'' encapsulates our 
intent.
    In practice, parties can meet the requirement by revising the 
measure itself or by rebasing the benchmarks for the measure. We 
recognize that rebasing may not be necessary for all legitimate outcome 
or process measures that advance the coordination and management of 
care for a target patient population. For the final rule, measures must 
be monitored, periodically assessed, and prospectively revised as 
necessary to ensure that the measure and its benchmark continues to 
advance the coordination and management of care of the target patient 
population. We emphasize that any revisions must be prospective, not 
retrospective.
    We are requiring a periodic assessment and, as necessary based on 
such assessment, revision of outcome or process measures and 
benchmarks. Recognizing that different measures should be assessed on 
different timelines, we are not implementing a specific timeframe for 
assessing or revising measures, as in some cases, outcome measures 
could be reviewed annually, whereas for others significant benefits to 
patients could reasonably take 2 to 3 years to achieve.
    As evidenced by the above discussion, we are also finalizing a 
requirement for parties to a care coordination arrangement to have one 
or more benchmarks for each outcome or process measure that are related 
to improving or maintaining improvements in the coordination and 
management of care of the target patient population. Benchmarks help 
ensure that the remuneration exchanged pursuant to the value-based 
arrangement continues to drive meaningful improvements, or the 
maintenance of improvements, in the coordination and management of care 
for the target patient population.
    Comment: Some commenters opposed a requirement for payors to 
identify outcome measures, positing that such a top-down approach would 
limit providers that are best situated to identify value-driving 
activities and may be impractical when payors are not parties to a 
value-based arrangement. Another commenter suggested that the adoption 
of payor-identified outcome measures by a VBE should be a favorable 
factor when evaluating a value-based arrangement for compliance with 
the proposed safe harbor. According to the commenter, payors have 
unique capabilities to: (i) Give providers the information they need to 
identify patient populations that may benefit most from management and 
care coordination interventions; and (ii) recommend benchmarks based on 
experience and access to data that are used to assess outcome measures.
    Response: The final rule allows, but does not require, the use of 
payor-driven or developed outcome measures. Parties are free to use 
payor measures if they find them useful or if doing so is required by a 
payor.
    Comment: We solicited comments on using a different outcomes 
measures standard for information technology than for other care 
coordination arrangements. Commenters were generally supportive of an 
alternative standard, such as an adoption and use standard, stating 
that it would allow more flexibility, which is important for 
arrangements that are centered on an ever-changing and developing 
industry. At least one commenter suggested language for this 
alternative standard, namely, ``the parties determine in good faith 
that the technology is expected to meaningfully advance achievement of 
the targeted health outcomes, patient care quality improvements, or the 
appropriate reduction in costs . . . [etc.],'' while another commenter 
suggested that VBE participants should have the option, but not be 
required, to designate utilization and adoption measures in IT 
arrangements as alternatives to outcome measures. A commenter who 
supported the use of alternative measures for IT advocated against 
OIG's proposal to implement a time frame after which the recipient of 
IT would be required to pay fair market value for continued use of the 
IT, stating that suddenly requiring fair market value payments may 
unnecessarily cause drastic and costly changes to an entire system and 
could disrupt continuity of care.
    Response: The final rule for establishing the required outcomes or 
process measures is flexible enough to address information technology 
arrangements. Legitimate process measures (including use and adoption) 
or performance measures can be used so long as the parties reasonably 
anticipate that the measures will advance the coordination and 
management of care of the target patient population and the benchmark 
and other requirements are met. No separate outcome measures 
requirement is needed for information technology arrangements. We are 
not finalizing our proposal that outcomes measures be evidence-based, 
which we acknowledged could have been a difficult standard for some 
information technology arrangements. Measures must be selected based on 
clinical evidence or credible medical or health science support. This 
support may be based on external sources or generated internally. The 
specific addition of health science as a basis for selection reflects 
our intent, among other things, to allow remuneration in the form of 
information technology under the care coordination safe harbor. Since 
we are not including an IT-specific standard, we are not placing a time 
limit on the use of IT-related remuneration in care coordination 
arrangements. In light of our modifications to the measurement standard 
and other safeguards against fraud and abuse in the safe harbor, 
adopting the additional requirements we considered in the OIG Proposed 
Rule related to outcomes measures for the exchange of health 
information technology is not necessary.
c. Commercial Reasonableness
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ee)(2) to require that the value-based arrangement pursuant to 
which the remuneration is exchanged be commercially reasonable, 
considering both the arrangement itself and all value-based 
arrangements within the VBE. We indicated that we were considering for 
the final rule whether to define a ``commercially reasonable 
arrangement'' as an arrangement that would make commercial sense if 
entered into by reasonable entities of a similar type and size, even 
without the potential for referrals. We solicited comments on the need 
for a definition of a ``commercially reasonable arrangement.''
    Summary of Final Rule: We are finalizing, without modification, our 
proposed requirement at paragraph 1001.952(ee)(2). We are not defining 
a ``commercially reasonable arrangement'' in the final rule.
    Comment: Some commenters supported a commercial reasonableness 
requirement while others opposed it. Several commenters noted that this 
requirement is inconsistent with the value-based arrangements exception 
to the physician self-referral law, which does not require that the 
value-based arrangement be commercially reasonable. Others emphasized 
that the

[[Page 77732]]

standard introduces complexity and uncertainty that may require parties 
to consult with legal counsel, with some of these commenters asserting 
that this burden could have a disproportionate impact on small and 
rural providers.
    Response: In the context of care coordination arrangements where 
parties are not required to take on financial risk, the remuneration 
does not need to be consistent with fair market value, and the 
remuneration may take into account the volume of patients in the target 
patient population or the value of referrals or other business 
generated between the parties resulting from referrals of the target 
patient population, we believe requiring the value-based arrangement to 
be commercially reasonable is an important safeguard to ensure that 
safe harbor protection is limited to remuneration exchanged pursuant to 
value-based arrangements that are designed and implemented to achieve 
legitimate objectives rather than merely to induce or reward referrals.
    The commercial reasonableness requirement focuses on ensuring that 
parties structure the terms of their value-based arrangement, including 
but not limited to the amount of the remuneration, in a manner that is 
calibrated to achieve the parties' legitimate business purposes. For 
example, as described in the OIG Proposed Rule, if VBE participants 
were to enter into a value-based arrangement to facilitate the sharing 
of patient-outcome data, it may be commercially reasonable for a 
hospital VBE participant to donate technology to a group practice VBE 
participant to facilitate this process. However, it may not be 
commercially reasonable for that same hospital VBE participant to 
donate technology substantially more sophisticated, or with enhanced 
functionality, beyond that necessary for communicating data on shared 
patients between the two parties.\35\ We are concerned that, absent the 
commercial reasonableness requirement, the other conditions in this 
safe harbor will not sufficiently mitigate the risk of one party 
offering more remuneration than is necessary, such as in the example 
above, to reward the other party for referrals of target patient 
population patients, which is why we are finalizing the requirement in 
this final rule that the value-based arrangement itself be commercially 
reasonable. Further, the commercial reasonableness requirement is the 
only safeguard in the care coordination arrangements safe harbor that 
directly addresses the risk that parties might use a series of value-
based arrangements to effectuate a payment-for-referral scheme. For 
this reason, we are finalizing the second prong of the commercial 
reasonableness requirement that the value-based arrangement must be 
commercially reasonable when considering all value-based arrangements 
in the VBE.
---------------------------------------------------------------------------

    \35\ 84 FR 55709. In the OIG Proposed Rule, we noted in 
connection with this example that nothing would prevent the donation 
of technology with enhanced functionality when a value-based 
arrangement requires that capability or when technology without that 
functionality is not practicable.
---------------------------------------------------------------------------

    In sum, the commercial reasonableness requirement in this safe 
harbor: (i) Helps to ensure that the value-based arrangement, and all 
value-based arrangements within in the VBE, serve legitimate 
objectives; (ii) mandates that parties structure the terms of their 
value-based arrangement, including but not limited to the amount of the 
remuneration, in a manner that is calibrated to achieve the parties' 
legitimate business purposes; and (iii) reduces the likelihood that the 
value-based arrangement might be a payment-for-referral scheme.
    With respect to the complexities associated with assessing 
commercial reasonableness and the potential need to consult with legal 
counsel, we appreciate those concerns and note that the inclusion of a 
commercial reasonableness condition in safe harbors is not new. Several 
existing safe harbors require protected remuneration to be commercially 
reasonable. We believe parties, including small and rural providers, 
can apply this concept and that including it as a condition of this 
safe harbor will not impose significant additional burden.
    In response to those commenters who noted that the proposed safe 
harbor is inconsistent with CMS's proposed exception for value-based 
arrangements, we note that CMS's exception for value-based arrangements 
(42 CFR 411.357(aa)(3)), as finalized, includes a commercial 
reasonableness requirement.
    Comment: A commenter asserted that the move to value-based care 
helps to eliminate many of the program integrity concerns that OIG 
might seek to address through a commercial reasonableness requirement.
    Response: We agree that a shift to value-based payment models may 
curb some of the traditional program integrity concerns associated with 
a fee-for-service payment system. However, this safe harbor offers 
protection for care coordination arrangements without requiring that 
the parties assume financial risk or otherwise participate in a value-
based payment model. As a result, the traditional program integrity 
risks resulting from fee-for-service payment are likely to persist. For 
example, we are concerned that, in some circumstances and in the 
absence of safe harbor guardrails, remuneration furnished pursuant to a 
value-based arrangement may lead to overutilization, corruption of 
practitioners' medical judgment, inappropriate patient steering, or 
unfair competition. By requiring the value-based arrangement to be 
commercially reasonable with respect to both the arrangement itself and 
all value-based arrangements within the VBE, this condition helps to 
safeguard against these program integrity concerns by requiring that 
the terms of the value-based arrangement be calibrated to achieve the 
parties' legitimate business purposes.
    For example, we explained in the OIG Proposed Rule that a single 
value-based arrangement in which a hospital VBE participant provides a 
necessary number of care coordinators for the target patient population 
to a SNF VBE participant may be commercially reasonable. However, if a 
VBE includes multiple similar value-based arrangements, each of which 
involves the same hospital VBE participant furnishing care coordinators 
to the same SNF VBE participant for the same or a similar target 
patient population, the commercial reasonableness of the remuneration 
exchanged within the value-based arrangements in the aggregate may be 
suspect if it lacks a legitimate business purpose.\36\ This arrangement 
could lead to the program integrity concerns identified above (e.g., 
inappropriate patient steering) and, absent a commercial reasonableness 
requirement, the conditions of the safe harbor might otherwise be met.
---------------------------------------------------------------------------

    \36\ 84 FR 55709.
---------------------------------------------------------------------------

    Comment: Some commenters asserted that a commercial reasonableness 
requirement will create an obstacle to value-based care. Others 
asserted that few arrangements would ever satisfy this criterion 
because value-based arrangements do not make any commercial sense 
without the potential for referrals. These commenters noted that 
changes in referral patterns alone are not the goal of a value-based 
arrangement but that they may well be the consequence.
    Response: We are not persuaded that a commercial reasonableness 
requirement will impede the transition to value-based care. We believe 
that it is eminently feasible to structure value-based arrangements to 
meet the commercial reasonableness requirement by ensuring that the 
terms of the value-

[[Page 77733]]

based arrangement, and all value-based arrangements within the VBE, are 
reasonably calculated to achieve the VBE participants' legitimate 
business purposes.
    The framing of the commercial reasonableness condition in the final 
rule, which allows for the possibility of referrals, addresses the 
commenters' concerns. Specifically, we recognize that a value-based 
arrangement may, and often will, result in referrals. The commercial 
reasonableness requirement is intended to ensure that the terms of the 
value-based arrangement, considering both the arrangement itself and 
all value-based arrangements within the VBE, are calibrated to achieve 
the value-based purpose(s) of the arrangement, not the generation of 
referrals. We agree with the commenters' related assertion that changes 
in referral patterns alone are not the goal of a value-based 
arrangement but may be the consequence.
    For example, a value-based arrangement that provides remuneration 
in excess of what is reasonably necessary to coordinate and manage the 
care of the target patient population, as contemplated by the terms of 
that arrangement, would not be commercially reasonable. Likewise, terms 
that are calibrated to secure referrals, rather than to achieve the 
value-based purposes of the value-based arrangement, would result in an 
arrangement that is not commercially reasonable for purposes of this 
safe harbor. The mere fact that referral patterns may change as a 
result of a value-based arrangement does not necessarily preclude the 
arrangement from meeting the commercial reasonableness requirement.
    Comment: With respect to whether we should adopt a definition for a 
commercially reasonable arrangement, several commenters expressed 
support, but these commenters did not agree on a definition. Some 
commenters supported the definition presented in the preamble to the 
OIG Proposed Rule, which defined a ``commercially reasonable 
arrangement'' as an arrangement that would make commercial sense if 
entered into by reasonable entities of a similar type and size, even 
without the potential for referrals. Others encouraged us to adopt 
CMS's proposed definition, which states that commercially reasonable 
means the particular arrangement furthers a legitimate business purpose 
of the parties and is on similar terms and conditions as like 
arrangements. Other commenters suggested that OIG should focus on 
whether the arrangement makes ``value-based'' sense in the context of a 
value-based arrangement instead of whether it makes ``commercial'' 
sense. Other commenters provided alternative definitions that varied in 
scope. A commenter asserted that the definition should not preclude 
consideration of referrals not covered by Medicare.
    Commenters also requested various clarifications and affirmative 
statements from OIG, including that: (i) Commercial reasonableness 
refers primarily to the non-financial elements of a transaction or 
arrangement while the concept of fair market value addresses the 
financial aspects, and (ii) an arrangement may be commercially 
reasonable even if it operates at a loss.
    Response: While we are not adopting a definition of ``commercially 
reasonable arrangement,'' we appreciate commenters' requests for 
guidance. There are multiple dimensions to commercial reasonableness, 
including both the financial and non-financial terms of an arrangement. 
The fact that an arrangement generates a loss for a party is one 
factor, among many, that could be considered in analyzing whether an 
arrangement is commercially reasonable. An arrangement may be 
commercially reasonable even if it does not result in profit for one or 
more of the parties. Any determination whether a particular value-based 
arrangement is commercially reasonable would be based on the totality 
of the facts and circumstances of such arrangement, and the financial 
aspects of the value-based arrangement would be relevant to that 
inquiry.
    With respect to the assertion that the commercial reasonableness 
definition should not preclude consideration of referrals of non-
Medicare business, as we stated above, we are not adopting this 
definition. We reiterate that the commercial reasonableness requirement 
in this safe harbor requires that the VBE participants structure the 
terms of the value-based arrangement in a manner that is calibrated to 
achieve the parties' legitimate business purposes. We also reiterate 
our longstanding guidance that arrangements that do not involve 
referrals of Federal health care program beneficiaries or business 
generated by Federal health care programs may implicate the Federal 
anti-kickback statute by disguising remuneration for Federal health 
care program business through the payment of amounts purportedly 
related to non-Federal health care program business. Arrangements with 
this type of disguised remuneration would not be calibrated to achieve 
a legitimate business purpose and would thus not be commercially 
reasonable. Whether any particular arrangement reflects this type of 
disguised remuneration would depend on the specific facts of the 
arrangement.
    Comment: Some commenters asserted that the definition of 
``commercially reasonable arrangement'' in the preamble to the OIG 
Proposed Rule, which considered defining such an arrangement as one 
that would make commercial sense if entered into by reasonable entities 
of a similar type and size, even without the potential for referrals, 
is inconsistent with OIG's prior commentary relating to the requirement 
in certain other safe harbors that the remuneration must be reasonably 
necessary to accomplish the commercially reasonable business purpose of 
the arrangement.
    Response: We are not further defining a ``commercially reasonable 
arrangement'' in this final rule, beyond the test for commercial 
reasonableness articulated in the regulatory text (i.e., that 
commercial reasonableness must be evaluated by considering both the 
value-based arrangement itself and all value-based arrangements within 
the VBE). As explained above, the test for commercial reasonableness is 
tailored to this particular safe harbor for care coordination 
arrangements and is meant to be both flexible to allow for innovative 
arrangements that serve legitimate objectives and sufficiently 
constrained to limit the risk of schemes to pay for referrals. That 
said, our prior guidance remains instructive on the application of the 
term ``commercially reasonable'' in the safe harbor context, 
particularly with respect to having a legitimate business purpose.\37\
---------------------------------------------------------------------------

    \37\ See, e.g., Medicare and State Health Care Programs: Fraud 
and Abuse; Clarification of the Initial OIG Safe Harbor Provisions 
and Establishment of Additional Safe Harbor Provisions Under the 
Anti-Kickback Statute; Final Rule, 64 FR 63518, 63425 (Nov. 19, 
1999) available at https://oig.hhs.gov/fraud/docs/safeharborregulations/getdoc1.pdf.
---------------------------------------------------------------------------

d. Writing
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(ee)(3) to require that each value-based arrangement, pursuant 
to which the remuneration is exchanged, be set forth in a signed 
writing, established in advance of, or contemporaneous with, the 
commencement of the value-based arrangement or any material change to 
the value-based arrangement. We proposed in the same paragraph that the 
writing state, at a minimum: (i) The value-based activities to be 
undertaken

[[Page 77734]]

by the parties to the value-based arrangement; (ii) the term of the 
value-based arrangement; (iii) the target patient population; (iv) a 
description of the remuneration; (v) the offeror's cost for the 
remuneration; (vi) the percentage of the offeror's cost contributed by 
the recipient; (vii) if applicable, the frequency of the recipient's 
contribution payments for the offeror's ongoing costs; and (viii) the 
specific evidence-based, valid outcome measure(s) against which the 
recipient would be measured.
    Summary of Final Rule: We are finalizing, with modifications, the 
writing requirement in paragraph 1001.952(ee)(3). The following 
modifications respond to public comments: (i) The writing requirement 
can be satisfied by a collection of documents; (ii) parties must 
document the fair market value of the remuneration or, alternatively, 
the offeror's cost of the remuneration and the accounting methodology 
utilized to determine such cost; and (iii) parties must document the 
value-based purpose(s) of the value-based activities provided for in 
the value-based arrangement. We are also clarifying that the terms of 
the value-based arrangement must be established in advance of, or 
contemporaneous with, the commencement of the value-based arrangement 
``and any material change,'' instead of ``or any material change.'' In 
the preamble to OIG Proposed Rule, we described a writing requirement 
that would promote transparency of the value-based arrangement, both at 
its commencement and when there is a material change. These are the 
logical junctures where the writing requirement particularly serves its 
transparency purposes. Our proposed regulatory text did not make clear 
that the writing was needed at both junctures; our modifications more 
clearly express that policy. Lastly, we are modifying the writing 
requirement for consistency with changes to the language of the outcome 
and process measures condition, discussed in section III.3.b. The 
remaining requirements of the writing requirement are finalized as 
proposed.
    Comment: While several commenters expressed support for the writing 
requirement, numerous commenters were concerned that this requirement 
does not afford parties the flexibility to document their value-based 
arrangement in a ``collection of documents'' and instead requires a 
single signed writing.
    Response: We have revised the writing requirement to permit a 
``collection of documents'' approach in response to commenters' 
concerns. To receive safe harbor protection, the terms of the value-
based arrangement must be set forth in writing and signed by the 
parties in advance of, or contemporaneous with, the commencement of the 
value-based arrangement and any material change to the value-based 
arrangement. Under this approach, parties are not required to have a 
single, signed writing setting forth the terms of the agreement, but 
there must be either a single, signed writing or a collection of 
documents in place--in advance of, or contemporaneous with, the 
commencement of the value-based arrangement--in order to meet this 
condition. In addition, if any material term (e.g., an outcome or 
process measure) changes during the course of the value-based 
arrangement, the parties would need to set forth such changes in a 
signed writing or collection of documents in advance of, or 
contemporaneous with, the commencement of the modified value-based 
arrangement. We note that, while the terms do not need to be set forth 
in a single, signed writing, we believe this approach is a best 
practice from a compliance perspective.
    Comment: A commenter requested that OIG permit a VBE to sign the 
writing required by this safe harbor on behalf of all parties to the 
applicable value-based arrangement because, according to the commenter, 
it would be challenging to arrange for all parties to sign a single 
document in advance of the commencement of the value-based arrangement.
    Response: We decline to adopt the commenter's suggestion. To 
promote transparency and accountability, each value-based arrangement 
must be set forth in writing and signed by all parties to the value-
based arrangement. While the VBE may be a signatory to the value-based 
arrangement, its signature alone would not meet the writing requirement 
for this or any of the other value-based safe harbors. We believe there 
is sufficient flexibility in this requirement insofar as we do not 
require the writing to be a single document (i.e., the parties can sign 
separate documents), and we allow it to be signed in advance of, or 
contemporaneous with, the commencement of the value-based arrangement.
    Comment: Some commenters disagreed with the proposed writing 
requirement, stating that it was burdensome, was too prescriptive, or 
would increase the risk of inadvertent non-compliance. Commenters took 
particular issue with the requirement that parties document the 
offeror's cost for the remuneration. A commenter asserted that this 
provision is unnecessary in light of the condition to maintain and make 
available to the Secretary, upon request, all materials and records 
sufficient to establish compliance with the conditions of this safe 
harbor, while at least two commenters expressed concern that it could 
result in the inappropriate disclosure of competitively sensitive 
information. One such commenter provided the example of an offeror that 
might furnish certain in-kind remuneration to a VBE participant to 
benefit the VBE and further its value-based purpose, but who might want 
to offer the same in-kind remuneration to the recipient at market rates 
for use in other lines of business. According to the commenter, it 
would be commercially unreasonable to require the offeror to disclose 
its cost structure and requested that we allow parties to satisfy this 
condition through a written representation that the contribution amount 
equals at least 15 percent of the offeror's cost.
    Response: We are not persuaded that our writing requirement is 
overly prescriptive or burdensome, rather it is an essential safeguard. 
The required contents are of the kind commonly part of business 
agreements: The parties, purposes, services, financial and business 
terms, duration, and metrics. In addition, for safe harbor purposes, we 
view the requirement that the writing set forth the offeror's cost for 
the remuneration or the fair market value of the remuneration--detailed 
in section III.B.3.g--as a material term to the parties' arrangement 
because of the safe harbor's 15 percent contribution requirement. The 
inclusion of this term in the writing ensures a transparent 
understanding of the arrangement agreed to by the parties.
    Accordingly, we are finalizing the writing requirement, including a 
requirement that parties document: (i) Either the fair market value of 
the remuneration or the offeror's cost of the remuneration, dependent 
upon the methodology used by the parties to determine the contribution 
amount; and (ii) the percentage and amount contributed by the 
recipient. Consistent with revisions to the contribution requirement 
methodology discussed in detail in section III.B.3.g, we require that 
parties who choose to document the offeror's cost of the remuneration, 
instead of the fair market value, also must document the reasonable 
accounting methodology used to calculate such costs.
    We believe requiring parties to calculate and document the 
contribution amount based on the fair

[[Page 77735]]

market value of the remuneration or the offeror's cost of the 
remuneration addresses commenters' confidentiality concerns and, for 
this reason, we are not adopting the commenter's suggestion to use 
written representations of the offeror's cost for the purposes of 
satisfying the writing requirement. We understand that information 
relating to an offeror's cost may include proprietary or competitively 
sensitive information that parties might not wish to put in their 
written agreements. We do not believe the same holds true for fair 
market value.
    In response to commenters' concerns that the writing requirement 
increases the risk of inadvertent non-compliance, we note that our 
modification to permit a collection of documents to satisfy the 
requirement should help address compliance concerns by incorporating 
more flexibility in this requirement. Further, should an arrangement 
inadvertently fail to comply with a safe harbor condition that would 
not mean that the arrangement violates the Federal anti-kickback 
statute. Rather, the arrangement would not have safe harbor protection 
and would need to be analyzed based on its facts, including the intent 
of the parties, for compliance with the statute.
    Comment: A commenter requested that we address how parties to a 
value-based arrangement would need to document a value-based 
arrangement's value-based purpose.
    Response: We did not expressly propose--as part of the writing 
requirement--that the parties document the value-based purpose(s) of 
the value-based activities provided for in the value-based arrangement. 
However, such requirement, which we are including in the final rule, 
effectuates our intent and logically flows from the intersection of the 
following proposals, each which is finalized here: (i) That the writing 
state, among other things, the value-based activities to be undertaken 
by the parties to the value-based arrangement; (ii) the ``value-based 
activity'' definition, which would require, in part, that the activity 
is reasonably designed to achieve at least one value-based purpose of 
the value-based enterprise; and (iii) the requirement that protected 
remuneration be used predominantly to engage in value-based activities 
that are directly connected to the coordination and management of care 
for the target patient population. In particular, it seems sensible 
that in describing the value-based activity--which, by definition, are 
reasonably designed to achieve at least one value-based purpose of the 
value-based enterprise--and to confirm that one purpose is the 
coordination and management of care, the writing would specify the 
value-based purpose that the activities are designed to achieve.
    Consequently, we finalize a condition requiring that parties 
document the value-based purpose(s) of the value-based activities 
provided for in the value-based arrangement as part of the required 
writing. In particular, we view the documentation of the value-based 
purpose(s)--and specifically, documentation of the care coordination 
and management of care purpose--to be an important component of a 
writing designed to ensure transparency and accountability.
e. Limitations on Remuneration
i. In-Kind Remuneration
    Summary of OIG Proposed Rule: We proposed that the remuneration 
exchanged must be in-kind under the proposed condition at paragraph 
1001.952(ee)(4)(i).
    Summary of Final Rule: We are finalizing, without modification, the 
requirement that the remuneration be in-kind, and moving it to 
paragraph 1001.952(ee)(1)(i).
    Comment: While some commenters supported limiting protection under 
the care coordination arrangements safe harbor to in-kind remuneration, 
a number of commenters requested that OIG expand the safe harbor to 
protect monetary remuneration of any amount or, alternatively, monetary 
remuneration up to a certain amount annually. Many commenters asserted 
that the proposed safe harbor would not protect financial arrangements 
that incentivize behavior change, such as shared savings payments or 
payments to adhere to care protocols, and further asserted that the 
other safeguards in the safe harbor are sufficient to protect against 
fraud and abuse. A commenter suggested that OIG only protect shared 
savings distributed after the VBE has satisfied its expenses. Some 
commenters requested that the safe harbor protect monetary remuneration 
distributed under upside-only risk arrangements, particularly where the 
remuneration is tied directly or indirectly to achievement under a 
value-based arrangement with a payor. Other commenters asserted that 
the care coordination arrangements safe harbor should protect 
ownership, investment interests, loan arrangements (including interest 
payments), and similar transactions to fund infrastructure for the VBE 
that will facilitate the development and operation of a value-based 
arrangement.
    Other commenters asserted that the safe harbor should permit the 
exchange of monetary remuneration, so physician practices can receive 
remuneration and purchase their own clinical tools or services and 
select staff members who best meet the needs of the practice. For 
example, a primary care practice explained that it would like to engage 
a psychologist or behavioral health professional to assist with 
patients presenting with depressive symptoms or needing additional 
assistance managing mental health conditions and that expanding this 
safe harbor to protect monetary remuneration would allow the practice 
to select a behavioral health professional who, among other things, 
best meets the needs of the practice's patient population. They 
explained that, otherwise, the offeror of in-kind remuneration would 
make those purchasing decisions and selections for the recipient. 
Another commenter asserted that OIG's and CMS's final rules should 
align to protect both in-kind and monetary remuneration or only in-kind 
remuneration, arguing that any inconsistency would result in a barrier 
to the advancement of value-based care. A commenter suggested that the 
safe harbor protect monetary remuneration for specific services; for 
example, a hospital might offer to cover the costs of a nurse navigator 
at a SNF, instead of providing the nurse navigator directly, because it 
wants the SNF to have the contractual relationship with the nurse 
navigator. Lastly, several commenters requested that OIG expand the 
safe harbor to protect monetary remuneration exchanged under 
arrangements involving Indian health programs.
    Response: We are finalizing the requirement that the remuneration 
exchanged pursuant to this safe harbor must be in-kind. We continue to 
believe that providing safe harbor protection to monetary remuneration 
exchanged under arrangements where: (i) The parties are not required to 
assume financial risk, and (ii) the protected remuneration is not 
required to be fair market value and may take into account the volume 
or value of referrals for the target patient population, presents 
heightened fraud and abuse risks that outweigh the potential benefits 
to Federal health care programs and patients. OIG's longstanding 
guidance makes clear that remuneration in the form of cash and cash 
equivalents pose a higher risk of interfering with clinical decision-
making, incentivizing overutilization or inappropriate utilization, and 
increasing costs to Federal health care programs. We do not

[[Page 77736]]

view protection for ownership or investment interests as fundamental to 
parties entering into value-based arrangements for the coordination and 
management of care for a target patient population. Parties seeking to 
protect a particular investment interest may look to existing safe 
harbors (e.g., the safe harbor for investment interests at paragraph 
1001.952(a)); in addition, the advisory opinion process remains 
available. Further, while we understand recipients' desire to select 
their own care coordination items and services rather than receiving 
items and services an offeror selects, we note that parties do not have 
to enter into value-based arrangements and might agree to enter into 
such arrangements only where the item(s) or service(s) being offered 
are satisfactory to the recipient. We also note that, where a party 
offering remuneration desires for the recipient to contract directly 
for items and services, the recipient may do so as long as the offeror 
pays the vendor of the items and services directly. Further, while we 
understand recipients' desire to select their own care coordination 
items and services rather than receiving items and services an offeror 
selects, we note that parties do not have to enter into value-based 
arrangements and might agree to enter into such arrangements only where 
the item(s) or service(s) being offered are satisfactory to the 
recipient. We also note that, where a party offering remuneration 
desires for the recipient to contract directly for items and services, 
the recipient may do so as long as the offeror pays the vendor of the 
items and services directly. Lastly, we note that individuals and 
entities may look to other safe harbors, such as the safe harbor for 
personal services and management contracts and outcomes-based payment 
arrangements at paragraph 1001.952(d), for protection for certain 
monetary remuneration.
    Finally, in response to the comment requesting that CMS's and OIG's 
final protections align to protect both in-kind and monetary 
remuneration or only in-kind remuneration, we refer readers to section 
III.A.1, where we discuss fundamental differences in statutory 
structures and sanctions across the physician self-referral law and 
Federal anti-kickback statute and elaborate on the reasoning behind 
conditions that differ in any similar exception and safe harbor 
finalized by CMS and OIG, respectively, in each agency's final rule in 
connection with the Regulatory Sprint. With respect to OIG's specific 
policy to limit the care coordination arrangements safe harbor to in-
kind remuneration, this policy addresses the heightened risk that 
fungible monetary remuneration could be misused to make intentional 
kickback payments and would be more difficult to track. OIG and CMS 
permit monetary and non-monetary remuneration in the value-based safe 
harbors and exceptions that require parties to assume risk.
ii. Remuneration Used To Engage in Value-Based Activities
    Summary of OIG Proposed Rule: We proposed to require, at proposed 
paragraph 1001.952(ee)(4)(ii), that the remuneration provided by, or 
shared among, VBE participants be used primarily to engage in value-
based activities that are directly connected to the coordination and 
management of care of the target patient population. We recognized that 
in-kind remuneration exchanged for value-based activities may 
indirectly benefit patients outside of the scope of the value-based 
arrangement and that parties may find it difficult to anticipate or 
project the scope or extent of these ``spillover'' benefits.
    Summary of Final Rule: We are finalizing, with modifications, the 
proposed requirement at paragraph 1001.952(ee)(1)(ii). The two 
modifications are explained in greater detail in the responses to 
comments. First, the remuneration exchanged must be used predominantly 
to engage in value-based activities that are directly connected to the 
coordination and management of care for the target patient population. 
We replaced the word ``primarily'' with the word ``predominantly.'' 
Second, we added a condition that the remuneration exchanged result in 
no more than incidental benefits to persons outside of the target 
patient population. Further, for the reasons previously explained in 
the value-based terminology section discussing the definition of the 
``coordination and management of care'' at section III.B.2.g, we added 
a condition to this final safe harbor clarifying that remuneration 
exchanged pursuant to a value-based arrangement may not be exchanged or 
used more than incidentally by the recipient for the recipient's 
billing or financial management services.
    Comment: Commenters generally supported our proposal to require 
that protected remuneration be primarily used to engage in value-based 
activities that are directly connected to the coordination and 
management of care for the target patient population and expressed 
concerns about our alternative proposal to require that the 
remuneration exchanged be limited to value-based activities that only 
benefit the target patient population. Commenters asserted a variety of 
reasons why prohibiting spillover benefits outside the target patient 
population would be unworkable or undesirable in practice. For example, 
some commenters asserted that prohibiting spillover benefits would 
create a disincentive for innovation, and others emphasized the 
complexities in trying to manage benefits to prevent spillover. Some 
commenters requested that we expressly state that the benefits of the 
value-based arrangement do not need to be limited to the members of a 
target patient population. Another commenter stated that the term 
``primarily'' is vague, which could make this requirement difficult to 
implement and monitor.
    Response: We agree with the commenters' concerns that prohibiting 
spillover benefits outside of the target patient population would be 
unworkable. In the OIG Proposed Rule, and for purposes of this final 
rule, we recognize that in-kind remuneration exchanged for value-based 
activities may indirectly benefit patients out of the scope of the 
associated value-based arrangement and that parties may find it 
difficult to anticipate or project the extent of such ``spillover'' 
benefits. We likewise acknowledge the need to provide parties with 
sufficient flexibility while also minimizing the risk of disguised, 
improper remuneration unrelated to the coordination and management of 
care for the target patient population. To address the commenters' 
concerns about spillover effects, in the final rule we have clarified 
that the value-based activities for which the remuneration is used can 
result in no more than incidental benefits to persons outside of the 
target patient population. This language acknowledges the difficulty 
VBE participants could face in preventing ``spillover'' benefits and 
reflects our intent to permit safe harbor protection for care 
coordination arrangements that predominantly benefit the target patient 
population.
    We are replacing the proposed term ``primarily'' with 
``predominantly'' in the final rule. These words are analogous (e.g., 
meaning chiefly, mainly, principally). We make the change for 
consistency with comparable language in other safe harbors. The term 
``predominantly'' appears for a similar purpose in the EHR and 
cybersecurity safe harbors, at paragraphs 1001.952(y) and (jj), 
respectively, and our parallel use of the same term in paragraph 
1001.952(ee) enhances consistency for stakeholders across safe harbors. 
To the commenter's concern about vagueness,

[[Page 77737]]

we are not quantifying with specificity the degree to which 
remuneration is used to engage in value-based activities to offer 
flexibility for the range of value-based arrangements for which safe 
harbor protection may be sought.
    Comment: Several commenters requested that we clarify that a device 
with multiple functions does not violate the Federal anti-kickback 
statute or the Beneficiary Inducements CMP when it is primarily used 
for managing a patient's health care. Commenters noted that 
increasingly medical devices are being produced with multiple 
functions, or they rely on non-medical platforms such as consumer 
electronic products (e.g., smartphones, tablets).
    Response: It appears that the commenters are asking whether the 
furnishing of a multi-function device, or a device that relies on a 
multi-use technology platform, can meet the safe harbor requirement 
that the remuneration is predominantly used to engage in value-based 
activities that are directly connected to the coordination and 
management of care for the target patient population. We also presume 
for purposes of this response that the device would be furnished to the 
recipient for less than fair market value.
    As a threshold matter, compliance with the care coordination 
arrangements safe harbor depends on whether the device is furnished 
from one VBE participant to another VBE participant or if the device is 
furnished directly from a VBE participant to a patient. If the device 
is furnished by a VBE participant to another VBE participant, then the 
care coordination arrangements safe harbor may protect the remuneration 
if the device will be used predominantly to engage in value-based 
activities that are directly connected to the coordination and 
management of care for the target patient population, and all other 
safe harbor requirements are met.
    For example, a health information technology tool that enables both 
remote patient monitoring and two-way telehealth capabilities may 
satisfy the predominant use requirement if the remote patient 
monitoring and two-way telehealth technologies will be used by the 
recipient to coordinate and manage care for the target patient 
population. However, a health information technology tool that includes 
some functionalities that the recipient may use to coordinate and 
manage care for the target patient population and other functionalities 
that the recipient may use for purposes other than to coordinate and 
manage care for the target patient population may not meet this 
standard. For example, a health information technology tool that the 
recipient VBE participant uses to collect, track, and analyze data 
relevant to the outcome measures established by the VBE participants 
and is also used to collect, track, and analyze the VBE participant's 
internal financial metrics for purpose of operating its own business 
would likely not meet the predominant use standard, unless the use for 
financial metrics is minimal.
    In the above example, if the VBE participants wish to protect the 
health information technology tool under this safe harbor, the 
financial monitoring functionalities could be disabled to ensure that 
the predominant use test is met. Alternatively, if the recipient VBE 
participant pays fair market value for the financial monitoring 
functionalities, then the parties might conclude that they do not need 
to protect that aspect of the arrangement under this safe harbor, or 
they may look to another safe harbor, such as the personal services and 
management contracts safe harbor at paragraph 1001.952(d), to protect 
that aspect of the arrangement. To be protected under paragraph 
1001.952(ee), the remaining remuneration for which fair market value 
has not been paid would need to meet the predominant use condition and 
all other safe harbor conditions.
    We note that if the collecting, tracking, and analyzing data for 
the outcomes measures for the target patient population results in the 
VBE participant observing something that prompts a change to how it 
delivers care for all patients, not just the target patient population, 
this additional use would constitute an incidental benefit to persons 
outside the target patient population; such incidental benefit would 
not be a disqualifying feature of the remuneration under this provision 
in paragraph 1001.952(ee).
    If a multi-function device is being furnished by a VBE participant 
directly to a patient, then the VBE participant would look to the 
patient engagement and support safe harbor, at paragraph 1001.952(hh), 
for protection, not the care coordination arrangements safe harbor. As 
explained above, the care coordination arrangements safe harbor does 
not protect remuneration--including a free or discounted device--
flowing from VBE participants to patients. Note that, among other 
requirements, the patient engagement and support safe harbor requires 
that the remuneration has a direct connection to the coordination and 
management of care of the target patient population.
    With respect to the Beneficiary Inducements CMP, we note that 
remuneration that is protected under a safe harbor to the Federal anti-
kickback statute is not considered remuneration for purposes of the 
Beneficiary Inducements CMP.
    Comment: Some commenters argued that this proposed limitation on 
the exchange of remuneration--in particular, the requirement that the 
remuneration be used to engage in value-based activities directly 
connected to the coordination and management of care of the target 
patient population--is unduly restrictive. Commenters stated that this 
condition should not be limited to the first of the four value-based 
purposes (the coordination and management of care for the target 
patient population) and should be expanded to permit a direct 
connection to any of the value-based purposes. Commenters further 
asserted that expanding this condition to require a direct connection 
to any value-based purpose would reduce regulatory burden, foster 
innovation, and facilitate alignment with CMS's value-based exceptions 
to the physician self-referral law.
    Response: The care coordination arrangements safe harbor does not 
preclude a value-based arrangement from furthering other value-based 
purposes; however, the safe harbor does require that the remuneration 
exchanged be used predominantly to engage in value-based activities 
that are directly connected to the coordination and management of care 
for the target patient population. By requiring that each party to a 
value-based arrangement under the care coordination arrangements safe 
harbor include the coordination and management of care for the target 
patient population as at least one of the value-based purposes, we seek 
to distinguish between referral arrangements, which would not be 
protected, and legitimate care coordination arrangements, which 
naturally involve referrals across provider settings but include 
beneficial activities beyond the mere referral of a patient or ordering 
of an item or service.
    Comment: Some commenters supported using alternative language to 
the direct connection standard, such as ``reasonably related and 
directly tied'' or ``directly connected or reasonably related.'' Many 
of these commenters asserted that alternative language would better 
convey the close nexus between this safe harbor and the coordination 
and management of care of a target patient population. Other commenters 
advocated for other changes to the standard, e.g., replacing ``directly 
connected'' with only ``connected.''
    Response: We are finalizing the standard, proposed at paragraph

[[Page 77738]]

1001.952(ee)(1), now codified at paragraph 1001.952(ee)(1)(ii) 
requiring that remuneration be used predominately to engage in value-
based activities that are directly connected to the coordination and 
management of care for the target patient population. We are not 
finalizing the similar standard proposed at paragraph 1001.952(ee)(7) 
requiring that the value-based arrangement is directly connected to the 
coordination and management care of the target patient population, 
because doing so would introduce unnecessary duplication to the safe 
harbor. We believe the direct connection standard we are finalizing 
appropriately captures the relationship we are requiring (i.e., a close 
nexus) between the value-based activities (for which protected 
remuneration must be used predominantly to engage in) and the 
coordination and management of care for the target patient population.
    Comment: A commenter sought clarification as to whether 
remuneration tied to either receiving referrals or being included in a 
preferred provider network would be a value-based activity directly 
connected to the coordination and management of care.
    Response: As stated elsewhere in this final rule, the making of a 
referral, standing alone, is not a value-based activity. Accordingly, 
neither the exchange nor use of remuneration tied solely to receiving 
patient referrals or being included in a preferred provider network 
would be a value-based activity, let alone one that is directly 
connected to the coordination and management of care. Were such conduct 
combined with other value-based activities, the ``direct connection'' 
standard could be met, depending on the facts and circumstances.
iii. No Furnishing of Medically Unnecessary Items or Services or 
Reduction in Medically Necessary Items or Services
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ee)(4)(iii) to require that the remuneration exchanged not 
induce VBE participants to furnish medically unnecessary items or 
services or reduce or limit medically necessary items or services 
furnished to any patient.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(ee)(7)(iii). The modification provides 
that the value-based arrangement (rather than merely the remuneration) 
cannot induce the parties to furnish medically unnecessary items or 
services or reduce or limit medically necessary items or services.
    Comment: Commenters universally supported this safeguard. A 
commenter separately encouraged OIG to develop clear guidelines to 
enforce this provision that do not unduly hinder the provision of 
health care or second-guess physicians' medical decision-making.
    Response: We are finalizing this proposed protection for patient 
care and Federal program expenditures, with additional modifications to 
fully effectuate our intent. As stated in the OIG Proposed Rule, 
remuneration that induces a provider to order or furnish medically 
unnecessary care is inherently suspect. We likewise stated that a 
reduction in medically necessary services would be contrary to the 
goals of this rulemaking and could, in certain instances, be a 
violation of the CMP law provision relating to gainsharing 
arrangements.\38\ We do not intend to protect arrangements that do 
either. Upon further consideration, we have determined that our choice 
of language for the regulatory text too narrowly focused on the 
remuneration in the care coordination arrangement and did not capture 
the full range of ways through which ill-intentioned parties might seek 
to use a value-based arrangement to induce medically unnecessary care 
or limit medically necessary care. Accordingly, to better reflect our 
intent, the final regulation text prohibits the value-based arrangement 
from inducing parties to order or furnish medically unnecessary items 
or services or reduce or limit medically necessary items or services 
furnished to any patient.
---------------------------------------------------------------------------

    \38\ Section 1128A(b) of the Act.
---------------------------------------------------------------------------

    In response to the commenter's concern that this safeguard not 
unduly hinder physicians' medical judgment, this condition is not 
intended to interfere with medical decision-making; rather, it is 
intended to support decision-making in the best interests of patients 
without inappropriate financial influence. This requirement is a 
hallmark safeguard against fraudulent and abusive practices that could 
lead to inappropriate utilization, inappropriate steering of patients, 
or stinting on care. We note that a separate condition of the safe 
harbor prohibits potential limitations on VBE participant's ability to 
make decisions in the best interests of the target patient population.
iv. Remuneration From Individuals or Entities Outside the Applicable 
VBE
    Summary of OIG Proposed Rule: We proposed at 1001.952(ee)(4)(iv) 
that the remuneration exchanged could not be funded by, or otherwise 
result from the contributions of, any individual or entity outside of 
the applicable VBE. We stated that we were considering a requirement 
that remuneration be provided directly from the offeror to the 
recipient.
    Summary of Final Rule: We are not finalizing the proposed funding 
limitation or a requirement that remuneration be provided directly from 
the offeror to the recipient.
    Comment: A few commenters supported the requirement prohibiting 
remuneration from individuals or entities outside the applicable VBE. 
Other commenters asked for exceptions to the requirement, such as 
exceptions for remuneration that would benefit the VBE's patients and 
where the donating third-party would have no direction or control over 
how the remuneration could be used. Other commenters opposed the 
requirement, stating that it would prevent VBE participants from 
deriving remuneration from a wide variety of appropriate outside 
funding sources, such as payors. Another commenter raised concerns that 
a VBE participant could lose safe harbor protection unfairly if it 
receives remuneration from another VBE participant that was funded by 
another party without recipient of the renumeration knowing that source 
of funding. We also received comments on OIG's consideration of whether 
to require that remuneration be provided directly from the offeror to 
the recipient, with such commenters stating that such a requirement 
would create unnecessary practical impediments.
    Response: We are not finalizing the proposed requirement 
prohibiting parties to a value-based arrangement from exchanging any 
remuneration funded by, or otherwise resulting from the contributions 
of, an individual or entity outside of the applicable VBE. The purpose 
of these proposals was to ensure that protected arrangements would be 
closely related to the VBE, that VBE participants would be committed to 
the VBE and striving to achieve the coordination and management of care 
for the target patient population, and that non-VBE participants could 
not indirectly use the safe harbor to protect arrangements that are 
designed to influence the referrals or decision-making of VBE 
participants. On balance, we do not believe the proposed conditions 
would add appreciably to the program integrity protection offered by 
the combination of safeguards we are including in the final safe 
harbor, which address these same concerns. We seek to minimize 
practical impediments to use of the safe harbor by avoiding conditions 
we do not believe are needed. However, we emphasize that remuneration 
exchanged outside of

[[Page 77739]]

a value-based arrangement would not be protected by any of the value-
based safe harbors.
    We also are not finalizing the requirement considered in preamble 
to the OIG Proposed Rule that remuneration be provided directly from 
the offeror to the recipient. As explained in the OIG Proposed Rule, 
this requirement would have prohibited the involvement of individuals 
and entities other than the VBE or a VBE participant in the exchange of 
remuneration under a value-based arrangement, including, potentially 
third-party vendors and contractors. We agree with commenters asserting 
that this requirement could create unnecessary practical impediments 
that would be outweighed by any potential benefit of such a condition.
f. Taking Into Account the Volume or Value of, or Conditioning 
Remuneration on, Business or Patients Not Covered Under the Value-Based 
Arrangement
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(ee)(5) to prohibit the offeror of the remuneration from taking 
into account the volume or value of, or conditioning an offer of 
remuneration on: (i) Referrals of patients that are not part of the 
value-based arrangement's target patient population; or (ii) business 
not covered under the value-based arrangement.
    Summary of Final Rule: We are finalizing, without modification, the 
requirement in paragraph 1001.952(ee)(5).
    Comment: While some commenters supported our proposal, asserting 
that the requirement appropriately differentiates between actual care 
coordination arrangements and improper pay-for-referral schemes, a few 
commenters did not support the requirement for various reasons. A 
commenter expressed concern that this requirement will be difficult to 
administer if recipients of remuneration have any business arrangements 
outside the VBE and posited that adequate remedies exist under current 
law to address the type of sham or abusive arrangements this provision 
intends to preclude from safe harbor protection, although the commenter 
did not identify any specific remedies. Another commenter asserted that 
this requirement should be removed to align physician incentives with 
the delivery of value-based care.
    Conversely, a commenter opposed the proposed standard on the basis 
that it is too narrow and encouraged us to prohibit parties from taking 
into account the volume or value of referrals within the target patient 
population and to also prohibit exclusivity or minimum-purchase 
requirements in value-based arrangements. The commenter advocated for a 
modified condition that would restrict any remuneration that depends on 
or is calculated based on the volume or value of any Federal health 
care referrals, whether inside or outside the target patient 
population.
    Response: We are finalizing this condition, as proposed. For 
purposes of the safe harbor, value-based care, including coordinated 
care, may take into account the volume of patients in the target 
patient population or value of referrals or other business generated 
between the parties resulting from referrals of the target patient 
population (e.g., an offeror may base the number of hours it provides 
care coordination services to the recipient on the volume of patients 
in the target patient population). A complete prohibition on 
remuneration that takes into account the volume or value of referrals 
could operate as an actual or perceived barrier to safe harbor 
protection for the kinds of innovative care coordination arrangements 
that are the goal of this rulemaking. We are finalizing the limitation 
with respect to referrals of patients and business generated outside 
the target patient population under the value-based arrangement as an 
important safeguard to protect against remuneration offered under the 
guise of a value-based arrangement that is intended to induce the 
recipient's referrals of patients or business not covered under the 
value-based arrangement.
g. Contribution Requirement
    Summary of OIG Proposed Rule: We proposed in paragraph 
1001.952(ee)(6) to condition safe harbor protection on the recipient's 
payment of at least 15 percent of the offeror's cost for the in-kind 
remuneration (i.e., a 15 percent contribution requirement). We also 
proposed at paragraph 1001.952(ee)(6) that the recipient make such a 
contribution in advance of receiving the in-kind remuneration, if a 
one-time cost, or at reasonable, regular intervals if an ongoing cost.
    Summary of Final Rule: We are finalizing, with modification, the 
contribution requirement in paragraph 1001.952(ee)(6). Based on 
comments, we are revising the contribution requirement methodology to 
require recipients to pay at least 15 percent of either the offeror's 
cost of the remuneration, as determined using any reasonable accounting 
methodology, or the fair market value of the remuneration. We are 
finalizing, with only a minor technical modification to address syntax, 
our proposal that, if the remuneration is a one-time cost, the 
recipient must make the contribution in advance of receiving the in-
kind remuneration; if the remuneration is an ongoing cost, the 
recipient must make any contributions at reasonable, regular intervals.
    Comment: Many commenters expressed support for the proposed 15 
percent contribution requirement or otherwise acknowledged that some 
level of contribution likely would be an appropriate safeguard to hold 
VBE participants accountable, promote engagement, and lower the risk 
that unnecessary or improper remuneration would be furnished pursuant 
to a value-based arrangement. The majority of commenters opposed any 
contribution requirement, with several asserting that such a 
requirement would be administratively burdensome; would necessitate 
onerous documentation and analysis, e.g., documenting and tracking the 
exchange of remuneration, in addition to undertaking an analysis as to 
whether the items or services exchanged constitute remuneration in the 
first place; and would discourage parties from entering into beneficial 
value-based arrangements.
    Response: We are retaining a 15 percent contribution requirement 
for purposes of the care coordination arrangements safe harbor. We 
proposed the contribution requirement to: (i) Increase the likelihood 
that the recipient would use the care coordination item(s) and 
service(s); (ii) ensure that the remuneration would be well-tailored to 
the recipient; and (iii) promote the recipient's vested interest in 
achieving the intended purpose of the value-based arrangement, namely, 
furthering the coordination and management of care of the target 
patient population.
    We are not persuaded that the contribution requirement would be 
overly burdensome or chill participation in value-based arrangements. 
While there may be some administrative burden associated with a 
contribution requirement, on balance we believe this requirement is 
important to mitigate what OIG identified in the OIG Proposed Rule as 
traditional fraud and abuse risks, e.g., inappropriately increased 
costs to the Federal health care programs or patients, corruption of 
practitioners' medical judgment, overutilization, and inappropriate 
patient steering.
    Comment: Many commenters supported a lower contribution amount (or 
no contribution amount) for arrangements involving certain providers 
with financial constraints.

[[Page 77740]]

These commenters generally asserted that, absent an exemption from, or 
significant reduction in the amount of, the contribution requirement, 
many providers would not be able to afford to participate in value-
based arrangements. Commenters had varying suggestions for who should 
qualify as a provider with financial constraints, including, for 
example, essential hospitals, critical access hospitals, Indian health 
care providers, not-for-profit social services organizations, free and 
charitable clinics, small and rural practices, and practices serving 
medically underserved areas. Some commenters offered potential 
definitions while others favored existing definitions, such as those 
promulgated by the U.S. Small Business Administration, CMS, and the 
Health Resources and Services Administration.
    Response: Having considered the comments and the goals of this 
rulemaking, we are not reducing or eliminating the contribution amount 
for arrangements involving certain providers with financial 
constraints. While we remain sensitive to the limited resources of many 
types of potential VBE participants, including those cited by 
commenters, we believe that the contribution requirement serves as an 
important guardrail to prevent fraud and abuse under the guise of a 
value-based arrangement and an incentive for parties to develop 
arrangements that are both effective in coordinating and managing care 
and economically prudent. We believe the contribution requirement will 
help ensure that parties are serious about collaborating to achieve the 
purpose of coordinating and managing patient care and will deliberately 
design care coordination arrangements most likely to be effective at 
achieving quality and efficiency aims in an economically prudent 
manner. In addition, we decline to make exceptions to the 15 percent 
contribution requirement for categories of VBE participants (e.g., 
small and rural practices) for several reasons. First, some 
designations can change over time (for example, a physician practice 
may qualify as a small practice at some points in time but not at 
others, depending on staffing changes), which could create confusion 
about the implementation of the contribution requirement when such a 
change occurs. Second, the same types of fraud and abuse risks 
associated with potentially valuable in-kind remuneration from a 
referral source apply equally to both larger or urban recipients, for 
example, and the types of recipients that requested an exemption from 
the 15 percent contribution requirement or a lower contribution 
percentage, such as small or rural providers. OIG's enforcement 
experience demonstrates that fraud is perpetrated by both small and 
large entities and happens across all geographic areas. Third, the 15 
percent contribution requirement is based on the electronic health 
records items and services safe harbor at paragraph 1001.952(y)(11), 
which does not differentiate among recipients. Finally, in the context 
of the flexibilities of the overall safe harbor, the advantages from a 
compliance perspective of a single bright line standard outweigh the 
potential benefits of variable standards based on geographic location 
or other characteristics. Moreover, we have no basis for determining 
different amounts for different parties. Should the 15 percent 
contribution requirement pose a barrier to use of the safe harbor, 
parties are reminded that failure to fit in a safe harbor does not mean 
that an arrangement is necessarily unlawful and that OIG's advisory 
opinion process is also available.
    Comment: At least one commenter suggested that the safe harbor 
except certain forms of in-kind remuneration (e.g., remuneration that 
consists of cybersecurity technology and related services and IT-
related updates, upgrades, and patches) from the contribution 
requirement.
    Response: We decline to include any exceptions to the contribution 
requirement under the care coordination arrangements safe harbor 
because we believe that, in the context of this safe harbor, this 
requirement is important to mitigate traditional fraud and abuse risks 
and ensure that parties enter into arrangements that serve value-based 
purposes. However, we remind parties seeking safe harbor protection for 
the exchange of cybersecurity technology and related services that the 
cybersecurity technology and related services safe harbor, paragraph 
1001.952(jj), is available to protect the exchange of cybersecurity 
items and services, provided all safe harbor requirements are met, and 
note that such safe harbor does not include a contribution requirement.
    Comment: Commenters generally opposed the proposal that the 
contribution requirement be calculated based upon the offeror's cost. 
For example, a commenter asserted that an offeror's cost may be 
difficult to determine where the offeror has substantial development 
costs but small marginal costs for each individual recipient or user. 
Another commenter posited that this standard would provide insufficient 
flexibility because the benefit of the remuneration exchanged may be 
realized by one party more than the other, for example, where the 
remuneration exchanged between two or more parties primarily benefits 
the offeror versus the recipient. Commenters suggested various 
methodologies to calculate the contribution requirement, including: (i) 
The offeror's cost or fair market value; (ii) the offeror's cost or a 
price charged by the offeror to purchasers outside of the VBE; (iii) 
any reasonable accounting methodology; and (iv) an amount based on the 
price for that product or service (or a reasonably comparable product 
or service if it is new to the market) typically charged by the offeror 
to reasonably comparable customers outside VBEs. Another commenter 
recommended we define ``offeror's cost,'' whereas another commenter 
expressed concern that the standard would be difficult to implement 
because items or services that benefit patients could have little or no 
quantifiable independent value to the VBE recipient.
    A commenter asserted that calculating cost may be difficult when 
tools and software are developed internally by the developer or 
manufacturer and made available by a VBE participant or acquired as 
part of a bundled sale under the discount safe harbor. A commenter also 
stated that there may be substantial development costs but only 
marginal costs for each individual recipient and that costs could be 
subject to proprietary and confidentiality obligations.
    Response: In the OIG Proposed Rule, in addition to our proposal 
that the contribution requirement be calculated based upon the 
offeror's cost, we stated we were considering two other methodologies 
for determining the 15 percent requirement: Fair market value of the 
remuneration to the recipient or the reasonable value of the 
remuneration to the recipient. To afford parties additional 
flexibility, we are revising the contribution requirement methodology 
in this final rule to require recipients to pay at least 15 percent of 
either: (i) The offeror's cost of the remuneration, as determined using 
any reasonable accounting methodology; or (ii) the fair market value of 
the remuneration. As indicated in the OIG Proposed Rule, we are not 
requiring that parties obtain an independent fair market valuation. We 
selected fair market value rather than reasonable value because fair 
market value is a more specific standard, a widely used term in 
valuation, and common to many existing safe harbors such that many 
stakeholders and the government have experience with it. We are 
finalizing the

[[Page 77741]]

requirement as ``fair market value'' instead of ``fair market value of 
the remuneration to the recipient'' because we believe the inclusion of 
``to the recipient'' could confuse generally accepted valuation 
methodologies due to its focus on only one party. We expect that 
parties to a value-based arrangement seeking protection under this safe 
harbor would use generally accepted valuation methodologies and 
principles in any determination of ``fair market value'' in relation to 
the contribution requirement, which could incorporate factors related 
to the recipient.
    To provide parties flexibility we are not specifically defining 
``offeror's cost'' or requiring a specific methodology for determining 
fair market value. To the extent costs are proprietary or confidential, 
depending on the circumstances, parties could meet this condition 
through the use of contractual provisions in their value-based 
arrangements to protect information from further disclosure or rely on 
the fair market value option to determine the 15 percent contribution 
requirement.
    We are finalizing our proposal that, if the remuneration is deemed 
by the parties to be a one-time cost, e.g., a one-time purchase of 
telehealth-related technology, the recipient must make the contribution 
in advance of receiving the in-kind remuneration; to the extent the 
remuneration is deemed by the parties to be an ongoing cost, e.g., a 
subscription service to a data analytics tool, the recipient must make 
any contributions at reasonable, regular intervals, with the frequency 
of such payments documented in writing. We note that parties have the 
flexibility to structure the recipient's contribution payment as either 
a one-time or ongoing payment, depending upon the facts and 
circumstances of the arrangement and the parties' preference.
    Comment: We received several comments advocating for or against the 
adoption of alternative proposals noted in the OIG Proposed Rule. For 
example, many commenters favored an across-the-board reduction in the 
contribution requirement from 15 percent to 5 percent. Other commenters 
backed an exemption to, or a significant reduction in, the contribution 
requirement for certain categories of remuneration, such as technology 
and technology-related items, although at least one commenter opposed 
this approach due to administrative burden concerns. Another commenter 
urged OIG to calibrate the contribution based on the financial need of 
the target patient population.
    Response: We are retaining the 15 percent contribution requirement, 
as proposed, with the aforementioned methodology modifications. We 
believe that a contribution requirement lower than 15 percent would not 
achieve a sufficient level of accountability and engagement of the 
recipient. Moreover, we decline to vary the contribution requirement 
based upon the type of remuneration at issue or the arrangement's 
target patient population; such variation would introduce unnecessary 
operational complexity.
    Comment: A commenter recommended that OIG take into account 
nonmonetary contributions from the recipient to the offeror for 
purposes of calculating the contribution requirement.
    Response: To meet this safe harbor's contribution requirement, a 
recipient must pay at least 15 percent of the offeror's cost of the 
remuneration (as determined using any reasonable accounting 
methodology) or at least 15 percent of the fair market value of the 
remuneration. Parties to a care coordination arrangement where any 
nonmonetary contributions flow in both directions--from the offeror to 
the recipient and the recipient to the offeror--would need to assess 
any potential Federal anti-kickback statute implications for both 
streams of contributions. To the extent that both streams of 
contributions constitute remuneration, implicate the Federal anti-
kickback statute, and the parties seek protection under the care 
coordination arrangements safe harbor, the parties must satisfy the 
contribution requirement for each stream of remuneration. There may be 
circumstances under which the parties could appropriately offset 
payments made to satisfy the contribution requirement for each stream, 
but any such assessment would be fact specific. For example, it would 
be appropriate for parties to offset payment amounts to satisfy the 
contribution requirement for separate streams of remuneration to reduce 
administrative burden, provided each stream of remuneration complied 
with the Federal anti-kickback statute. In contrast, it would be 
inappropriate for parties to offset payment amounts in an attempt to 
reduce a party's contribution requirement below 15 percent and any 
associated arrangement would not be protected by this safe harbor.
    Comment: A commenter recommended that, for purposes of applying the 
15 percent contribution requirement in the care coordination 
arrangements safe harbor, OIG recognize a VBE's good faith allocation 
of the in-kind remuneration across various arrangements. The commenter 
identified a number of manners in which it believed a reasonable 
allocation could be made (e.g., patient needs associated with a 
particular arrangement, such as a chronic care program), and noted that 
in some cases, a reasonable allocation might be a per capita allocation 
of in-kind remuneration across all VBE participants.
    Response: First, for the purposes of our response, we assume that 
the commenter means that the in-kind remuneration provided by the VBE 
or VBE participant to other VBE participants would be shared by various 
VBE participants to a value-based arrangement, or various value-based 
arrangements, under the same VBE (e.g., a shared care coordinator or 
shared information technology system). To the extent that VBE 
participants to a value-based arrangement or various value-based 
arrangements are sharing in-kind remuneration provided by the VBE or 
another VBE participant, it would be reasonable--under both 
methodologies that parties can use to determine the contribution 
requirement--to reasonably and in good faith allocate the ``offeror's 
cost for the in-kind remuneration'' or the ``fair market value'' of the 
shared resources between the various VBE participants sharing in the 
resources.
    As stated above, we would expect that parties to a value-based 
arrangement seeking protection under this safe harbor would use 
reasonable accounting methodologies and generally accepted valuation 
methodologies and principles in determining any appropriate allocation 
of the shared resources for the purposes of determining the ``offeror's 
cost for the in-kind remuneration'' or the ``fair market value'' in 
relation to the contribution requirement. We acknowledge that 
reasonable accounting methodologies and commonly accepted valuation 
principles would allow for consideration of the shared nature of the 
in-kind remuneration. We further highlight that we would not expect 
that any aggregate contribution amounts--from VBE participants sharing 
in any in-kind remuneration--result in a windfall to the offeror.
    Comment: Some commenters expressed concern that a contribution 
requirement would upend the existing regulatory framework that parties 
rely on to assess whether an item or service constitutes remuneration. 
For example, a dialysis provider stated that a contribution requirement 
may unintentionally create a presumption that many care coordination 
activities

[[Page 77742]]

that do not constitute remuneration for purposes of the Federal anti-
kickback statute are, in fact, remuneration with a specific value. The 
same commenter illustrated its concern by explaining that multiple 
Medicare conditions for coverage require dialysis facilities to 
coordinate dialysis patients' care with other providers, including 
physicians and nursing homes. The dialysis provider requested that OIG 
confirm that the following does not constitute remuneration: (i) The 
provider performs care coordination services because they are required 
to do so by Medicare or other payors' rules, other law, or to meet the 
clinical standard of care, and (ii) the care coordination services 
provided do not relieve another party of an obligation assigned to it 
by Medicare or other payors' rules or other law.
    Response: The contribution requirement does not change the current 
regulatory framework for assessing whether an item or service exchanged 
between two or more parties constitutes remuneration under either the 
Federal anti-kickback statute or the Beneficiary Inducements CMP. As we 
have stated in prior OIG guidance on this issue, we view 
``remuneration'' under the Federal anti-kickback statute to consist of 
anything of value in any form or manner whatsoever.\39\ With respect to 
the request for guidance as to whether (i) care coordination services 
performed by a provider because they are required to do so by Medicare 
or other payors' rules, other law, or to meet the clinical standard of 
care, and (ii) care coordination services that do not relieve another 
party of an obligation assigned to it by Medicare or other payors' 
rules or other law, such services could constitute remuneration under 
the Federal anti-kickback statute. However, we remind readers that even 
if care coordination services constitute remuneration, the Federal 
anti-kickback statute is not necessarily implicated. For example, the 
Federal anti-kickback statute generally is not implicated for financial 
arrangements limited solely to patients who are not Federal health care 
program beneficiaries. Further, depending on the facts and 
circumstances (including the intent of the parties), the provision of 
care coordination services may implicate the Federal anti-kickback 
statute but not violate it.
---------------------------------------------------------------------------

    \39\ See, e.g., OIG, Special Fraud Alert, 59 FR 65372, 65377 
(Dec. 19, 1994), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/121994.html; OIG, Medicare and State Health Care 
Programs: Fraud and Abuse; OIG Anti-Kickback Provisions, 56 FR 
35952, 35978 (July 29, 1991), available at https://oig.hhs.gov/fraud/docs/safeharborregulations/freecomputers.htm. See also OIG 
advisory opinions generally, e.g., OIG Adv. Op. No. 20-02, where OIG 
states, ``For purposes of the anti-kickback statute, `remuneration' 
includes the transfer of anything of value, directly or indirectly, 
overtly or covertly, in cash or in kind.''
---------------------------------------------------------------------------

    Comment: Some commenters asserted that the proposed 15 percent 
contribution requirement is arbitrary or that there is no evidence a 
contribution requirement would mitigate fraud and abuse concerns. Other 
commenters suggested that the contribution requirement is duplicative 
of existing safeguards included in the care coordination arrangements 
safe harbor, e.g., the requirement that remuneration must be used 
primarily to engage in value-based activities that are directly 
connected to the coordination and management of care of the target 
patient population.
    Response: We disagree with the commenters. We believe the 
contribution requirement will promote accountability, fiscal 
responsibility, and greater engagement by the recipient. We note that 
contribution requirements have been implemented in other contexts, such 
as those included in the electronic health records items and services 
(EHR) safe harbor at paragraph 1001.952(y) and the Federal 
Communications Commission's Rural Health Care Pilot Program.\40\ 
Moreover, we do not believe the contribution requirement is duplicative 
of other safeguards. While several conditions in the safe harbor 
promote accountability, the contribution requirement provides an 
objective, bright-line standard for parties that requires recipients in 
value-based arrangements to have a financial stake in the arrangement 
and encourages a tangible commitment to achieving the value-based 
arrangement's goals.
---------------------------------------------------------------------------

    \40\ See, e.g., Federal Communication Commission, Rural Health 
Care Pilot Program FAQs, available at https://www.fcc.gov/general/rural-health-care-pilot-program#faqs (requiring eligible recipients 
to fund 15 percent of the cost of infrastructure design and 
construction of broadband networks for health care purposes, in 
recognition that a contribution requirement will ``incentiviz[e] 
participants to choose the most cost-effective services and 
equipment and refrain from purchasing a higher level of service or 
equipment than needed'') (as cited to by the Federal Communication 
Commission, Promoting Telehealth for Low-Income Consumers, 84 FR 
36865, 36869 (July 30, 2019)).
---------------------------------------------------------------------------

    Comment: At least two commenters drew attention to the parallel 
contribution requirements in the care coordination arrangements and EHR 
safe harbors. For example, a commenter highlighted the perceived 
inconsistency of relying on the EHR safe harbor to justify our 
contribution requirement on the one hand and indicating that we were 
considering revisiting or eliminating the contribution requirement in 
the EHR safe harbor on the other. Another commenter sought to 
distinguish the care coordination arrangements safe harbor from the EHR 
safe harbor by stating that a contribution requirement may be 
appropriate in the EHR safe harbor because the EHR safe harbor has less 
stringent standards, but a contribution requirement is not warranted in 
the care coordination arrangements safe harbor. The commenter further 
asserted that the EHR safe harbor protects items and services that have 
clear independent value to the recipient, while items and services 
exchanged pursuant to value-based arrangements may not always have such 
independent value.
    Response: In the OIG Proposed Rule, we considered removing the 
contribution requirement in the EHR safe harbor, but as discussed 
subsequently in this final rule, we are retaining the EHR safe harbor's 
contribution requirement. Accordingly, both the care coordination 
arrangements safe harbor and the EHR safe harbor, as finalized, include 
a 15 percent contribution requirement. We disagree that the EHR safe 
harbor has less stringent standards. The care coordination arrangements 
and EHR safe harbors have distinct requirements tailored to the type of 
remuneration that may be protected by the respective safe harbor. With 
respect to the commenter's suggestion that items and services exchanged 
pursuant to the care coordination arrangements safe harbor may not 
always have independent value to the recipient (in contrast to the EHR 
safe harbor), we note that any such determination would be fact 
specific. Moreover, the contribution requirement does not change any 
assessment of whether an item or service exchanged between two or more 
parties constitutes remuneration under the Federal anti-kickback 
statute. We remind stakeholders that to implicate the Federal anti-
kickback statute, there must be ``remuneration'' offered, paid, 
solicited, or received in the transaction or arrangement at issue. If 
the Federal anti-kickback statute is not implicated by a transaction or 
arrangement, then safe harbor protection is not necessary. 
Consequently, we would expect arrangements that qualify under the care 
coordination arrangements safe harbor to involve remuneration exchanged 
between the parties.
h. Direct Connection to the Coordination and Management of Care
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ee)(7)(i) that a value-based arrangement must have a direct 
connection to the

[[Page 77743]]

coordination and management of care for the target patient population.
    Summary of Final Rule: We are not finalizing the condition at 
proposed paragraph 1001.952(ee)(7)(i) because it would substantially 
duplicate the condition at paragraph 1001.952(ee)(1)(ii), which 
requires the remuneration to be used predominantly to engage in value-
based activities that are directly connected to the coordination and 
management of care.
    Comment: Commenters generally did not support the condition 
proposed at paragraph 1001.952(ee)(7)(i), albeit for varying reasons. 
Some took issue with the fact that the condition did not afford parties 
the flexibility to select any one of the value-based purposes available 
to VBEs, and rather tied parties to the value-based purpose relating to 
the coordination and management of care. Some commenters argued that 
this condition was not necessary in light of other safeguards included 
in the care coordination arrangements safe harbor.
    Response: We are not finalizing the condition proposed at paragraph 
1001.952(ee)(7)(i) because it would substantially duplicate the 
condition we are finalizing at paragraph 1001.952(ee)(1)(ii). With 
respect to the commenters that argued that the proposed condition did 
not afford parties the flexibility to select any one of the value-based 
purposes available to VBEs, and rather tied parties to the value-based 
purpose relating to the coordination and management of care, we refer 
commenters to the discussion of the condition we finalize at paragraph 
1001.952(ee)(1)(ii), in section III.B.3.e.ii. of the preamble. There we 
explain, in part, that the care coordination arrangements safe harbor's 
conditions do not preclude a value-based arrangement from furthering 
other value-based purposes; however, the safe harbor does require that 
the remuneration exchanged be used predominantly to engage in value-
based activities that are directly connected to the coordination and 
management of care for the target patient population.
i. Preserving Clinical Decision-Making
    Summary of OIG Proposed Rule: In proposed paragraph 
1001.952(ee)(7)(ii), we proposed that the value-based arrangement must 
not limit parties' ability to make decisions in the best interests of 
their patients.
    We also proposed in proposed paragraph 1001.952(ee)(7)(iii) that 
value-based arrangements cannot direct or restrict referrals if: (i) A 
patient expresses a preference for a different practitioner, provider, 
or supplier; (ii) the patient's payor determines the provider, 
practitioner, or supplier; or (iii) such direction or restriction is 
contrary to applicable law or regulations under titles XVIII and XIX of 
the Act.
    Summary of Final Rule: We are finalizing, with modification, the 
proposed condition that the value-based arrangement must not limit the 
VBE participant's ability to make decisions in the best interests of 
its patients and relocating it to paragraph 1001.952(ee)(7)(i). We are 
making a technical correction to change ``their patients'' to ``its 
patients.'' In paragraph 1001.952(ee)(7)(ii), we are finalizing the 
condition related to directing or restricting referrals with one 
clarification. We are deleting ``or regulations'' because 
``regulations'' is already captured by the term ``applicable law'' in 
the final regulation. Thus, a value-based arrangement cannot direct or 
restrict referrals if such direction or restriction is contrary to 
applicable law under titles XVIII and XIX of the Act.
    Comment: Commenters were very supportive of prohibiting any 
limitation on VBE participants' ability to make decisions in the best 
interests of their patients and limiting how the value-based 
arrangement can direct or restrict referrals to a particular provider, 
practitioner, or supplier. Many commenters asserted that these 
standards will protect patient choice and ensure the independence of 
medical or professional judgment.
    Response: We agree with the commenters, and we are finalizing these 
two requirements--a prohibition on any limitation of VBE participants' 
ability to make decisions in the best interests of their patients, and 
limiting the circumstances in which parties to a value-based 
arrangement may direct or restrict referrals--to support patient choice 
and independent medical and professional judgment. Based on these 
conditions, remuneration exchanged as part of arrangements that unduly 
restrict patient choice or the independence of medical or professional 
judgment through inappropriate direction or restriction of referrals 
will not be protected. This requirement aims to ensure that VBEs and 
VBE participants that are parties to a value-based arrangement maintain 
their independent, medical, or other professional judgment without 
undue restriction. This condition is not intended to bar VBEs or VBE 
participants from communicating the benefits of receiving care from 
other VBE participants in the VBE.
    Comment: Several commenters urged the OIG to adopt more robust 
safeguards to protect patient choice and ensure the independence of 
medical or professional judgment. A commenter recommended that health 
care professionals be given the ability to override any (i) practice 
guideline or standard; (ii) electronic health record technology; (iii) 
clinical-decision support software; (iv) computerized order entry 
program; or (v) policies that may be imposed or implemented by a VBE or 
payor if such an override is, in the professional judgment of the 
health care professional, consistent with their determination of 
medical necessity and appropriateness or nursing assessment, in the 
best interests of the individual patient, and consistent with the 
patient's wishes.
    Another commenter asserted that the OIG Proposed Rule appears to 
give a provider the authority to direct a referral unless the patient 
otherwise expresses an alternative choice. The commenter recommended 
that we include a requirement that the VBE provide notice to patients 
informing them that: (i) The entity is participating in a financial 
risk-based program where the entity receives financial benefits under 
applicable conditions; (ii) referrals for care may be made to a 
restricted list of providers and practitioners; and (iii) the patient 
has the freedom to choose any qualified provider or practitioner and 
the right to reject any referral to a particular provider or 
practitioner if they have an alternative preferred provider or 
practitioner. Another commenter urged OIG to provide consumer-tested 
templates for VBEs to communicate with patients that they retain their 
rights to choose providers.
    Response: With respect to the commenter's assertion that the OIG 
Proposed Rule appears to give the provider the authority to direct a 
referral unless the patient otherwise expresses an alternative choice, 
we note that the provision we are finalizing also prohibits the value-
based arrangement from directing or restricting referrals where the 
patient's payor determines the provider, practitioner, or supplier, or 
where the direction or restriction is contrary to applicable law under 
titles XVIII and XIX of the Act. Moreover, nothing in this safe harbor 
gives providers authority to direct referrals. This provision describes 
one among several conditions of safe harbor protection, in this case a 
limitation on what a protected value-based arrangement can do.
    With respect to the suggestion that providers be permitted to 
override various care protocols, guidelines, policies, or technology-
driven systems, this safe harbor does not affect the authority of 
providers to do so. A

[[Page 77744]]

provider's obligation to comply with care protocols, guidelines, 
policies, or technology-driven systems is outside the scope of this 
final rule. This safe harbor speaks only to the conditions under which 
a value-based arrangement would receive prospective safe harbor 
protection under the Federal anti-kickback statute. The value-based 
arrangement may not limit the VBE participant's ability to make 
decisions in the best interests of its patients. Facts and 
circumstances demonstrating that the value-based arrangement has 
limited a VBE participant's ability to make decisions in the best 
interest of its patients would disqualify the remuneration exchanged 
pursuant to the value-based arrangement from protection under this safe 
harbor. In drafting the final rule on this point, we have been guided 
in part by experience with long-established rules in the physician 
self-referral law \41\ and the Medicare Shared Savings Program \42\ 
that address preservation of patient preferences and clinician judgment 
choice in the context of directed referrals.
---------------------------------------------------------------------------

    \41\ See, e.g., 42 CFR 411.354(d)(4)(iv).
    \42\ See, e.g., 42 CFR 425.305(b).
---------------------------------------------------------------------------

    While we appreciate the commenters' suggestions regarding patient 
notice, we did not propose a patient notice requirement in the OIG 
Proposed Rule for any of the three value-based safe harbors, and we are 
not including a patient notice requirement in this final rule. Such a 
requirement would add administrative burden without appreciably adding 
benefits, including protections against fraud and abuse, given the 
combination of conditions we are finalizing. Further, such notices, if 
executed poorly, could confuse patients. Parties may wish to provide 
notifications, and nothing in this rule prevents them from doing so. We 
are not providing templates for communications with patient regarding 
patient choice, and defer to providers, payors, and others to develop 
best practices for notices and other relevant communications.
    Comment: A commenter urged the OIG to preclude safe harbor 
protection for any arrangement that involves paying for referrals and 
to protect against any given market player requiring referrals only to 
certain facilities. Another commenter recommended that VBEs be 
prohibited from taking any adverse action against a patient that 
chooses an alternative provider or practitioner.
    Response: We share the commenter's concerns regarding abusive, pay-
for-referral arrangements. We also recognize that legitimate care 
coordination arrangements may involve an exchange of remuneration 
between parties that are in a position to give or receive referrals and 
that referrals may be made between VBE participants coordinating and 
managing a patient's care through a value-based arrangement. One of the 
objectives of the care coordination arrangements safe harbor is to 
identify and define attributes of legitimate care coordination 
arrangements and afford protection only to remuneration exchanged under 
such arrangements. The requirements of this safe harbor and the value-
based terminology (e.g., value-based purpose, value-based activity, 
value-based arrangement) work together to achieve this objective. 
Abusive, pay-for-referral arrangements, such as an arrangement where an 
individual or entity is required to offer remuneration to a provider in 
order to receive that provider's referrals or an arrangement that 
encourages providers to steer patients in ways that are not in the 
patients' best interests, will not be able to meet the requirements of 
the safe harbor.
    With respect to the commenter's concern regarding a particular 
person or entity requiring referrals only to certain entities, we 
believe these types of directed referral provisions may be problematic 
in certain instances but also are common features of many legitimate 
care coordination arrangements. As explained in the preceding response, 
the limitations we are adopting in this final rule reflect important 
safeguards to protect patient choice and independence of medical and 
professional judgment and effectuate an appropriate balance between the 
competing concerns of protecting legitimate care coordination 
arrangements and preventing inappropriate pay-for-referral schemes.
    With respect to the recommendation that, as a condition of safe 
harbor protection, VBEs should be prohibited from taking any adverse 
action against a patient that chooses an alternative provider or 
practitioner, we note that nothing in the safe harbor limits or directs 
a patient's choice of provider or services, including a patient's 
choice to seek care outside the VBE. As indicated in the OIG Proposed 
Rule and implemented in this final rule, it is our intent that a 
patient can express a preference for a different practitioner, 
provider, or supplier and the value-based arrangement cannot restrict 
or limit that choice. Further, safe harbor protection does not extend 
to any arrangement where the value-based arrangement directs or 
restricts referrals to a particular provider, practitioner, or supplier 
if the patient's payor determines the provider, practitioner, or 
supplier or the direction or restriction is contrary to applicable law 
under titles XVIII and XIX of the Act.
j. Marketing of Items or Services or Patient Recruitment Activities
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(ee)(7)(iv) that the value-based arrangement could not include 
marketing to patients of items or services or engaging in patient 
recruitment activities. We stated that we did not intend for this 
limitation to prohibit a VBE participant that is a party to a value-
based arrangement from educating patients in the target patient 
population regarding permissible value-based activities.
    Summary of Final Rule: We are finalizing, with modifications, this 
requirement at paragraph 1001.952(ee)(1)(iii). We have revised the 
language of the text at paragraph 1001.952(ee)(1)(iii) to clarify that 
the protected remuneration under the value-based arrangement may not be 
exchanged or used for the purpose of marketing items or services 
furnished by the VBE or a VBE participant to patients or for patient 
recruitment activities.
    Comment: Several commenters strongly supported our proposal, or, 
alternatively, advocated for the imposition of additional conditions to 
protect against abusive marketing practices. However, the majority of 
commenters on this topic either sought clarification on the parameters 
of the condition or opposed it altogether. A commenter asked OIG to 
define allowable educational activities and prohibited marketing 
activities, and another commenter questioned whether a distinction 
between marketing and educational activities is possible when, 
according to the commenter, the line between marketing and education is 
subjective and requires an intent-based inquiry. Another commenter 
suggested that OIG prohibit marketing and patient recruitment 
activities but permit efforts to make patients aware of the 
availability of items or services at times when the patient could 
reasonably benefit from such information. Other commenters requested 
that OIG provide guidance on, and specific examples of, the distinction 
between marketing and patient recruitment activities on the one hand, 
and patient education activities on the other. For example, a commenter 
asked whether a program to screen patients for fall risk and educate 
them on their risks and appropriate next steps would be considered 
patient education or a marketing activity. Another

[[Page 77745]]

commenter asked whether a hospice's provision of free home-based 
palliative care services or room and board to patients unable to pay 
would constitute marketing or patient recruitment activities.
    Numerous commenters opposed the prohibition on patient marketing 
and patient recruitment activities altogether, asserting that the 
condition is too broad. A commenter declared that marketing activities 
are necessary in order to meaningfully educate patients on their health 
care options, and another commenter claimed that a marketing and 
patient recruitment prohibition would limit a value-based enterprise's 
ability to leverage technology that might empower patients to make 
informed decisions and gain timely access to appropriate care. This 
commenter encouraged OIG to provide an exception for marketing-based 
technology that is used to achieve a defined health outcome under a 
value-based arrangement.
    Response: We are finalizing a narrower condition than the condition 
proposed in the OIG Proposed Rule because we agree with the commenters 
that our proposed condition was broader than necessary to prevent the 
fraud and abuse concerns addressed by the condition. Rather than 
prohibiting all marketing and patient recruitment activities under a 
value-based arrangement, as proposed, the requirement we are finalizing 
prohibits the exchange of or use of remuneration for the purpose of 
marketing items or services provided by the VBE or VBE participants or 
for patient recruitment activities.
    We use the terms ``marketing'' (e.g., promoting or selling 
something), ``education'' (e.g., informing, instructing, or teaching), 
and ``recruitment'' (e.g., enlisting someone to do something) in 
accordance with their commonsense meanings. We are not defining in 
regulatory text ``marketing,'' ``patient recruitment activities,'' or 
``education,'' or a similar term (note that the regulatory text does 
not use ``education'' or ``educational activities'' but we use such 
terms in our preamble explanation). We decline to define these terms: 
(i) In recognition that these terms are commonly understood; and (ii) 
to avoid overly prescriptive definitions that may chill appropriate 
educational activities. In lieu of regulatory definitions, we offer 
illustrative examples below to aid stakeholders in applying the safe 
harbor provision.
    As noted in the OIG Proposed Rule, the proposed marketing and 
recruitment restriction would prevent misuse of the safe harbor by 
those seeking to use purported value-based arrangements to perpetuate 
fraud schemes through the purchase of beneficiaries' medical identity 
or other inducements to lure beneficiaries to obtain unnecessary care. 
As stated in the OIG Proposed Rule, our enforcement experience 
demonstrates that fraud schemes often involve a mixture of both 
inducements to lure beneficiaries to obtain unnecessary care and the 
use of marketing-like activities to steal patients' medical identities. 
In particular, OIG has long-standing concerns about marketing 
activities that involve personal contact with beneficiaries. For 
example, OIG has previously explained that door-to-door marketing, 
telephone solicitations, direct mailings, and in-person sales pitches 
or ``informational'' sessions can be extremely coercive, particularly 
when such activities target senior citizens, Medicaid beneficiaries, 
and other particularly vulnerable patients.\43\
---------------------------------------------------------------------------

    \43\ OIG, OIG Adv. Op. No. 08-20 (Nov. 19, 2008), available at 
https://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-20.pdf.
---------------------------------------------------------------------------

    Consequently, we believe that remuneration used for marketing and 
patient recruitment activities, regardless of whether the activities 
are driven by technology or tied to achieving a defined health outcome, 
remains suspect and requires fact-specific scrutiny under the Federal 
anti-kickback statute; therefore, we decline to provide safe harbor 
protection for such remuneration in this safe harbor.
    Nevertheless, we acknowledge the benefits of objective educational 
materials to provide patients with general health care information and 
information about their health care options. We do not consider 
remuneration exchanged between parties to a value-based arrangement to 
(i) provide objective patient educational materials or (ii) engage in 
objective patient informational activities to constitute marketing or 
patient recruitment activities for purposes of this safe harbor 
condition. As we explained in the OIG Proposed Rule, this condition 
would not prohibit a VBE participant that is a party to the value-based 
arrangement from educating patients in the target patient population 
about permissible value-based activities.
    A determination regarding whether remuneration is being exchanged 
or used for the purposes of marketing items or services or patient 
recruitment activities or for an educational activity requires a fact-
specific analysis; however, the following examples illustrate how we 
distinguish between marketing and patient recruitment, on the one hand, 
and education on the other. Using examples from the OIG Proposed 
Rule,\44\ if a SNF or home health agency placed a staff member at a 
hospital to assist patients in the discharge planning process, and in 
doing so, the staff member educated patients regarding care management 
processes used by the SNF or home health agency, this would not 
constitute marketing of items and services (provided the staff member 
only worked with patients that had already selected the SNF or home 
health agency and SNF or home-health agency care was medically 
appropriate for such patient). However, if the SNF or home health 
agency placed a staff member at a hospital to perform care coordination 
services and to market the SNF's or home health agency's services to 
hospital patients, the arrangement would not comply with this 
requirement because the remuneration being exchanged pursuant to the 
arrangement--the services offered by the staff member--would be 
exchanged for the purpose of engaging in marketing.
---------------------------------------------------------------------------

    \44\ 84 FR 55712 (Oct. 17, 2019).
---------------------------------------------------------------------------

    As an additional example, we would not consider actions, such as 
notifying a patient of the criteria used by a VBE participant to 
determine patient eligibility for care coordination services or 
informing the target patient population of potential health benefits 
that may be derived from care coordination for a patient's chronic 
condition, to be marketing or patient recruitment activities. This sort 
of targeted education to the patient is distinguishable from broader 
marketing and recruiting campaigns designed to sell products or 
services or recruit patients.
    Notably, in some circumstances, it may not be necessary to make a 
distinction between marketing and education to determine whether an 
arrangement fits in a value-based safe harbor. If remuneration is 
exchanged pursuant to an arrangement that does not qualify as a 
``value-based arrangement,'' as defined here, it is not eligible for 
safe harbor protection. For example, an arrangement solely for a 
direct-mail marketing campaign or other advertising would need to 
qualify as a value-based arrangement under the definition at paragraph 
1001.952(ee) to be eligible to use a value-based safe harbor. We cannot 
envision a circumstance where such an arrangement would be a ``value-
based arrangement'' as defined in this final rule or be eligible under 
this safe harbor. Should one VBE participant wish to

[[Page 77746]]

engage in a direct-mail campaign that markets, in part, another VBE 
participant's services and the parties seek safe harbor protection for 
such arrangement, they should look to the personal services and 
management contracts safe harbor at paragraph 1001.952(d).
    In response to the commenter's inquiry regarding a screening 
program for fall risk, it is not clear from the commenter's description 
whether the program would be part of a coordinated plan of care for a 
target patient population to improve outcomes or a marketing or patient 
recruitment activity to attract patients to the VBE or its 
participants. If the former, the arrangement could qualify for safe 
harbor protection, if all safe harbor conditions are met. If the 
latter, it would not be protected. Based on our oversight experience, 
we are concerned that a fall risk screening program could be misused as 
a marketing or patient recruitment activity if the screening program 
was not part of the coordination and management of care or an objective 
educational program. There is a risk that such a program could be used 
to lure beneficiaries to obtain unnecessary care. Whether a particular 
fall risk screening program is a marketing program, an educational 
program, or a value-based arrangement will depend on its specific facts 
and circumstances.
    Additionally, we note that remuneration exchanged between parties 
to a value-based arrangement that is used to offer something of value 
to patients to incentivize them to obtain a fall screening examination 
from one of the parties would not be protected by this safe harbor. We 
have modified the regulatory text to make clear that prohibited 
marketing includes not only exchanging remuneration for the purpose of 
engaging in patient recruitment activities or marketing but also using 
remuneration for such purposes. This change effectuates our intent 
articulated in the preamble to the OIG Proposed Rule to limit the risk 
of the value-based arrangement being used as a marketing or recruiting 
tool to generate federally payable business for the VBE 
participant.\45\ To illustrate how this condition would operate, the 
parties cannot exchange remuneration for the purpose of engaging in 
patient recruitment activities or marketing (e.g., a SNF or home health 
agency placed a care coordinator at a hospital to market the SNF's or 
home health agency's services to hospital patients). In addition, the 
parties cannot use the remuneration for marketing or engaging in 
patient recruitment activities (e.g., the hospital asks the care 
coordinator placed by the SNF or home health agency to send out 
mailings to the local community regarding the hospital's services).
---------------------------------------------------------------------------

    \45\ 84 FR 77712 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Regarding the question about a hospice's provision of free home-
based palliative care services or room and board to patients unable to 
pay, such an arrangement would not be protected by the care 
coordination arrangements safe harbor. This safe harbor is limited to 
remuneration exchanged between parties to a value-based arrangement, 
i.e., between a VBE and VBE participant or between VBE participants. It 
does not encompass arrangements involving the exchange of remuneration 
to patients. Other safe harbors or exceptions to the Beneficiary 
Inducements CMP may be available to protect the provision of such items 
and services to patients, depending upon the facts and circumstances.
    We reiterate that nothing in this safe harbor prevents VBEs or VBE 
participants from marketing their services. Indeed, arrangements need 
not have safe harbor protection to be lawful, and we observe that many 
legitimate health care entities lawfully market services without 
benefit of a safe harbor. However, value-based arrangements that 
include the exchange or use of remuneration for the purpose of 
marketing or patient recruitment would not be eligible for protection 
under the care coordination arrangements safe harbor.
    Comment: A commenter requested that OIG address whether a VBE 
participant that is a payor and owns a company that provides remote 
monitoring devices or has a vendor relationship with a company that 
provides such devices could suggest certain device utilization for 
purposes of improved care.
    Response: The commenter describes the recommendation or referral of 
a device by a VBE participant that is a payor and is affiliated with a 
company that provides remote monitoring devices but does not identify 
remuneration provided under the value-based arrangement. Without 
additional facts, we can only respond generally to the comment. First, 
we would highlight that this safe harbor does not protect free or 
reduced-priced items or services that sellers provide either as part of 
a product sale arrangement or ancillary to a value-based arrangement. 
Free or reduced-priced items and services provided either as part of a 
product sale arrangement or ancillary to a value-based arrangement may 
not need safe harbor protection or may be protected by other safe 
harbors.
    Second, nothing in the safe harbor would prohibit a VBE participant 
from using remuneration it received pursuant to a value-based 
arrangement to inform the target patient population of the availability 
of care coordination activities it provides to patients (e.g., patient 
monitoring) in a targeted, objective, and educational manner so long as 
the remuneration is not exchanged or used for marketing or patient 
recruitment activities. In this final rule, we have clarified that the 
content of the marketing the safe harbor prohibits is the marketing of 
items and services furnished by the VBE or a VBE participant to 
patients.
    To the extent that payors or other VBE participants provide 
remuneration to patients in the form of a free device, such 
remuneration would not be protected by this safe harbor. We note that 
other safe harbors or exceptions to the Beneficiary Inducements CMP may 
be available to protect the provision of such items and services, 
depending upon the facts and circumstances.
    Comment: A health system recommended that provider affiliation 
announcements be carved out of the definition of marketing or 
recruitment activities so that providers can inform patients that they 
participate in value-based arrangements. Another commenter similarly 
urged OIG to permit individuals or entities participating in a VBE to 
market themselves as VBE participants to patients.
    Response: Remuneration exchanged between parties to a value-based 
arrangement may be used to inform patients in the target patient 
population that the VBE participant participates in the value-based 
arrangement without such information being considered a marketing or 
recruitment activity. However, whether broader advertising (that 
includes VBE participant-related information) would be considered a 
prohibited marketing or recruitment activity for safe harbor purposes 
would be a fact-specific determination. For example, as part of a 
larger value-based arrangement between a physician group and a 
hospital, a hospital provides tablets to the physician group, which the 
physician group uses for in-office patient asthma management education. 
If the education application used on the tablet identifies all VBE 
participants capable of helping the patients manage their asthma and 
provide other services, the tablet would not run afoul of the marketing 
prohibition because it is not being used to market or recruit patients. 
It informs patients of VBE participants

[[Page 77747]]

capable of providing disease management and other services. However, if 
the hospital also used the tablets to send text messages, 
notifications, and other pop-ups that solicit the patient to receive 
services from VBE participants, the tablet would be marketing under 
this safe harbor because it is being used for broader advertising or 
patient recruitment activity. A tablet, as part of a care coordination 
arrangement, could be protected remuneration; however, if it is part of 
a larger marketing scheme, the tablet would not be protected because 
that scheme would not be eligible for protection under this safe harbor 
and would be subject to a separate analysis under the Federal anti-
kickback statute. Similarly, if the tablet was used as part of larger 
data harvesting scheme for marketing purposes, that scheme would not be 
eligible for protection under this safe harbor and be subject to a 
separate analysis under the Federal anti-kickback statute.
    Comment: A commenter sought clarification on how to interpret the 
marketing and patient recruitment prohibition in the context of 
Medicare Advantage beneficiaries, and, specifically, whether compliance 
with existing CMS and OIG requirements associated with marketing to, 
and recruitment of, Medicare Advantage patients would be sufficient to 
maintain protection under the value-based safe harbors. In a similar 
vein, a health insurer requested that OIG clarify its definition of 
marketing and patient recruitment activities, as it relates to pre-
enrollment activities.
    Response: While acknowledging that payors may be subject to a wide 
range of other regulations, including CMS regulations and guidance 
specific to Medicare Advantage plans, we do not believe that compliance 
with CMS marketing requirements is sufficient for purposes of the safe 
harbor. Medicare Advantage regulations relating to patient enrollment 
and marketing are specific to payor-patient interactions in that 
program. In contrast, the conditions of this safe harbor are focused on 
facilitating beneficial care coordination and addressing potential 
fraud and abuse risks related to the exchange of remuneration between 
and among providers and suppliers. We remind the commenter that 
compliance with the care coordination arrangements safe harbor, as with 
all Federal anti-kickback statute safe harbors, is voluntary, and 
Medicare Advantage plans, or their contractors, may continue to seek 
protection under other existing safe harbors.
    Comment: Several commenters expressed concern that the prohibition 
on marketing and patient recruitment activities may conflict with 
existing CMS rules regarding discharge planning, or, at the very least: 
(i) Be inconsistent with the concept of a preferred provider network 
operating within the context of a VBE; or (ii) potentially limit VBE 
participants' ability to inform patients of the availability of items 
and services during the discharge planning process.
    Response: The prohibition on the marketing of items and services 
and patient recruitment activities, as finalized, relates specifically 
to the remuneration exchanged. Thus, for example, if a skilled nursing 
facility provides remuneration to a hospital under a value-based 
arrangement in the form of a discharge planner, the discharge planner 
could not market or recruit patients to the skilled nursing facility; 
doing so would prevent the value-based arrangement from qualifying for 
safe harbor protection. Nothing in the safe harbor prevents the 
hospital from informing patients about available skilled nursing 
facilities during the discharge planning process.
    This prohibition is not inconsistent with current CMS hospital 
conditions of participation regarding discharge planning, which require 
(among other conditions) that hospitals provide a comprehensive list of 
certain post-acute care providers, as applicable, to patients prior to 
discharge.\46\ Providing a comprehensive list of post-acute care 
providers would not constitute exchanging or using remuneration for 
marketing or patient recruitment for safe harbor purposes. This would 
be true even if the discharge planner provided to the hospital in the 
prior example were the person furnishing the list to patients, provided 
the discharge planner did not market or recommend the skilled nursing 
facility or another VBE participant on the list.
---------------------------------------------------------------------------

    \46\ 42 CFR 483.42(c).
---------------------------------------------------------------------------

    This prohibition is not inconsistent with the potential for a 
preferred provider network to operate within the context of a VBE. 
Using the above discharge planner example, the remuneration could 
comply with the marketing and patient recruitment activity prohibition 
if, for example, the discharge planner only provides written 
educational materials regarding the preferred provider network to 
target patient population members and does not actively recruit 
patients to the skilled nursing facilities in the preferred provider 
network and does not market or recommend any particular provider on the 
list. It is incumbent on parties seeking to establish and operate 
preferred provider networks to do so in a manner that complies with all 
pertinent regulations, and our safe harbor requirements are not 
intended to interfere with or supplant other compliance obligations.
    Comment: A commenter expressed concern that the proposed 
prohibition on marketing and patient recruitment would bar a VBE from 
publishing quality improvement or cost reduction data. The commenter 
declared that VBEs should be permitted to share performance data 
regarding VBE participants to help inform patient choice.
    Response: We would not consider the publication of quality and cost 
data to constitute marketing or patient recruitment activity. 
Therefore, parties to a value-based arrangement could exchange 
remuneration for the purpose of publishing such data, and we believe 
such data may be beneficial to inform patient choice.
    Comment: To mitigate OIG's concerns regarding marketing, a 
manufacturer suggested that OIG include as an additional safe harbor 
requirement that VBE participants disclose their participation in the 
VBE to patients, similar to the Medicare Shared Savings Program 
beneficiary notice requirements.
    Response: We thank the commenter for its suggestion. As noted 
elsewhere in this rule, we did not propose a patient notice requirement 
in the OIG Proposed Rule and are not including a patient notice 
requirement for reasons explained elsewhere. However, VBE participants 
are not prohibited, as noted above, from utilizing notices to 
transparently disclose their participation in a VBE to patients.
k. Monitoring and Assessment
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ee)(8) that the VBE, a VBE participant in the value-based 
arrangement acting on the VBE's behalf, or the VBE's accountable body 
or responsible person monitor and assess, no less frequently than 
annually, or once during the term of the value-based arrangement for 
arrangements with terms of less than 1 year: (i) The coordination and 
management of care for the target population in the value-based 
arrangement; (ii) any deficiencies in the delivery of quality care 
under the value-based arrangement; and (iii) progress toward achieving 
the evidence-based, valid outcome measure(s) in the value-based 
arrangement. We further proposed to require that the party conducting 
such monitoring and

[[Page 77748]]

assessment report the results of the monitoring and assessment to the 
VBE's accountable body or responsible person (if the VBE's accountable 
body or responsible person is not itself conducting the monitoring and 
assessment).
    Summary of Final Rule: We are finalizing the monitoring and 
assessment requirement, with modifications, at paragraph 
1001.952(ee)(9). We are requiring that the VBE, a VBE participant in 
the value-based arrangement acting on the VBE's behalf, or the VBE's 
accountable body or responsible person reasonably monitor and assess 
the following, no less frequently than annually, or once during the 
term of the value-based arrangement for arrangements with terms less 
than 1 year: (i) The coordination and management of care for the target 
patient population in the value-based arrangement; (ii) any 
deficiencies in the delivery of quality care under the value-based 
arrangement; and (iii) progress toward achieving the legitimate outcome 
or process measure(s) in the value-based arrangement. We are revising 
the proposed language--from specific evidence-based, valid outcome 
measure(s) to legitimate outcome or process measure(s)--to align with 
the standard for outcomes measures finalized in paragraph 
1001.952(ee)(4), discussed at section III.B.3.b.
    We also require that the party conducting such monitoring and 
assessment report their findings to the VBE's accountable body or 
responsible person (if the VBE's accountable body or responsible person 
is not itself conducting the monitoring and assessment). Finally, we 
are making a technical correction by adding ``the following'' and ``of 
the following'' to the introductory language of the paragraph for 
greater clarity about what must be monitored and assessed.
    Comment: Many commenters supported an annual monitoring and 
assessment requirement, where monitoring is tailored to the complexity 
and sophistication of the VBE and VBE participants. A physician trade 
organization recommended that OIG require monitoring and assessment of 
a value-based arrangement's value-based activities instead of the 
coordination and management of care for the target patient population, 
and another commenter asserted that OIG should require monitoring and 
assessment of whether value-based activities meet any of the value-
based purposes. A commenter urged that the monitoring and assessment 
provision require monitoring of utilization, referral patterns, and 
expenditure data to ensure that abuse is curtailed, and gaming is 
reduced. Another commenter supported heightened standards and 
conditions for monitoring and assessment but did not specify any such 
standards and conditions. Some commenters opposed a monitoring and 
assessment requirement, with a commenter stating that writing-related 
safeguards are sufficient to protect against fraud and abuse.
    Response: We are finalizing a monitoring and assessment requirement 
because we believe it is a critical safeguard to ensure oversight of 
the value-based arrangement. We are not adopting the suggestion to 
expand the condition to require monitoring of all value-based 
activities instead of the coordination and management of the care for 
the target patient population. Paragraph 1001.952(ee)(1)(ii) of this 
safe harbor requires the remuneration exchanged to be used 
predominantly to engage in value-based activities related to the 
coordination and management of care for the target patient population; 
consequently, we believe that it is appropriate to require the 
monitoring and assessment to focus on this value-based purpose. Under 
this requirement, the responsible party must monitor and assess whether 
and how the coordination and management of care is being implemented. 
``Coordination and management of care'' is defined at paragraph 
1001.952(ee)(14) for purposes of this safe harbor as the deliberate 
organization of patient care activities and sharing of information 
between two or more VBE participants or VBE participants and patients, 
tailored to improving the health outcomes of the target patient 
population, in order to achieve safer and more effective care for the 
target patient population. Thus, we expect any monitoring and 
assessment to evaluate how the value-based arrangement is or is not 
achieving this value-based purpose, as defined in this final rule. The 
monitoring and assessment may identify opportunities to reevaluate the 
value-based activities the parties are undertaking and the manner in 
which they are undertaking them to improve their chances of achieving 
this value-based purpose.
    While we are not requiring monitoring and assessment of 
utilization, referral patterns, and expenditure data, monitoring and 
assessment of such data may be a best compliance practice for many 
arrangements, depending on the complexity and sophistication of the VBE 
participants, the VBE, and the value-based arrangement and available 
resources. We have added ``reasonably,'' to the monitoring and 
assessment provision to codify that, for all value-based arrangements, 
monitoring and assessment should be reasonable in relation to the 
complexity and sophistication of the VBE participants, the VBE, and the 
value-based arrangement and available resources.\47\ We would expect 
parties to do as much as is appropriate based on the complexity and 
sophistication of the VBE participants, the VBE, and the value-based 
arrangement and available resources, but nothing in this provision 
should be construed to stop parties from having more robust monitoring 
and assessment processes than those described herein. This requirement 
both: (i) Provides flexibility for VBE participants associated with 
smaller, less-sophisticated VBEs and value-based arrangements to 
effectuate relatively more modest monitoring and assessment processes; 
and (ii) requires VBE participants associated with more complex and 
sophisticated VBEs and value-based arrangements to develop and operate 
appropriately complex and robust monitoring and assessment processes.
---------------------------------------------------------------------------

    \47\ 84 FR 55713 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: A commenter expressed concern that the annual monitoring 
and assessment requirement may have limited impact unless: Patients 
have a clearly articulated pathway for communicating and resolving 
concerns; outcome measures are valid and reflect outcomes important to 
patients; and results are reported to the Department or another 
oversight entity. Another commenter asked OIG to provide more 
information on the monitoring and assessment requirement and, 
specifically, to outline the reporting, auditing, and general oversight 
requirement of each VBE participant in the VBE.
    Response: We appreciate the commenter's concern regarding the 
potential limited impact of the monitoring and assessment requirement. 
We are not requiring parties to value-based arrangements to establish 
specific protocols for receiving and addressing patient concerns or to 
report data to the Department, except as otherwise set forth in 
paragraph 1001.952(ee)(12), which requires that the VBE or VBE 
participant make available to the Secretary, upon request, all 
materials and records sufficient to establish compliance with the 
conditions of this safe harbor. However, we are finalizing the 
requirement for parties to establish one or more legitimate outcome or 
process measures, and to monitor and assess certain information.

[[Page 77749]]

    Specifically, to comply with the monitoring and assessment 
requirement, either the VBE, a VBE participant in the value-based 
arrangement acting on the VBE's behalf, or the VBE's accountable body 
or responsible person must reasonably monitor and assess: (i) The 
coordination and management of care for the target patient population 
in the value-based arrangement; (ii) any deficiencies in the delivery 
of quality care under the value-based arrangement; and (iii) progress 
toward achieving the legitimate outcome or process measure(s) in the 
value-based arrangement. While, as stated above, the final safe harbor 
does not require the establishment of specific monitoring and 
assessment protocols or prescribe how VBEs must receive and address any 
patient concerns, we note that, as part of any VBE's regular monitoring 
activities, it would be a good compliance practice to establish a 
mechanism through which patients and others could submit reports 
related to, for example, deficiencies in the delivery of quality care 
under the value-based arrangement. Further, it would be a good 
compliance practice, as part of any VBE's regular monitoring and 
assessment activities, to assess any credible reports of, for example, 
deficiencies in the delivery of quality care under the value-based 
arrangement to determine their validity and any potential triggering of 
the termination and corrective action provision.
    Again, the final rule does not prescribe a one-size-fits-all 
approach for monitoring and assessment, nor does it specify the 
reporting, auditing, and general oversight requirement of each VBE 
participant in the VBE. This lack of specificity is designed to allow 
VBEs (and their VBE participants) flexibility to establish a monitoring 
and assessment program that is reasonable for that particular VBE and 
value-based arrangement. As stated above, the monitoring and assessment 
processes for each value-based arrangement should be reasonable in 
relation to the complexity and sophistication of the VBE, VBE 
participants, and value-based arrangement. Given the flexibility 
parties have to form VBEs and value-based arrangements of varying 
levels of complexity, we anticipate that the monitoring and assessment 
processes for the diverse value-based arrangements that could be 
protected by this safe harbor may vary.
    Comment: A commenter expressed concern that, if the party 
responsible for monitoring and assessment does not comply with the 
requirements of the safe harbor, that party's noncompliance places 
other parties at risk through no fault of their own.
    Response: A safe harbor applies only where each condition of the 
safe harbor is squarely met. Therefore, if the party responsible for 
monitoring and assessment does not perform its responsibility in 
accordance with the safe harbor requirements, the remuneration 
exchanged pursuant to the value-based arrangement would not receive 
protection. However, where another party has done everything that it 
reasonably could to comply with the safe harbor requirements applicable 
to that party but the remuneration exchanged loses safe harbor 
protection as a result of another party's noncompliance, the party's 
efforts to take all possible reasonable steps would be relevant in a 
determination of whether such party had the requisite intent to violate 
the Federal anti-kickback statute.
    Comment: Commenters expressed concern regarding, and urged 
flexibility for, the requirement for monitoring and assessment of 
progress toward evidence-based outcome measures. For example, a 
commenter asserted that participants to a new value-based arrangement 
need time to achieve success, as evidenced by the performance results 
of Medicare Shared Saving Program, and may not be able to progress 
quickly towards the outcome measures. Commenters noted that factors 
beyond a provider's control can impact outcomes and that interventions 
such as primary care, preventive services, and chronic care management 
may yield benefits that take numerous years to materialize.
    Response: For a number of reasons, we believe the responsible party 
or parties should monitor and assess progress toward the outcome or 
process measure(s) the parties establish. Such monitoring and 
assessment may reveal whether efforts to achieve the outcome measure(s) 
have led to improvements or deficiencies in patient care; whether the 
outcome measure(s) the parties initially established continue to be the 
best goalposts for achieving one or more value-based purposes; and 
whether the items or services the offeror provided under the value-
based arrangement, such as care coordination services, are effective 
tools for driving beneficial changes in care delivery. We agree with 
commenters that factors beyond a VBE participant's control could impact 
outcomes and that benefits of outcome measures could manifest over a 
longer timeframe; for this reason, the requirement for monitoring and 
assessment does not mandate that the parties achieve the outcome or 
process measure(s) on any particular timeframe.
l. Termination of the Arrangement
    Summary of OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(ee)(9) that the parties terminate the value-based arrangement 
within 60 days if the VBE's accountable body or responsible person 
determines that the value-based arrangement: (i) Is unlikely to further 
the coordination and management of care for the target patient 
population; (ii) has resulted in material deficiencies in quality of 
care; or (iii) is unlikely to achieve the evidence-based, valid outcome 
measure(s). We said we were considering for the final rule, and sought 
comments on, an alternative to the proposed termination requirement 
that would instead allow for remediation--within a reasonable 
timeframe--before any required termination.
    Summary of Final Rule: We are finalizing, with modifications, a 
termination provision for this safe harbor at paragraph 
1001.952(ee)(10). Under the final rule, if the VBE's accountable body 
or responsible person determines, based on the monitoring and 
assessment conducted pursuant to paragraph 1001.952(ee)(9), that the 
value-based arrangement has resulted in material deficiencies in 
quality of care or is unlikely to further the coordination and 
management of care of the target patient population, the parties must, 
within 60 days, either terminate the arrangement or develop and 
implement a corrective action plan designed to remedy the deficiencies 
within 120 days and, if the corrective action plan fails to remedy the 
deficiencies within 120 days, terminate the value-based arrangement.
    Comment: Some commenters expressed support for our proposed 
termination requirement, but many expressed concerns about what it 
would mean in practice. Many commenters supported the alternative we 
described in the preamble to the proposed rule that would allow for 
remediation, within a reasonable timeframe, before any required 
termination. These commenters noted a variety of operational and policy 
concerns with mandating termination within 60 days. For example, some 
commenters noted that complex arrangements may require more than 60 
days to unwind responsibly. Some commenters suggested that a cure 
period be permitted where the VBE determines that a plan of correction 
may be devised to cure the deficiencies, and others suggested that 
remediation should be an option, but not a requirement. With respect to 
the length of a remediation

[[Page 77750]]

period during which parties could develop and implement a corrective 
action plan, commenters suggested a variety of time periods, ranging 
from 90 days to 1 year. Multiple commenters suggested a 120-day period. 
Another commenter suggested that any termination requirement should be 
suspended indefinitely as long as the parties are working in good faith 
to implement a corrective action plan. A commenter also noted that 
there is a difference between arrangements that are not making progress 
and those that are causing harm and suggested that the latter require 
immediate termination. Finally, a commenter requested that OIG clarify 
that parties do not have an obligation to assess for any events that 
trigger the termination provision on an ongoing basis, but instead are 
required to do so annually or prior to renewal of an agreement.
    Response: We appreciate commenters' concerns regarding the 
potential challenges associated with requiring termination within 60 
days if the VBE's accountable body or responsible person determines one 
or more of the triggering events has occurred. Several changes in the 
final rule address many of the concerns expressed by the commenters. 
The final rule provides more flexibility by requiring the parties, 
within 60 days, either to terminate the arrangement or to develop and 
implement a corrective action plan in the event the VBE's accountable 
body or responsible person determines that the value-based arrangement 
has resulted in material deficiencies in quality of care or is unlikely 
to further the coordination and management of care for the target 
patient population. The option for corrective action plans is 
consistent with our statements in the OIG Proposed Rule that we were 
considering allowing for remediation within a reasonable timeframe and 
that our goal is a reasonable but also prompt termination of 
arrangements that are no longer serving the goals for which safe harbor 
protection is offered.
    The final rule does not require the parties to terminate the 
arrangement or implement a corrective action plan if the VBE's 
accountable body or responsible person determines that the value-based 
arrangement is unlikely to achieve its legitimate outcome or process 
measures. This safe harbor does not require the recipient to achieve an 
outcome or process measure. Also, the safe harbor permits the parties 
to the value-based arrangement to modify outcome or process measures 
prospectively, as long as other elements of the safe harbor continue to 
be met (for example, a change to an outcome measure would be a material 
change to the value-based arrangement that would need to be documented 
in writing and signed by the parties, in accordance with paragraph 
1001.952(ee)(3)).
    With respect to the option to develop and implement a corrective 
action plan, the final rule requires that such plan be designed to 
remedy the identified deficiencies within 120 days. If the corrective 
action plan fails to remedy the deficiencies within 120 days, the 
parties are required to terminate the value-based arrangement, and safe 
harbor protection for remuneration exchanged pursuant to the value-
based arrangement would no longer be available. We selected a 120-day 
period based on recommendations from commenters and because we believe 
this time period is both long enough to allow a meaningful opportunity 
to remediate the deficiencies and short enough to necessitate diligent 
attention by the parties.
    With respect to the commenter who asserted that a determination 
that the value-based arrangement has resulted in patient harm should 
require immediate termination, we appreciate the commenter's concern, 
and we agree that such a determination is a serious finding that should 
prompt immediate attention by the parties. We did not include a 
``patient harm'' provision in the OIG Proposed Rule because incidents 
of patient harm will always be ``material deficiencies in quality of 
care,'' that would trigger this condition. However, not all material 
deficiencies in quality of care necessarily mean that there has been 
patient harm.
    Finally, with respect to the commenter that requested clarification 
regarding the frequency with which parties must assess for any events 
that would trigger the termination or corrective action provision, we 
note that, consistent with the OIG Proposed Rule, this final rule ties 
the termination of the value-based arrangement or implementation of a 
corrective action to certain triggering events identified through 
``monitoring and assessment.'' Monitoring and assessment must occur no 
less frequently than annually or at least once during the term of the 
value-based arrangement for arrangements with terms of less than 1 
year. Thus, at a minimum, the party or parties responsible for 
monitoring and assessment must monitor the matters listed in the 
regulation at paragraph 1001.952(ee)(9) and report the results so that 
the accountable body or person can make a determination as to whether 
any of the events that trigger the termination or corrective action 
provision have occurred. We note that it would be a best compliance 
practice to ensure monitoring and assessment also involves receiving 
and assessing reports and other information related to the 
circumstances that must be monitored and assessed (e.g., deficiencies 
in the delivery of quality care under the value-based arrangement). 
These reports would inform the accountable body or responsible person's 
determination regarding termination or corrective action under 
paragraph 1001.952(ee)(10).
    Comment: A commenter expressed concern that the safe harbor 
contains too much deference to the subjective beliefs and 
determinations of the VBE participants, who the commenter asserts are 
self-interested. The commenter recommended that the termination 
provision in the safe harbor be revised to require termination if the 
information available to the VBE's accountable body or responsible 
person indicates that a triggering event has occurred. The commenter 
also recommended that the safe harbor specify that the VBE bears the 
burden of proof with respect to the question of whether the information 
available to the VBE's accountable body or responsible person required 
termination of the value-based arrangement.
    Response: We believe that the revisions we are adopting in this 
final rule, which require termination or a corrective action plan if 
the VBE's accountable body or responsible person reaches one of two 
determinations help to mitigate the commenter's concerns regarding 
excessive deference to the subjective beliefs of the VBE participants. 
We do not believe it is necessary to specify that the VBE bears the 
burden of proof with respect to whether termination was required 
because any party seeking to avail themselves of the protection of a 
safe harbor generally bears the burden of proof that they meet the 
requirements of the safe harbor.
    Comment: Several commenters raised concerns regarding our proposal 
to require termination if the VBE's accountable body or responsible 
person determines that the value-based arrangement is unlikely to 
achieve the evidence-based, valid outcome measure(s). For example, 
several commenters noted that it may take time to see results and that 
results may plateau at certain times. Commenters suggested that this 
provision may result in parties' prematurely judging an arrangement's 
success or failure and that 60 days was an arbitrary timeframe. Another 
commenter expressed concern that the termination provision implies that 
an arrangement could move in and

[[Page 77751]]

out of compliance with the safe harbor as performance changes from 
month to month. Another commenter requested that participants be 
permitted to modify measures prospectively, rather than have to 
terminate the value-based arrangement.
    Response: We appreciate the concerns raised by commenters, and we 
are not finalizing the proposed requirement that the parties terminate 
the arrangement if the VBE's accountable body or responsible person 
determines that the value-based arrangement is unlikely to achieve the 
outcome measure(s). We believe that requiring termination, or a 
corrective action plan, upon such a determination is at odds with other 
elements of this safe harbor. As we have stated elsewhere, this safe 
harbor does not require that the value-based arrangement result in a 
particular level of performance on the outcome or process measure. It 
requires that the parties identify an outcome or process measure and 
that the outcome or process measure relates to the remuneration 
exchanged under the arrangement. We also wish to clarify that the safe 
harbor permits the parties to modify the outcome or process measure 
prospectively during the term of the agreement, as long as the other 
elements of the safe harbor continue to be met and the modification is 
memorialized in a writing signed by the parties.
    We caution, however, that this safe harbor separately requires the 
VBE, a VBE participant in the value-based arrangement acting on the 
VBE's behalf, or the VBE's accountable body or responsible person to 
reasonably monitor, assess, and report progress toward achieving the 
outcome or process measure. There may be circumstances where such 
monitoring and assessment of outcome or process measure progress may 
generate a finding that indicates that the value-based arrangement no 
longer meets all of the requirements of the safe harbor. For example, 
the finding may indicate that the remuneration exchanged is not being 
used predominantly to engage in value-based activities that are 
directly connected to the coordination and management of care for the 
target patient population. Thus, while we are not creating an 
affirmative obligation to terminate or enter into a corrective action 
plan based on a determination that the value-based arrangement is 
unlikely to achieve the selected outcome or process measure, we caution 
that parties to a value-based arrangement who wish to be protected 
under the safe harbor should periodically evaluate compliance with safe 
harbor standards.
m. Diversion, Resell, or Use for Unlawful Purposes
    Summary of OIG Proposed Rule: In proposed paragraph 
1001.952(ee)(10), we proposed that an exchange of remuneration would 
not be protected under the care coordination arrangements safe harbor 
if the offeror knows or should know that the remuneration is likely to 
be diverted, resold, or used by the recipient for an unlawful purpose.
    Summary of Final Rule: We are finalizing, without modification, 
this requirement at paragraph 1001.952(ee)(11).
    Comment: We received very few comments on this proposal. Some 
commenters expressed support for the provision, while another commenter 
raised concerns that this standard would be difficult for individual 
providers and small group practices to understand and comply with 
because the standard is not specifically defined.
    Response: We believe that the standard is straightforward. Where an 
offeror knows, or should know, that the recipient is likely to divert 
or resell the remuneration, or otherwise use it for an unlawful 
purpose, the remuneration is not protected by the safe harbor. This 
could arise in cases where the recipient's intended diversion is overt. 
For example, where a recipient expressly states its intent to sell the 
items received from the offeror to third parties, it would make clear 
its intended diversion. It can also arise, for example, where the 
nature or scope of the remuneration offered to the recipient is such 
that the offeror should know that diversion or resale is likely, such 
as where a VBE participant provides remuneration far in excess of what 
could reasonably be needed for the recipient to undertake the value-
based activity for which the remuneration is intended and the 
remuneration is transferable in nature. For example, if a VBE 
participant provides handheld tablets to another VBE participant to 
facilitate coordination and management of care, but the offeror 
provides substantially more tablets than could reasonably be used by 
the recipient for the intended purpose (e.g., 100 tablets when ten are 
objectively sufficient for the intended use), then the offeror might 
reasonably know that the recipient is likely to divert or resell the 
excess tablets. In sum, this standard is an explicit statement of what 
is otherwise implicit in the conditions of the care coordination 
arrangements safe harbor: The exchange of remuneration that the offeror 
knows or should know is likely to be diverted, resold, or used by the 
recipient for purposes other than the coordination and management of 
care of a target patient population would not be protected under this 
safe harbor.
n. Materials and Records
    Summary of OIG Proposed Rule: To enhance transparency, we proposed 
a requirement at proposed paragraph 1001.952(ee)(11) that VBE 
participants or the VBE make available to the Secretary, upon request, 
all materials and records sufficient to establish compliance with the 
conditions of this safe harbor. We solicited comments regarding whether 
we should require parties to maintain materials and records for a set 
period of time (e.g., at least 6 years or 10 years).
    Summary of Final Rule: We are finalizing, with modifications, the 
materials and records requirement at paragraph 1001.952(ee)(12). The 
final rule specifies that, for a period of at least 6 years, the VBE or 
its VBE participants must maintain records and materials sufficient to 
establish compliance with the conditions of the safe harbor.
    Comment: While we received relatively few comments on this 
condition, commenters were generally supportive of our proposal. In 
response to our solicitation regarding whether we should require 
parties to maintain materials and records for a set period of time, 
e.g., 6 years or 10 years, multiple commenters were in favor of a 6-
year retention period, with one stating that this approach would 
facilitate alignment with CMS's proposed rule and existing HIPAA 
requirements.
    Response: We are persuaded that a 6-year retention period will 
promote transparency while aligning with the corresponding requirement 
in CMS's final rule. We have modified the relevant provisions in the 
care coordination arrangements, substantial downside financial risk, 
and full financial safe harbors.
    Comment: A commenter questioned the need for a materials and 
records requirement because maintenance of these materials is already 
part of any compliance program. The same commenter further questioned 
whether OIG would bring an investigation or pursue a Federal anti-
kickback statute case based solely on the failure to satisfy a 
documentation requirement rather than the underlying substantive 
safeguards.
    Response: We continue to believe this requirement promotes 
transparency and gives parties notice that the Secretary may request 
materials and records

[[Page 77752]]

sufficient to demonstrate compliance with the care coordination 
arrangements safe harbor. We further note that not all parties seeking 
protection under this safe harbor may have a compliance program or may 
have developed one that requires maintenance of materials and records 
for less than 6 years.
    Safe harbors offer voluntary protection from liability under the 
Federal anti-kickback statute for specified arrangements, and no entity 
or individual is required to fit within a safe harbor. Failure to fit 
within a safe harbor does not mean a party has violated--or even 
implicated--the Federal anti-kickback statute, it simply means the 
party may not look to the safe harbor for protection for that 
arrangement. For a party to assert safe harbor protection, all of the 
safe harbor's conditions must be satisfied, including any condition 
related to materials and records. Further, it would be prudent for any 
party relying on a safe harbor to protect certain remuneration to 
document in some form compliance with that safe harbor. Decisions 
regarding enforcement actions are made based on application of the 
Federal anti-kickback statute to the specific facts and circumstances 
presented by an arrangement.
    Comment: A commenter stated that OIG should adopt additional 
requirements related to materials and records, including 
contemporaneous documentation of, among other things, the VBE's belief 
that the value-based arrangement is reasonably designed to achieve a 
value-based purpose, the specific basis for such belief, and the VBE's 
reasonable anticipation that particular evidence-based, valid outcome 
measures will advance the coordination and management of care of the 
target patient population.
    Response: We decline to require the specific requested 
certifications. We intentionally drafted the materials and record 
requirement broadly to avoid creating a list of all documentation that 
parties must develop and maintain to comply with this condition of the 
safe harbor. Moreover, we do not seek to increase administrative burden 
by prescribing the manner in which parties must document their 
compliance.
    Comment: A health system stated that the proposed care coordination 
arrangements safe harbor included burdensome reporting requirements and 
expressed concern about the large volume of paperwork that would go 
back and forth between ACOs and HHS or CMS.
    Response: We disagree with the commenters' assertion that the 
materials and records requirement is burdensome. To the extent parties 
wish to avail themselves of the protection of this safe harbor, we 
believe it is reasonable to require them to maintain documentation that 
demonstrates their compliance with its terms. With respect to the 
commenter's concern about the exchange of large volumes of paperwork, 
we note that parties must only furnish such documentation to the 
Secretary upon request. We do not anticipate this requirement will 
necessitate frequent exchange of paperwork between, for example, an ACO 
and OIG.
    Comment: A medical device manufacturer expressed concern that 
materials and records submitted to the Secretary pursuant to this 
condition would be subject to the Freedom of Information Act or other 
disclosure requirements. The manufacturer stated such materials could 
include proprietary and confidential trade secret information.
    Response: OIG is subject to the Freedom of Information Act (FOIA) 
and the Department's FOIA regulations set forth at 45 CFR part 5. These 
regulations provide that submitters of records may designate in writing 
that all or part of the information contained in such records is exempt 
from disclosure under FOIA exemption 4--covering trade secrets and 
confidential commercial or financial information--at the time they 
submit such records or within a reasonable time thereafter. The 
Department, including OIG, will make reasonable efforts to notify 
submitters of records if the Department determines that material that 
submitters have designated as exempt from disclosure under FOIA 
exemption 4 may have to be disclosed in response to a FOIA request. 
Under the Department's FOIA regulations, submitters have an opportunity 
to respond and, if desired, file a court action to prevent disclosure 
of exempt records.
o. Additional Proposed Safeguards
i. Bona Fide Determination
    Summary of OIG Proposed Rule: We considered a condition that would 
require that, in advance of, or contemporaneous with, the commencement 
of the applicable value-based arrangement, the VBE's accountable body 
or responsible person make two bona fide determinations with respect to 
the value-based arrangement: (i) The value-based arrangement is 
directly connected to the coordination and management of care for the 
target patient population; and (ii) the value-based arrangement is 
commercially reasonable, considering both the arrangement and all 
value-based arrangements within the VBE.\48\
---------------------------------------------------------------------------

    \48\ 84 FR 55714 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are not finalizing the proposed 
condition.
    Comment: We received relatively few comments on this proposal. 
Commenters either expressed general statements of support or 
opposition, with a commenter who opposed the condition asserting that 
such bona fide determinations would add unnecessary complexity to 
demonstrating compliance with the safe harbor.
    Response: We are not finalizing this requirement. We believe the 
goal of this proposed safeguard--ensuring appropriate oversight by the 
VBE's accountable body or responsible person--is achieved through the 
combination of other conditions included in this safe harbor. We do not 
believe this condition is needed to prevent fraud or abuse in light of 
the totality of other conditions we are finalizing in this rule.
ii. Prohibition on Cost-Shifting
    Summary of OIG Proposed Rule: We considered, and sought comment on, 
a condition prohibiting VBEs or VBE participants from billing Federal 
health care programs, other payors, or individuals for the remuneration 
exchanged under the value-based arrangement; claiming the value of the 
remuneration exchanged under the value-based arrangement as a bad debt 
for payment purposes under a Federal health care program; or otherwise 
shifting costs to a Federal health care program, other payors, or 
individuals.
    Summary of Final Rule: We are not finalizing the proposed 
condition.
    Comment: We received comments expressing either general support for 
or opposition to this proposed safeguard. For example, in support of 
finalizing a cost-shifting prohibition, a commenter stated that a 
value-based enterprise's decision to offer remuneration in the context 
of a value-based arrangement should not make other parties financially 
responsible for such payments. A commenter argued that this proposed 
safeguard, among others, would be duplicative of other requirements in 
the safe harbor or be incompatible with or irrelevant in a value-based 
system. The commenter asserted that the additional safeguards proposed 
by OIG, including a prohibition on cost-sharing, would create an 
additional barrier to value-based arrangements rather than breaking 
down barriers that already exist. Other commenters, including Tribal 
organizations, advocated against the

[[Page 77753]]

inclusion of a cost-shifting prohibition, stating such a safeguard is 
unnecessary because improvements in care coordination result in overall 
savings to the Federal Government even if they result in additional 
referrals or payments by Medicare and Medicaid.
    Response: Having considered the comments, we are not finalizing a 
cost-shifting prohibition. On balance, we conclude that the combination 
of conditions in the final safe harbor will adequately protect against 
fraud and abuse risks, and an additional safeguard related to cost-
shifting is not necessary in the context of the value-based safe 
harbors. We did not intend to limit appropriate billing of Federal 
health care programs or other payors for medically necessary items and 
services furnished in connection with value-based care. As we explained 
in the OIG Proposed Rule, we do not want to exclude arrangements from 
safe harbor protection that involve legitimate shifting of costs that 
result from achieving care coordination goals or other value-based 
purposes. As we explained, depending on the arrangement, one might 
expect to see increases in primary care costs or costs for care 
furnished in home and community settings paired with reductions in 
unnecessary hospitalizations, duplicative testing, and emergency room 
visits; one also might see increases in remote monitoring or care 
management services. Parties remain responsible for billing Federal 
health care programs and other payors in accordance with their program 
rules.
iii. Fair Market Value Requirement and Restriction on Remuneration Tied 
to the Volume or Value of Referrals
    Summary of OIG Proposed Rule: We stated that we were considering 
including one or both of the following conditions in the care 
coordination arrangements safe harbor: (i) A fair market value 
requirement on any remuneration exchanged pursuant to a value-based 
arrangement; and (ii) a prohibition on VBE participants determining the 
amount or nature of the remuneration they offer, or the VBE 
participants to whom they offer such remuneration, in a manner that 
takes into account the volume or value of referrals or other business 
generated, including both business or patients that are part of the 
value-based arrangement and those that are not.
    Summary of Final Rule: We are not finalizing either proposed 
condition in the care coordination arrangements safe harbor.
    Comment: While we received some comments expressing support for 
these conditions, the overwhelming majority of commenters opposed the 
inclusion of a fair market value requirement or of a prohibition on 
determining the amount or nature of the remuneration in a manner that 
takes into account the volume or value of referrals or other business 
generated. While varying in their rationales, commenters generally 
asserted that including either safeguard would constrain care 
coordination efforts. Several commenters supported the condition that 
would prohibit taking into account the volume or value of referrals but 
recommended limiting this condition to patients who are not part of the 
value-based arrangement.
    Response: In this final rule, we are not adopting a blanket 
prohibition on determining the amount or nature of remuneration in a 
manner that takes into account the volume or value of referrals or 
other business generated; rather, we are finalizing a narrower 
prohibition that the offeror of the remuneration cannot take into 
account the volume or value of, or condition an offer of remuneration 
on: (i) Referrals of patients that are not part of the value-based 
arrangement's target patient population; or (ii) business not covered 
under the value-based arrangement. We stated in the OIG Proposed Rule, 
and we continue to believe, that fair market value requirements and 
restrictions that prohibit paying remuneration based on the volume or 
value of referrals help ensure that protected payments are for 
legitimate purposes and are not kickbacks. For this reason, we included 
a safeguard in paragraph 1001.952(ee)(5) that requires, as a condition 
of safe harbor protection, that the offeror not take into account the 
volume or value of, or condition remuneration on, business or patients 
not covered under the value-based arrangement. This approach is 
consistent with our proposal in paragraph 1001.952(ee)(5), as well as 
the comments summarized above recommending that we limit any volume or 
value condition to patients who are not part of the value-based 
arrangement.
    However, we also acknowledge commenters' concerns that legitimate 
care coordination arrangements may naturally involve referrals across 
provider settings. In this final rule, therefore, we have not finalized 
a fair market value requirement or a prohibition on determining the 
amount or nature of remuneration in a manner that takes into account 
the volume or value of referrals or other business generated. Instead, 
we have relied on other program integrity safeguards so that the safe 
harbor will protect beneficial care coordination arrangements while 
precluding protection for pay-for-referral schemes that do not serve, 
and may be contrary to, the goals of coordinated care and the shift to 
value. These safeguards operate to preclude safe harbor protection for 
abusive arrangements such as a provider churning patients through care 
settings to capitalize on a reimbursement scheme or otherwise generate 
revenue and arrangements where VBE participants offer, or are required 
to provide, remuneration to receive referrals or to be included in a 
``preferred provider network'' (i.e., ``pay-to-play'' arrangements).
    In response to commenters' concerns that a fair market value 
requirement would constrain the kinds of care coordination arrangements 
that we intend to protect, we also are not finalizing a fair market 
value requirement. However, we have included a commercial 
reasonableness standard in this safe harbor, which requires that the 
value-based arrangement be commercially reasonable, considering both 
the arrangement itself and all value-based arrangements within the VBE. 
We believe this commercial reasonableness standard, in combination with 
the other safe harbor conditions, appropriately balances program 
integrity concerns and the need to facilitate innovative value-based 
arrangements.
iv. Additional Requirements for Dialysis Providers
    Summary of OIG Proposed Rule: In recognition of the unique 
attributes of the dialysis industry (e.g., market dominance by a 
limited number of dialysis providers), we expressed concern in the OIG 
Proposed Rule that participation by dialysis providers in value-based 
arrangements could present increased fraud and abuse risks. 
Accordingly, we solicited comments on potential additional safe harbor 
conditions specific to dialysis providers to ensure that their care 
coordination arrangements operate to improve the management and care of 
patients and are not pay-for-referral schemes. We stated that we were 
considering including conditions such as enhanced monitoring, 
reporting, or data submission.
    Summary of Final Rule: We are not finalizing additional conditions 
on dialysis providers in the care coordination arrangements safe 
harbor.
    Comment: Commenters generally opposed additional conditions on 
dialysis providers on the basis of one or both of the following 
arguments: (i)

[[Page 77754]]

ESRD patients would stand to benefit the most from the care 
coordination arrangements safe harbor (highlighting, for example, the 
fact that such patients require care across multiple providers); and 
(ii) OIG's concerns regarding market consolidation were misplaced. 
Other commenters stated additional safeguards were not necessary for 
dialysis providers based on data indicating improved quality of care 
for ESRD patients and reduction of costs. In contrast, an association 
representing dialysis providers shared OIG's concerns that the unique 
characteristics of the highly concentrated dialysis market posed unique 
and significant fraud and abuse risks and encouraged OIG to develop 
detailed methodologies and metrics to facilitate OIG's monitoring and 
assessment of market consolidation and possible pay-for-referral 
schemes, before permitting dialysis providers to use the value-based 
safe harbors.
    Response: While we are mindful of concerns created by a potential 
decrease in competition among dialysis providers, we are persuaded that 
the potential benefits of care coordination within the dialysis 
community outweigh the concerns for a potential decrease in 
competition. Accordingly, we are not imposing additional requirements 
specific to dialysis providers in the care coordination arrangements 
safe harbor.
v. Submission of Information to Department
    Summary of OIG Proposed Rule: To promote transparency, we solicited 
comments in the OIG Proposed Rule on a requirement, specific to the 
care coordination arrangements safe harbor, for VBEs to submit certain 
data to the Department that would identify the VBE, VBE participants, 
and value-based arrangements.
    Summary of Final Rule: We are not finalizing this proposed 
requirement in the care coordination safe harbor.
    Comment: Some commenters strongly supported a requirement for VBEs 
to submit data to the Department or to a publicly available database 
that would identify the VBE, VBE participants, and value-based 
arrangements. A commenter supported an optional reporting requirement 
and appeared to believe that any such data submission would result in 
the applicable parties' automatically satisfying the safe harbor's 
writing requirement.
    Other commenters urged OIG not to adopt such a requirement and 
provided various reasons for their position. For example, some 
commenters stated that the requirement would be unduly burdensome or 
that the administrative burden would outweigh any program integrity 
benefit to the Department, while at least one commenter believed the 
requirement could discourage implementation of value-based arrangements 
or full compliance with the safe harbor. Another commenter asserted 
that a requirement for VBEs to submit certain data to the Department 
would be unnecessary in light of the proposed requirement for parties 
to make available to the Secretary, upon request, all materials and 
records sufficient to establish compliance with the conditions of the 
care coordination arrangements safe harbor. A commenter also expressed 
concern that the materials and records submitted to the Department 
could be subject to the Freedom of Information Act and misused by some 
to gain access to potentially competitive, proprietary information 
regarding trade secrets, commercial relationships, or value-based 
arrangement business model information.
    Response: To minimize burden, the final care coordination 
arrangements safe harbor does not require VBEs to submit data to the 
Department (e.g., data or information relating to the identity the VBE, 
VBE participants, and value-based arrangements), unless records are 
requested by the Secretary under the materials and records requirement. 
OIG will continue to evaluate whether to modify this safe harbor in the 
future. A better understanding of the structure of VBEs, likely VBE 
participants, and the form of value-based arrangements could allow for 
more effective oversight and identification of potential problems. OIG 
maintains its oversight authorities to conduct audits and evaluations, 
as well as criminal, civil, and administrative investigations of fraud 
and misconduct related to Federal health care programs, operations, and 
beneficiaries. Finally, we remind parties that they must make available 
to the Secretary, upon request, all materials and records sufficient to 
establish compliance with the conditions of a safe harbor, a required 
at paragraph 1001.952(ee)(12).
p. Alternative Regulatory Structure
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated 
that we were considering an alternative regulatory structure and 
approach to protect care coordination and other value-based 
arrangements that are not at full financial risk and are not part of a 
CMS-sponsored model.\49\ Under the alternative approach, we stated that 
we would rely on the personal services and management contracts safe 
harbor at paragraph 1001.952(d) to allow greater flexibility for 
innovation as arrangements become more closely aligned with value-based 
purposes and the parties take on more downside financial risk.
---------------------------------------------------------------------------

    \49\ 84 FR 55715-16 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are not finalizing the alternative 
regulatory structure.
    Comment: Several commenters opposed this alternative regulatory 
approach. Some argued that it would not provide as clear a mechanism 
for obtaining safe harbor protection for value-based arrangements as 
the proposed value-based safe harbors and that a fair market value 
requirement would create operational challenges. Another commenter 
asserted that the alternative approach would not provide sufficient 
protection against fraud and abuse and encouraged OIG to proceed with 
the proposed value-based safe harbors. Another commenter expressed 
support for the alternative regulatory structure to the extent OIG did 
not adopt the value-based exceptions proposed by CMS.
    Response: We thank commenters for their insights. While we believe 
that the alternative approach of creating tiered protection using the 
personal services and management contracts safe harbor at paragraph 
1001.952(d) also would accomplish the objective of allowing greater 
flexibility for innovation as the arrangements become more closely 
aligned with value-based purposes and the parties take on more downside 
financial risk, we concluded that the value-based framework described 
in section III.B.1 of this preamble is better calibrated to achieve the 
objectives of the Regulatory Sprint to Coordinated Care. We elected to 
finalize the value-based framework because we agree with those 
commenters who stated that the value-based framework would better 
protect against fraud and abuse, and we were mindful of those 
commenters who stated that the alternative approach would create 
operational challenges.
    Comment: A commenter suggested that OIG adopt a safe harbor 
specific to value-based activities undertaken by an integrated delivery 
system that includes a non-profit payor and a dedicated physician group 
that includes physician owners and employees. According to the 
commenter, the remuneration paid among the system's components presents 
a low risk of fraud and abuse. Another commenter recommended that OIG 
adopt a safe harbor for a limited set of arrangements that are pre-
approved by OIG to promote care coordination and management, reduce 
costs, or

[[Page 77755]]

facilitate a transition to value-based care. According to the 
commenter, the safe harbor should be limited to specific value-based 
purposes delineated by OIG, with certification required for any 
arrangements that have value-based purposes outside those identified by 
OIG.
    Response: We did not propose these suggested safe harbors, and 
thus, we are not adopting them in this final rule. Depending on the 
facts and circumstances, remuneration exchanged pursuant to an 
arrangement between or among parties in an integrated delivery system 
could be protected under one of the value-based safe harbors we are 
finalizing in this final rule. With respect to the comment requesting a 
safe harbor for arrangements that would be pre-approved by OIG and, in 
certain instances, subject to certification requirements, we believe 
that such an approach would be administratively unworkable and overly 
burdensome. Parties who would like to recommend new safe harbors not 
finalized in this rulemaking may do so by responding to OIG's annual 
solicitation regarding the development of new or modified safe harbor 
regulations.\50\
---------------------------------------------------------------------------

    \50\ Section 1128D(a) of the Act (42 U.S.C. 1320a-7d(a)).
---------------------------------------------------------------------------

4. Value-Based Arrangements With Substantial Downside Financial Risk 
(42 CFR 1001.952(ff))
    Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff) 
a safe harbor for certain value-based arrangements involving the 
exchange of remuneration between a VBE that assumes substantial 
downside financial risk from a payor and a VBE participant that 
meaningfully shares in the VBE's downside financial risk. We proposed 
methodologies for determining substantial downside financial risk and 
what it means to meaningfully share in risk (discussed further at 
III.B.4.b). We proposed that the safe harbor would protect both 
monetary and in-kind remuneration and explained that the safe harbor 
would offer greater flexibility, compared to the care coordination 
arrangements safe harbor at paragraph 1001.952(ee), in recognition of 
the VBE's assumption of substantial downside financial risk. We 
explained in the OIG Proposed Rule that the safe harbor could apply, 
for example, to a value-based arrangement between an accountable care 
organization that is a VBE and a network provider to share savings and 
losses earned or owed by the accountable care organization, or between 
a VBE that has contracted with a payor for an episodic payment and a 
hospital and post-acute care provider that would be coordinating care 
for the patients under the episodic payment. We proposed additional 
conditions that would apply under the safe harbor, detailed in sections 
III.B.4.c-q.
    Summary of Final Rule: We are finalizing, with modifications, the 
requirements of this safe harbor at paragraph 1001.952(ff). For a 
value-based arrangement to be protected under this safe harbor, a VBE 
must assume substantial downside financial risk from a payor under one 
of three methodologies, and a VBE participant must assume a meaningful 
share of the VBE's total risk, which share has been reduced, under the 
first methodology, from 8 percent in the proposed rule to at least 5 
percent in the final rule. The final provisions governing these levels 
of risk are discussed at section III.B.4.b of this preamble. The safe 
harbor, as finalized, protects both monetary and in-kind remuneration 
exchanged pursuant to value-based arrangements between VBEs and VBE 
participants. Other conditions finalized in the rule are explained in 
detail at sections III.B.4.c-q. These conditions include: Ineligible 
entities; inclusion of a 6-month ``phase-in'' period; requirements that 
certain remuneration be used to engage in value-based activities and 
directly connect to certain value-based purposes; writing and record 
retention requirements; protections for patient choice and clinical 
decision-making; protections against medically unnecessary services; 
limits on marketing or patient recruitment; and limits on remuneration 
that takes into account business or patients outside the value-based 
arrangement. We are not finalizing the proposed limit on outside 
funding of protected remuneration. The final safe harbor does not offer 
protection for arrangements downstream of a VBE participant, such as 
arrangements between two VBE participants. The final safe harbor 
permits protection for payments made under the upstream risk-assumption 
contracts between the VBE and the payor from whom the VBE assumes risk.
    The final safe harbor at paragraph 1001.952(ff) may be used by 
participants in CMS-sponsored models, if safe harbor conditions are 
met, but it is primarily for other kinds of value-based arrangements, 
including arrangements in the commercial market. We are separately 
finalizing a safe harbor at paragraph 1001.952(ii) for CMS-sponsored 
models (as defined) (see discussion at section III.B.7).
a. General Comments
    Comment: While some commenters supported the substantial downside 
financial risk safe harbor, others expressed concern that the safe 
harbor is too complicated to be useful.
    Response: We appreciate commenters highlighting their concerns. We 
have revised the substantial downside financial risk safe harbor by 
streamlining and clarifying its defined terms and conditions, which we 
believe addresses these concerns. For example, in paragraph 
1001.952(ff)(9), we provided additional clarity about the manner in 
which parties must calculate savings and losses pursuant to 
methodologies in the definition of ``substantial downside financial 
risk.''
    Comment: Multiple commenters urged OIG to align this safe harbor 
with CMS's exception to the physician self-referral law for value-based 
arrangements with meaningful downside financial risk in order to 
facilitate their compliance efforts. Commenters generally favored the 
risk thresholds proposed in the meaningful downside financial risk 
exception to the physician self-referral law over the substantial 
downside financial risk thresholds proposed in OIG's safe harbor.
    Response: As with the OIG Proposed Rule, we coordinated with CMS in 
the development of this final rule and aimed to promote alignment 
between the two rules where possible. For a general discussion of the 
rationale for our decision to finalize safe harbors that diverge in 
certain aspects from the parallel exceptions to the physician self-
referral law, we refer readers to section III.A.1 of the preamble to 
this final rule. With respect to the risk thresholds in CMS's rule, and 
as discussed further below, we have determined that CMS's methodology 
is not appropriate for this safe harbor because it focuses on physician 
risk arrangements and remuneration rather than risk assumed at the VBE 
level.
b. Definitions
i. Substantial Downside Financial Risk
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(8)(i) that a VBE would be at substantial downside 
financial risk if it were subject to risk pursuant to one of four 
methodologies: (i) Shared savings with a repayment obligation to the 
payor of at least 40 percent of any shared losses, where loss is 
determined based upon a comparison of costs to historical expenditures, 
or to the extent such data is unavailable, evidence-based, comparable 
expenditures; (ii) a

[[Page 77756]]

repayment obligation to the payor under an episodic or bundled payment 
arrangement of at least 20 percent of any total loss, where loss is 
determined based upon a comparison of costs to historical expenditures, 
or to the extent such data is unavailable, evidence-based, comparable 
expenditures; (iii) a prospectively paid population-based payment for a 
defined subset of the total cost of care of a target patient 
population, where such payment is determined based upon a review of 
historical expenditures, or to the extent such data is unavailable, 
evidence-based, comparable expenditures; or (iv) a partial capitated 
payment from the payor for a set of items and services for the target 
patient population where such capitated payment reflects a discount 
equal to at least 60 percent of the total expected fee-for-service 
payments based on historical expenditures or, to the extent such data 
is unavailable, evidence-based, comparable expenditures of the VBE 
participants to the value-based arrangements.
    Summary of Final Rule: We are finalizing, with modifications, the 
definition of ``substantial downside financial risk'' at paragraph 
1001.952(ff)(9)(i). Based on comments, we are reducing the risk 
threshold that parties must assume in order to meet the definition of 
``substantial downside financial risk'' for the first payment 
methodology (the ``Shared Savings and Losses Methodology'') to 30 
percent, and we are clarifying that, under this methodology, savings 
and losses must be calculated by comparing current expenditures for all 
items and services that are covered by the applicable payor and 
furnished to the target patient population to a bona fide benchmark 
designed to approximate the expected total cost of such care. We are 
clarifying that, for the second methodology, savings and losses must be 
calculated by comparing current expenditures for all items and services 
furnished to the target patient population pursuant to a defined 
clinical episode of care that is covered by the applicable payor to a 
bona fide benchmark designed to approximate the expected total cost of 
care for the defined clinical episode of care (the ``Episodic Payment 
Methodology''). We also clarify that, for the Episodic Payment 
Methodology, the parties must design the clinical episode of care to 
cover items and services furnished collectively in more than one care 
setting. We are finalizing a revised partial capitation methodology 
(the ``VBE Partial Capitation Methodology'') pursuant to which the VBE 
is at substantial downside financial risk if the VBE receives from the 
payor a prospective, per-patient payment that is: (i) Designed to 
produce material savings; and (ii) paid on a monthly, quarterly, or 
annual basis, for a predefined set of items and services furnished to 
the target patient population designed to approximate the expected 
total cost of expenditures for the predefined set of items and 
services. Finally, we are not finalizing the proposed population-based 
payment methodology because population-based payments may not, in all 
circumstances, involve downside financial risk. For example, we 
understand that at least some population-based payments do not put 
providers at risk of receiving a lower reimbursement amount and instead 
are used as a cash-flow mechanism to support provider investments in 
care management tools.
    Comment: Although we received some statements of support, the 
overwhelming majority of commenters on this topic opposed our proposed 
definition of ``substantial downside financial risk.'' These commenters 
generally asserted that our proposed risk thresholds were too high, 
particularly for the Shared Savings and Losses Methodology and 
suggested other thresholds, such as 10 percent for the Shared Savings 
and Losses Methodology. For example, a commenter asserted that our 
proposed definition of ``substantial downside financial risk'' was not 
aligned with the levels of risk assumed under other public and private 
sector value-based payment initiatives and would serve as a barrier to 
providers entering into risk-based arrangements. The same commenter 
suggested that, in setting qualifying risk levels too high, OIG would 
promulgate safe harbors that would be available only to sophisticated 
entities that are able to take on high levels of financial risk (e.g., 
ACOs associated with large health systems). Another commenter stated 
that our identified risk thresholds were arbitrary and biased against 
smaller and rural health care providers because such providers likely 
lack the capital reserves necessary to assume substantial downside 
financial risk. Other commenters asserted that our view of risk was too 
narrow by failing to consider the importance of upside financial risk, 
contractual risk, clinical risk related to treating complex patients, 
operational risk, and investment risk. At least one commenter urged OIG 
to include financial risk that is assumed only in the event certain 
quality benchmarks are not met.
    Response: We solicited comments on whether the proposed risk 
thresholds should be higher or lower, or whether some or all of the 
methodologies should be modified to better capture the assumption of 
substantial downside financial risk for items and services furnished to 
patients or omitted from the final rule entirely. In response to 
comments and based on further consideration of risk assumption 
requirements used by Innovation Center models, we are reducing the risk 
threshold required for the Shared Savings and Losses Methodology from 
40 to 30 percent, and we are not including a risk threshold in the VBE 
Partial Capitation Methodology. We are retaining the 20 percent risk 
threshold for the Episodic Payment Methodology because we believe the 
risk threshold proposed and finalized is consistent with the design of 
episodic payment models in which health care stakeholders currently 
participate, including Innovation Center models that adopt a similar 
payment methodology. The risk thresholds in the final rule reasonably 
reflect substantial downside financial risk under the three 
methodologies for purposes of this safe harbor. Moreover, we believe 
risk thresholds are necessary to mitigate traditional fraud and abuse 
risks associated with payment systems that incorporate, in whole or in 
part, fee-for-service reimbursement methodologies. Arrangements with 
lower risk levels would be analyzed for compliance with the anti-
kickback statute on a fact-specific basis.
    The requirement for the VBE to assume substantial downside 
financial risk, as opposed to upside financial risk, contractual risk, 
clinical risk related to treating complex patients, operational risk, 
or investment risk, or financial risk that is assumed only in the event 
certain quality benchmarks are not met, is appropriate because we are 
not persuaded that other types of risk would provide as strong an 
incentive to change ordering or referring behaviors of providers and 
suppliers that might still be paid on a fee-for-service basis or 
otherwise help ensure that safe-harbored arrangements would serve 
appropriate value-based purposes. We believe the risk levels set in the 
final rule will be substantial enough to reduce any traditional volume-
driven incentives to overutilize or increase program costs by ordering 
and referring providers and to increase incentives to promote efficient 
delivery of health care.
    This safe harbor does not prevent the VBE from assuming other types 
of risk from the payor suggested by commenters, e.g., investment risk, 
contractual risk, and clinical risk related

[[Page 77757]]

to treating complex patients, as long as the VBE also assumes 
substantial downside risk from a payor. However, we note that these 
other types of risk may result in an exchange of remuneration that 
implicates the Federal anti-kickback statute and must be separately 
considered for compliance with the statute.
    As discussed in section III.B.4.d below, a VBE and a payor that is 
a VBE participant can enter into value-based arrangements to protect 
remuneration under this safe harbor. The types of risk suggested by 
commenters may be protected by this safe harbor if remuneration 
exchanged and the associated value-based arrangements meet all 
applicable conditions.
    We appreciate the challenges associated with assuming risk that 
certain smaller and rural providers may face. The definition of ``VBE'' 
affords parties significant flexibility and places no limit on the 
number of providers that can participate in the VBE and work together 
to assume substantial downside financial risk. We also highlight that 
other safe harbors, including the care coordination arrangements safe 
harbor, at paragraph 1001.952(ee), and the outcomes-based payments safe 
harbor at paragraph 1001.952(d)(2), may be available for parties that 
are not ready to assume the level of risk required by this safe harbor.
    Comment: Commenters requested clarification on the practical 
application of the methodology OIG proposed in the ``substantial 
downside financial risk'' definition--shared savings with a repayment 
obligation to the payor of at least 40 percent of any shared losses. 
For example, a commenter asked whether the shared savings and losses 
repayment calculation must be applicable to the entire value-based 
enterprise or if it could be limited to a particular shared savings and 
losses arrangement between specified VBE participants. Other commenters 
asked whether the shared savings and losses repayment obligation could 
be in the form of a forfeited withhold or risk-pool payment, as opposed 
to an actual repayment of cash. Similarly, another commenter asserted 
that this methodology should permit the assumption of risk through 
front-end withholds or dues assessments. Another commenter asked how 
the shared savings and losses percentage threshold should be calculated 
if the sharing rate varies based on quality performance and other 
adjustments.
    Response: In response to commenters' request for additional detail, 
we are clarifying that the Shared Savings and Losses Methodology 
expressly requires that any losses and savings calculations take into 
account all items and services that are covered by the applicable payor 
and furnished to the target patient population, not simply those items 
and services furnished by specified VBE participants. In other words, 
the Shared Savings and Losses Methodology is dependent on the items and 
services covered by the payor and provided to the target patient 
population, not the specific composition of the VBE and its VBE 
participants. For example, a VBE could not limit its risk for shared 
savings and losses under this methodology for certain outpatient items 
and services by only entering into value-based arrangements with a 
narrow set of providers that only furnish care in outpatient settings.
    In response to comments, we also are clarifying that this 
methodology permits the assumption of risk prospectively or 
retrospectively. As long as the VBE meets the requirements of the 
Shared Savings and Shared Losses Methodology, as finalized, including 
the requirement that losses and savings be calculated by comparing 
certain expenditures to a bona fide benchmark designed to approximate 
the expected total cost of the applicable care, this safe harbor does 
not prescribe how the payor and VBE structure payments to effectuate 
the VBE's risk.
    Finally, under the Shared Savings and Losses Methodology, financial 
risk must equal at least 30 percent of loss, where loss is determined 
by comparing current expenditures for all items and services that are 
covered by the applicable payor and furnished to the target patient 
population to a bona fide benchmark designed to approximate the 
expected total cost of such care. To satisfy the Shared Savings and 
Losses Methodology, any adjustments based on quality performance or 
other factors may not bring the financial risk below 30 percent of such 
loss.
    Comment: With respect to the second proposed methodology (the 
Episodic Payment Methodology), some commenters asked whether such 
arrangements could be prospective or retrospective. A commenter 
asserted that we should add another episodic or bundled payment 
arrangement methodology, similar to this methodology, but that requires 
any repayment obligation for losses to equal, at a minimum, 20 percent 
of historical expenditures. The commenter also requested that we 
clarify that this methodology applies only to an ``episode of care'' 
that involves multiple care settings. Finally, a commenter, asserting 
that it was unaware of any value-based arrangement that can provide 
quality care at 80 percent of episode costs, recommended we reframe 
this substantial downside financial risk methodology as ``discount-
based.''
    Response: As an initial matter, we clarify that the Episodic 
Payment Methodology is with respect to a set of defined items and 
services related to a clinical condition and, as a result, have 
replaced the OIG Proposed Rule term ``episodic or bundled payment 
methodology'' with ``clinical episode of care'' in order to better 
convey this requirement. We also confirm that financial risk assumed 
pursuant to the Episodic Payment Methodology may be prospective or 
retrospective.
    In response to the commenter that requested we clarify that this 
methodology applies only to an ``episode of care'' that involves 
multiple care settings, we are requiring in paragraph 
1001.952(ff)(9)(i)(B)(2) that the parties design the clinical episode 
of care to cover items and services collectively furnished in more than 
one care setting. The VBE and the payor can meet this requirement as 
long as they design the clinical episode of care to cover a collection 
of items and services that they anticipate will be provided in more 
than one care setting even if a particular patient in the target 
patient population undergoing a clinical episode of care ultimately 
does not receive items and services in more than one care setting. We 
believe this requirement is consistent with episodic or bundled payment 
methodologies that involve services delivered by more than one provider 
and promotes collaboration across providers and suppliers that may 
otherwise operate independently and deliver care in silos.
    To illustrate these clarifications, the Episodic Payment 
Methodology could include a clinical episode of care for an inpatient 
procedure for which the payor and the VBE design the clinical episode 
of care to cover items and services furnished across care settings in a 
hospital and post-acute care setting, such as a physician clinic or a 
skilled nursing facility. In contrast, we do not consider a bundled 
payment to a provider for an episode of care that occurs in a single 
setting, such as a DRG payment to a hospital for inpatient services, to 
be an episodic payment for purposes of this rule.
    Lastly, we are not finalizing an episodic payment methodology that 
requires a repayment obligation for losses equal to, at a minimum, 20 
percent of historical expenditures or reframing the Episodic Payment 
Methodology as ``discount based,'' as suggested by a commenter. We 
clarify that the Episodic Payment Methodology,

[[Page 77758]]

as finalized, does not require the payor to discount the cost of items 
and services included in the defined clinical episode of care by 20 
percent. Rather, the VBE must assume risk for at least 20 percent of 
any loss realized pursuant to a defined clinical episode of care, with 
losses (and savings) calculated by comparing current expenditures for 
all items and services included in the defined clinical episode of care 
and furnished to the target patient population to a bona fide benchmark 
designed to approximate the expected total cost of such care.
    Comment: Commenters generally expressed confusion regarding the 
application of the fourth prong included in the proposed ``substantial 
downside financial risk'' definition--a partial capitation payment that 
reflects a discount equal to at least 60 percent of the total expected 
fee-for-service payments. For example, a commenter asked why this 
methodology includes a discount because capitation itself places a 
physician at risk through a per-member, per-month payment. Another 
commenter suggested that we revise this prong to encompass capitated 
payments for a limited set of services, e.g., primary care. Some 
commenters asserted that the 60 percent discount level was not 
economically feasible and suggested that OIG lower the discount level.
    Response: In response to comments, we are finalizing the VBE 
Partial Capitation Methodology, with modifications. We are removing the 
discount percentage requirement in recognition that the partial 
capitation payment, as set forth in paragraph 1001.952(ff)(9)(i)(C), 
itself, constitutes the assumption of substantial downside financial 
risk. In keeping with the intent of the prior discount percentage 
requirement, we also are requiring that this methodology be designed to 
result in material savings. In other words, the VBE Partial Capitation 
Methodology is designed to achieve cost efficiencies by incentivizing 
better care coordination that benefits patients and the health care 
delivery system by placing the VBE at substantial downside financial 
risk.
    We are not defining material savings in regulatory text to provide 
parties flexibilities in designing partial capitation payments. There 
are a number of ways that parties might design a partial capitation 
payment consistent with this methodology to generate material savings. 
For example, the parties may design a capitation payment with 
utilization targets that are intended to lower costs versus historical 
utilization, or the parties may use other methodologies that 
incentivize the VBE to operate more efficiently and lower costs. We 
recognize that, as the VBE and its VBE participants become more 
efficient, the opportunity to achieve materials savings, as that term 
is commonly understood, may become more difficult. As a VBE 
successfully reduces costs in one year, it becomes harder to further 
reduce costs in subsequent years. Under this methodology, and because 
we are not defining ``material savings,'' parties have flexibility to 
design partial capitation payment rates to account for such issues. For 
example, the parties could use national or regional utilization data in 
designing the partial capitation payment to appropriately adjust the 
payment rates to account for the efficiency of the VBE.
    Additionally, given the complexity of establishing a partial 
capitation payment, payors, from whom the VBE assumes risk under this 
methodology, will have a significant role in their design. Payors have 
experience and expertise in designing actuarial models to assess and 
project costs for their plans and establish rates. Capitation payments 
designed consistent with generally accepted actuarial principles can, 
for example, ensure that a partial capitation payment: (i) Captures all 
reasonable, appropriate, and attainable costs; (ii) is sufficient, 
based on past and anticipated service utilization by the target patient 
population; (iii) reflects cost trends; (iv) is risk adjusted as 
appropriate; and (iv) provides documentation and transparency on how 
the rate was developed. While not an exhaustive list, these factors 
would be relevant in assessing whether a capitation payment is designed 
to generate material savings.
    We also are clarifying the form in which the VBE must receive a 
partial capitation payment. Specifically, we are requiring that the VBE 
receive from a payor a prospective, per-patient payment, paid on a 
monthly, quarterly, or annual basis. This methodology would not include 
fee-for-service payments under the Medicare inpatient prospective 
payment system or other fee-for-service payments under Medicare Parts A 
or B. The per-patient payment must be for a predefined set of items and 
services furnished to the target patient population, designed to 
approximate the expected total cost of expenditures for the predefined 
set of items and services. As noted above, this payment must be 
intended to result in material savings.
    We emphasize that, under the VBE Partial Capitation Payment 
Methodology, the VBE is assuming risk for a predefined set of items or 
services that are less than all of the items and services covered by 
the payor, in contrast to the full financial risk safe harbor, which 
requires the VBE to assume full financial risk for all items and 
services from a payor. For example, a partial capitation payment under 
this methodology may cover primary care services only for a target 
patient population but not inpatient services, prescription drugs, or 
other items and services covered by the payor.
    While we are not specifying a percentage or scope of items and 
services that must be reimbursed on a capitated basis, the requirement 
that partial capitation payments be intended to result in material 
savings achieves a similar purpose. A VBE assuming substantial downside 
risk is afforded flexibility under this safe harbor because, as 
explained previously, this level of risk mitigates the traditional 
risks of fraud and abuse associated with fee-for-service payments. The 
effectiveness of that mitigation is directly connected to the incentive 
associated with substantial downside risk methodologies; increased risk 
means the VBE has a greater incentive to reduce costs and improve 
outcomes for patients. In the context of the VBE Partial Capitation 
Methodology, the substantial downside risk is partly dependent on the 
scope of items and services covered by the partial capitation payment. 
For example, a VBE that receives a partial capitation payment for 
inpatient services associated with one DRG has less incentive than a 
VBE that receives a partial capitation payment for all inpatient 
services.
    We recognize that payors are unlikely to contract with a VBE under 
a partial capitation payment for a narrow set of items or services. 
However, ensuring that VBEs have the appropriate level of incentives by 
assuming risk is a key safeguard in this safe harbor and is the reason 
why we are finalizing the requirement that partial capitation payments 
be designed to generate material savings. We note that the scope of 
services is just one factor for determining whether the capitation 
payment was designed to generate material savings. For example, a VBE 
and a payor could design a partial capitation payment that meets this 
methodology if the VBE receives capitation payments for a narrow set of 
services that are typically high cost as long as the capitation 
payments for that limited set of high-cost items or services were 
designed to generate material savings.
    We also note that this safe harbor conditions protection on the VBE 
assuming substantial downside

[[Page 77759]]

financial risk from the payor for the predefined items and services. It 
does not require the VBE to assume other functions from the payor, such 
as enrollment, grievance and appeals, solvency standards, and other 
administrative functions performed by payors.
    Comment: In response to our solicitation of comments regarding 
alternative means to calculate savings and losses (and in particular, 
how best to establish a baseline that appropriately assesses the VBE's 
financial performance), we received a number of comments recommending 
modifications to the proposed requirement that, for each methodology 
under the ``substantial downside financial risk'' definition, parties 
would need to determine any savings or losses realized based upon a 
review of historical expenditures, or to the extent such data was 
unavailable, evidence-based, comparable expenditures. For example, 
several commenters questioned our reliance on historical expenditures 
as a reliable datapoint, with several expressing concern that such a 
standard may not be adequately risk-adjusted or an accurate benchmark 
to the extent parties are providing new treatments, items, and services 
(representing the latest advances in technology, for example) that 
exceed the cost of treatment in benchmark years. At least two 
commenters recommended that we add ``projected spending'' as a method 
to compare costs, with one asserting that historical expenditures may 
not be appropriately risk adjusted. A commenter also suggested that we 
allow parties to adjust payments as needed to cover the costs of new 
treatment options.
    Response: We are no longer requiring that parties rely on 
historical expenditures or evidence-based, comparable expenditures to 
determine a benchmark used in calculating any losses or savings 
realized. We recognize, as highlighted by commenters, that historical 
expenditures could be volatile or otherwise result in an inaccurate 
benchmark, particularly for smaller entities, and that other data, such 
as national or regional data, may be appropriate factors that can be 
used for setting an accurate benchmark. Consequently, we are revising 
this requirement to provide that, for two of the methodologies 
finalized in the ``substantial downside financial risk'' definition--
the Shared Savings and Losses Methodology and the Episodic Payment 
Methodology--parties must calculate any losses or savings based upon a 
bona fide benchmark, i.e., a legitimate benchmark, designed to 
approximate the cost of care.\51\ Specifically, for the Shared Savings 
and Shared Losses Methodology, we require that the parties calculate 
losses by comparing current expenditures for all items and services 
that are covered by the applicable payor and furnished to the target 
patient population to a bona fide benchmark designed to approximate the 
expected total cost of such care. Similarly, for the Episodic Payment 
Methodology, we require that parties calculate losses by comparing 
current expenditures for all items and services that are covered by the 
applicable payor, furnished to the target patient population, and 
relate to a defined clinical episode of care to a bona fide benchmark 
designed to approximate the expected total cost of care for the defined 
clinical episode of care.
---------------------------------------------------------------------------

    \51\ We are not requiring that parties compare current 
expenditures to a bona fide benchmark designed to approximate the 
expected total cost of care for the VBE Capitation Payment 
Methodology because of its prospective nature and per-patient, per-
month, per-quarter, or per-year payment structure. Instead, for this 
methodology, parties must establish a capitated payment for a 
predefined set of items and services furnished to the target patient 
population, designed to approximate the expected total cost of 
expenditures for the predefined set of items and services. The 
capitated payment must also (among other criteria) be intended to 
result in material savings.
---------------------------------------------------------------------------

    This revision has two aims. First, we seek to protect against the 
selection of benchmarks that artificially create savings or 
inappropriately insulate any VBE participant from losses. This is based 
on our intent to ensure that parties are truly assuming downside 
financial risk. Second, we seek to provide parties with the flexibility 
necessary to establish a baseline tailored to the contract or value-
based arrangement between the VBE and the payor. Thus, under these 
revised methodologies, a bona fide benchmark does not need to be based 
on historical expenditures or, to the extent such data is unavailable, 
evidence-based, comparable expenditures, as proposed in the OIG 
Proposed Rule. With this revised standard, a bona fide benchmark may be 
appropriately adjusted, e.g., through a prospective or retrospective 
risk-adjustment to account for outlier health care expenditures, 
provided the methodology for such adjustment is established in advance. 
We emphasize that any such adjustment must be consistent with the 
requirement that the bona fide benchmark be designed to approximate the 
expected total cost of care.
    We note that there are several ways that parties may demonstrate 
that a benchmark is bona fide. Parties seeking examples of bona fide 
benchmarks may look to Innovation Center models, the Medicare Shared 
Savings Program, Medicaid programs, or private payors that have adopted 
and validated benchmarks for their participants in similar risk-based 
models. Bona fide benchmarks may incorporate concepts such as risk 
adjustments, cost projections (including those related to new 
treatments), and peer comparisons, as applicable. Given the complexity 
of establishing a benchmark, we anticipate that payors from whom the 
VBE assumes risk will be involved in their design. Similar to the 
design of a partial capitation payment, payors have relevant experience 
and expertise in designing actuarial models to assess and project costs 
for their plans that will support the development of bona fide 
benchmarks. Benchmarks that are validated or designed consistent with 
generally accepted actuarial principles will likely be bona fide. 
Parties will need to assess and ensure the validity and appropriateness 
of the benchmark based on the specific facts and circumstances of their 
VBE, the value-based arrangement, the scope of the items and services 
covered, and the target patient population.
    Comment: Several commenters requested that OIG include a cap or 
stop-loss threshold in the substantial downside financial risk safe 
harbor that would limit the amount of loss incurred by the VBE. For 
example, specific to the clinical episode of care methodology, a 
commenter recommended that we limit potential losses to 20 percent of 
historical expenditures; specific to the shared savings methodology, a 
commenter encouraged protection for arrangements that include stop-loss 
thresholds for shared losses set at a certain percentage of historical 
benchmark costs, akin to the Medicare Shared Savings Program.
    Alternatively, other commenters urged OIG to simply clarify that 
reinsurance arrangements, or other like arrangements to protect against 
catastrophic losses, would not fall outside of our proposed definition 
of ``substantial downside financial risk.'' According to these 
commenters, reinsurance arrangements are critical to encouraging the 
assumption of downside financial risk.
    Response: Given the inherent differences in target patient 
populations, the sophistication of parties participating in value-based 
arrangements, and varying risk methodologies that parties may adopt, we 
decline to include a specific cap, stop-loss threshold, or reinsurance 
threshold. This provides parties

[[Page 77760]]

flexibility to adopt various risk methodologies that still satisfy the 
safe harbor's definition of ``substantial downside financial risk.'' 
Parties entering into a contract or a value-based arrangement to assume 
substantial downside financial risk should have the flexibility to 
determine the appropriate cap, stop-loss, or reinsurance threshold, if 
any, and we clarify that neither the safe harbor's conditions nor the 
definition of ``substantial downside financial risk'' precludes parties 
from entering into reinsurance arrangements or other like arrangements 
to protect against catastrophic losses. Nevertheless, we caution that 
such arrangements should not be used as a vehicle to materially shift 
the substantial downside financial risk a VBE is otherwise required to 
assume pursuant to this safe harbor.
    Comment: Several commenters supported OIG's alternate proposal to 
adopt risk levels more closely aligned with advanced APMs and other 
payor advanced APMs, as both terms are defined at 42 CFR 414.1305, or 
requested that the definition of ``substantial downside financial 
risk'' include advanced APMs. In addition, a commenter noted that the 
risk levels proposed by OIG exceeded those required in advanced APMs.
    Response: We are not revising the risk levels set forth in the 
``substantial downside financial risk'' definition to align with those 
of advanced APMs and other payor advanced APMs, as both terms are 
defined at 42 CFR 414.1305. Different risk thresholds between this safe 
harbor and advanced APMs and other payor advanced APMs are appropriate 
in light of the differing objectives between this rulemaking and the 
Quality Payment Program, the Medicare payment program that relies on 
the defined terms advanced APMs and other payor advanced APMs. For 
example, the advanced APM track of the Quality Payment Program is 
specific to eligible clinicians and offers a potential five percent 
Medicare bonus payment, among other benefits. By contrast, this safe 
harbor protects arrangements of a wide variety of industry stakeholders 
beyond eligible clinicians from liability under a criminal statute and 
sets out the conditions under which that protection is available.
    It is possible that participants in an advanced APM might assume 
risk at levels that meet the requirements of this safe harbor. Further, 
some advanced APM participants may be eligible for safe harbor 
protection under the new CMS-sponsored model arrangements safe harbor 
found at paragraph 1001.952(ii).
    Comment: Multiple commenters requested that we opine on whether 
certain arrangements would meet our proposed definition of 
``substantial downside financial risk.'' For example, at least two 
commenters requested that we address whether a bonus pool or 
gainsharing arrangement, tied to the achievement of certain outcome 
measures, could potentially meet our definition of ``substantial 
downside financial risk.'' The commenters argued in favor of such an 
interpretation, asserting that the potential to earn a bonus payment 
constitutes downside risk to the extent the bonus is (i) otherwise 
considered part of the recipient's aggregate compensation, and (ii) 
withheld if outcome measures are not met.
    Response: The definition of ``substantial downside financial risk'' 
requires, among other criteria, that the VBE assume the potential for 
realizing losses. This definition would permit parties to design a two-
sided risk methodology that would place the VBE at downside financial 
risk and upside financial risk. In other words, the definition 
requires, at a minimum, the VBE to assume substantial downside 
financial risk, but does not preclude the parties from including other 
risk methodologies, so long as all other conditions of the safe harbor 
are met. For example, arrangements that include a bonus pool or 
gainsharing, along with the VBE assuming the required substantial 
downside financial risk, may be protected by this safe harbor. However, 
a risk methodology that only includes upside risk would not meet this 
requirement.
ii. Meaningful Share
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(2) that this safe harbor would protect remuneration 
exchanged between a VBE and a VBE participant if the VBE participant 
meaningfully shares in the VBE's substantial downside financial risk 
for providing or arranging for items and services for the target 
patient population. We proposed that a VBE participant would 
meaningfully share in the VBE's risk if the VBE participant met one of 
the following three methodologies: (i) A risk-sharing payment pursuant 
to which the VBE participant is at risk for 8 percent of the amount for 
which the VBE is at risk under its agreement with the applicable payor 
(e.g., an 8-percent withhold, recoupment payment, or shared losses 
payment); (ii) a partial or full capitated payment or similar payment 
methodology (excluding certain enumerated reimbursement methodologies); 
or (iii) in the case of a VBE participant that is a physician, a 
payment that meets the requirements of the physician self-referral 
law's regulatory exception for value-based arrangements with meaningful 
downside financial risk at 42 CFR 411.357(aa)(2).
    Summary of Final Rule: We are finalizing, with modifications, at 
paragraph 1001.952(ff)(3) a requirement for the VBE participant to be 
at risk for a meaningful share of the VBE's substantial downside 
financial risk for providing or arranging for the provision of items 
and services for the target patient population. We are finalizing, with 
modifications, the proposed definition of ``meaningful share'' at 
paragraph 1001.952(ff)(9)(ii). Specifically, based on comments we are: 
(i) Revising the first methodology of the ``meaningful share'' 
definition (the ``Risk-Sharing Payment Methodology'') to clarify that 
any risk assumed by a VBE participant pursuant to this methodology must 
be two-sided risk; (ii) lowering the risk threshold for the Risk-
Sharing Payment Methodology from 8 percent to at least 5 percent of the 
losses and savings, as applicable, realized by the VBE pursuant to its 
assumption of substantial downside financial risk; (iii) revising the 
second methodology of the ``meaningful share'' definition to apply to 
prospective, per-patient payments for a predefined set of items and 
services furnished to the target patient population (the ``Meaningful 
Share Partial Capitation Methodology''); and (iv) not finalizing the 
proposed methodology applicable to physician payments that meet the 
requirements of the physician self-referral law's regulatory exception 
for value-based arrangements with meaningful downside financial risk at 
42 CFR 411.357(aa)(2) (the ``CMS Exception Methodology'').
    Comment: While we received comments in favor of our proposed 
requirement for the VBE participant to assume a meaningful share of the 
VBE's substantial downside financial risk, many advocated against it, 
suggesting no or optional risk requirements for VBE participants 
downstream from the VBE assuming substantial downside financial risk. 
These commenters highlighted varying Innovation Center models that do 
not require the downstream assumption of risk.
    Response: We are finalizing a requirement for VBE participants, 
other than the payor from which the VBE is assuming risk, to be at risk 
for a meaningful share of the VBE's substantial downside financial risk 
pursuant to a value-based arrangement

[[Page 77761]]

with the VBE. This safe harbor is not chiefly designed for Innovation 
Center models, which may not have downside financial risk, and which 
may fit more readily in the new safe harbor at paragraph 1001.952(ii) 
for CMS-sponsored models. The requirement to assume a meaningful share 
of the VBE's risk is foundational to the structure of the safe harbor, 
which does not include certain established safeguards, such as a fair 
market value requirement, designed to mitigate risks inherent to a 
traditional fee-for-service payment methodology, nor additional 
safeguards present in the care coordination arrangements safe harbor, 
such as a bar on monetary compensation or a contribution requirement, 
that protect against payment for referral schemes. The requirement to 
assume a meaningful share of the VBE's risk helps ensure that VBE 
participants ordering or arranging for items and services for the 
target patient population share in the VBE's value-based purposes and 
cost-reduction goals.
    The payor from which the VBE is assuming substantial downside 
financial risk is exempt from the requirement to meaningfully share in 
the VBE's substantial downside financial risk in paragraph 
1001.952(ff)(3). As discussed in greater detail in section III.B.4.d, 
this carve-out applies to those payors from which VBEs are assuming 
risk that elect to also be a VBE participant and enter into a value-
based arrangement with a VBE. In such circumstances, the payor, as a 
VBE participant, need not share again in the risk that the VBE assumed 
from it in the value-based arrangement.
    Comment: While at least one commenter supported the risk threshold 
in the first proposed methodology for meaningfully sharing in the VBE's 
risk (a risk-sharing payment pursuant to which the VBE participant is 
at risk for 8 percent of the amount for which the VBE is at risk under 
its agreement with the applicable payor), the majority of commenters 
advocated that we lower the risk threshold, such as to 5 percent. 
Commenters highlighted varying Innovation Center models that impose 
lower risk requirements or rely on a broader risk framework. Other 
commenters suggested that this methodology should be expanded to 
encompass other types of risk, for example, operational or contractual 
risk. Commenters suggested that a more expansive methodology would 
encourage a greater number of providers to take on downside risk 
arrangements while still effectively deterring potential fraudulent 
behavior. A commenter recommended that OIG revise the first proposed 
methodology for meaningfully sharing in the VBE's risk to state that 
the VBE participant is at risk for ``at least 8 percent'' of the VBE's 
risk to allow for other arrangements that involve greater downside 
risk.
    Response: We are revising the Risk-Sharing Payment Methodology to 
reduce the required minimum risk threshold from 8 percent to at least 5 
percent and requiring two-sided risk (e.g., savings and losses). We 
believe this level of risk is appropriate to ensure VBE participants 
share the VBE's goal of cost reduction and to reduce fraud and abuse 
risks while making this safe harbor more accessible to individuals and 
entities that want to exchange remuneration with the VBE pursuant to 
this safe harbor. As finalized, this methodology aligns with the Shared 
Savings and Losses Methodology in the definition of ``substantial 
downside financial risk.'' This modification will provide VBE and VBE 
participants additional flexibilities to align risk-sharing 
methodologies and protect similar exchanges of remuneration (e.g., 
savings and losses) in value-based arrangements.
    We are not permitting VBE participants to meet the Risk-Sharing 
Payment Methodology by assuming other types of risk, such as 
operational or contractual risk. We are concerned these types of risk 
would not adequately align a VBE participant's financial incentives 
with that of the VBE's cost-reduction goals resulting from the VBE's 
assumption of substantial downside financial risk.
    Comment: Some commenters opposed pegging the first risk-sharing 
payment methodology of the ``meaningful share'' definition to the total 
risk assumed by the VBE. For example, a commenter noted that VBE 
participants, and in particular smaller providers, are unlikely to 
accept risk for 8 percent of the total amount for which the VBE is at 
risk from the payor. The commenter urged OIG to revise its meaningfully 
share standard to require that the VBE participant assume risk only for 
its own costs and suggested 20 percent as a potential risk assumption 
threshold.
    Response: As finalized, the Risk-Sharing Payment Methodology 
continues to require that the VBE participant share in a certain 
percentage of the VBE's total risk. However, in response to comments, 
we are finalizing a lower risk threshold of 5 percent for this 
methodology and clarifying that this methodology requires two-sided 
risk.
    We also clarify that, to the extent a VBE realizes catastrophic 
losses, triggering any reinsurance or other like arrangement into which 
the VBE has entered, the VBE participant would calculate any amount 
owed to the VBE pursuant to this methodology based on the VBE's losses, 
as adjusted by the reinsurance or other like arrangement.
    Comment: A commenter requested that OIG define ``partial capitation 
arrangements'' in the context of the second proposed methodology for 
meaningfully sharing in the VBE's risk--a partial or full capitation 
payment or similar payment methodology, excluding the Medicare 
inpatient prospective payment system or other like payment methodology. 
The commenter also asked whether there is a minimum amount that would 
qualify as partial capitation.
    Response: In response to comments, we are finalizing the Meaningful 
Share Partial Capitation Methodology with revisions that, for clarity, 
more fully describe the permissible capitation methodology. Pursuant to 
this revised methodology, a VBE participant must: (i) Receive from the 
VBE a prospective, per-patient payment on a monthly, quarterly, or 
annual basis for a predefined set of items and services furnished to 
the target patient population by the VBE participant designed to 
approximate the expected total cost of those expenditures for the 
predefined items or services; and (ii) not separately claim payment 
from the payor for the predefined set of items and services covered by 
the partial capitated payment. Consistent with our stated goal in the 
OIG Proposed Rule, we believe this methodology ensures that those VBE 
participants assuming a meaningful share of the VBE's risk pursuant to 
the Meaningful Share Partial Capitation Methodology do so in a manner 
that is aligned with the payor's cost-reduction goals.
    For the same reasons we are not specifying the percentage or scope 
of items and services that must be included in the VBE Partial 
Capitation Methodology, we are not specifying a minimum amount of items 
and services that must be covered to meet the Meaningful Share Partial 
Capitation Methodology. Likewise, we note that this methodology would 
not include fee-for-service payments under the Medicare inpatient 
prospective payment system or other fee-for-service payments under 
Medicare Parts A or B. Payments must be made on a monthly, quarterly, 
or annual basis to satisfy this methodology.
    A VBE participant may be at risk through this methodology not only 
where the VBE is at substantial downside financial risk through the VBE 
Partial Capitation Methodology but

[[Page 77762]]

also any other substantial downside financial risk methodology. For 
example, VBE participants could be at risk through the Meaningful Share 
Partial Capitation Methodology, and the VBE could assume substantial 
downside financial risk from a payor through the Episodic Payment 
Methodology.
    Comment: We received varying comments on the third proposed 
methodology for meaningfully sharing in the VBE's risk: Physician VBE 
participants would be deemed to meaningfully share in the VBE's risk if 
they meet the definition of ``meaningful downside financial risk'' 
under the physician self-referral law at 42 CFR 411.357(aa)(2). Some 
commenters either opposed this provision altogether or advocated for a 
lower threshold than the 25 percent threshold for sharing in the costs 
of the remuneration exchanged under a value-based arrangement, with a 
few commenters suggesting between 5 and 15 percent. On the other hand, 
some commenters supported this provision stating, for example, that it 
facilitated alignment across OIG's and CMS's rules. Another commenter 
requested that OIG amend this provision to apply more broadly to other 
VBE participants and not just physicians.
    Response: We are not finalizing the third proposed methodology (the 
CMS Exception Methodology). Pursuant to the final meaningful downside 
financial risk exception at 42 CFR 411.357(aa)(2), a physician must be 
at ``meaningful downside financial risk'' for failure to achieve the 
value-based purpose(s) of the value-based enterprise during the entire 
duration of the value-based arrangement. A physician assumes 
``meaningful downside financial risk'' if the physician is responsible 
to repay or forgo no less than 10 percent of the total value of the 
remuneration the physician receives (or is entitled to receive) under 
the value-based arrangement in the event of the failure to achieve the 
value-based purpose(s) of the value-based enterprise.
    Upon further consideration of the varied comments we received 
regarding the CMS Exception Methodology, we believe the CMS Exception 
Methodology does not fit within the framework of the substantial 
downside financial risk safe harbor, which is different from the 
meaningful downside financial risk exception CMS is finalizing. Unlike 
CMS's meaningful downside financial risk exception, OIG's safe harbor 
requires the VBE participant to assume risk for a meaningful share of 
the VBE's substantial downside financial risk. Risk under the CMS 
Exception Methodology is tied to a percentage of the total value of the 
remuneration the physician receives under the value-based arrangement 
rather than a percentage of the risk the VBE assumes from the payor. 
The CMS Exception Methodology does not require the physician to 
meaningfully share in financial risk assumed by the VBE, a requirement 
of the safe harbor.
    Comment: A commenter expressed concern that the differing standards 
for the assumption of downside risk in the safe harbor (i.e., 
``substantial downside financial risk'' and ``meaningfully sharing in 
the VBE's substantial downside financial risk'') would confuse parties 
to value-based arrangements and discourage participation. The commenter 
appeared to suggest that OIG adopt a single, low risk threshold in the 
substantial downside financial risk safe harbor.
    Response: While we appreciate the commenter's input, we 
respectfully disagree. It is appropriate to have differing risk 
assumption requirements for the VBE and the VBE participant. The VBE is 
contracting or entering into a value-based arrangement with a payor to 
assume substantial downside financial risk, most likely for items and 
services provided across care settings and by multiple VBE 
participants. Conversely, the VBE participant contracting with the VBE 
is not only one step removed from the payor contract, but its 
performance of value-based activities is likely to have a narrower 
focus, specific to the items and services it furnishes to the target 
patient population. As such, we believe a lower risk assumption 
threshold is appropriate for the VBE participant.
    Comment: A commenter recommended that ``advanced APMs'' and ``other 
payer APMs,'' as both terms are defined at 42 CFR 414.1305, should be 
expressly included in the safe harbor and automatically qualify as 
assuming a meaningful share of the VBE's substantial downside financial 
risk. Another commenter suggested that we adopt the ``more than nominal 
risk'' standard for advanced APMs instead of the proposed 
``meaningfully share'' standard.
    Response: Because this safe harbor has broader applicability to the 
health care industry than the regulations in which the defined terms 
referenced by the commenter are used (which apply to a Medicare payment 
program for physicians), we decline to revise the definition of 
``meaningful share'' to encompass the potentially lower risk thresholds 
set forth in the ``advanced APM'' and ``other payer APM'' definitions 
as set forth in 42 CFR 414.1305 or adopt, in lieu of ``meaningful 
share,'' the ``more than nominal risk'' standard. Thus, participants in 
advanced APMs and other payer APMs will not automatically qualify as 
having a ``meaningful share'' of the VBE's substantial downside 
financial risk and must meet the risk thresholds we are finalizing.
    Comment: A commenter asked whether a VBE participant could join an 
existing value-based arrangement between a VBE and one or more VBE 
participants and satisfy the safe harbor requirement to assume a 
meaningful share of the VBE's risk by sharing in such risk only for the 
duration of its participation in the value-based arrangement, as 
opposed to the duration of the value-based arrangement.
    Response: If the VBE has already entered into a value-based 
arrangement with one or more VBE participants for purposes of this safe 
harbor, a party may join the existing value-based arrangement as a VBE 
participant provided all safe harbor requirements are met, including 
amending the signed writing to include a description of the manner in 
which the new VBE participant will have a meaningful share of the VBE's 
substantial downside financial risk.
    We note that, other than during the 6-month phase-in period that is 
available under this safe harbor, the VBE participant must be at risk 
for a meaningful share of the VBE's risk throughout its participation 
in the value-based arrangement. This requirement does not apply if the 
VBE participant is the payor from which the VBE is assuming risk.
    Comment: A commenter asserted that OIG should add language to the 
safe harbor stating that VBE participants' meaningful share of risk can 
be through front-end withholds or dues assessments and need not be 
through back-end repayment.
    Response: For the risk methodologies under the definition of 
``meaningful share,'' we did not propose, and the final rule does not 
prescribe, how the parties to a value-based arrangement may effectuate 
the VBE participant's risk, and as such, the parties could effectuate 
risk prospectively or retrospectively.
iii. Other Defined Terms
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(8)(ii) that the terms ``coordination and management of 
care,'' ``target patient population,'' ``value-based activity,'' 
``value-based arrangement,'' ``value-based enterprise,'' ``value-based 
purpose,'' and ``VBE participant'' would

[[Page 77763]]

have the meaning set forth in proposed paragraph 1001.952(ee).
    Summary of Final Rule: We are finalizing, with modifications, our 
proposed use of the value-based terminology at paragraph 
1001.952(ff)(9)(iii). We no longer use the term ``coordination and 
management of care'' in this safe harbor. Additionally, because we are 
finalizing at paragraph 1001.952(ff)(1) a requirement making certain 
entities ineligible to use the safe harbor, we adopt for this safe 
harbor the definition of ``manufacturer of a device or medical supply'' 
at paragraph 1001.952(ee)(12).
    Comment: A few commenters requested that OIG define the term 
``payor,'' with a commenter specifically suggesting that we define such 
term to include a managed care organization that has a contract with 
Medicare, Medicaid, or another Federal health care program that is 
subject to 1128B of the Act. A commenter also asked OIG to define the 
term ``used'' in relation to the requirement that remuneration be used 
primarily to engage in value-based activities that are directly 
connected to the items and services for which the VBE is at substantial 
downside financial risk and that are set forth in writing. The 
commenter also asked OIG to define the term ``offeror's cost'' in 
relation to the requirement that the writing state all material terms 
of the value-based arrangement, including the offeror's cost of the 
remuneration.
    Response: We are not defining the term ``payor.'' The term has its 
commonsense meaning of a payor of health care items and services on 
behalf of patients. We confirm that, for purposes of this safe harbor, 
such term would include managed care organizations that have contracted 
with Medicare, Medicaid, and other Federal health care programs. We 
also are not defining the term ``used'' in regulatory text but use the 
term consistent with its commonsense, well-understood meaning (e.g., to 
put into action or service, utilize). Further, we decline to define the 
term ``offeror's costs'' because, as explained at section III.B.4.k, we 
are not finalizing the requirement that the writing include the 
offeror's costs.
c. Entities Ineligible for Safe Harbor Protection
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(ee) to limit the entities that could qualify as VBE 
participants, which would have the effect of limiting availability of 
the value-based safe harbors, including the substantial downside 
financial risk safe harbor at proposed paragraph 1001.952(ff), for 
those ineligible entities. The proposed definition of ``VBE 
participant'' is summarized more fully in section III.B.2.e of this 
preamble.
    Summary of OIG Final Rule: As explained at section III.B.2.e, we 
are not finalizing our proposal in proposed paragraph 1001.952(ee) to 
limit the entities that could qualify as VBE participants. Rather, in 
the final rule we are identifying parties ineligible to rely on safe 
harbors in the safe harbors themselves. For the substantial downside 
financial risk safe harbor, we are finalizing a requirement that 
remuneration is not exchanged by any of the following entities: (i) 
Pharmaceutical manufacturers, wholesalers, and distributors; (ii) PBMs; 
(iii) laboratory companies; (iv) pharmacies that primarily compound 
drugs or primarily dispense compounded drugs; (v) manufacturers of 
devices or medical supplies; (vi) entities or individuals that 
manufacture, sell, or rent DMEPOS (other than a pharmacy or a 
physician, provider, or other entity that primarily furnishes services, 
all of whom remain eligible); and (vii) medical device distributors or 
wholesalers that are not otherwise manufacturers of devices or medical 
supplies.
    Summaries of comments, our responses, and policy decisions 
regarding this issue can be found in the discussion of VBE participants 
in section III.B.2.e of this preamble.
d. VBE's Assumption of Risk From a Payor
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(1) that the VBE must assume substantial downside financial 
risk from a payor and that the VBE could assume such risk directly from 
a payor or through a VBE participant acting on behalf of the VBE (i.e., 
as an agent of, and accountable to, the VBE).
    Summary of Final Rule: We are finalizing, with modifications, this 
requirement at paragraph 1001.952(ff)(2). First, we are modifying the 
safe harbor to provide two options to VBEs assuming substantial 
downside financial risk from a payor. A VBE can assume risk from the 
payor through an arrangement that meets the definition of ``value-based 
arrangement,'' or a VBE can assume risk from a payor through a contract 
that places the VBE at substantial downside financial risk. The first 
option provides protection for the remuneration exchanged between the 
payor and the VBE, if all safe harbor requirements are met. To 
effectuate this, the payor must be a VBE participant and the VBE must 
assume risk from the payor through a value-based arrangement. Under the 
second option, if a payor does not wish to be part of the VBE, the VBE 
can assume substantial downside financial risk from the payor through a 
written contract. Under this option, the contract that places the VBE 
at risk is not a value-based arrangement and the safe harbor would not 
protect remuneration exchanged pursuant to it.
    Second, we are modifying the risk assumption requirement to clarify 
that the payor cannot act on behalf of the VBE; the VBE must be a 
distinct legal entity or represented by a VBE participant, other than a 
payor, that acts on the VBE's behalf.
    Comment: Some commenters opposed the proposed requirement that a 
VBE assume risk from a payor, asserting payor involvement should not be 
a prerequisite to safe harbor protection. For example, a post-acute-
care provider asserted that, where the financial risk shared between 
providers is significant, the safe harbor should be available 
regardless of whether a payor is directly involved.
    Response: We are finalizing the requirement that the VBE assume 
substantial downside financial risk from a payor because we view it as 
a critical safeguard against the potential for fraud and abuse. Payors 
are ultimately responsible for the cost of the items and services 
furnished to a target patient population, which informs our decision to 
require that they be party to the risk arrangement that serves as the 
foundation for this safe harbor. Moreover, the payor serves as an 
entity with both a holistic view of, and a financial interest in 
reducing, total expenditures for the target patient population, which 
we believe mitigates the risks traditionally associated with fee-for-
service systems, such as overutilization or inappropriate utilization.
    Consistent with our emphasis in the OIG Proposed Rule that parties 
assuming substantial downside financial risk have more flexibility, we 
have modified the safe harbor so that payors and VBEs have two options 
for entering into the risk arrangement--entering into either a value-
based arrangement or a written contract for the VBE to assume risk from 
the payor.
    Under the first option for risk arrangements, payors must be a VBE 
participant, which is permitted under our final definition of ``VBE 
participant.'' The payor (as a VBE participant) and the VBE can enter 
into a value-based arrangement for the VBE to assume substantial 
downside

[[Page 77764]]

financial risk. As we proposed and are finalizing in this rule, the 
introductory paragraph to 1001.952(ff) protects remuneration exchanged 
between a VBE and a VBE participant pursuant to a value-based 
arrangement. Therefore, remuneration exchanged pursuant to a payor's 
and a VBE's value-based arrangement could be protected by this safe 
harbor, including remuneration exchanged to implement a substantial 
downside financial risk methodology (e.g., shared savings and losses), 
if the value-based arrangement meets all applicable conditions of the 
safe harbor. We do not believe this option would pose an unreasonable 
burden on the payor because a value-based arrangement requires only the 
provision of at least one value-based activity for a target patient 
population, and the payor and VBE already must enter into an agreement 
to effectuate the VBE's assumption of risk for the target patient 
population. We believe any burden would be outweighed by the benefits 
of safe harbor protection.
    Under the second option, payors that do not wish to be part of the 
VBE may choose to enter into a written contract for purposes of the VBE 
assuming substantial downside financial risk. Under this option, payors 
would not be VBE participants, the written contract between the payor 
and the VBE would not be a value-based arrangement, and the payor would 
not be subject to the other conditions of the safe harbor. In such 
circumstances, these contracts must only meet the condition at 
paragraph 1001.952(ff)(2), i.e., they must evidence the VBE's 
assumption of substantial downside financial risk from the payor. 
Remuneration exchanged pursuant to a risk assumption contract that is 
not a value-based arrangement is not protected by this safe harbor. The 
VBE and the payor would need to assess any potential remuneration 
exchanged pursuant to the risk arrangement contract and its compliance 
with the Federal anti-kickback statute.
    In response to the commenter suggesting that providers should be 
permitted to assume risk without a payor, we recognize that there may 
be risk-based arrangements between and among providers that facilitate 
the goals set forth in the definition of ``value-based purpose'' and 
that seek to reduce overall costs. However, this safe harbor does not 
protect such arrangements. Other safe harbors may be available to 
protect such arrangements, such as the care coordination arrangements 
safe harbor or the personal services and management contracts and 
outcomes-based payment arrangements safe harbor.
    Comment: Commenters requested that we clarify how the safe harbor 
would apply to arrangements involving certain categories of Federal 
health care program beneficiaries, such as Medicare fee-for-service 
patients or Indian Health Service (IHS) beneficiaries. In particular, 
multiple commenters expressed concern that, because Indian health care 
is compensated through IHS appropriations and the Medicare, Medicaid, 
and CHIP programs, Indian health care providers could not be risk-
bearing entities, as required in the proposed substantial downside 
financial risk safe harbor.
    Response: Given the requirement that the VBE assume substantial 
downside financial risk from a payor, this safe harbor will be 
available only for contracts or value-based arrangements where the 
target patient population is comprised of patients insured by a payor 
with which a VBE can enter into a risk arrangement. For example, 
whereas the safe harbor may be available for certain Medicaid direct 
contracting or managed care models,\52\ it likely would not currently 
be available for an arrangement with a target patient population 
comprised of patients enrolled only in Medicare Parts A and B (i.e., 
Medicare fee-for-service) because, outside of Innovation Center models 
and the Medicare Shared Savings Program, we are not aware of a 
mechanism that would allow a VBE to contract with the Medicare program 
to assume substantial downside financial risk for items and services 
for those patients.
---------------------------------------------------------------------------

    \52\ See Center for Health Care Strategies, Inc., Value-Based 
Payments in Medicaid Managed Care: An Overview of State Approaches 
(Feb. 2016), available at https://www.chcs.org/media/VBP-Brief_022216_FINAL.pdf.
---------------------------------------------------------------------------

    It is also possible that Indian health care providers might not be 
risk-bearing entities for purposes of this safe harbor. This would not 
foreclose Indian health care providers from engaging in care 
coordination arrangements and seeking safe harbor protection under the 
care coordination arrangements safe harbor, which does not require the 
assumption of any risk (but is available for non-monetary remuneration 
in risk-bearing arrangements), or other available safe harbors, such as 
the personal services and management contracts and outcomes-based 
payments safe harbor that protects monetary payments for achieving 
quality outcomes. Moreover, the fact that an arrangement does not fit 
in a safe harbor does not make the arrangement unlawful, and the OIG 
advisory opinion process is also available for parties seeking a 
determination about a specific existing or proposed arrangement.
    Comment: At least two commenters expressed support for the ability 
of a VBE participant to contract and assume risk on behalf of the VBE.
    Response: We confirm that, for purposes of this final rule, parties 
have this flexibility. A VBE may assume risk from the payor directly or 
through a single VBE participant acting on its behalf because we 
recognize that not all VBEs may be a separate legal entity.
    Comment: While acknowledging patients' right to choose a provider, 
a commenter requested that OIG not require parties to assume downside 
financial risk for those patients who choose to receive health care 
items or services from parties outside of the VBE. According to the 
commenter, physicians participating in VBEs that are clinically 
integrated need to refer patients within high-functioning networks that 
follow care management programs, and providers should not be required 
to assume downside financial risk for those patients who seek care 
outside the network.
    Response: We are not adopting the commenter's suggestion to exclude 
those patients who choose to receive care outside a VBE from the 
calculation of downside financial risk. While we recognize that 
patients in the target patient population ultimately could select 
providers and suppliers both inside and outside the VBE, we believe the 
VBE and its VBE participants can still coordinate and manage the care 
of these patients and should be required to assume risk for these 
patients in order to benefit from the increased flexibility afforded by 
this safe harbor. In addition, allowing providers to remove patients 
from the calculation of downside risk if they choose any provider 
outside the VBE could lead to manipulation of the target patient 
population in ways that could compromise the quality of patient care, 
e.g., providers might encourage more costly patients to obtain care 
elsewhere. This approach is consistent with the Medicare Shared Savings 
Program.
    Comment: A medical device manufacturer asserted that this safe 
harbor should be expanded to recognize that, in many cases, the items 
or services for which the VBE is at risk will not necessarily be 
provided directly to patients in the target patient population but 
instead may be an ancillary part of their care under the value-based 
arrangement, such as products and services deployed by medical device 
manufacturers.
    Response: We require that the VBE be at substantial downside 
financial risk

[[Page 77765]]

for providing or arranging for the provision of items and services for 
a target patient population and that the VBE participant assume a 
meaningful share of that risk. There is no requirement that such items 
and services be provided directly to the target patient population, and 
there is nothing in the safe harbor that prevents the VBE's risk from 
encompassing items and services for, but not provided directly to, the 
target patient population, such as ancillary products and services. 
However, pursuant to paragraph 1001.952(ff)(1)(v), manufacturers of 
devices or medical supplies are not eligible to use this safe harbor to 
exchange remuneration.
e. Phase-In Period
    Summary of OIG Proposed Rule: To address start-up arrangements for 
parties preparing to take on risk, we proposed at paragraph 
1001.952(ff)(1) that this safe harbor would protect remuneration 
exchanged between the VBE and a VBE participant during the 6 months 
prior to the date by which the VBE must assume substantial downside 
financial risk. We proposed that, during this phase-in period, the VBE 
must be contractually obligated to assume such risk from a payor.
    Summary of Final Rule: We are finalizing the 6-month phase-in 
period, with modification, and relocating it to paragraph 
1001.952(ff)(2).
    Comment: Commenters overwhelmingly supported a phase-in period, 
noting that many providers and organizations will need time to assume 
downside financial risk. However, many commenters asserted that the 
proposed 6-month time period was insufficient and recommended a longer 
phase-in period, such as 1 or 2 years. These commenters expressed 
concern that, absent a longer phase-in period, the safe harbor would be 
available to only highly sophisticated and large organizations that 
already have the capacity to take on high levels of financial risk. 
Another commenter argued that a longer phase-in period is essential in 
order to allow newly formed or small VBEs the flexibility to establish 
baselines against which to measure losses or savings. Some commenters 
highlighted other justifications for a longer phase-in period, 
including the significant training and integration needed for the 
adoption of new software systems and the need for providers with less 
experience with value-based arrangements, including small or rural 
providers, to have more time to assume financial risk. Other commenters 
requested that OIG extend the phase-in period only in defined 
circumstances, e.g., for VBEs created by independent medical practices 
or in circumstances where the 6-month phase-in period would place an 
undue burden on the parties to the arrangement. Finally, another 
commenter suggested a capacity-building period of 2 years where an 
entity would take on lower levels of downside financial risk and 
gradually build up to the thresholds set forth in the definition of 
``substantial downside financial risk.''
    Response: We solicited comments on whether 6 months was a 
sufficient timeframe for a phase-in period or whether a longer or 
shorter timeframe would be appropriate. Having reviewed the comments 
and considered the issue, we have determined that, while some parties 
interested in assuming substantial downside financial risk might 
benefit from a phase-in period of more than 6 months, a 6-month phase-
in period, paired with the availability of the care coordination 
arrangements safe harbor, should provide a sufficient on-ramp for 
parties seeking safe harbor protection for start-up or capacity-
building arrangements to prepare to assume substantial downside 
financial risk.
    In addition, the changes we have made to the definition of 
``substantial downside financial risk'' to replace the previous 
requirements for comparisons to historical benchmarks should allay 
concerns raised by newly formed or small entities about the time needed 
to establish baselines against which to measure losses or savings. In 
particular, the new standard for setting a benchmark provides 
flexibility to individuals and entities that may not have historical 
benchmarks to establish benchmarks using other appropriate data, such 
as regional or national data.
    Comment: A commenter requested that OIG confirm that all 
remuneration exchanged during the phase-in period related to VBE 
participants' good faith efforts to set up the VBE or value-based 
arrangement would be protected, even if the value-based arrangement 
ultimately did not move forward.
    Response: To qualify for protection during the phase-in period, the 
VBE must have a contract or a value-based arrangement with the payor to 
assume risk within the next 6 months. To illustrate, if a VBE enters 
into a contract with a payor on January 1, the VBE must assume 
substantial downside financial risk no later than July 1st. The phase-
in period runs from January 1 to July 1 (or an earlier date if the VBE 
assumes risk sooner). We recognize that a VBE might discover during the 
phase-in period that it is unable to assume the planned risk because, 
for example, of a failure to achieve an adequate network or necessary 
infrastructure. Remuneration exchanged between a VBE and a VBE 
participant during the phase-in period would be protected even if the 
VBE ultimately does not assume substantial downside financial risk at 
the conclusion of the phase-in period, provided the VBE had entered 
into a contract or a value-based arrangement with the payor to assume 
substantial downside financial risk and all other safe harbor 
requirements were met.
    With respect to the question about setting up a VBE, under the 
final rule, parties may not use the 6-month phase-in period to protect 
remuneration exchanged in order to set up a VBE because, as a condition 
of meeting the safe harbor, the VBE must already be in existence. In 
addition, there must be a value-based arrangement between the VBE and 
VBE participant that includes the exchange of payments or something of 
value for which safe harbor protection is sought. The remuneration 
under this value-based arrangement could relate to efforts to set up 
necessary infrastructure to assume risk for the target patient 
population.
    Comment: A commenter asked OIG to protect all legitimate pre-
arrangement activities associated with assuming risk, even where the 
VBE is not under a contractual obligation to assume risk. Another 
commenter asked whether payments by an academic medical center to 
physicians to maintain income levels during the phase-in period are 
protected.
    Response: We decline to protect pre-arrangement activities when the 
VBE has not entered into a contract or a value-based arrangement to 
assume risk from a payor, although the actual assumption of risk need 
not occur for 6 months. The requirement that the VBE enter into a 
contract or value-based arrangement to assume risk is a critical 
safeguard to protect against parties' attempts to exploit the phase-in 
period of this safe harbor to protect problematic payments when they 
have no intention of entering into the risk arrangements required by 
the safe harbor.
    Income guarantee payments would not satisfy any of the risk-based 
methodologies set forth in the definitions of ``substantial downside 
financial risk'' or ``meaningful share.'' Whether income guarantee 
payments to physicians could otherwise be protected by this safe harbor 
would depend on whether such remuneration satisfies all requirements of 
the safe harbor. For example, such payments likely would not satisfy 
the requirement that remuneration be directly connected to at least one 
of the three value-based

[[Page 77766]]

purposes defined in paragraph 1001.952(ee)(14)(x)(A)-(C). It seems 
unlikely that income guarantee payments would be directly connected to 
the deliberate organization of patient care activities and sharing of 
information to improve care for the target patient population, as the 
definition of coordination and management of care requires. 
Additionally, while we acknowledge that income guarantees could result 
in ancillary benefits to patients or could contribute to appropriate 
cost reductions, we consider it unlikely that income guarantee payments 
could be directly connected to improvements in the quality of care or 
appropriate reductions in costs.
f. Remuneration Used To Engage in Value-Based Activities
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(3)(i) that the remuneration exchanged pursuant to this 
safe harbor must be used primarily to engage in value-based activities 
that are directly connected to the items and services for which the VBE 
is at substantial downside financial risk.
    Summary of Final Rule: We are finalizing, with modifications, this 
requirement at paragraph 1001.952(ff)(4)(ii). First, for the reasons 
set forth in section III.B.3.e.ii of this preamble, we are replacing 
the word ``primarily'' with ``predominantly'' so that the safe harbor 
now requires the remuneration exchanged to be used predominantly to 
engage in value-based activities that are directly connected to the 
items and services for which the VBE has assumed (or has entered into a 
written contract or value-based arrangement to assume within the next 6 
months) substantial downside financial risk. Second, we are modifying 
this requirement to provide that the remuneration exchanged pursuant to 
a methodology for the assumption of risk does not need to meet this 
condition if the remuneration is part of a value-based arrangement that 
meets all other safe harbor conditions. That is, remuneration exchanged 
between either a VBE and a payor (as a VBE participant) pursuant to a 
methodology that meets the definition of ``substantial downside 
financial risk,'' or between a VBE and a VBE participant (other than a 
payor) pursuant to a methodology that meets the definition of 
``meaningful share,'' need not be used predominantly to engage in 
value-based activities that are directly connected to the items and 
services for which the VBE is at substantial downside financial risk. 
Lastly, we are clarifying that the items and services to which the 
value-based activities must be directly connected are those for which 
the VBE has assumed (or has entered into a written contract or value-
based arrangement to assume within the next 6 months) substantial 
downside financial risk. This clarification is in recognition that 
parties to a value-based arrangement may exchange remuneration during 
the phase-in period when the VBE has not yet assumed substantial 
downside financial risk but has entered into a written contract or 
value-based arrangement to assume such risk within the next 6 months.
    Comment: Some commenters expressed general concern that this 
proposed requirement would be administratively burdensome, and at least 
one commenter more specifically stated that it would be burdensome to 
track how monetary remuneration is spent in order to ensure compliance 
with this requirement. Another commenter suggested that this 
requirement would preclude protection of remuneration in the form of 
shared savings. These commenters appeared to request that OIG remove 
this condition either in its entirety (thereby permitting parties to 
use any remuneration protected under this safe harbor for any purpose 
permissible under applicable law) or only with respect to monetary 
remuneration or a subset of monetary remuneration, such as shared 
savings and other performance-based payments. Alternatively, a 
commenter asserted that OIG should treat certain payments, such as 
bonus distributions and performance-based payments, as payments for the 
past performance of activities directly connected to the items and 
services for which the VBE is at risk.
    Response: The commenters' concerns and recommendations appear to 
stem from a perceived difficulty with tracking and monitoring the VBE 
participant's use of the remuneration. In response to the commenter's 
concerns, we are revising this requirement to include the following 
modifier at the start of paragraph 1001.952(ff)(4)(i): Unless exchanged 
pursuant to risk methodologies defined in paragraph (9)(i) or (ii). 
With this modifier, monetary remuneration exchanged pursuant to a risk 
methodology that meets the definition of ``substantial downside 
financial risk'' or ``meaningful share,'' i.e., the risk methodologies 
defined in paragraph 1001.952(ff)(9)(i) and (ii), does not need to be 
used predominantly to engage in value-based activities. Because such 
remuneration effectuates the assumption of risk required by the safe 
harbor, it is appropriate to exempt this remuneration from the 
requirement for remuneration to be used predominantly to engage in 
value-based activities.
    All other remuneration exchanged must be used predominantly to 
engage in value-based activities that are directly connected to the 
items and services for which the VBE has assumed substantial downside 
financial risk. With respect to the commenters' concerns regarding 
tracking another party's use of such remuneration, we emphasize that 
the safe harbor does not require the offeror of remuneration to track 
the recipient's use to determine whether such use is consistent with 
the safe harbor requirement to predominantly use remuneration to engage 
in value-based activities for the target patient population. We 
recognize that all parties to the value-based arrangement would lose 
safe harbor protection if the recipient fails to satisfy the 
predominant use requirement, but we believe there are ways for an 
offeror to protect itself against this risk, such as by including terms 
in the signed writing requiring the recipient to use funds in a 
particular manner. With respect to a commenter's concern that this 
condition would preclude the protection of shared savings, this 
condition, as finalized, would not preclude the protection of shared 
savings, as long as the shared savings arrangement satisfies all of the 
safe harbor's conditions.
    We are not persuaded by the suggestion that we allow remuneration 
to be used for any purpose permissible under applicable law. In order 
to use this safe harbor, the parties must have formed a value-based 
enterprise that has one or more value-based purposes. We believe that 
requiring remuneration to be used predominately for value-based 
activities associated with the target patient population is an 
important mechanism to help ensure that the parties are working toward 
these purposes.
    Comment: Commenters stated that the requirement for parties to 
exchange remuneration that is used to engage in value-based activities 
that are ``directly connected'' to the items and services for which the 
VBE has assumed (or has entered into a contract to assume within the 
next 6 months) substantial downside financial risk could subject 
parties seeking protection under this safe harbor to undue scrutiny 
regarding what constitutes a direct connection.
    Response: We believe parties are well-positioned to demonstrate 
that the value-based activities they undertake have a direct connection 
to the items and services provided to patients in the target patient 
population. Pursuant to paragraph 1001.952(ff)(5) of the safe

[[Page 77767]]

harbor, the value-based activities must be set forth in writing, which 
provides an opportunity for parties to document how such activities are 
directly connected to the items and services for which the VBE is at 
substantial downside financial risk.
    By way of example, in a value-based arrangement where a VBE is at 
risk for an episode of care involving hospital and post-acute care, if 
the VBE furnishes or finances the provision of additional clinical 
staff or social workers for use by both a VBE participant hospital and 
a VBE participant skilled nursing facility, the clinical staff or 
social workers must predominantly engage in value-based activities that 
are directly connected to the items and services furnished during the 
episode of care for which the VBE is at substantial downside financial 
risk. In the OIG Proposed Rule, we provided an example involving a 
target patient population undergoing hip replacement surgery to show 
what it means to have a direct connection between the value-based 
activities and items and services for the target patient population. 
Using this same example under the final rule, if a VBE is at 
substantial downside financial risk for the items and services provided 
to patients in a target patient population undergoing hip replacement 
surgery, the VBE could give a VBE participant money to hire a staff 
member who predominately coordinates patients' transitions between care 
settings after hip replacement surgery. The VBE could not give the VBE 
participant money to hire a staff member who coordinates transitions 
between care settings for patients undergoing an array of surgical 
procedures other than hip replacement surgery.\53\
---------------------------------------------------------------------------

    \53\ 84 FR 55694, 55718 (Oct. 17, 2019).
---------------------------------------------------------------------------

g. Direct Connection to Value-Based Purposes
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(3)(ii) that the protected remuneration must be directly 
connected to one or more of the VBE's value-based purposes, at least 
one of which must be the coordination and management of care for the 
target patient population.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(ff)(4)(i). The final rule provides that 
protected remuneration must be directly connected to at least one of 
the three value-based purposes defined in paragraph 
1001.952(ee)(13)(x)(A)-(C). Remuneration may advance more than one 
value-based purpose.
    We summarize and respond to comments specific to the substantial 
downside financial risk safe harbor regarding this condition below. For 
a more detailed discussion and a summary of the general comments 
received regarding the requirement for a direct connection to the 
coordination and management of care, as proposed in both the care 
coordination arrangements safe harbor and this safe harbor, and our 
responses, we refer readers to the care coordination arrangements safe 
harbor section discussion at section III.B.3.h.
    Comment: A commenter asserted that all payment arrangements 
protected by this safe harbor should have as a value-based purpose a 
focus on cost reduction and quality improvement.
    Response: In the context of remuneration exchanged pursuant to 
value-based arrangements where parties have met the requirements of the 
definitions of ``substantial downside financial risk'' and ``meaningful 
share,'' we recognize that it may be appropriate for parties to have 
value-based purposes related to achieving appropriate cost reductions 
or quality improvements. Accordingly, we are revising this condition to 
provide parties additional options for remuneration to be directly 
connected to at least one of three value-based purposes defined in 
paragraph 1001.952(ee)(13)(x)(A)-(C). Remuneration must be directly 
connected to one or more of the following value-based purposes: The 
coordination and management of care for the target patient population; 
improving the quality of care for the target patient population; and 
appropriately reducing the costs to, or growth in expenditures of, 
payors without reducing the quality of care for the target patient 
population. Parties may choose to meet one or more of these three 
value-based purposes to satisfy this condition. For a more detailed 
discussion regarding these value-based purposes see section III.B.2.f.
h. Reductions in Medically Necessary Items or Services
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(3)(iii), we proposed to require that the remuneration 
exchanged not induce the VBE participants to reduce or limit medically 
necessary items or services furnished to any patient.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(ff)(7)(iii). We are modifying the 
condition to clarify that the value-based arrangement (not merely the 
remuneration exchanged) may not induce the VBE or VBE participants to 
reduce or limit medically necessary items or services furnished to any 
patient. We summarize and respond to comments specific to the 
substantial downside financial risk safe harbor regarding this 
provision below. For a more detailed discussion and a summary of 
additional comments received regarding this requirement, as proposed in 
both the care coordination arrangements and substantial downside 
financial risk safe harbors, and our responses, we refer readers to the 
care coordination arrangements safe harbor discussion at section 
III.B.3.e.iii.
    Comment: Multiple commenters supported additional conditions to 
safeguard against the risks of cherry-picking, lemon-dropping, and 
stinting on care. For example, a commenter stated that the assumption 
of downside financial risk presented a heightened risk for cherry-
picking patients, discharging highly complex, rare, or costly patients, 
and stinting on care for patients with high medical needs. The 
commenter appeared to recommend Federal Government oversight of value-
based arrangements to address these risks. Another commenter 
recommended OIG formally monitor for cherry-picking or lemon-dropping 
activities and eliminate eligibility for safe harbor protection for 
parties inappropriately engaged in these activities.
    Response: We acknowledge that assuming downside financial risk may 
heighten the risks identified by the commenter. We believe that the 
parameters created by the value-based definitions as well as the 
safeguards in this safe harbor protect against such conduct. For 
example, the definition of ``target patient population'' requires that 
the VBE or its VBE participants identify the target patient population 
using legitimate criteria, and criteria that seek to exclude costly or 
noncompliant patients would not be legitimate. However, in response to 
the comment that the nature of value-based arrangements, themselves, 
can create incentives for stinting or cherry-picking, we are expanding 
this prohibition to apply to not only the remuneration exchanged 
between the parties but also all terms and conditions of a value-based 
arrangement.
    With respect to OIG's oversight, we anticipate that individuals and 
entities that are part of a value-based enterprise will be subject to 
OIG's program integrity and oversight activities to the same extent as 
other individuals and entities that engage in Federal health care 
program business.

[[Page 77768]]

i. Ownership or Investment Interests
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(3)(iv), we proposed that this safe harbor would not 
protect an ownership or investment interest in the VBE or any 
distributions related to an ownership or investment interest.
    Summary of Final Rule: We are finalizing, without modification, 
this condition and relocating it to paragraph 1001.952(ff)(4)(iii).
    Comment: A few commenters opposed this condition. For example, a 
commenter asserted that some potential participants may not be 
comfortable investing in a VBE where such investment is unprotected by 
safe harbors and therefore may avoid involvement in otherwise 
beneficial substantial downside financial risk arrangements. Another 
commenter urged OIG to clarify that it was not our intent to prohibit 
VBE participants from establishing a corporate structure for a VBE in 
which the participants may receive an equity interest, stating that, 
without such a clarification, the safe harbor would unnecessarily 
restrict the ability of individuals and entities to dictate the 
corporate structure of VBEs they create.
    Response: We do not view protection for ownership or investment 
interests as fundamental to removing barriers to parties entering into 
value-based arrangements and are not protecting them under this safe 
harbor. Parties seeking to protect a particular ownership or investment 
interest may look to other safe harbors (e.g., the safe harbor for 
investment interests, paragraph 1001.952(a), which protects certain 
investment interests if all requirements of the safe harbor are met), 
and the advisory opinion process remains available.
j. Remuneration From Individuals or Entities Outside the Applicable VBE
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(3)(v), we proposed that the safe harbor would not protect 
remuneration funded, or otherwise resulting from contributions, by an 
individual or entity outside of the applicable VBE.
    Summary of Final Rule: We are not finalizing this condition.
    Comment: A commenter asserted that imposing this requirement would 
inhibit contributions or funding by an affiliate of a VBE or a VBE 
participant (e.g., a parent organization). Another commenter suggested 
OIG permit ``outside'' donations under the substantial downside 
financial risk safe harbor when the donation would benefit a VBE's 
patients and the third-party donor would have no direction or control 
over how the funds would be spent.
    Response: We are not finalizing this condition because of concerns 
that it may be unduly prescriptive and for the reasons described at 
section III.3.e.iv related to the similar proposal for the care 
coordination arrangements safe harbor. However, the exchange of 
remuneration between parties other than the VBE and a VBE participant 
(e.g., remuneration exchanged between a third-party donor and a VBE 
participant or a VBE) would not be protected by this or any value-based 
safe harbor. Similarly, in the circumstances presented by the 
commenter, we would not view contributions or funding from an affiliate 
of a VBE (that is not a VBE participant) to that VBE as qualifying for 
protection under this or any value-based safe harbor. However, under 
this final rule, the mere fact that an affiliate of a VBE exchanges 
remuneration with that VBE would not preclude safe harbor protection 
for value-based arrangements between that VBE and its VBE participants.
    Comment: A commenter requested that we address how the exclusion of 
safe harbor protection for remuneration funded, or otherwise resulting 
from contributions, by an individual or entity outside of the 
applicable VBE would operate where a VBE sought to enter into a value-
based arrangement with a payor that was not, itself, a VBE participant.
    Response: As noted above, we are not finalizing the proposed 
condition. For purposes of the value-based safe harbors, we are 
finalizing a definition of ``value-based arrangement'' in paragraph 
1001.952(ee)(14)(vii) that requires the arrangement to be only between 
or among the VBE and one or more of its VBE participants or between or 
among VBE participants in the same VBE.
    However, the modification explained in section III.B.4.d above, 
addresses the commenter's concern regarding assuming risk from a payor 
that is not a VBE participant. In that section, we explained that, 
while a payor could opt to be a VBE participant, it need not do so in 
order for a VBE to contract to assume substantial downside financial 
risk from a payor. However, unless the payor is a VBE participant, this 
safe harbor would not protect the remuneration exchanged between the 
payor and the VBE.
k. Writing
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(4), we proposed that the terms of the value-based 
arrangement must be set forth in a signed writing that contains, among 
other information, a description of the nature and extent of the VBE's 
substantial downside financial risk for the target patient population 
and a description of the manner in which the recipient meaningfully 
shares in the VBE's substantial downside financial risk.
    Summary of Final Rule: We are finalizing, with modifications, this 
condition at paragraph 1001.952(ff)(5). The modifications are based on 
public comments. First, parties must document the manner in which the 
VBE assumes risk from a payor and the VBE participant assumes a 
meaningful share of such risk. Second, the writing requirement can be 
satisfied by a collection of documents. Third, we are not requiring 
documentation of the offeror's costs. Fourth, the writing must be 
established in advance of, or contemporaneous with, the commencement of 
the value-based arrangement ``and any material change,'' instead of 
``or any material change.'' Thus, the initial terms of the value-based 
arrangement must be set forth in the signed writing, in advance of, or 
contemporaneous with the commencement of the arrangement, and any 
material change to the value-based arrangement also must be set forth 
in the signed writing in advance of, or contemporaneous with the 
commencement of the material change. As with the similar modification 
we are making to the writing requirement in the care coordination 
arrangements safe harbor, these are the logical junctures where the 
writing requirement particularly serves its transparency purposes. Our 
proposed regulatory text did not make clear that the writing was needed 
at both junctures; our modifications more clearly express that policy.
    This writing requirement does not apply to the contracts between a 
payor and a VBE in circumstances where the payor is not a VBE 
participant. Such contracts would not constitute value-based 
arrangements, subject to this condition. However, as set forth in 
paragraph 1001.952(ff)(2), such contracts must be in writing.
    For further discussion of the general comments we received 
regarding a writing requirement in the value-based safe harbors, we 
refer readers to section III.B.3.d discussing the writing requirement 
for purposes of the care coordination arrangements safe harbor; in this 
section, we respond only to the comments specific to the proposed 
substantial downside financial risk safe harbor's writing requirement.

[[Page 77769]]

    Comment: A commenter recommended that OIG revise this condition of 
the substantial downside financial risk safe harbor to remove the 
requirement that parties specify the type and the offeror's cost of the 
remuneration. The commenter stated that the offeror's cost is not 
material to the arrangement because the safe harbor does not include a 
contribution requirement and, furthermore, may be difficult to 
determine.
    Response: We agree and are removing the requirement that the 
parties include the offeror's costs in the writing.
l. Does Not Take Into Account the Volume or Value of, or Condition 
Remuneration on, Business or Patients Not Covered Under the Value-Based 
Arrangement
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(5), we proposed that the VBE or VBE participant offering 
the remuneration could not take into account the volume or value of, or 
condition the remuneration on, referrals of patients outside of the 
target patient population or business not covered under the value-based 
arrangement. This safeguard is identical to that proposed for the care 
coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing this condition, without 
modification and relocating it to paragraph 1001.952(ff)(6). For a more 
detailed discussion and a summary of our responses to the comments 
received on this condition and our rationale for finalizing it, we 
refer readers to the care coordination arrangements safe harbor 
discussion at III.B.3.f. Comments received on this topic addressed the 
condition as it applied to the value-based safe harbors generally; we 
did not receive separate comments on this condition specific to this 
safe harbor.
m. Preserving Clinical Decision-Making
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(6)(i), we proposed that value-based arrangements must not 
limit VBE participants' ability to make decisions in the best interests 
of their patients. In addition, at proposed paragraph 
1001.952(ff)(6)(ii) we proposed that value-based arrangements cannot 
direct or restrict referrals to a particular provider, practitioner, or 
supplier if: (i) A patient expresses a preference for a different 
practitioner, provider, or supplier; (ii) the patient's payor 
determines the provider, practitioner, or supplier; or (iii) such 
direction or restriction is contrary to applicable law or regulations 
under titles XVIII and XIX of the Act. We proposed to interpret this 
condition consistent with the parallel condition proposed for the care 
coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing, with modification, the 
proposed condition that the value-based arrangement must not limit the 
VBE participant's ability to make decisions in the best interests of 
its patients at paragraph 1001.952(ff)(7)(i). We are making a technical 
correction to change ``their patients'' to ``its patients.'' We also 
are finalizing, with modification, the condition related to directing 
or restricting referrals, at paragraph 1001.952(ff)(7)(ii). We are 
deleting ``or regulations'' from the proposed provision because 
regulations are captured by the term ``applicable law.''
    For a more detailed discussion, summaries of comments we received 
regarding this requirement, as proposed in each of the value-based safe 
harbors, and our responses, we refer readers to the discussion of this 
condition in the care coordination arrangements safe harbor at section 
III.B.3. Below we discuss the comments we received on this condition 
specific to the proposed substantial downside financial risk safe 
harbor.
    Comment: A commenter requested that OIG clarify how this 
requirement would apply to an arrangement involving patients who are 
covered by managed care payors, where patient preferences are likely to 
be limited.
    Response: If a managed care payor determines the providers, 
practitioners, or suppliers from whom patients may seek health care 
items and services under a managed care plan, then the value-based 
arrangement could not direct or restrict referrals to a particular 
provider, practitioner, or supplier in a contrary manner.
n. Materials and Records
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(ff)(7), we proposed to require that the VBE or its VBE 
participants make available to the Secretary, upon request, all 
materials and records sufficient to establish compliance with the 
conditions of the safe harbor. We solicited comments regarding whether 
we should require parties to maintain materials and records for a set 
period of time (e.g., at least 6 years or 10 years).
    Summary of Final Rule: We are finalizing, with modification, the 
materials and records requirement. We are specifying that, for a period 
of at least 6 years, the VBE or its VBE participants must maintain 
records and materials sufficient to establish compliance with the 
conditions of the safe harbor.
    This requirement will promote transparency and facilitate alignment 
with CMS's parallel value-based exception. For a more detailed 
discussion and a summary of and responses to the comments received 
about the records requirement, as proposed in each of the value-based 
safe harbors, we refer readers to the discussion of this condition in 
the care coordination arrangements safe harbor at section III.B.3.n. 
Comments received on this topic addressed the requirement as it applied 
to the value-based safe harbors generally; we did not receive separate 
comments on this requirement specific to this safe harbor.
o. Marketing of Items or Services or Patient Recruitment Activities
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(ff)(6)(iii) a condition to bar protection for remuneration 
exchanged pursuant to value-based arrangements that include marketing 
to patients of items or services or engaging in patient recruitment 
activities. We proposed to interpret this condition consistent with our 
interpretation of the same proposed requirement in the care 
coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing this requirement, with 
modifications and relocating it to paragraph 1001.952(ff)(4)(v). As 
with the care coordination arrangements safe harbor, rather than 
prohibiting all marketing and patient recruitment activities, we are 
modifying this provision to prohibit the exchange of remuneration for 
the purpose of marketing items or services furnished by the VBE or VBE 
participants to patients or for the purpose of patient recruitment 
activities. Comments received on this topic addressed the requirement 
as it applied to the value-based safe harbors generally; we did not 
receive separate comments on this requirement specific to this safe 
harbor. Consequently, we refer readers to the discussion in section 
III.B.3.j of this condition in the care coordination arrangements safe 
harbor for a summary of applicable comments, our responses, and a more 
detailed discussion of this standard, including our rationale for the 
modification being made.
p. Downstream Arrangements
    Summary of OIG Proposed Rule: We proposed to protect only 
remuneration exchanged between a VBE and a VBE participant at paragraph 
1001.952(ff).
    Summary of Final Rule: We are finalizing, without modification, the 
requirement that the exchange of remuneration be between the VBE and

[[Page 77770]]

a VBE participant in the introductory paragraph of 1001.952(ff).
    Comment: A commenter agreed with our proposal to limit this safe 
harbor to remuneration exchanged solely between the VBE and a VBE 
participant and acknowledged the potential fraud and abuse risks 
inherent in downstream arrangements where a contracting party has 
assumed little or no financial risk. However, the majority of 
commenters advocated for extending safe harbor protection to 
remuneration that passes between and among VBE participants, or between 
VBE participants and downstream contractors. A commenter stated that 
downstream arrangements are essential to facilitating care coordination 
efforts, while another commenter asserted that requiring a VBE 
participant to meaningfully share in the VBE's substantial downside 
financial risk appropriately curtails any fee-for-service incentives. A 
commenter posited that this requirement would result in value-based 
activities being inefficiently routed through the VBE, and another 
commenter questioned why this safe harbor only protects remuneration 
between a VBE and VBE participant when the care coordination 
arrangements safe harbor more broadly protects remuneration between a 
VBE and a VBE participant or between VBE participants.
    Response: We did not propose to protect arrangements where 
remuneration is passed from one VBE participant to another VBE 
participant or from a VBE participant to a downstream contractor. In 
this final rule, we are limiting safe harbor protection to the exchange 
of remuneration between the VBE and a VBE participant for which the 
combination of safe harbor conditions was designed. This safe harbor 
provides greater regulatory flexibility than the care coordination 
arrangements safe harbor, and as a result, we decline to extend safe 
harbor protection to downstream financial arrangements to which the VBE 
is not a party and that may not include all of the safeguards required 
by this safe harbor, including requirements related to the assumption 
of downside financial risk. A VBE participant seeking to exchange 
remuneration with another VBE participant may look to the care 
coordination arrangements safe harbor or other safe harbors, such as 
the personal services and management contracts and outcomes-based 
payments safe harbor.
    Comment: A commenter expressed concern that limiting safe harbor 
protection to remuneration exchanged between the VBE and a VBE 
participant would be unworkable if the applicable VBE were comprised of 
an informal network of individuals and entities (versus a separate 
legal entity). In particular, the commenter seemed to believe that, in 
such circumstances, the VBE participants would not be able to protect 
any remuneration using this safe harbor.
    Response: This safe harbor requires that a VBE assume substantial 
downside financial risk for certain items and services provided to the 
target patient population. In circumstances where the VBE is not a 
formal legal entity, but rather is comprised of a network of VBE 
participants, a single VBE participant may act on behalf of the VBE to 
contract or enter into a value-based arrangement with a payor to assume 
substantial downside financial risk. In such circumstances, this safe 
harbor could protect the exchange of remuneration between the VBE 
participant acting on behalf of the VBE and other VBE participants. We 
note that, while different VBE participants may act on behalf of the 
VBE at different times during the term of the value-based arrangement, 
only remuneration between a VBE participant acting on behalf of the VBE 
and another VBE participant may be protected. The safe harbor would not 
protect remuneration exchanged between two VBE participants, neither of 
whom are currently acting on behalf of the VBE.
q. Possible Additional Safeguards
    Summary of OIG Proposed Rule: We stated in the preamble to the OIG 
Proposed Rule that we were considering adopting specified additional 
safeguards in the final rule, including a commercial reasonableness 
requirement, a monitoring standard, a cost-shifting prohibition, and a 
requirement to submit information to the Department regarding the VBE, 
the VBE participants, and the value-based arrangement.
    Summary of Final Rule: We are not finalizing these proposed 
conditions. Upon further consideration, we do not consider them 
necessary to mitigate fraud and abuse risk given the overall structure 
and totality of conditions in the final safe harbor.
    Comment: We received a variety of comments regarding potential 
additional safeguards in the substantial downside financial risk safe 
harbor. A commenter opposed the addition of a commercial reasonableness 
requirement, asserting that it would be inconsistent with CMS's similar 
exception and potentially would chill innovation where parties have 
assumed downside risk. Several commenters suggested including 
additional transparency requirements for patients. A commenter 
recommended that we include a prohibition on inappropriate cost 
shifting to Federal health care programs. A few commenters suggested 
that OIG require objective and quantifiable outcome measures to show 
the remuneration exchanged enhances patient outcomes. Another commenter 
urged us to include a termination provision similar to that in the care 
coordination arrangements safe harbor.
    Response: We are not imposing a commercial reasonableness 
requirement in this safe harbor in recognition of the VBE and its VBE 
participants assuming substantial downside financial risk. We believe 
the assumption of downside financial risk helps to ensure that the 
remuneration is exchanged in order to achieve value-based purposes 
rather than to pay for referrals, which is at the core of the 
commercial reasonableness standard in other safe harbors. We did not 
propose patient transparency or notice requirements and are not 
including such conditions in this final rule. While parties may choose 
to provide patient notifications, such a condition in the safe harbor 
would not add appreciable additional protection against payments for 
referrals. We also are not including a cost-shifting prohibition, in 
recognition that the assumption of substantial downside financial risk 
is intended to drive a reduction in costs, which may include Federal 
health care program costs.
    While parties may include termination provisions or outcome measure 
requirements as part of their value-based arrangements, we are not 
requiring these terms as a condition of the safe harbor.
5. Value-Based Arrangements With Full Financial Risk (42 CFR 
1001.952(gg))
    Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg) 
a full financial risk safe harbor that would protect remuneration 
exchanged between a VBE and a VBE participant pursuant to a value-based 
arrangement where the VBE has assumed, or is contractually obligated to 
assume within the next 6 months, full financial risk, as set out at 
proposed paragraph 1001.952(gg)(1). We proposed to define ``full 
financial risk'' at proposed paragraph 1001.952(9)(i) to mean that 
``the VBE is financially responsible for the cost of all items and 
services covered by the applicable payor for each patient in the target 
patient population and is prospectively paid by the applicable payor.''
    We proposed that the full financial risk safe harbor would include 
certain safeguards, such as requirements that:

[[Page 77771]]

(i) The VBE have a signed writing with the payor that specifies the 
target patient population and terms evidencing full financial risk 
(proposed paragraph 1001.952(gg)(1)); (ii) the parties have a signed 
writing that specifies the material terms of the value-based 
arrangement (proposed paragraph 1001.952(gg)(2)); and (iii) the VBE 
participant not claim payment from a payor (proposed paragraph 
1001.952(gg)(3)). Further, we proposed at paragraph 1001.952(gg)(4) 
that the remuneration exchanged be used primarily to engage in value-
based activities; be directly connected to one or more of the VBE's 
value-based purposes, at least one of which must be the coordination 
and management of care for the target patient population; not induce 
reductions or limitations of medically necessary care; and not be 
funded by outside contributions. At proposed paragraph 1001.952(gg)(5), 
we proposed a restriction on taking into account the volume or value of 
business outside the value-based arrangement, and at proposed paragraph 
1001.952(gg)(6), we proposed that the VBE provide or arrange for an 
operational utilization review program and quality assurance program. 
At proposed paragraph 1001.952(gg)(7), we proposed a restriction on 
marketing and patient recruitment, and at proposed paragraph 
1001.952(gg)(8), we proposed a requirement to make available materials 
and records to the Secretary.
    Summary of Final Rule: We are finalizing, with modifications, the 
safe harbor at paragraph 1001.952(gg). We are modifying the definition 
of ``full financial risk'' at paragraph 1001.952(gg)(10)(ii) to require 
the VBE to be at risk on a prospective basis for the cost of all items 
and services covered by the applicable payor for each patient in the 
target patient population for a term of at least 1 year. We are 
defining ``prospective basis'' at paragraph 1001.952(gg)(10)(ii) to 
mean the VBE has assumed financial responsibility for the cost of all 
items and services covered by the applicable payor prior to the 
provision of items and services to patients in the target patient 
population.
    We are finalizing the proposed safeguards, with some modifications 
at paragraphs 1001.952(gg)(2)-(8), as explained in more detail in the 
topical discussions below. In addition, we have added a list of 
entities ineligible to use the safe harbor at paragraph 1001.952(gg)(1) 
for the reasons set forth in the discussion of the definition of ``VBE 
participant'' at section III.B.2.e.
a. General Comments
    Comment: While some commenters expressed support for this proposed 
safe harbor, multiple commenters conveyed their concerns that this safe 
harbor may have limited application. For example, some commenters noted 
that the proposed safe harbor requirements, including the definition of 
``full financial risk,'' would limit the safe harbor to only large 
integrated delivery systems capable of providing nearly all Medicare 
and Medicaid covered services to a target patient population and would 
disadvantage small and rural practices and practices serving 
underserved areas. Other commenters highlighted a potential 
intersection between certain state insurance and licensure laws and the 
proposed safe harbor requirements that could, according to the 
commenters, limit the availability of safe harbor protection only to 
those entities that could comply with such state laws, some of which 
may require a VBE to be licensed as a health care services plan. To 
address this issue, a commenter requested revisions to the proposed 
safe harbor to make safe harbor protection available to advanced, risk-
bearing provider networks in states with such licensure requirements.
    Response: We designed this safe harbor to provide significant 
flexibility under the Federal anti-kickback statute in light of the 
level of financial risk assumed by the parties. We crafted the ``full 
financial risk'' definition, as well as the conditions of this safe 
harbor, to balance the additional flexibilities under the anti-kickback 
statute with appropriate safeguards against both risks associated with 
fee-for-service payment systems, such as overutilization and skewed 
decision-making, and risks present in risk-based arrangements, 
including stinting on care (underutilization), cherry-picking lucrative 
or adherent patients, and lemon-dropping costly or noncompliant 
patients. We believe that the definition of ``full financial risk,'' 
combined with the conditions of this safe harbor, appropriately balance 
the flexibilities afforded by this safe harbor with any identified 
program integrity risks.
    We understand that there currently are a limited number of 
providers assuming the level of risk required by this safe harbor. The 
purpose of implementing a full financial risk safe harbor is to remove 
one potential barrier to providers taking on more risk and having 
additional financial incentives to coordinate care. Providers assessing 
whether they can move to full financial risk in the future can consider 
this safe harbor and the flexibilities it offers under the Federal 
anti-kickback statute as one factor in that determination. There are 
other factors that parties would consider in the decision to assume a 
higher level of risk, including some considerations raised by the 
commenters. While safe harbors cannot address all factors that may 
prohibit a provider from taking on full financial risk, this safe 
harbor is designed to encourage more providers to do so. We also note 
that this safe harbor conditions protection on the VBE assuming full 
financial risk from the payor for the items and services. It does not 
require the VBE to assume other functions from the payor, such as 
enrollment, grievance and appeals, solvency standards, and other 
administrative functions performed by payors.
    We recognize that some states may have laws that limit providers 
and other health care entities from taking on full financial risk 
unless they form licensed health care plans or meet other licensure 
requirements. We have attempted to create significant flexibility under 
the Federal anti-kickback statute while recognizing that parties still 
must comply with applicable state laws. For example, this safe harbor 
provides flexibility around how the VBE assumes full financial risk 
from a payor. Such flexibilities provide payors, VBEs, and VBE 
participants with options to structure arrangements that are consistent 
with the safe harbor and state laws. Nothing in these safe harbors 
preempts any applicable state law (unless such state law incorporates 
the Federal law by reference). Other safe harbors may be available to 
parties unable--by virtue of any state law requirements--to structure 
an arrangement that satisfies the conditions of this safe harbor.
    Comment: A commenter suggested that we consider a new safe harbor 
or a fraud and abuse waiver for Medicare Advantage plans testing value-
based arrangements. The commenter asserted that such a safe harbor or 
waiver would allow entities not otherwise eligible for protection under 
the value-based safe harbors to participate in value-based 
arrangements.
    Response: We did not propose a safe harbor or a fraud and abuse 
waiver specific to Medicare Advantage plans, and thus we are not 
finalizing such safe harbor or waiver in this final rule. This safe 
harbor may be available to protect remuneration exchanged under certain 
Medicare Advantage plan arrangements, provided the plan enters into a 
contract or a value-based arrangement with a VBE pursuant to which the 
VBE assumes full financial risk from the

[[Page 77772]]

plan. We also note that there may be other existing safe harbors not 
modified by this final rule that are available to protect financial 
arrangements involving a Medicare Advantage plan, such as paragraphs 
1001.952(t) and (u), and the advisory opinion process remains 
available.
    Comment: While a commenter expressed support for OIG's and CMS's 
consistent definitions of full financial risk, others requested that 
OIG finalize a full financial risk safe harbor that further aligns with 
CMS's parallel full risk exception. These commenters generally urged 
OIG and CMS to impose the same risk thresholds and requirements for 
purposes of the full financial risk safe harbor and the CMS full risk 
exception.
    Response: As with the OIG Proposed Rule, in this final rule, we 
have endeavored to align our full financial risk safe harbor to the 
greatest extent possible with CMS's full risk exception. The definition 
of ``full financial risk'' we are finalizing is more closely aligned 
with the definition of ``full financial risk'' that CMS is finalizing 
in its full risk exception. However, reflecting statutory differences 
that exist between the Federal anti-kickback statute and the physician 
self-referral law, explained further in section III.A.1, the full 
financial risk safe harbor differs from CMS's full risk exception. For 
example, in recognition of the statutory differences between the two 
laws, the safe harbor includes conditions that differ from those in 
CMS's parallel exception, such as the requirement that the value-based 
arrangement be set forth in writing and that the VBE provide or arrange 
for a quality assurance program for services furnished to the target 
patient population.
b. Definitions
i. Full Financial Risk
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(9)(i) that a VBE would be at ``full financial risk'' for 
the cost of care of a target patient population if the VBE is 
financially responsible for the cost of all items and services covered 
by the applicable payor for each patient in the target patient 
population and is prospectively paid by the applicable payor.
    Summary of Final Rule: We are finalizing, with modifications, a 
definition of ``full financial risk'' at paragraph 1001.952(gg)(9)(i). 
The modifications, based on public comments, provide parties with 
additional flexibility in the manner in which the VBE assumes risk from 
the applicable payor. The definition of ``full financial risk'' now 
requires the VBE to be at risk on a prospective basis for the cost of 
all items and services covered by the applicable payor for each patient 
in the target patient population for a term of at least 1 year. 
``Prospective basis,'' as defined at paragraph 1001.952(gg)(9)(ii), 
means the VBE has assumed financial responsibility for the cost of all 
items and services covered by the applicable payor prior to the 
provision of items and services to patients in the target patient 
population.
    Comment: While at least one commenter supported the definition of 
``full financial risk,'' as proposed, the vast majority of commenters 
recommended that we revise the definition to encompass arrangements 
where the VBE assumes risk for less than all of the items and services 
covered by the applicable payor. For example, many commenters 
recommended that the VBE be required to have risk only for 
``substantially all'' items and services furnished to the target 
patient population, which commenters suggested could be defined as 75 
percent of such items and services. Other commenters requested that 
full financial risk include assuming risk for a much more specifically 
defined set of services (e.g., hospital inpatient and outpatient care 
or ongoing services related to breast care). Other commenters asked OIG 
to carve out certain high-cost or specialty items and services (e.g., 
organ transplants or pharmacy benefits) or new technologies that were 
not incorporated into rate calculations from the scope of items and 
services for which a VBE must be at risk.
    Some commenters requested that the definition of ``full financial 
risk'' include risk only for all of the items and services required to 
treat a particular disease or condition or an episode of care (e.g., 
risk for all of the items and services required to treat diabetes for 
patients with diabetes in the target patient population or an episode 
of care for a knee replacement). Another commenter asked OIG to permit 
partial capitation arrangements and, lastly some commenters contended 
that full financial risk should include risk for only the items and 
services to which the remuneration relates. Many of these commenters 
asserted that VBE participants would still be incentivized to maximize 
quality and efficiency of care even where the VBE assumes risk for less 
than all items and services provided to the target patient population 
by the applicable payor.
    Response: We are finalizing a definition of ``full financial risk'' 
that requires the VBE to be at risk on a prospective basis for the cost 
of all items and services covered by the applicable payor for each 
patient in the target patient population for a term of at least 1 year. 
We decline to extend safe harbor protection under this safe harbor 
where a VBE has assumed risk for only a subset of items and services, 
such as for 75 percent of items and services, for all items and 
services except certain high-cost or specialty items and services, or 
for only the items and services to which the remuneration relates, 
although we note that the substantial downside financial risk safe 
harbor may be available for such arrangements. Additionally, a VBE 
could assume full financial risk for patients with a particular disease 
condition (e.g., patients with diabetes) by selecting a target patient 
population comprised only of patients with diabetes, but the VBE must 
cover all items and services for those patients. Therefore, while a VBE 
must be at risk for all items and services furnished to the target 
patient population, the VBE can limit the number of patients for whom 
it assumes full financial risk through its selection of the target 
patient population, as long as the VBE selects the target patient 
population using legitimate and verifiable criteria, among other 
requirements.
    In light of the significant flexibility we are offering under this 
safe harbor, we believe the risk level we are requiring for VBEs is 
necessary to reduce traditional fraud and abuse concerns associated 
with payment systems that incorporate, in whole or in part, fee-for-
service reimbursement methodologies. While we appreciate the challenges 
associated with assuming risk for certain high-cost or specialty items 
and services or new technologies, VBEs may address such challenges 
through arrangements to protect against catastrophic losses, such as 
risk-adjustment or reinsurance agreements, without losing safe harbor 
protection.
    Comment: Some commenters asked OIG to clarify whether the VBE and 
its VBE participants can collectively be at risk for items and services 
to the target patient population, such as by each VBE participant being 
at risk only for the services it provides.
    Response: A value-based enterprise is a collection of two or more 
VBE participants. As such, some or all of the VBE participants that 
comprise the VBE can combine their respective risk to satisfy the 
definition of ``full financial risk'' as long as the VBE participants' 
collective risk amounts to risk for all items and services covered by 
the

[[Page 77773]]

applicable payor for the target patient population.
    Comment: A physicians' trade organization expressed concern that 
smaller practices that attempt to assume too much risk could result in 
the closures of community practices and consolidation. Another 
commenter highlighted that there may be substantial up-front 
investments that can strain any physician practice's limited resources 
but can be particularly challenging for small, rural, or underserved 
practices with smaller patient pools to spread risk.
    Response: We recognize that the full financial risk safe harbor 
requires a level of risk that many in the health care industry may not 
currently be able to assume. For parties seeking protection for 
remuneration exchanged pursuant to risk arrangements requiring a lower 
level of risk, the substantial downside financial risk safe harbor or 
the care coordination arrangements safe harbor may be available. This 
safe harbor does not require small, rural, or community practices or 
practices serving underserved populations to assume full financial risk 
or make substantial up-front investments on their own. Parties have 
flexibility in establishing a VBE, which must have at least two VBE 
participants but can have any number of additional VBE participants. We 
believe the ``VBE participant'' definition and the safe harbors in this 
final rule provide small, rural, and community practices and practices 
serving underserved populations options to enter into arrangements to 
assume higher levels of risk without having to integrate practices or 
become part of a larger health care system.
    Further, we believe that establishing a VBE with other providers, 
either similarly situated entities or larger entities, could help 
practices (including small, rural, and community practices) take on 
more risk and mitigate potential financial shocks. As value-based 
arrangements continue to proliferate, we believe there may be 
opportunities for these types of practices to form VBEs, take on risk, 
and potentially have success in reducing costs and coordinating care.
    Comment: Commenters requested that the definition of ``full 
financial risk'' expressly include payments based on global budgets, as 
well as capitation and other alternative payment methodologies.
    Response: While the definition of ``full financial risk'' does not 
expressly list global budget or capitation payment methodologies as 
permissible payment methodologies, we confirm that such prospective 
payment methodologies would satisfy the definition of ``full financial 
risk'' as long as the global budget or capitation payments covered the 
cost of all items and services covered by the applicable payor for the 
target patient population for a term of at least 1 year. Without 
additional detail related to the alternative payment methodologies 
referenced by the commenter, we are unable to opine on whether such 
payment methodologies would meet the definition of ``full financial 
risk.'' Parties also may request an advisory opinion from OIG to 
determine whether an arrangement meets the definition of ``full 
financial risk'' and the conditions of the full financial risk safe 
harbor or is otherwise sufficiently low risk under the Federal anti-
kickback statute to receive prospective immunity from administrative 
sanctions by OIG.
    Comment: A commenter requested that OIG explain why the proposed 
definition of ``full financial risk'' required that the payor 
prospectively pay the VBE.
    Response: We proposed a definition of ``full financial risk'' that 
required prospective payment, and we stated in the OIG Proposed Rule 
that we interpreted ``prospective'' to mean the anticipated cost of all 
items and services covered by the applicable payor for the target 
patient population had been both determined and paid in advance (as 
opposed to billing under the otherwise applicable payment systems and 
undergoing a retrospective reconciliation after items and services have 
been furnished). In this final rule, we are revising the definition of 
full financial risk to require risk on a prospective basis and defining 
``prospective basis'' to mean the VBE has assumed financial 
responsibility for the cost of all items and services covered by the 
applicable payor prior to the provision of items and services to 
patients in the target patient population. As such, the VBE no longer 
needs to be prospectively paid by the applicable payor prior to the 
provision of items and services to each patient in the target patient 
population. Instead, the VBE must simply assume financial 
responsibility prior to the provision of items and services.
    We are requiring the assumption of risk on a prospective basis not 
only in recognition of the additional flexibilities under the Federal 
anti-kickback statute that this safe harbor affords but also because 
risk assumption can serve to limit the potential harms that may result 
from financial incentives inherent to fee-for-service payments systems, 
such as overutilization and skewed medical decision-making. For 
example, if providers know the amount of reimbursement they will 
receive for providing items and services to the target patient 
population before providing such items and services, then the providers 
may be less likely to order excessive tests or otherwise provide 
unnecessary items and services to the patients.\54\
---------------------------------------------------------------------------

    \54\ Mark W. Friedberg, Peggy C. Chen, Chapin White et al., 
Effects of Health Care Payment Models on Physician Practice in the 
United States, RAND Corporation (2015); K. John McConnell, Stephanie 
Renfro, Richard C. Lindrooth et al., Oregon's Medicaid Reform And 
Transition To Global Budgets Were Associated With Reductions In 
Expenditures, Health Affairs (Mar. 2017); James C. Robinson, Stephen 
M. Shortnell et al., Quality-Based Payment for Medical Groups and 
Individual Physicians, INQUIRY: The Journal of Health Care 
Organization, Provision, and Financing (May 2009).
---------------------------------------------------------------------------

    Comment: We received various comments regarding how a payor could 
transfer risk to the VBE. For example, a commenter requested 
confirmation that the payor and VBE could engage in retrospective 
reconciliations. Another commenter asserted that OIG should add 
language to the safe harbor stating that risk, both at the enterprise 
level and at the VBE participant level, can be through front-end 
withholds or dues assessments and need not be through a back-end 
repayment. A commenter further asked whether, as long as the payment 
covers a particular period, the payor could pay the VBE at the end or 
in the middle of the coverage period.
    Response: Under the revised definition of ``full financial risk,'' 
a payor could pay the VBE at any point in the coverage period and 
engage in retrospective reconciliations, as long as the VBE has assumed 
full financial risk for a term of at least 1 year prior to the 
provision of items and services to patients in the target patient 
population. We also are not dictating the manner in which the VBE 
exchanges remuneration with VBE participants, so a VBE could impose 
front-end withholds or dues assessments on VBE participants.
    Comment: A commenter asserted that the OIG Proposed Rule's proposed 
definition of ``full financial risk'' allowed a payor to make payments 
to physician practices to offset losses that the practices incurred.
    Response: This safe harbor would not protect payments from a payor 
to a physician practice that is a VBE participant to offset losses the 
practice incurred because the safe harbor prohibits a VBE participant 
from claiming payment in any form from a payor for the items and 
services covered under the value-based arrangement. In other words, 
under the terms of this safe harbor, the VBE must assume full financial 
risk for the cost of all items

[[Page 77774]]

and services covered by the applicable payor; this means that any 
claims submitted to a payor by a VBE participant related to such items 
and services--including a claim for payment to offset losses incurred--
would fail this requirement. The VBE, however, may enter into 
reinsurance or other risk-adjustment arrangements and could address 
losses incurred by VBE participants by using reinsurance payments, for 
example, to reimburse VBE participants for such losses.
    Comment: Many commenters appreciated OIG's position that the 
definition of ``full financial risk'' would not prohibit a VBE from 
entering into arrangements to protect against catastrophic losses. 
Multiple commenters requested guidance on the risk mitigation terms 
that full-risk arrangements can include while satisfying the 
requirements of the safe harbor, including whether there is a 
particular threshold on the amount of loss coverage. A commenter 
specifically asked whether incentive arrangements requiring stop-loss 
protection to meet existing physician incentive regulations in Federal 
health care programs would qualify as protecting against catastrophic 
losses under the full financial risk safe harbor.
    Response: We are not imposing a specific limit on the amount of 
loss coverage a VBE may have, but as we stated in the OIG Proposed 
Rule, we would expect any stop-loss or other risk adjustment 
arrangements to act as protection for the VBE against catastrophic 
losses and not as a means to shift material financial risk back to the 
payor. Whether stop-loss protection required by the existing physician 
incentive regulations would be appropriate stop-loss protection for a 
VBE assuming risk pursuant to this safe harbor may depend on a number 
of factors, including the structure of the VBE, scope of the target 
patient population, and items and services covered by the applicable 
payor.
    Comment: A commenter expressed concern that, because the proposed 
definition of ``full financial risk'' requires the assumption of risk 
for the cost of all items and services covered by the applicable payor, 
it would by default necessitate the involvement of hospitals as VBE 
participants. The commenter appeared to believe that this would lead to 
further consolidation of the health care industry.
    Response: It is not the intent of this rule to foster industry 
consolidation. Rather, this rule aims to increase options for parties 
to create a range of innovative arrangements eligible for safe harbor 
protection. The safe harbor does not require all parties providing 
items and services to the target patient population to be VBE 
participants and thus does not require the VBE to enter into value-
based arrangements with all such parties. For example, a VBE may enter 
into a services contract with a hospital that is not a VBE participant 
for the provision of items and services to the target patient 
population, although we note that the VBE must be at risk from the 
payor for the items and services provided by such hospital to the 
target patient population.
    Accordingly, we do not view a hospital's participation in a value-
based arrangement as a driver of industry consolidation; rather, we 
view the voluntary nature of a hospital's participation, as well as the 
voluntary participation of all other individuals or entities in a 
value-based arrangement, as facilitating collaboration and the 
transition to value-based care. Individuals and entities are not 
required to integrate their practices or corporations to meet the 
definition of ``VBE,'' to be a VBE participant, or to rely on this safe 
harbor. These definitions provide individuals and entities flexibility 
to determine how best to structure a VBE and the associated value-based 
arrangements to meet value-based purposes. VBEs and VBE participants 
that assume full financial risk from a payor and enter into value-based 
arrangements that meet the conditions of this safe harbor likely 
require different, more closely coordinated arrangements than VBEs and 
VBE participants that rely on the care coordination arrangements safe 
harbor. However, both sets of entities have flexibility to determine 
with what types of VBE participants to work and what types of 
arrangements work best.
ii. Items and Services
    Summary of OIG Proposed Rule: We proposed to define ``items and 
services'' at paragraph 1001.952(gg)(9)(ii) as having the same meaning 
as that set forth in paragraph 1001.952(t)(2)(iv).
    Summary of Final Rule: We are finalizing, with modification, the 
proposed definition of ``items and services'' at paragraph 
1001.952(gg)(9)(iii) to mean health care items, devices, supplies, and 
services.
    Comment: A commenter expressed concern that the proposed definition 
of ``items and services'' would inadvertently exclude arrangements that 
the health care industry views as full risk because ``items and 
services'' was defined to include services reasonably related to the 
provision of health care items, devices, supplies, or services, 
including, but not limited to, non-emergency transportation, patient 
education, attendant services, social services (e.g., case management), 
utilization review and quality assurance. According to the commenter, 
the scope of ``items and services'' could add significant potential 
costs to parties seeking protection under the safe harbor. The 
commenter recommended that OIG revise the definition of ``items and 
services'' to include covered medical items and services but not items 
and services more in the nature of optional supplemental benefits.
    Response: In response to the commenter's concerns, we are modifying 
the proposed definition of ``items and services'' to mean only health 
care items, devices, supplies, and services. We are no longer cross-
referencing and incorporating the definition of ``items and services'' 
found in paragraph 1001.952(t)(2)(iv). Thus, a VBE may assume risk for 
items and services reasonably related to the provision of health care 
items, devices, supplies, or services such as non-emergency 
transportation, patient education, and social services (as provided for 
in the definition of ``items and services'' found in paragraph 
1001.952(t)(2)(iv)), but doing so is no longer a safe harbor 
requirement.
    The scope of items and services for which a VBE must be at risk 
depends on the items and services covered by the payor. We recognize 
that, across the health industry, what constitutes full risk for health 
care items, devices, supplies, and services varies greatly from program 
to program and plan to plan, and we have tailored this safe harbor 
requirement accordingly. For example, Medicare Advantage generally does 
not cover items and services for long-term care at nursing facilities, 
but Medicaid does. This safe harbor does not change the scope of items 
and services a payor must cover in order for a VBE to meet the 
definition of ``full financial risk.''
    As we explained in the OIG Proposed Rule, a VBE would be at ``full 
financial risk'' if it contracts or enters into a value-based 
arrangement with a Medicaid managed care organization and receives a 
fixed per-patient per-month amount to be at full financial risk if the 
fixed amount covered the cost of all items and services covered by the 
Medicaid managed care plan and furnished to the target patient 
population. Similarly, we would consider a VBE to be at ``full 
financial risk'' if it contracts or enters into a value-based 
arrangement with a Medicare Advantage plan to receive a prospective, 
capitated payment for all items and services covered by the

[[Page 77775]]

Medicare Advantage plan for a target patient population. Under this 
safe harbor, we are not protecting partial capitated arrangements that 
require the VBE to assume risk for only a limited set of items and 
services.
    Parties may utilize OIG's advisory opinion process to determine 
whether an arrangement meets the conditions of this safe harbor or is 
otherwise sufficiently low risk under the Federal anti-kickback statute 
to receive prospective immunity from administrative sanctions by OIG.
    Comment: While recognizing that the proposed definition of ``full 
financial risk'' ties risk to payor coverage, a commenter requested 
that OIG explicitly state the extent to which medication costs may be 
included in the items and services for which a VBE must be at risk 
under the safe harbor. Another commenter stated that, if prescription 
drugs are included in the definition of all items and services for 
purposes of the full financial risk safe harbor, it is important that 
pharmaceutical manufacturers be eligible to participate in the VBE.
    Response: To the extent the payor with which the VBE contracts to 
assume full financial risk covers prescription drugs, the VBE's risk 
must encompass prescription drugs. The definition of ``full financial 
risk'' requires that the VBE assume financial responsibility on a 
prospective basis for the cost of all items and services covered by the 
applicable payor for each patient in the target patient population. 
Conversely, if the contracting payor does not cover prescription drugs, 
the VBE does not need to assume risk for such costs.
    While we recognize that prescription drugs may be included in the 
definition of ``full financial risk,'' manufacturers of a drug or 
biological remain ineligible to give or receive protected remuneration 
under this safe harbor as finalized here. Such parties may be VBE 
participants, but they cannot exchange remuneration protected by this 
safe harbor. We refer readers to the section of this final rule 
addressing the definition of ``VBE participant'' for a discussion of 
our rationale.
iii. Other Defined Terms
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(gg)(9) that the terms ``coordination and management of care,'' 
``target patient population,'' ``value-based activity,'' ``value-based 
arrangement,'' ``value-based enterprise,'' ``value-based purpose,'' and 
``VBE participant'' would have the meaning set forth in proposed 
paragraph 1001.952(ee).
    Summary of Final Rule: We are finalizing, with modifications, our 
proposed use of the value-based terminology at paragraph 
1001.952(gg)(9)(iv). We no longer use the term ``coordination and 
management of care'' in this safe harbor. Additionally, because 
paragraph 1001.952(gg)(1) makes certain entities ineligible to use the 
value-based safe harbors, we are finalizing the term ``manufacturer of 
a device or medical supply,'' with the same meaning set forth in 
paragraph 1001.952(ee)(14).
c. Entities Ineligible for Safe Harbor Protection
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(ee) to limit the entities that could qualify as VBE 
participants, which would have the effect of limiting availability of 
the value-based safe harbors, including the full financial risk safe 
harbor at proposed paragraph 1001.952(gg), for those ineligible 
entities. The proposed definition of ``VBE participant'' is summarized 
more fully in section III.B.2.e of this preamble.
    Summary of Final Rule: We are not finalizing our proposal in 
proposed paragraph 1001.952(ee) to limit the entities that could 
qualify as VBE participants. As explained at section III.B.2.e, in the 
final rule we are identifying parties ineligible to rely on safe 
harbors in the safe harbors themselves. For the full financial risk 
safe harbor, we are finalizing a requirement that remuneration is not 
exchanged by any of the following entities: (i) Pharmaceutical 
manufacturers, wholesalers, and distributors; (ii) PBMs; (iii) 
laboratory companies; (iv) pharmacies that primarily compound drugs or 
primarily dispense compounded drugs; (v) manufacturers of devices or 
medical supplies; (vi) entities or individuals that manufacture, sell, 
or rent DMEPOS (other than a pharmacy or a physician, provider, or 
other entity that primarily furnishes services, all of whom remain 
eligible); and (vii) medical device distributors or wholesalers that 
are not otherwise manufacturers of devices or medical supplies. This 
list, set forth at paragraph 1001.952(gg)(1), effectuates proposals in 
the OIG Proposed Rule to make these entities ineligible to use this 
safe harbor for the exchange of remuneration pursuant to a value-based 
arrangement.
    Comments, our responses, and policy decisions regarding this issue 
can be found in the discussion of VBE participants in section III.B.2.e 
of this preamble.
d. VBE's Assumption of Risk From a Payor
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(1)that the VBE must assume full financial risk from a 
payor. We proposed that VBEs could assume full financial risk directly 
from a payor or through a VBE participant acting on behalf of the VBE.
    Summary of Final Rule: We are finalizing this requirement at 
paragraph 1001.952(gg)(2), with the following modifications. First, 
VBEs have two options to assume full financial risk from a payor. A VBE 
can assume risk from the payor through an arrangement that meets the 
definition of ``value-based arrangement,'' or a VBE can assume risk 
from a payor through a contract that places the VBE at full financial 
risk.
    The first option for risk arrangements requires the payor to be a 
VBE participant, which is permitted under our final definition of ``VBE 
participant.'' The payor (as a VBE participant) and the VBE can enter 
into a value-based arrangement for the VBE to assume full financial 
risk. As we proposed and are finalizing in this rule, the introductory 
paragraph to 1001.952(gg) protects remuneration exchanged pursuant to a 
value-based arrangement. Therefore, remuneration exchanged pursuant to 
a payor's and a VBE's value-based arrangement could be protected by 
this safe harbor, including remuneration exchanged to implement the 
full financial risk methodology, if the value-based arrangement meets 
all applicable conditions of the safe harbor.
    Under the second option, payors that do not wish to be part of the 
VBE may choose to enter into a written contract with the VBE that is 
not a value-based arrangement for the purposes of the VBE's assumption 
of full financial risk. Under this option, payors would not be VBE 
participants, the written contract between the payor and the VBE would 
not be a value-based arrangement, and the payor would not be subject to 
the other conditions of the safe harbor. In such circumstances, these 
contracts must only meet the condition at paragraph 1001.952(gg)(2), 
i.e., they must evidence the VBE's assumption of full financial risk 
from the payor. Remuneration exchanged pursuant to a risk assumption 
contract that is not a value-based arrangement is not protected by this 
safe harbor. The VBE and the payor would need to assess any potential 
remuneration exchanged pursuant to the risk arrangement contract and 
its compliance with the Federal anti-kickback statute.

[[Page 77776]]

    To enable the payor and VBE to use this safe harbor to protect 
remuneration exchanged pursuant to their value-based arrangement, we 
are providing at paragraph 1001.952(gg)(4) of the safe harbor that, 
even though the payor is a VBE participant, the payor is exempt from 
the prohibition against a VBE participant claiming payment in any form 
from the payor for items or services covered under the value-based 
arrangement.
    We are also modifying this requirement to clarify that the payor 
cannot act on behalf of the VBE; the VBE must be a distinct legal 
entity or represented by a VBE participant, other than a payor, that 
acts on the VBE's behalf.
    We summarize and respond to comments regarding this proposed 
condition as applied only to the full financial risk safe harbor below. 
For a summary of the comments received regarding the requirement that a 
VBE assume financial risk from a payor pursuant to a value-based 
arrangement, in both the substantial downside financial risk and full 
financial risk safe harbors and our responses, we refer readers to the 
discussion of this condition in the substantial downside financial risk 
safe harbor at section III.B.4.d.
    Comment: Commenters requested that OIG clarify that payors can act 
on behalf of the VBE to assume full financial risk.
    Response: We are revising the regulatory text in response to these 
comments to clarify that a single VBE participant may act on behalf of 
the VBE to assume full financial risk from a payor, provided it is not 
itself a payor. That is, the agent of the VBE and the payor from which 
the VBE is assuming full financial risk from may not be the same 
entity.
    Comment: Multiple commenters expressed concern that, because Indian 
health care is compensated through Indian Health Service appropriations 
and the Medicare, Medicaid, and CHIP programs, Indian health care 
providers could not be risk-bearing entities, as required in the 
proposed full financial risk safe harbor.
    Response: It is possible that Indian health care providers might 
not be risk-bearing entities for purposes of this safe harbor; that 
would be a programmatic matter outside the scope of this rulemaking. 
There may be other providers of varying types that are not able to, or 
choose not to, meet the requirements of this safe harbor. This would 
not foreclose Indian health care providers or other providers from 
engaging in care coordination arrangements and seeking safe harbor 
protection under the care coordination arrangements safe harbor at 
paragraph 1001.952(ee), which does not require the assumption of any 
risk (but is available for risk-bearing arrangements), or other 
available safe harbors, such as the safe harbor for personal services 
and management contracts and outcomes-based payments at paragraph 
1001.952(d). Moreover, the fact that an arrangement does not fit in a 
safe harbor does not make the arrangement unlawful. The OIG advisory 
opinion process is also available for providers seeking a legal opinion 
regarding their arrangements.
    Comment: A commenter requested that the safe harbor not be limited 
to items and services covered by a particular payor, but rather 
extended to all items and services provided to a VBE participant's 
patients, regardless of payor. For example, the commenter requested 
that the safe harbor protect risk-based arrangements between a health 
system and providers where the VBE assumes risk for all of the 
providers' patients, regardless of the patients' payors.
    Response: A VBE could assume full financial risk for all of the 
items and services provided to all of a VBE participant's patients, 
provided the VBE and VBE participant have defined the target patient 
population to include all of the VBE participant's patients, and if the 
VBE participant's patients are insured by multiple payors, the VBE has 
assumed full financial risk from each payor that insures a patient who 
is part of the target patient population. The risk that a VBE assumes 
is not limited to the items and services covered by the applicable 
payor that a VBE participant provides (e.g., only the items and 
services provided by the health system); rather, the VBE's risk 
encompasses all items and services covered by the applicable payor, 
regardless of whether a VBE participant or another provider provides 
such items and services.
e. Phase-In Period
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(1) that the full financial risk safe harbor would protect 
remuneration exchanged pursuant to value-based arrangements between a 
VBE and a VBE participant where the VBE is contractually obligated to 
assume full financial risk in the next 6 months. We solicited comments 
on whether such lead time should be shorter or longer.
    Summary of Final Rule: We are finalizing, with modification, a 
protected ``phase-in'' period at paragraph 1001.952(gg)(2). In response 
to comments requesting a longer phase-in period, we are extending the 
protected phase-in period for parties that have entered into a contract 
or a value-based arrangement to assume full financial risk from the 
proposed 6 months to 1 year.
    In contrast to the substantial downside financial risk safe harbor, 
we believe an extended 1-year phase-in period is warranted where a VBE 
is preparing to assume full financial risk for the total cost of items 
and services covered by the applicable payor for the target patient 
population.
    We refer readers to the substantial downside financial risk safe 
harbor section at III.B.4.e regarding the phase-in requirement for a 
summary of comments we received on this phase-in period, and our 
responses, as applicable to both the substantial downside financial 
risk safe harbor and full financial risk safe harbor and for a more 
detailed discussion of this standard. We did not receive comments 
regarding the phase-in period specific to the full financial risk safe 
harbor. Among other comments, commenters recommended a 1-year phase-in 
period for both safe harbors.
f. Writing
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(2) that the parties to the value-based arrangement must 
set forth the material terms of the value-based arrangement in a signed 
writing that includes the value-based activities to be undertaken by 
the parties. At proposed paragraph 1001.952(gg)(1), we proposed that 
the VBE have a signed writing with the payor that specifies the target 
patient population and contains terms evidencing the VBE's full 
financial risk.
    Summary of Final Rule: We are finalizing, with modification, a 
writing requirement for value-based arrangements at paragraph 
1001.952(gg)(3). The modification, based on public comments, clarifies 
that the writing requirement can be satisfied by a collection of 
documents. The writing requirement now states that the value-based 
arrangement must be set forth in writing, signed by the parties, and 
specify all material terms, including the value-based activities and 
the term. This writing requirement does not apply to contracts between 
a VBE and a payor that are not value-based arrangements.
    For further discussion of and responses to the general comments we 
received regarding a writing requirement, we refer readers to section 
III.B.3.d that discusses the writing requirement for purposes of the 
care coordination arrangements safe harbor. The general comments 
addressed

[[Page 77777]]

aspects of the writing requirement that were common to all three value-
based safe harbors. In this section, we discuss only the comments 
specific to the proposed full financial risk safe harbor's writing 
requirement.
    Comment: A commenter asked OIG to clarify whether, to the extent 
parties have multiple value-based arrangements for which they are 
seeking protection under this safe harbor, each value-based arrangement 
must be set forth in separate writings or whether one agreement could 
suffice.
    Response: This safe harbor, like the substantial downside financial 
risk safe harbor, does not dictate the manner in which parties document 
their value-based arrangements. For example, a VBE could choose to 
document the value-based arrangement it entered into with a payor and 
the value-based arrangement it entered into with a downstream VBE 
participant in a single writing; alternatively, it could maintain two 
separate writings for the two distinct value-based arrangements.
g. 1-Year Minimum Term of Value-Based Arrangement
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we proposed 
in paragraph 1001.952(gg)(2) to require that the term of the value-
based arrangement be for a period of at least 1 year.
    Summary of Final Rule: We are not finalizing this proposed 
requirement.
    Comment: A few commenters opposed the proposed requirement that the 
term of the value-based arrangement be for at least 1 year, with one 
commenter asserting that a value-based arrangement term requirement 
could impose unnecessary obstacles to beneficial innovation. Commenters 
also asked whether an arrangement would meet this requirement of the 
safe harbor if the parties terminate the arrangement during the first 
year but do not enter into a substantially similar arrangement until 
the expiration of the first year.
    Response: We are not finalizing the proposed requirement that the 
term of the value-based arrangement be for a period of at least 1 year. 
We believe the requirement for a VBE to assume full financial risk from 
the payor for a period of at least 1 year is a sufficient safeguard 
against gaming without also requiring the value-based arrangement to 
have a 1-year minimum term. Parties must still document the term of 
their value-based arrangement as a condition of meeting this safe 
harbor's writing requirement.
h. Remuneration Used To Engage in Value-Based Activities
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(4)(i) to require that the remuneration exchanged be used 
primarily to engage in the value-based activities set forth in the 
parties' signed writing.
    Summary of Final Rule: We are not finalizing this proposed 
requirement.
    Comment: A commenter asked whether, given the requirement that 
remuneration must be used primarily to engage in value-based 
activities, all activities of an integrated delivery system subject to 
global budget arrangements, either upstream or downstream, will relate 
to the value-based activities for the target patient population. 
Another commenter requested that we interpret this requirement to mean 
that, if substantially all of an integrated delivery system's 
activities include the assumption of financial risk for all services, 
the remaining incidental activities and associated remuneration among 
VBE participants also would be protected.
    Response: We are not finalizing the proposed requirement that all 
remuneration exchanged pursuant to the full financial risk safe harbor 
be used primarily to engage in value-based activities for the target 
patient population. We intended this proposed condition to safeguard 
against the exchange of remuneration to inappropriately induce 
referrals. However, based on comments received to this safe harbor and 
the substantial downside financial risk safe harbor (as detailed in 
section III.B.4.f), we do not think this safeguard is necessary in the 
full financial risk safe harbor, given this safe harbor's unique 
combination of safeguards, and in particular, the requirement that the 
VBE assume full financial risk from a payor for a target patient 
population and the safe harbor's limitation on exchanges of 
remuneration to those between the VBE and a VBE participant. For 
purposes of the substantial downside financial risk safe harbor, we 
addressed this issue more narrowly, excluding monetary remuneration 
exchanged pursuant to a risk methodology that meets the definition of 
``substantial downside financial risk'' or ``meaningful share'' from 
the requirement that remuneration exchanged be used predominantly to 
engage in value-based activities. However, for the reasons set forth 
above, we believe a more flexible approach is warranted in this safe 
harbor, and we are not finalizing the proposed condition.
    With respect to the comment regarding safe harbor protection for 
incidental activities and associated remuneration where substantially 
all of an entity's activities include the assumption of financial risk 
for all services, we note that the value-based safe harbors do not 
protect business models or necessarily all activities and remuneration 
flowing under, for example, an integrated delivery system. Rather, the 
full financial risk safe harbor, like the other value-based safe 
harbors, protects discrete streams of remuneration exchanged pursuant 
to a value-based arrangement, and parties would need to evaluate each 
stream separately to assess compliance with the Federal anti-kickback 
statute, and as applicable, any available safe harbor.
i. Direct Connection to Value-Based Purposes
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(4)(ii) to require that the remuneration be directly 
connected to one or more of the VBE's value-based purpose(s), at least 
one of which must be the coordination and management of care for the 
target patient population. We proposed that this condition would be 
interpreted consistent with the similar condition in the care 
coordination arrangements safe harbor.
    Summary of the Final Rule: We are finalizing, with modification, 
the requirement that remuneration exchanged between the VBE and a VBE 
participant under this safe harbor be connected to one or more value-
based purposes at paragraph 1001.952(gg)(5)(i). Based on public 
comment, we are modifying the provision to remove the requirement that 
all remuneration be connected to the purpose of coordinating and 
managing care for the target patient population.
    Comment: Commenters asked for examples of the types of arrangements 
the safe harbor could protect, and a commenter specifically asked 
whether the safe harbor would protect fee-for-service payments, bonus 
payments based on quality outcomes, or both from a VBE to a VBE 
participant. A commenter also asked whether a VBE could give 
remuneration to an owner of the VBE, where the owner is a VBE 
participant.
    Response: This safe harbor could protect arrangements for bonus 
payments based on quality outcomes or shared savings and losses 
arrangements, among other types of payment arrangements, as long as all 
requirements of the safe harbor are satisfied, including the 
requirement that

[[Page 77778]]

the remuneration exchanged must be directly connected to one or more 
value-based purposes. With respect to the commenter's question about 
fee-for-service payment, this safe harbor does not dictate the manner 
of payment between the VBE and the VBE participant for items and 
services rendered to the target patient population. Provided the VBE 
has assumed full financial risk from a payor and the VBE participant 
does not claim payment from the payor for the items and services 
furnished to the target patient population, the VBE could pay the VBE 
participant on a fee-for-service basis.
    Whether a VBE could give remuneration to an owner of the VBE, where 
the owner is a VBE participant, is a fact-specific determination. While 
the safe harbor, by its terms, does not preclude remuneration exchanged 
between a VBE and an owner of the VBE where the owner is a VBE 
participant, we highlight that this safe harbor does not protect an 
ownership or investment interest in the VBE or any distributions 
related to an ownership or investment interest.
    Unlike the similar requirement in the other value-based safe 
harbors, we are not requiring a direct connection to any specific 
value-based purpose under this safe harbor. This safe harbor is 
designed to protect the broadest scope of remuneration, and some 
remuneration may be more closely connected to one of the other value-
based purposes. Therefore, we are providing more flexibility for a VBE 
assuming full financial risk to determine the value-based purpose(s) to 
which the exchange of remuneration is directly connected. This includes 
remuneration exchanged pursuant to a value-based arrangement between 
the VBE and the payor (as a VBE participant) that effectuates the VBE's 
assumption of full financial risk from the payor. For a summary of 
comments received regarding the requirement for a direct connection to 
the coordination and management of care and further discussion of this 
requirement as proposed in the care coordination arrangements safe 
harbor, the substantial downside financial risk safe harbor, and the 
full financial risk safe harbor, we refer readers to the applicable 
section of this final rule for each safe harbor.
j. No Reduction in Medically Necessary Items or Services
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(4)(iii) to require that remuneration must not induce the 
VBE or VBE participants to reduce or limit medically necessary items or 
services furnished to any patient. We proposed to interpret this 
condition consistent with the similar condition proposed in the care 
coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(gg)(6). The modification provides that 
the value-based arrangement (not merely the remuneration exchanged) may 
not induce the VBE or VBE participants to reduce or limit medically 
necessary items or services furnished to any patient.
    For a summary of comments received and our responses regarding this 
condition, as proposed in each of the value-based safe harbors, we 
refer readers to the care coordination arrangements and substantial 
downside financial risk safe harbor sections discussing this 
requirement at III.B.3.e and III.B.4.h, respectively.
k. Taking Into Account the Volume or Value of, or Conditioning 
Remuneration on, Business or Patients Not Covered Under the Value-Based 
Arrangement
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(5) that the VBE or VBE participant offering the 
remuneration could not take into account the volume or value of, or 
condition the remuneration on, referrals of patients outside of the 
target patient population or business not covered under the value-based 
arrangement. This proposed safeguard is identical to that included in 
the proposed care coordination arrangements and substantial downside 
financial risk safe harbors.
    Summary of Final Rule: We are finalizing, without modification, 
this condition, and relocating it to paragraph 1001.952(gg)(7). 
Comments received on this topic addressed the requirement as it applied 
to the value-based safe harbors generally; we did not receive separate 
comments on this requirement specific to this safe harbor. 
Consequently, we refer readers to the care coordination arrangements 
safe harbor section regarding this requirement at III.B.3.f for a 
summary of applicable comments, our responses, and a more detailed 
discussion of this standard.
l. Offer or Receipt of Ownership or Investment Interests
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(4)(iv) that the full financial risk safe harbor would not 
protect an ownership or investment interest in the VBE or any 
distributions related to an ownership or investment interest, and we 
solicited comments on this approach and, in particular, any operational 
challenges this approach might present.
    Summary of Final Rule: We are finalizing, without modification, 
this condition and relocating it to paragraph 1001.952(gg)(5)(ii).
    Comment: Similar to the substantial downside financial risk safe 
harbor, several commenters opposed this condition or, alternatively, 
requested that OIG clarify that it does not intend to prohibit VBE 
participants from establishing a corporate structure for a VBE in which 
participants may each receive some equity. A commenter asserted that, 
without modifying or clarifying OIG's approach to protecting an 
ownership or investment interest in the VBE or any distributions 
related to an ownership or investment interest, the safe harbor would 
unnecessarily restrict individuals and entities from dictating the 
corporate structure of the VBEs they elect to create. Another commenter 
stated that the safe harbor should protect ownership or investment 
interests where payors require that only a single entity, as opposed to 
a collection of entities, enter into the full financial risk 
arrangement.
    Response: We do not view protection for ownership or investment 
interests in a VBE as fundamental to parties entering into value-based 
arrangements under this safe harbor and decline to protect them under 
this safe harbor. We are concerned that, were we to protect such 
remuneration streams, such protection would serve only to align 
financial interests of the parties without benefitting the payor or 
target patient population. Remuneration in the form of ownership or 
investment interests presents a higher risk that offers of investment 
interests or returns on investment will be for the purpose of inducing 
referrals, without attendant care coordination, quality, or cost-
reduction benefits related to the target patient population or the 
payor. Parties seeking to protect a particular ownership or investment 
interest may look to existing safe harbors (e.g., the safe harbor for 
investment interests found at paragraph 1001.952(a)), and the advisory 
opinion process remains available.
    Regardless of whether a payor requires that a single entity, as 
opposed to a collection of entities, enter into a contract or a value-
based arrangement to assume full financial risk, the safe harbor itself 
requires a single individual or entity to contract or enter into a 
value-based arrangement with the payor to assume full financial risk 
(e.g., the VBE may directly contract with the

[[Page 77779]]

payor or a single VBE participant (other than a payor) may act on 
behalf of the VBE to contract with the payor). If a VBE participant 
that has assumed full financial risk as an agent of the VBE seeks to 
share its risk with other parties to the VBE, the safe harbor is 
available to protect such risk-sharing arrangements, provided they meet 
all requirements of the safe harbor.
m. No Remuneration From Individuals or Entities Outside the Applicable 
VBE
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(4)(v) that the full financial risk safe harbor would not 
protect any remuneration funded by, or otherwise resulting from 
contributions by, any individual or entity outside of the applicable 
VBE.
    Summary of Final Rule: We are not finalizing this proposed 
requirement, based on concerns--raised by commenters in the context of 
the same provision in the care coordination arrangements safe harbor--
that this condition could inadvertently restrict the exchange of 
beneficial remuneration that we intend to protect. While we are not 
finalizing this condition, we emphasize that remuneration exchanged 
outside of a value-based arrangement would not be protected by any of 
the value-based safe harbors. We did not receive separate comments on 
this requirement specific to this safe harbor. Consequently, we refer 
readers to the care coordination arrangements safe harbor and 
substantial downside financial risk safe harbor sections at III.B.3.e 
and III.B.4.j discussing this requirement for a summary of applicable 
comments, our responses, and a more detailed explanation of our 
rationale for not finalizing this standard.
n. Utilization Review and Quality Assurance Programs
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(6) that the VBE must provide or arrange for an operational 
utilization review program and a quality assurance program that 
protects against underutilization and specifies patient goals, 
including measurable outcomes, where appropriate. We noted that such 
proposed conditions would mirror those found in the managed care safe 
harbor at paragraph 1001.952(u) but explained that we were considering 
other ways to frame these proposed conditions to reflect the 
utilization review and quality assurance mechanisms in place today.
    Summary of Final Rule: We are finalizing, with modifications, this 
proposed condition at paragraph 1001.952(gg)(8). Based on public 
comment, the modifications afford parties additional flexibility in 
conducting quality and utilization reviews. Specifically, VBEs seeking 
protection under this safe harbor must provide or arrange for a quality 
assurance program for services furnished to the target patient 
population that: (i) Protects against underutilization of items and 
services furnished to the target patient population; and (ii) assesses 
the quality of care furnished to the target patient population. We are 
not finalizing the proposed requirement to have an operational 
utilization review program.
    Comment: Some commenters supported our proposal to require the VBE 
to provide or arrange for an operational utilization review program and 
a quality assurance program, while another commenter requested that OIG 
reconsider this requirement, stating that VBEs are not the equivalent 
of a managed care organization and that operational utilization review 
programs and quality assurance programs are robust, expensive programs 
that require significant lead time to implement. A couple of commenters 
asked OIG to explain the term ``operational,'' and a commenter 
specifically asked whether a utilization review program that is used 
only on an annual basis would be considered ``operational.'' Another 
commenter asked whether an existing utilization review program of a 
contracting payor or provider would meet this requirement.
    Response: We are revising the terminology used in order to afford 
parties additional flexibility consistent with our intent that a VBE 
provide or arrange for a program to protect against underutilization 
and specify patient goals. Specifically, VBEs must provide or arrange 
for a quality assurance program for services furnished to the target 
patient population that: (i) Protects against underutilization of items 
and services furnished to the target patient population; and (ii) 
assesses the quality of care furnished to the target patient 
population. Such a quality assurance program may include an operational 
utilization review program and specify patient goals; however, an 
operational utilization review program is no longer a requirement. 
Pursuant to this revised standard, parties may determine what 
activities and mechanisms are most suitable to assess the quality and 
appropriateness of care furnished to the target patient population, 
provided such mechanisms meaningfully protect against underutilization 
and assess the quality of care furnished to the target patient 
population.
    The flexibility we are providing to parties is in recognition that 
VBEs may be subject to varying requirements related to quality 
assurance programs based on State law or the terms of its value-based 
arrangement with the payor. Notwithstanding this additional 
flexibility, as with the condition proposed in the OIG Proposed Rule, 
this revised requirement effectuates our intent that a VBE provide or 
arrange for a program to protect against underutilization and specify 
patient goals.
    In response to commenters' specific inquiries, we acknowledge that, 
even with the additional flexibility afforded by our revisions to this 
condition, quality assurance programs are robust and potentially 
expensive undertakings. Thus, we are highlighting that this condition 
does not mandate that VBEs establish such review programs themselves; 
the VBE may also arrange for such programs. For example, VBEs may look 
to payors with which they are contracting or entering into value-based 
arrangements to assume full financial risk to share, or fully assume, 
this responsibility. In such circumstances, the VBE may reasonably rely 
on the payor's existing quality assurance program infrastructure 
provided it meets all safe harbor requirements.
o. No Marketing of Items or Services or Patient Recruitment Activities
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(7) to exclude safe harbor protection for remuneration 
exchanged pursuant to a value-based arrangement that included marketing 
items or services to patients or engaging in patient recruitment 
activities. We proposed to interpret this condition consistent with our 
interpretation of this same proposed requirement in the care 
coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing, with modifications, the 
limitation on marketing and patient recruitment at paragraph 
1001.952(gg)(5)(iii). Rather than prohibiting all marketing and patient 
recruitment activities, we modified the provision to prohibit the 
exchange or use of remuneration for the purpose of marketing items or 
services furnished by the VBE or VBE participants to patients or for 
the purpose of patient recruitment activities. We received only one 
comment on this requirement specific to this safe harbor, detailed 
below. We refer readers to the care coordination arrangements safe 
harbor's discussion regarding this requirement at section III.B.3.j for 
a summary of applicable comments, our responses, additional

[[Page 77780]]

explanation regarding this standard, and a rationale for the 
modification we are making.
    Comment: Without further explaining its position, a commenter 
stated that there is no need for any marketing or patient recruitment 
limitations in the full financial risk safe harbor.
    Response: Consistent with the other value-based safe harbors, we 
have modified the marketing requirement to be more limited in scope but 
to preclude protection for remuneration exchanged or used for the 
purpose of marketing items or services furnished by the VBE or a VBE 
participant to patients or patient recruitment activities. Although we 
agree that the VBE's assumption of full financial risk generally 
warrants greater flexibility in this safe harbor, we continue to 
believe that a prohibition on certain marketing and patient recruitment 
practices is an important fraud and abuse safeguard across all three 
value-based safe harbors for the reasons set forth in the discussion of 
the marketing condition in the care coordination arrangements safe 
harbor. In particular, with respect to the full financial risk safe 
harbor, we are concerned that remuneration under the value-based 
arrangement may be exchanged or used to engage in inappropriate patient 
recruitment activities to incentivize, for example, beneficiary 
enrollment in, or alignment to, a particular health plan.
p. Materials and Records
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(gg)(8) that the VBE or its VBE participants maintain 
documentation sufficient to demonstrate compliance with the safe 
harbor's conditions and to make such records available to the Secretary 
upon request. We solicited comments regarding whether we should require 
parties to maintain materials and records for a set period of time 
(e.g., at least 6 years or 10 years). We proposed to interpret this 
requirement as described in the OIG Proposed Rule's preamble discussing 
the proposed care coordination arrangements safe harbor.
    Summary of Final Rule: We are finalizing, with modification, the 
materials and records requirement at paragraph 10001.952(gg)(9). The 
final rule includes new language to specify that, for a period of at 
least 6 years, the VBE or its VBE participants must maintain materials 
and records sufficient to establish compliance with the conditions of 
the safe harbor. We did not receive separate comments on this 
requirement specific to this safe harbor; the comments received related 
to the value-based safe harbors generally. Consequently, for a more 
detailed discussion and a summary of and responses to the comments 
received regarding this requirement, we refer readers to section 
III.B.3.n discussing the materials and records condition in the care 
coordination arrangements safe harbor.
q. Downstream Arrangements
    Summary of OIG Proposed Rule: In the preamble, we noted that the 
proposed full financial risk safe harbor would apply only to 
remuneration exchanged between a VBE and a VBE participant pursuant to 
a value-based arrangement. We stated that the proposed safe harbor 
would not protect remuneration exchanged between or among VBE 
participants that are part of the same VBE, between a VBE participant 
and a downstream contractor, or between two downstream contractors. We 
explained that we were concerned about extending safe harbor protection 
to remuneration exchanged pursuant to these arrangements because the 
downstream parties may have assumed little or no financial risk, which 
could result in fee-for-service incentives, and therefore, a risk of 
overutilization or other traditional harms associated with fee-for-
service payments. We solicited comments on a variety of alternate 
approaches to protecting remuneration exchanged pursuant to certain 
downstream arrangements (e.g., additional safeguards in either the full 
financial risk safe harbor or another safe harbor).
    Summary of Final Rule: We are finalizing, without modification, the 
requirement that the exchange of remuneration must be between the VBE 
and a VBE participant in the introductory paragraph to 1001.952(gg). We 
are not extending safe harbor protection to remuneration that passes 
from one VBE participant to another VBE participant or a downstream 
contractor. As articulated in the substantial downside financial risk 
safe harbor section discussing downstream arrangements, we are limiting 
safe harbor protection to the exchange of remuneration between the VBE 
and a VBE participant because we believe it is important to provide the 
protection and regulatory flexibility the risk-based safe harbors 
afford only where the VBE is a party to the value-based arrangement. We 
are concerned that, without the VBE as a party, where neither party has 
assumed full financial risk and may continue to bill the applicable 
payor on a fee-for-service-basis, there is a heightened concern about 
traditional FFS fraud and abuse risks. We note that a VBE participant 
seeking to exchange remuneration with another VBE participant may look 
to the care coordination arrangements safe harbor or other safe 
harbors, such as the personal services and management contracts and 
outcomes-based payments safe harbor.
    For a summary of the comments received regarding this limitation, 
our responses, and a detailed explanation regarding our decision not to 
extend this safe harbor to downstream arrangements, we refer readers to 
our discussion of the parallel provision in the substantial downside 
financial risk safe harbor in section III.B.4.p. We did not receive 
comments on this requirement specific to this safe harbor that diverged 
from the comments summarized in the section describing the parallel 
provision in the substantial downside financial risk safe harbor.
r. Potential Additional Safeguards
    Summary of OIG Proposed Rule: We stated in the preamble that we 
were considering adopting two additional safeguards for purposes of the 
final rule: A cost-shifting prohibition and a requirement that parties 
submit information to the Department regarding their value-based 
arrangement.
    Summary of Final Rule: We are not finalizing the two additional 
proposed safeguards. Similar to the substantial downside financial risk 
safe harbor, we are not including a cost-shifting prohibition, in 
recognition that the assumption of full financial risk is intended to 
drive a reduction in costs, which may include Federal health care 
program costs. We did not receive comments on this alternative 
condition specific to this safe harbor that diverged from the comments 
summarized in section III.B.4.q of the substantial downside financial 
risk safe harbor preamble, and we refer readers to that section for a 
summary of comments received and our responses.
    We are likewise not finalizing a requirement for parties to submit 
information to the Department for the reasons previously articulated in 
the care coordination arrangements safe harbor's discussion of this 
alternative safeguard, including minimizing administrative burden. We 
did not receive comments on this condition specific to this safe harbor 
that diverged from the comments previously summarized in section 
III.B.4.p of the care coordination arrangements safe harbor preamble, 
and we refer readers to that section for a summary of comments and our 
responses.
    We received comments requesting additional safeguards to the full 
financial risk safe harbor that we did not

[[Page 77781]]

propose, and we summarize such comments below.
    Comment: Several commenters supported the addition of other 
safeguards that we did not propose in the preamble to the full 
financial risk safe harbor. For example, some commenters supported a 
requirement for value-based arrangements to include objective and 
quantifiable outcome measures, and a commenter asserted that the 
outcome measures, the methodology for measuring them, and how the 
measures affect cost should be transparent to the public. Other 
commenters suggested that we include the requirement that neither the 
value-based arrangement nor VBE participants limit parties' ability to 
make decisions in the best interest of their patients.
    Response: We are not requiring, in the context of the full 
financial risk safe harbor, that value-based arrangements include 
outcome measures (or any public transparency requirements related to 
such outcome measures) because we did not propose this as a 
requirement, and we do not believe that such a requirement would 
appreciably mitigate risk, given other conditions of the safe harbor. 
However, we note that we are separately requiring that the VBE provide 
or arrange for a quality assurance program for services furnished to 
the target patient population that: (i) Protects against 
underutilization of items and services furnished to the target patient 
population; and (ii) assesses the quality of care furnished to the 
target patient population. While outcome measurement is not a 
requirement of this safe harbor, as a practical matter, we anticipate 
that an assessment of the quality of care furnished to the target 
patient population pursuant to a quality assurance program may include 
quantitative or qualitative measures assessing, for example, 
performance on certain outcome measures. We did not propose and are not 
finalizing a requirement that neither the value-based arrangement nor 
VBE participants limit the parties' ability to make decisions in the 
best interest of their patients, nor do we think it would be necessary 
given other protections in the safe harbor.
6. Arrangements for Patient Engagement and Support To Improve Quality, 
Health Outcomes, and Efficiency (42 CFR 1001.952(hh))
    Summary of OIG Proposed Rule: We proposed to establish a new safe 
harbor at paragraph 1001.952(hh) to protect remuneration in the form of 
patient engagement tools and supports furnished directly by VBE 
participants to patients in a target patient population. The tools and 
supports could not be funded by anyone outside the VBE (proposed 
paragraph 1001.952(hh)(2)). We proposed to protect only in-kind 
preventive items, goods, or services, or in-kind items, goods, or 
services, such as health-related technology, patient health-related 
monitoring tools and services, or supports and services designed to 
identify and address a patient's social determinants of health 
(proposed paragraph 1001.952(hh)(3)(i)). We proposed that protected 
remuneration would need to have a direct connection to the coordination 
and management of care (proposed paragraph 1001.952(hh)(3)(ii)) and 
advance one of six enumerated goals related to patient care (proposed 
paragraph 1001.952(hh)(3)(vii)). The proposal included a $500 cap on 
the amount of protected remuneration a VBE participant could furnish to 
a patient on an annual basis, with an exception based on the good 
faith, individualized determination of a patient's financial need 
(proposed paragraph 1001.952(hh)(5)). The proposed safe harbor included 
several additional conditions, such as a requirement that provision of 
a tool or support would not result in medically unnecessary or 
inappropriate items or services reimbursed in whole or in part by a 
Federal health care program. Other proposed conditions are summarized 
more fully below.
    Summary of Final Rule: We are finalizing, with modifications, the 
patient engagement and support safe harbor at paragraph 1001.952(hh). 
The bases for the modifications are explained the preamble sections 
that follow. In particular, we have revised the language at paragraph 
1001.952(hh)(3)(i) to remove the specific illustrative categories of 
health-related technologies, patient health-related monitoring tools 
and services, and supports and services designed to identify and 
address a patient's social determinants of health. With respect to 
preventive items, goods, and services, we have moved the element of 
prevention to the list of enumerated goals that can be advanced by 
protected remuneration at paragraph 1001.952(hh)(3)(vi). The final 
language at paragraph 1001.952(hh)(3)(i) articulates our policy to be 
agnostic as to the types of in-kind tools and supports that can be 
protected by the safe harbor if all safe harbor conditions are met.
    Further, we are finalizing at paragraph 1001.952(hh)(1) a list of 
entities that may not furnish or otherwise fund or contribute to 
protected tools and supports under this safe harbor, which includes 
manufacturers, distributors, and wholesalers of pharmaceuticals; 
pharmacy benefit managers; laboratory companies; pharmacies that 
primarily compound drugs or primarily dispense compounded drugs; 
manufacturers of devices and medical supplies (unless the tool or 
support is digital health technology); entities or individuals that 
sell or rent DMEPOS (other than a pharmacy, a manufacturer of a device 
or medical supply, or a physician, provider, or other entity that 
primarily furnishes services); medical device distributors and 
wholesalers; and physician-owned medical device companies. Similar to 
our approach in the care coordination arrangements safe harbor at 
paragraph 1001.952(ee), a tool or support furnished or funded by a 
manufacturer of a device or medical supply (as defined in paragraph 
1001.952(ee)(14)) is eligible for safe harbor protection only if the 
tool or support is digital health technology (defined at paragraph 
1001.952(ee)(14)). As explained at section III.B.2.e above, we are 
listing ineligible entities in each safe harbor rather than excluding 
them in the definition of VBE participant.
    The final safe harbor protects only in-kind remuneration. The final 
safe harbor includes at paragraph 1001.952(hh)(5) the proposed $500 
annual, aggregate cap provision (without the proposed exception for 
tools and supports above the cap furnished based on good faith, 
individualized determinations of a patient's financial need). The final 
safe harbor also includes at paragraph 1001.952(hh)(3)(iv) the proposed 
requirement that the provision of a tool or support not result in 
medically unnecessary or inappropriate items or services reimbursed in 
whole or in part by a Federal health care program. Additional 
conditions of the final safe harbor are summarized by topic in 
discussions that follow.
a. General Comments
    Comment: Among the commenters offering general feedback on the 
proposed safe harbor, some commenters supported the proposed 
safeguards, others supported adding some or all of the additional 
considered safeguards on which we solicited comments, and others stated 
that certain proposed or additional safeguards would impose a 
significant administrative burden on stakeholders seeking protection 
under the safe harbor. A number of comments noted that the safe harbor 
would promote patient engagement, encourage adherence to treatment, and 
improve outcomes. Other commenters requested

[[Page 77782]]

specific changes or clarifications to various proposals.
    Response: We appreciate the commenters' suggestions regarding the 
scope and impact of this safe harbor, including the conditions we 
proposed and considered. As discussed below, we are finalizing a number 
of the proposed conditions, in some cases with modifications suggested 
by commenters. We also are removing or modifying some conditions in 
response to comments and adding some of the proposed conditions for 
which we solicited comments.
b. Entities Ineligible for Protection
    Summary of OIG Proposed Rule: We proposed to protect only tools and 
supports furnished by VBE participants, as defined in proposed 
paragraph 1001.952(ee)(12). This proposed definition excluded 
pharmaceutical manufacturers, laboratories, and manufacturers, 
distributors, and suppliers of DMEPOS. As a result, these entities 
would be ineligible to use this proposed safe harbor. The entities we 
proposed to make ineligible to participate in a VBE are described in 
more detail in section III.B.2.e of this preamble. We also indicated 
that the final rule might exclude additional entities from furnishing 
patient engagement tools and supports, including physician-owned device 
companies, compounding pharmacies, and medical device and supply 
manufacturers, wholesalers, and distributors.\55\ We solicited comments 
on several alternative frameworks for protected offerors and conditions 
related to protected offerors under this safe harbor, including whether 
the offeror should assume at least some downside financial risk.
---------------------------------------------------------------------------

    \55\ 84 FR 55703-06, 55722 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: As explained in section III.B.2.e of this 
preamble, the final definition of VBE participant has been expanded to 
make all entity types eligible as VBE participants. However, within 
each value-based safe harbor, we identify entities that are ineligible 
to rely on that particular safe harbor. For the patient engagement and 
support safe harbor, and as set forth in paragraph 1001.952(hh)(1), we 
are finalizing the following entities as ineligible to use the safe 
harbor to furnish protected remuneration to patients: (i) 
Pharmaceutical manufacturers, wholesalers, and distributors; (ii) PBMs; 
(iii) laboratory companies; (iv) pharmacies that primarily compound 
drugs or primarily dispense compounded drugs; (v) manufacturers of 
devices or medical supplies (except with respect to digital health 
technology, as described below); (vi) entities or individuals that sell 
or rent DMEPOS (other than a pharmacy, a medical device or supply 
manufacturer that also sells or rents DMEPOS, or a physician, provider, 
or other entity that primarily furnishes services, all of whom remain 
eligible); (vii) medical device distributors or wholesalers that are 
not otherwise manufacturers of devices or medical supplies; and (viii) 
medical device manufacturers, distributors, or wholesalers with 
ownership or investment interests held by physicians. This expanded 
list of excluded entities addresses our concerns, based on our 
longstanding enforcement and oversight experience, that certain types 
of entities present a higher risk of misusing this safe harbor 
primarily or significantly to offer remuneration to beneficiaries as a 
means to market their products and services rather than to improve the 
coordination and management of patient care.
    In this final rule, OIG recognizes the important role that digital 
health technology plays in advancing the Department's goals in 
connection with the Regulatory Sprint, including improving the 
coordination and management of patient care. Accordingly, at paragraph 
1001.952(hh)(1)(v), this final rule permits manufacturers of devices 
and medical supplies to furnish patient engagement tools or supports 
that constitute digital health technology, as defined at paragraph 
1001.952(ee)(14). On balance and in consideration of the full set of 
applicable safe harbor conditions, we have concluded that this policy 
would advance the benefits of improved care coordination without undue 
risk to patients or programs.
    With respect to whether an entity falls into a category of 
ineligible entities, we refer readers to the discussion of the various 
types of ineligible entities and entities with multiple lines of 
business at section III.B.2.e of this preamble. The same rationale set 
forth there for excluding each type of entity from the value-based safe 
harbors and the same analysis for categorizing entities with multiple 
lines of business apply to the patient engagement and support safe 
harbor.
    Comment: A number of commenters supported OIG's proposal to limit 
safe harbor protection to tools and supports furnished by VBE 
participants, as defined in the OIG Proposed Rule, because it helps 
ensure that the tools and supports are aligned with the goals of well-
coordinated care and improving value by incentivizing coordination and 
collaboration among a patient's providers. Commenters also supported 
making specific types of entities ineligible for protection under this 
safe harbor, such as pharmaceutical manufacturers and manufacturers, 
distributors, and suppliers of DMEPOS.
    Response: We are finalizing our policy that safe harbor eligibility 
is limited to VBE participants and, consequently, that tools and 
supports furnished or funded by certain types of entities would not be 
eligible for safe harbor protection. The final patient engagement and 
support safe harbor protects only remuneration provided by a VBE 
participant; this term, as defined in this final rule, does not limit 
or restrict what type of entity may be a VBE participant. However, this 
safe harbor does not protect tools and supports furnished or funded by 
the entities listed in paragraph 1001.952(hh)(1), even if such entities 
are VBE participants.
    We continue to believe that offering and furnishing patient 
engagement tools and supports by these ineligible entities elevates the 
risk of fraud and abuse. For example, as we stated in the OIG Proposed 
Rule, offers of tools or supports by pharmaceutical manufacturers to a 
patient could improperly influence the patient, as well as a 
clinician's decision to prescribe one drug over another. Such 
remuneration could influence a patient to request a particular drug 
that is more expensive or less clinically efficacious than other 
clinically equivalent drugs. This could both improperly influence 
patient choice and increase costs to Federal health care programs--two 
factors cited by Congress to consider when developing safe harbors--
without necessarily increasing quality. Similarly, we remain concerned 
that the entities identified as ineligible for this safe harbor may 
inappropriately use patient engagement tools and supports to induce the 
use of medically unnecessary items and services; market their products; 
or divert patients from a more clinically appropriate item or service, 
provider, or supplier without regard to the best interests of the 
patient. Accordingly, we are finalizing paragraph 1001.952(hh)(1) to 
specify that the entities listed above are ineligible to furnish, fund, 
or contribute to remuneration protected by the patient engagement and 
support safe harbor.
    Comment: Several commenters urged OIG to broaden the safe harbor to 
protect tools and supports offered by entities that are not VBE 
participants. Another commenter noted that many payors and providers 
have developed effective patient incentive programs that

[[Page 77783]]

have occurred outside the value-based care setting but nonetheless 
advance OIG's goals of improving adherence to a followup care plan, 
improving adherence to a treatment or drug regimen, enhancing the 
management of a disease or condition, or ensuring patient safety. 
Commenters also expressed concern that requiring VBE participation 
imposes an increased administrative burden on providers, which could be 
a barrier to offering patient engagement tools and supports. Another 
commenter added that limiting the safe harbor to VBE participants would 
effectively preclude single-provider entities from safe harbor 
protection.
    Response: As noted above, we are finalizing a condition that safe 
harbor protection is only available for tools and supports furnished by 
VBE participants, subject to additional conditions. In the preamble to 
the OIG Proposed Rule, we explained that safe harbor protection would 
only be available to VBE participants in order to align the proposed 
patient engagement and support safe harbor with the value-based 
framework proposed in that rule.\56\ Limiting safe harbor protection to 
VBE participants is an important condition because it requires entities 
to adhere to certain formalities that promote value-based objectives 
including, for example, articulating a value-based purpose and 
identifying a target patient population based on legitimate and 
verifiable criteria that are set out in writing and further the VBE's 
value-based purpose.
---------------------------------------------------------------------------

    \56\ 84 FR 55722 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Moreover, we believe the modest administrative steps required to 
establish a VBE--namely, establishing an accountable body and creating 
a governing document--require that entities determine how to 
effectively promote value-based care (e.g., how the VBE participant 
intends to achieve its value-based purpose). In the context of patient 
engagement tools and supports, the VBE must connect the provision of 
tools and supports to the goal of furthering value-based care that 
underlies this rulemaking. We emphasize that we perceive the 
administrative steps required to establish a VBE as relatively minimal, 
and they should not pose a significant burden on providers and others 
that desire to furnish protected tools and supports. We also note that 
solo practitioners are not foreclosed from protection under this safe 
harbor. A solo practitioner could partner with another entity or 
individual--without changing the membership of the practitioner's own 
practice--to form a VBE. As a VBE participant, the solo practitioner 
would then be eligible to offer protected tools and supports to 
patients, provided the other conditions of the safe harbor are 
satisfied.
    Comment: Several commenters urged OIG to extend safe harbor 
protection to providers in rural or underserved areas even if they are 
not VBE participants. According to commenters, these practices may not 
have sufficient patient populations or resources to create or 
participate in a VBE.
    Response: We do not believe the modest administrative steps 
required to establish a VBE will be a barrier to most entities--
including providers serving rural or underserved patients--that are 
seeking to offer tools and supports to beneficiaries. Moreover, we 
believe that requiring entities to fulfill certain VBE-related 
requirements will help ground any offer or provision of patient 
engagement tools and supports in the value-based objectives central to 
this rule, namely the coordination and management of patient care. A 
VBE does not require a target patient population to be a particular 
size, and in any event a small practice or a provider in a rural or 
underserved community may partner with larger providers or other 
entities with more resources to form VBEs. Accordingly, the final rule 
does not offer providers in rural or underserved areas an exception to 
the safe harbor's condition that requires that the individual or entity 
offering or furnishing protected tools and supports be a VBE 
participant.
    Comment: Commenters recommended that tools and supports furnished 
or funded by various specific types of entities should be eligible for 
protection under this safe harbor. In particular, commenters 
recommended that pharmaceutical manufacturers; manufacturers, 
distributors, and suppliers of DMEPOS; and laboratories--all of which 
were ineligible for VBE participation per the definition of ``VBE 
participant'' in the OIG Proposed Rule--should be eligible to furnish 
or fund protected tools and supports under this safe harbor. Commenters 
also noted that pharmaceutical manufacturers; manufacturers, 
distributors, and suppliers of DMEPOS; and laboratories increasingly 
are diversified entities that include corporate affiliates and business 
units that provide a wide range of items and services, including health 
technologies, care coordination and clinical management, and other 
offerings and services. Commenters also urged that pharmacists, 
pharmacies, pharmacy benefit managers, dialysis facilities, and health 
technology companies should be eligible for protection under the 
patient engagement and support safe harbor.
    Response: Under the final rule, tools and supports furnished or 
funded by manufacturers, distributors, and wholesalers of 
pharmaceuticals; individuals and entities that sell or rent DMEPOS; 
pharmacy benefit managers; laboratory companies; pharmacies that 
primarily compound drugs or primarily dispense compounded drugs; 
medical device distributors and wholesalers; and physician-owned 
medical device companies are not eligible for protection under the 
patient engagement and support safe harbor. Based on our longstanding 
enforcement and oversight experience, there is a risk that these 
entities could misuse this safe harbor to offer remuneration to 
beneficiaries as a means to market their products and services rather 
than advancing the goal of improving the coordination and management of 
patient care. For the same reasons, medical device manufacturers are 
not eligible for protection under this safe harbor except to the extent 
the tools or supports provided are digital health technology.
    Similar to the care coordination arrangements safe harbor, we have 
taken a tailored, risk-based approach to address protection for the 
provision of digital health technology to patients. Among the entities 
that are otherwise ineligible for this safe harbor, we have identified 
manufacturers of devices or medical supplies as an entity type that 
should, to advance the policy goals of this rulemaking, have a limited 
pathway for protection when they provide digital health technologies as 
defined in this rule. Under the final rule, manufacturers of devices or 
medical supplies as defined in paragraph 1001.952(ee)(14) are eligible 
for protection under the patient engagement and support safe harbor, 
but only to the extent that the tools and supports they provide to 
patients meet the definition of digital health technology, as also 
defined in paragraph 1001.952(ee)(14). All VBE participants that are 
eligible to use this safe harbor may provide patients with digital 
health technology. Eligible VBE participants, other than a manufacturer 
of a device or medical supply, are not limited to digital heath 
technology as defined at paragraph 1001.952(ee)(14) as long as all safe 
harbor conditions are met.
    Under the final care coordination arrangements safe harbor, DMEPOS 
companies (i.e., entities or individuals that sell or rent DMEPOS 
(other than a pharmacy, a manufacturer of a device or medical supply, 
or a physician,

[[Page 77784]]

provider, or other entity that primarily furnishes services)) are also 
eligible for the limited technology participant pathway. However, for 
the patient engagement and support safe harbor, we are finalizing our 
proposal to make companies that sell or rent DMEPOS ineligible for the 
safe harbor without exception. We make this distinction based on the 
different roles and risks associated with entities and individuals that 
sell or rent DMEPOS when they interact directly with patients. Our 
enforcement experience reveals persistent and troubling fraud and abuse 
in sectors of the DMEPOS industry, including inducements paid to 
beneficiaries to order medically unnecessary products or to disclose 
their Medicare beneficiary identifier or other personal information. 
Entities and individuals that sell or rent DMEPOS have more pervasive 
and personal relationships with individual patients and sell more 
products directly to patients than manufacturers of medical devices and 
supplies. This restriction does not mean that patients cannot receive 
digital tools and supports related to DMEPOS under the safe harbor, but 
they cannot be provided or funded by entities and individuals that sell 
or rent DMEPOS. Arrangements between entities and individuals that sell 
or rent DMEPOS and patients would be subject to a case-by-case analysis 
for compliance with the Federal anti-kickback statute.
    Consistent with the discussion in section III.B.2.e.ii, the final 
rule lists ``an entity or individual that sells or rents'' DMEPOS as 
ineligible for safe harbor protection unless the entity or individual 
is a pharmacy, a manufacturer of a device or medical supply, or a 
physician, provider, or other entity that primarily furnishes services. 
This approach focuses on the nature of the entity's business rather 
than relying on unrelated definitions of ``distributor'' or 
``supplier.'' As explained in section III.B.2.e.ii, carving out 
pharmacies, providers, and other entities that primarily furnish 
services will ensure that these entities--which are likely to be at the 
front lines of care coordination--remain eligible for safe harbor 
protection.
    For purposes of the patient engagement and support safe harbor, a 
manufacturer of a device or medical supply is eligible for protection, 
as provided in paragraph 1001.952(hh)(1)(vi), even if it rents or sells 
DMEPOS. The multiple business lines analysis would not be needed. The 
definition for DMEPOS companies at paragraph 1001.952(hh)(1)(vi) is 
different from the definition of DMEPOS companies for the care 
coordination arrangements safe harbor to effectuate and clarify the 
policy goal that the patient engagement and support safe harbor protect 
digital technology provided by medical device and supply manufacturers.
    Regarding commenters' concern about the potential impact of the 
safe harbor's entity carve-outs on diversified entities that include 
corporate affiliates and business units that provide a wide range of 
items and services, we reiterate the discussion in section III.B.2.e.v 
above regarding entities with multiple lines of business.
    Among other specific entity types addressed by commenters, we note 
that the only entities not eligible to provide protected remuneration 
under this safe harbor are those entities listed in paragraph 
1001.952(hh)(1). Accordingly, many of the entities mentioned by 
commenters including many pharmacists and pharmacies and dialysis 
facilities could furnish protected tools and supports, provided all 
conditions of the safe harbor are satisfied. Pharmacy benefit managers 
are not eligible to furnish protected tools and supports under this 
safe harbor for the reasons set forth at section III.B.2.e. Health 
technology companies are eligible to be VBE Participants and furnish 
protected tools and supports. If the health technology company is a 
manufacturer of a device or medical supply, then it may only furnish 
protected tools and supports in the form of digital health technology. 
If the health technology company is an entity or individual that sells 
or rents DMEPOS covered by a Federal health care program (other than a 
pharmacy, a manufacturer of a device or medical supply, or a physician, 
provider, or other entity that primarily furnishes services) or any 
other type of ineligible entity, it may not use this safe harbor.
    As explained in more detail in section III.B.2.e.ii.f, pharmacies 
that primarily compound drugs or primarily dispense compounded drugs 
are ineligible for protection under the patient engagement and support 
safe harbor. We have significant concerns about fraud and abuse risks 
based on enforcement and oversight experience involving compounding 
pharmacies. Although pharmacies that primarily compound drugs or 
primarily dispense compounded drugs are ineligible for safe harbor 
protection, we believe most community pharmacies would remain eligible. 
As explained in section III.B.2.e.iv, we believe that many community 
and retail pharmacies have the potential to be VBE participants and 
further the coordination and management of patient care, including 
through the provision of patient engagement tools and supports. 
Accordingly, pharmacies (other than compounding pharmacies) are fully 
eligible for protection under this safe harbor.
    Comment: Some commenters objected to categorically limiting 
protection based on entity type altogether, urging OIG to focus on 
program integrity safeguards that could prohibit inappropriate behavior 
rather than carving out categories of entities from protection. A 
commenter suggested that, to the extent OIG retains its categorical 
approach in the final rule, it should clarify that parties will not be 
ineligible for safe harbor protection on the basis of corporate 
affiliates, shared ownership, or separate business units.
    Response: As noted in our response to the prior comment, the 
entities listed in paragraph 1001.952(hh)(1) may not furnish protected 
tools and supports under this safe harbor because of the risk that 
tools and supports from these entities could improperly influence 
patients or physicians. The final rule does not explicitly prohibit an 
entity that is a corporate affiliate or under shared ownership with an 
ineligible entity from offering protected tools and supports. For 
entities with multiple business lines, this preamble at section 
III.B.2.e.v describes the analysis to determine whether such an entity 
would be considered one of the ineligible entity types under this safe 
harbor. Notably, corporate affiliation--whether by majority ownership, 
common ownership, or another structure--has no bearing on eligibility 
for safe harbor protection under the patient engagement and support 
safe harbor.
    Comment: Several commenters recommended that OIG structure the 
patient engagement and support safe harbor to protect tools and 
supports offered by Indian health programs.
    Response: We are mindful of the important work done by Indian 
health programs and the critical needs of their patient populations for 
improved coordination and delivery of care. Indian health care 
providers that become VBE participants are eligible to use this safe 
harbor to provide tools and supports to beneficiaries. We did not 
propose and have not structured a specific safe harbor for Indian 
health programs. Providers interested in patient engagement programs 
can also use the local transportation safe harbor. It is important to 
note that arrangements that do not fit in a safe harbor are not 
necessarily unlawful, and the OIG advisory opinion process remains

[[Page 77785]]

available for providers seeking a legal opinion regarding an existing 
or proposed arrangement.
    Comment: In response to our solicitation of comments in the OIG 
Proposed Rule regarding a potential condition that safe harbor 
protection is only available to entities that assume downside financial 
risk, several commenters urged OIG not to adopt such a financial risk 
assumption requirement. One commenter opined that there is no logical 
connection between a provider's financial risk and the benefits of 
patient engagement. Another commenter noted that adding a financial 
risk requirement could limit application of this safe harbor to large 
practices and health systems, positing that small, rural, and 
underserved practices are unable to take on financial risk and 
therefore would not be able to provide tools and supports protected by 
the safe harbor should it include a requirement that protected offerors 
assume downside financial risk. A commenter noted that for a VBE with 
downside financial risk there is no incentive to provide an item, tool, 
support, or service that is not related to treating or preventing a 
disease or injury among a target patient population. As such, 
inherently, the VBE participant must believe the tool or support will 
provide a medical or health benefit to the patient to whom it is being 
given. Another commenter with experience as a risk-bearing ACO entity 
supported limiting this safe harbor to VBEs engaged in risk-bearing 
arrangements, citing a learning curve in the appropriate use of tools 
and supports, and highlighting that the assumption of downside 
financial risk may offset some of the traditional fraud and abuse 
concerns, such as overutilization.
    Response: We agree with commenters and believe that various 
providers and other entities--including those who have not assumed 
downside financial risk--could engage in beneficial patient engagement 
and support. Consequently, in an attempt to promote flexibility and 
innovation related to patient engagement and support, the safe harbor 
as finalized in this rule does not contain a financial risk 
requirement.
c. Limitations on Recipients
    Summary of OIG Proposed Rule: The proposed safe harbor protected 
only tools and supports furnished by a VBE participant to a patient 
within a defined ``target patient population,'' as that term is defined 
at proposed paragraph 1001.952(ee)(12)(ii), and without regard to payor 
type. We solicited comments on whether to broaden the category of 
patients who can receive protected tools and supports under this safe 
harbor to include, for example, any patient, so long as the tools and 
supports predominantly address needs of the target patient population 
and the tools and supports have a direct connection to the coordination 
and management of care for the patient.\57\
---------------------------------------------------------------------------

    \57\ 84 FR 55723 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We finalize, with modification, our proposal 
to limit safe harbor protection to tools and supports provided to 
patients in a target patient population. The final safe harbor 
clarifies our intent that, to qualify for safe harbor protection, a 
tool or support must be furnished by a VBE participant to a patient in 
the target patient population of a value-based arrangement to which the 
VBE participant is a party. This language ensures that the remuneration 
is linked to the target patient population relevant to the VBE to which 
the VBE participant is a party. It further ensures that the 
remuneration has a direct connection to the coordination and management 
of care of the relevant target patient population, as set forth in the 
condition at paragraph 1001.952(hh)(3)(ii).
    Comment: Several commenters appreciated that we proposed protection 
for patient engagement tools and supports offered to a target patient 
population, notwithstanding payor type, and agreed as a general matter 
that the provision of protected tools and supports should be limited to 
the target patient population.
    Response: We have finalized the condition, as proposed. The safe 
harbor only protects remuneration provided to a patient in a target 
patient population.
    Comment: Some commenters suggested that this safe harbor not 
incorporate the definition of ``target patient population'' proposed at 
paragraph 1001.952(ee)(12)(ii), or that this safe harbor protect tools 
and supports given to certain patients outside the target patient 
population. Other commenters proposed alternative ``target patient 
population'' definitions or exceptions for rural and underserved 
communities outside of the VBE construct, as well as exceptions 
designed to address social determinants of health. Commenters also 
asked us to finalize a broad category of protected recipients without 
any defined parameters, such as limiting the scope of protected 
recipients to patients with a specific disease state or certain chronic 
conditions. Several commenters highlighted problems with and sought 
clarity regarding a VBE participant's inability to retrospectively or 
prospectively identify or assign patients to the target patient 
population, and whether a precise population was required to satisfy 
the definition of ``target patient population'' for purposes of this 
safe harbor.
    Response: The final safe harbor retains the conditions that a 
protected tool or support must be provided to a patient in the target 
patient population and must have a direct connection to the 
coordination and management of care of the target patient population. 
We believe that requiring a VBE participant to specify a target patient 
population prior to offering patient engagement tools and supports will 
help tie the tools and supports to the underlying value-based purposes 
of the VBE and will necessitate careful consideration of the objective 
characteristics of the patient population that likely will benefit from 
any offered tools and supports. We also believe that a connection to an 
objectively defined target patient population decreases the risk that 
valuable remuneration will be offered to patients as an inducement to 
seek care. We have incorporated the definition of ``target patient 
population'' as finalized at paragraph 1001.952(ee)(14)(v) for the sake 
of consistency and because VBE participants will have familiarity with 
the defined term through the creation of a VBE.
    As noted in the summary above, we also are finalizing the proposed 
requirement that only tools and supports furnished by VBE participants 
are eligible for protection under this safe harbor. This provision does 
not impose additional burdens on VBE participants. Establishing a VBE 
requires articulating a value-based purpose and defining a target 
patient population, which significantly contributes to meeting this 
condition. The requirement that a patient engagement tool or support be 
furnished by a VBE participant to a patient in a target patient 
population does not include any exceptions for patients in rural or 
underserved areas, or for remuneration intended to address social 
determinants of health. We emphasize, however, that VBE participants 
have considerable flexibility in determining how to define a target 
patient population, as long as the population is selected using 
legitimate and verifiable criteria that are set out in writing and 
further the VBE's value-based purpose. In addition, VBE participants 
could establish multiple target patient populations for the purposes of 
furnishing tools and supports to be protected by this safe harbor as 
long as all safe harbor conditions are satisfied.
    Comment: Many commenters supported the alternative language for

[[Page 77786]]

which we solicited comments, which would have protected tools and 
supports furnished to any patient, as long as the tools and supports 
predominantly address the needs of the target patient population, and 
the tools and supports have a direct connection to the coordination and 
management of care for the patient, noting, for example, that it can be 
challenging to make accurate prospective predictions of which patients 
are aligned with a target patient population at any given time.
    Response: In this final rule, we decline to protect remuneration 
furnished to patients outside a specified target patient population. 
Limiting protected tools and supports only to patients within the 
target patient population will help to ensure the tools and supports 
have a nexus to the VBE's underlying value-based purpose in a way that 
might be more attenuated under our alternative proposal.
    Comment: Some commenters recommended that the safe harbor protect 
the provision of tools or supports for patients whose conditions or 
circumstances are similar to those of the target patient population, 
highlighting the risk of penalties associated with providing tools and 
supports to patients who could benefit from them despite falling 
outside of the target patient population.
    Response: The final safe harbor requires VBE participants seeking 
protection under the patient engagement and support safe harbor to 
define the scope of the applicable target patient population to include 
patients likely to benefit from the relevant tools and supports. As 
discussed above in more detail in section III.B.2.c, the selection 
criteria--not the individual patients--must be identified in advance. 
Parties may modify their target patient population selection criteria 
prospectively by amending their existing value-based arrangement. VBE 
participants can retroactively attribute patients to the target patient 
population without amending the value-based arrangement if such 
patients meet the selection criteria established prior to the 
commencement of the value-based arrangement.
d. Furnished Directly to the Patient
    Summary of OIG Proposed Rule: We proposed to include a condition at 
proposed paragraph 1001.952(hh)(1) that the tool or support must be 
furnished directly to the patient by a VBE participant. We solicited 
comments on arrangements through which a VBE participant might order or 
arrange for the delivery of a tool or support from an independent third 
party. We also sought comment on whether to expressly permit a VBE 
participant to furnish the tool or support through someone acting on 
the VBE participant's behalf and under the VBE's direction, such as a 
physician practice that is a VBE participant providing a tool or 
support through an individual member of the practice or a nurse 
employed by the practice. We also solicited comments regarding whether 
to require patient notice if third parties are involved in the 
furnishing of the tool or support.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(hh)(2). The final rule extends safe 
harbor protection to a VBE participant that provides patient engagement 
tools or supports through a third party that qualifies as an ``eligible 
agent,'' as defined in paragraph 1001.952(hh)(9).
    Comment: Most commenters did not support the condition requiring 
that tools or supports be furnished directly to the patient by the VBE 
participant, for several reasons. For example, commenters asserted 
that, depending on the size or sophistication of the VBE participant's 
practice, the VBE participant may outsource the furnishing of the tool 
or support, or otherwise not be present at the time it is furnished. 
Others suggested that a partner or an agent of a VBE participant, such 
as a vendor, contractor, or employee of the participant, should also be 
permitted to furnish the patient engagement tools or supports at the 
direction of the VBE participant, noting that for entities and 
individuals furnishing tools and supports, outsourcing the provision of 
such tools and supports to independent third parties is a common 
practice. Other commenters recommended protection of tools and supports 
provided by nontraditional or nonclinical (but health-related) third 
parties that address social determinants of health or transportation 
needs. For example, a health system commenter indicated that it 
contracts with vendors to provide digital devices and tools to 
patients. Another commenter also provided an illustrative example, 
explaining that to furnish a patient with a ``grab bar'' at home, it 
would purchase a grab bar through an online retailer and then contract 
with a local hardware vendor to install the grab bar. Another commenter 
recommended safe harbor protection for the provision of tools and 
supports through which the third party is under the control and 
oversight of the VBE participant and is otherwise eligible to 
participate in a VBE (as proposed in the OIG Proposed Rule).
    Response: We agree that the safe harbor should protect the 
provision of tools and supports through a person or entity acting on 
behalf of the VBE participant and under the VBE participant's 
direction, but only if certain conditions are met. Requiring that the 
tool or support be furnished directly to the patient by the VBE 
participant prevents entities that are ineligible to participate in a 
VBE from directly or indirectly furnishing tools or supports to 
patients. Also, as we explained in the OIG Proposed Rule, the 
requirement would help patients understand who is furnishing the tool 
or support and why. Notwithstanding, we have finalized a provision at 
paragraph 1001.952(hh)(2) that extends protection to tools and supports 
furnished through a VBE participant's ``eligible agent,'' assuming the 
other conditions of the safe harbor are met. For purposes of this 
paragraph, ``eligible agent'' means any person or entity that is not 
identified in paragraph 1001.952(hh)(1)(i)-(viii) as ineligible to 
furnish protected tools and supports. Thus, the eligible agent must be 
an individual or entity that could furnish protected tools and supports 
under paragraph 1001.952(hh)--even though the eligible agent does not 
itself need to become a VBE participant. The VBE participant's eligible 
agent could be, for example, employees and contractors of a practice 
when the VBE participant is the practice itself, or other third parties 
such as technology vendors or retailers. This condition also means that 
an entity precluded from furnishing or funding protected tools and 
supports under paragraph 1001.952(hh)(1) cannot be an eligible agent of 
a VBE participant for purposes of furnishing a protected patient 
engagement tool or support. Furthermore, this safe harbor does not 
protect any remuneration that flows through or is furnished by a third 
party that is not an eligible agent.
    Comment: Some commenters recommended that a tool or support be 
eligible for safe harbor protection if it is furnished to a caregiver 
or family member of a patient in the target patient population.
    Response: We agree that a tool or support should be eligible for 
safe harbor protection if it is furnished to a caregiver or family 
member of a patient in the target population, as long as the tool or 
support satisfies all conditions of the safe harbor conditions. As we 
stated in the OIG Proposed Rule, a tool or support would not be 
considered ``diverted'' if furnished to the patient indirectly through 
the patient's caregivers or family members, or through another 
individual acting on behalf of the patient. We provided

[[Page 77787]]

examples of such scenarios, including one in which a patient is unable 
to care for himself or herself and another person has legal authority 
or the patient's consent to do so, such as when a parent caring for a 
minor child with asthma accepts and installs an air purifier on behalf 
of the child.\58\ Although we included this discussion in the context 
of a proposed condition to mitigate potential diversion of patient 
engagement tools and supports--which is not being finalized in this 
rule--we nevertheless believe the discussion is applicable to the 
``furnished directly'' condition at paragraph 1001.952(hh)(2). 
Accordingly, intervening caregivers and family members or others acting 
on behalf of the patient may facilitate the provision of the tool or 
support without the remuneration running afoul of the ``furnished 
directly'' requirement if all other conditions of the safe harbor are 
satisfied.
---------------------------------------------------------------------------

    \58\ 84 FR 55728 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: Some commenters suggested that when a third party is 
providing the tool or support, the patient should be notified in 
writing or otherwise about the sponsor and other details about the 
vendor and the purpose of the tool or support. Other commenters 
objected to any additional notification requirements as burdensome to 
the provider and the patient.
    Response: We appreciate the commenters' suggestion but decline to 
impose such a notification requirement. The safe harbor only protects 
the provision of tools and supports that are recommended by a patient's 
health care professional, and many of the enumerated goals in the safe 
harbor also require the involvement of the patient's licensed health 
care professional. Based on these conditions, we believe beneficiaries 
are unlikely to receive tools or supports that otherwise meet the 
conditions of the safe harbor without an awareness of the source and 
purpose of those items or services. Furthermore, lack of awareness of 
the source and purpose also may diminish the likelihood for improved 
patient engagement. To best promote patient engagement and ensure the 
benefits of any tools and supports are realized, VBE participants have 
an incentive to clearly communicate about the tools and supports they 
provide without a formal patient notification requirement.
e. Funding Limitations
    Summary of OIG Proposed Rule: In proposed paragraph 
1001.952(hh)(2), we proposed to prohibit any third-party entity or 
individual outside of the VBE from financing or otherwise contributing 
to the provision of patient engagement tools or supports. In the OIG 
Proposed Rule, this condition would have prevented entities not 
eligible to become VBE participants from circumventing that limitation 
and seeking protection for tools and supports they furnished to 
patients under the patient engagement and support safe harbor.
    Summary of Final Rule: We are finalizing, with modifications, this 
condition at paragraph 1001.952(hh)(4). Specifically, the final 
regulation text states that the patient engagement tool or support must 
not be funded or contributed by a VBE participant that is not a party 
to the applicable value-based arrangement or by an entity listed at 
paragraph 1001.952(hh)(1)(i) through (viii). The modifications have 
been made to ensure that the specified entities ineligible for 
protection under this safe harbor at paragraph 1001.951(hh)(1) are not 
able to circumvent that restriction by indirectly funding or 
contributing to tools and support protected under this safe harbor. 
This condition also clarifies our intent that the VBE participant must 
be a party to the ``applicable value-based arrangement.'' In other 
words, the patient receiving the tool or support must be a member of 
the target patient population of a VBA to which the VBE participant is 
a party. This also ensures that the remuneration has a direct 
connection to the coordination and management of care of the target 
patient population of the applicable VBA to which the VBE participant 
is a party. The condition at paragraph 1001.952(hh)(4) effectuates our 
proposed policy to bar safe harbor protection for tools and supports 
funded by entities that, under the proposed rule, could not have been 
in a VBE (see section III.B.2.e.ii for discussion of these entities). 
The safe harbor does not protect any patient engagement tools and 
supports funded by or involving contributions from entities identified 
at paragraph 1001.952(hh)(1)(i) through (viii).
    Comment: Several commenters found this condition unduly 
restrictive, citing potential challenges with meeting this condition 
when delegating the provision of tools and supports or sharing a care 
coordinator with someone outside of the VBE. Another commenter stated 
that entities explicitly ineligible for participation in a VBE under 
the OIG Proposed Rule's definition of ``VBE participant'' play a vital 
role in supporting the care of patients, and without funding from such 
entities, hospitals and payors would be limited regarding what types of 
patient engagement tools and supports they could provide.
    Response: We are finalizing this condition with modifications. This 
condition is an important safeguard that prevents entities ineligible 
for safe harbor protection from circumventing the conditions of the 
safe harbor by doing indirectly what they cannot do directly. Regarding 
commenters' concerns about the impact of this condition on the ability 
to delegate the provision of tools or supports, we emphasize that, as 
discussed in the prior section of this preamble, VBE participants may 
provide tools and supports via an eligible agent, which can be any 
third party as long as the third party is not otherwise ineligible to 
furnish protected tools and supports under this safe harbor.
    Comment: A commenter supported this condition, noting that outside 
funding or contributions pose a risk of inappropriate steering to 
specific suppliers of products or services. Other commenters 
appreciated the purpose of this limitation but asked OIG to allow for 
certain donations from foundations or charities to a VBE, together with 
a safeguard prohibiting the donating third party from having direction 
or control over how the funds are spent. Another commenter stated that 
other types of entities such as construction companies may offer to 
modify homes with ramps and wider doors, among other things, without 
charge, and that this condition could prevent protection for such 
donations.
    Response: We appreciate that many entities would like to fund or 
otherwise contribute to protected patient engagement tools and supports 
provided by a VBE participant, including through charitable or 
otherwise arm's-length donations made to a VBE. Our goal in 
implementing the funding and contribution limitations is to ensure that 
entities that may not furnish protected tools and supports directly are 
unable to indirectly provide or fund protected tools and supports. We 
believe that limiting the types of entities that may fund protected 
tools and supports is an important safeguard against circumvention 
schemes, including potential arrangements involving foundations or 
charities. Without the funding and contribution limitations, it is 
possible that entities ineligible to provide tools and supports could 
indirectly fund such items or services through a foundation, charity, 
or other entity, which could make it difficult to determine the 
ultimate source of funding. We believe the final funding and 
contribution limitations described

[[Page 77788]]

here provide sufficient flexibility for VBE participants to provide 
protected tools and supports while safeguarding against the heightened 
risk of fraud and abuse related to tools and supports furnished to 
patients by the types of entities that are ineligible for safe harbor 
protection.
    Nothing in this condition would prevent a charity or foundation 
from providing tools and supports directly to patients, assuming such 
an arrangement complies with the Federal anti-kickback statute or 
Beneficiary Inducements CMP, if either statute is implicated. If the 
charity or foundation is not funded by health care entities, the 
arrangement might not implicate the statutes. Further, nothing in this 
safe harbor would prevent construction companies from modifying homes 
with ramps, widening doors, or providing other construction services 
for free to patients, provided those arrangements comply with the 
statute. Free services offered to a patient directly by a construction 
company that does not provide Federally reimbursable items or services 
or make referrals for them would not implicate the statutes, and 
therefore, safe harbor protection would not be needed. However, such 
free services offered through an intermediary that provides federally 
reimbursable items and services, such as a hospital, would need to be 
evaluated on a case-by-case basis under the statute; the arrangement 
between the construction company and hospital would not implicate the 
statute, but the arrangement between the hospital and patient might.
f. Nature of the Remuneration
    Commenters provided numerous suggestions regarding specific types 
of remuneration potentially protected under this safe harbor. In the 
sections below, we respond to such comments and provide examples of 
potentially protected types of remuneration, but we note that the 
examples or categories of items, goods, and services included here are 
neither exhaustive nor presumptively protected under this safe harbor. 
Specifically, we remind stakeholders that all conditions of the safe 
harbor must be squarely satisfied for the tools and supports to be 
protected by the safe harbor.
i. In-Kind Remuneration
    Summary of OIG Proposed Rule: At proposed paragraph 
1001.952(hh)(3)(i), we proposed to protect any in-kind preventive item, 
good, or service, or an in-kind item, good, or service such as health-
related technology, patient health-related monitoring tools and 
services, or supports and services designed to identify and address a 
patient's social determinants of health.
    Summary of Final Rule: We are finalizing, with modifications, the 
provision at paragraph 1001.952(hh)(3)(i). The final rule protects 
patient engagement tools and supports that are in-kind items, goods, 
and services provided they meet all applicable safe harbor conditions. 
We are not finalizing the regulatory text at proposed paragraph 
1001.952(hh)(3)(i) that provided specific examples of protected in-kind 
items, goods, or services (i.e., health-related technology, patient 
health-related monitoring tools and services, supports and services 
designed to identify and address social determinants of health). As 
finalized by this rule, paragraph 1001.952(hh)(3)(i) specifies that 
protection is offered only for in-kind items, goods, or services, 
without specifying categories of items, goods, or services. We believe 
including nonexhaustive categories in regulatory text was not necessary 
or helpful to explain the meaning of an ``in-kind item, good, or 
service.'' These changes are intended to ensure the final rule does not 
inadvertently preclude types or categories of tools or supports that 
could receive protection under the safe harbor. Provided that all safe 
harbor requirements are satisfied, the final rule protects a broad 
range of tools and supports that may include, among others, health-
related technology, patient health-related monitoring tools and 
services, and supports and services designed to identify and address a 
patient's social determinants of health. We have modified and 
reorganized the regulatory text to better effectuate this policy.
    Based on public comments, we confirm that preventive items, goods, 
or services can be protected under this safe harbor. However, we are 
not finalizing the proposed regulatory text at paragraph 
1001.952(hh)(3)(i) regarding preventive care. To make clear that 
preventive items, goods, or services can fit in the safe harbor, we 
have amended the goal of ``management of a disease or condition'' to 
read ``prevention or management of a disease or condition'' at 
paragraph 1001.952(hh)(3)(vi)(D).
    Comment: A number of commenters supported our overall approach to 
identify categories of protected in-kind remuneration instead of 
endeavoring to provide a comprehensive list of tools and supports 
eligible for safe harbor protection and believed that the categories 
proposed are--and should remain--sufficiently flexible to encompass a 
range of tools and supports across various care settings. Commenters 
stated that VBEs should have flexibility to determine the most 
appropriate tools and supports to provide as a part of the arrangements 
and recommended against OIG specifying a list of tools and supports 
that could, ultimately, stifle innovation, particularly with respect to 
tools and supports designed to address social determinants of health. 
Alternatively, some commenters encouraged us to provide greater 
specificity and more examples of protected patient engagement tools and 
supports based on comments received in response to the OIG Proposed 
Rule. For example, a commenter urged OIG to provide as many examples as 
possible of the tools and supports that would and would not be 
protected by this safe harbor in the preamble to the final rule. Others 
requested some examples but urged us to clarify that any examples are 
illustrative, not exhaustive.
    A commenter supported protection for tools and supports that impact 
positive behavioral change, such as receiving an annual wellness visit, 
participating in a smoking cessation program, or seeking care from a 
lower cost provider (e.g., receiving imaging services in a freestanding 
setting as opposed to a hospital outpatient department). The commenter 
also supported addressing a barrier to adhering to a care plan, such as 
providing cooking classes to facilitate the preparation of healthy 
meals, providing condition-specific groceries, or providing condition-
specific technology (e.g., electronic scales, internet service to 
facilitate data collection, or both). Another commenter listed examples 
of additional dialysis-related tools and supports that should be 
covered.
    Response: Rather than listing specific examples of tools and 
supports potentially eligible for protection under this safe harbor, 
the final safe harbor contains a list of goals at paragraph 
1001.952(hh)(3)(vi), at least one of which a tool or support must 
advance in order to qualify for safe harbor protection. We believe this 
provides substantial flexibility for VBE participants to offer a wide 
range of tools and supports.
    As noted above, we have omitted the examples of remuneration listed 
in proposed paragraph 1001.952.(hh)(3)(i). With respect to tools and 
supports designed to address a patient's social determinants of health, 
such remuneration is protected if it meets one of the final safe 
harbor's enumerated goals listed at paragraph 1001.952(hh)(3)(vi). This 
change is intended to ensure the final rule is agnostic about the 
specific types or

[[Page 77789]]

categories of tools and supports protected by this safe harbor. As a 
result, health-related technology and patient health-related monitoring 
tools and services are eligible for safe harbor protection if they meet 
the other conditions of the safe harbor, including at least one of the 
goals at paragraph 1001.952(hh)(3)(vi).
    We have provided some examples of categories and specific tools and 
supports in the discussion below at section III.B.6.f.iv related to 
social determinants of health, as well as general descriptions of 
certain health technologies potentially protected by this safe harbor. 
We also agree with commenters who suggested that any examples provided 
in this final rule's preamble should be illustrative rather than 
exhaustive, to provide for flexibility and innovation in the provision 
of patient engagement tools and supports. We intend for the safe harbor 
to protect a range of in-kind remuneration and agree that many of the 
tools and supports described by the commenters may satisfy the safe 
harbor if all other conditions of the safe harbor are met.
    Comment: A commenter stated that the proposed safe harbor is too 
narrow to truly drive patient engagement because, although it protects 
the provision of tools and supports to patients, it does not protect 
efforts to encourage the utilization of those tools or otherwise 
protect efforts to incentivize care adherence.
    Response: We disagree that the safe harbor lacks sufficient 
regulatory flexibility for the provision of tools and supports that 
promote patient engagement. In response to the suggestion that the safe 
harbor should protect efforts to encourage the utilization of protected 
tools and supports, we note that nothing in the safe harbor would limit 
the ability of VBE participants to educate patients about available 
tools and supports as long as the VBE participant does not use the 
patient engagement tools or supports to market other reimbursable items 
or services, or for patient recruitment purposes, as prohibited at 
paragraph 1001.952(hh)(6).
    In response to the suggestion that the safe harbor should protect 
efforts to incentivize care adherence, we note that a VBE participant 
must ensure that the tool or support advances an enumerated goal at 
paragraph 1001.952(hh)(3)(vi), several of which involve patient 
adherence. For example, the safe harbor protects tools and supports 
that advance goals for adherence to a treatment regimen, adherence to a 
drug regimen, and adherence to a followup care plan if all other 
conditions are met. In addition, we think that the conditions requiring 
a licensed health care professional to recommend the tool or support 
and requiring that the tool or support be directly connected to the 
coordination and management of care require the offeror to evaluate 
whether the tool or support will advance the enumerated goals listed in 
the safe harbor.
    Comment: A commenter requested OIG clarify its interpretation of 
the phrase ``preventive care item or service'' for the purposes of this 
safe harbor to ensure that the definition remains flexible enough to 
encompass rapidly advancing technology. Another commenter requested 
that we add ``primary and secondary prevention'' to the regulatory text 
of this safe harbor to clarify that various forms of preventive efforts 
are protected by the safe harbor. Another commenter requested that we 
add ``tertiary'' prevention. Commenters generally supported OIG's 
proposal to defer to VBE participants or physicians in determining: (i) 
What constitutes a preventive item or service for the purposes of this 
safe harbor; and (ii) the appropriate tools and supports to address 
such preventive care, asserting that physicians are in the best 
position to assess whether a particular item or service is preventive.
    Response: Tools and supports in furtherance of preventive care and 
services can be protected under this safe harbor if the other 
conditions are satisfied. The final safe harbor regulation does not 
identify a specific category of remuneration for preventive care items, 
goods, or services. Instead, preventive items, goods, and services 
could be protected under the safe harbor's general protection of in-
kind items, goods, or services that satisfy the conditions of the safe 
harbor, including advancing one of the safe harbor's enumerated goals. 
For example, a preventive item, good, or service could advance the goal 
of ``prevention or management of a disease or condition'' at paragraph 
1001.952(hh)(3)(vi)(D).
ii. Cash, Cash Equivalents, and Gift Cards
    Summary of OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(hh)(3)(iii) to exclude protection for remuneration in the form 
of cash, cash equivalents, and gift cards, and we sought additional 
comments on whether the safe harbor should protect those forms of 
remuneration.
    Summary of Final Rule: We are finalizing, with modification, the 
proposed condition at paragraph 1001.952(hh)(3)(iii). The final 
regulatory text does not reference gift cards because some gift cards 
would be considered in-kind remuneration eligible for safe harbor 
protection. Cash, cash equivalents, and most gift cards are excluded in 
the final rule because the safe harbor is limited to in-kind 
remuneration.
    Comment: Several commenters echoed the concerns we raised in the 
OIG Proposed Rule regarding the risks of protecting cash, cash 
equivalents, and gift cards under the safe harbor, urging us to limit 
safe harbor protection to in-kind remuneration to reduce the risk of 
inappropriate patient steering or coercion.
    Response: We agree with these comments, and we believe restricting 
protection to in-kind remuneration in the final rule reflects OIG's 
longstanding concern about the fraud and abuse risks inherent to 
providing cash, cash equivalents, or gift cards to beneficiaries.
    Comment: A number of commenters urged OIG to protect gift cards 
under this safe harbor. In particular, several commenters suggested 
that we clarify that a voucher provided through a debit card-like 
mechanism that could be used to acquire tools or supports, such as food 
or transportation, would be considered ``in-kind'' under the safe 
harbor. Another commenter urged OIG to protect the provision of gift 
cards but suggested that prepaid debit cards should be excluded from 
protection, similar to existing OIG guidance regarding cash and cash 
equivalents.
    A commenter recommended protecting gift cards that may be redeemed 
only at certain stores for certain purposes consistent with OIG's 
previous guidance on cash and cash equivalents, as long as they are not 
advertised or otherwise included in prospective marketing or 
promotional efforts, and earned via active, verifiable participation in 
core elements of a beneficiary's treatment plan.
    A commenter noted that gift cards provide sufficient flexibility 
with less risk than cash, noting that a gift card may be exchanged for 
cash, but typically at a reduced value.
    Response: As we stated in the preamble to the OIG Proposed Rule, we 
would consider a voucher for a particular tool or support (e.g., a meal 
voucher or a voucher for a taxi) to satisfy the safe harbor's in-kind 
requirement. However, consistent with our treatment of these issues in 
prior regulations,\59\ we consider debit cards, rebate checks, and most 
gift cards to be cash equivalents and not a protected

[[Page 77790]]

form of in-kind remuneration under this safe harbor.
---------------------------------------------------------------------------

    \59\ 81 FR 88393 (Dec. 7, 2016).
---------------------------------------------------------------------------

    We are not, however, departing from OIG's existing guidance 
regarding limited-use gift cards.\60\ Gift cards that can be redeemed 
only for certain categories of items (such as fuel-only gift cards 
redeemable at gas stations) could meet the in-kind requirement under 
this safe harbor. Gift cards meet the in-kind requirement only if their 
potential use is limited to certain categories of items or services 
that meet the conditions of the safe harbor. For instance, a gift card 
for a service that delivers the ingredients necessary for a healthy 
meal would meet the in-kind requirement and could be protected if the 
other conditions of the safe harbor are satisfied. Gift cards offered 
by large retailers or online vendors that sell a wide variety of items 
(e.g., big-box stores) could easily be diverted from their intended 
purpose or converted to cash; we would consider such gift cards to be 
cash equivalents and therefore not eligible for protection under this 
safe harbor.
---------------------------------------------------------------------------

    \60\ 81 FR 88393 n. 19 (Dec. 7, 2016).
---------------------------------------------------------------------------

    Comment: A commenter posited that when gift cards are furnished to 
patients within the VBE context, the financial model of VBEs serves as 
an inherent safeguard against unnecessary and excessive utilization. 
The commenter asserted that when a VBE is financially at risk for 
improving outcomes, the VBE likely would not furnish gift cards to 
patients to drive unwarranted utilization and would be financially 
incentivized to encourage only beneficial utilization that improves 
health and helps manage the total cost of care.
    Response: Although we recognize that VBEs assuming downside 
financial risk may have incentives to avoid offering tools and supports 
to beneficiaries that could drive medically unnecessary utilization, we 
are not, as discussed above, requiring VBE participants under this safe 
harbor to assume some degree of financial risk. We believe that some of 
the risks associated with fee-for-service payment systems--such as 
overutilization--may continue to exist in VBEs where VBE participants 
continue to be paid on a fee-for-service basis. Therefore, there is a 
risk that VBEs would furnish gift cards to patients to drive 
inappropriate utilization, but such conduct would not be protected by 
this safe harbor and may implicate the Federal anti-kickback statute.
    Comment: Several commenters urged OIG to protect cash, cash 
equivalents, and gift cards under this safe harbor but to attach 
additional safe harbor conditions to such means of remuneration. For 
example, a commenter suggested that cash, cash equivalents, and gift 
cards should be protected as a reward for taking a particular action, 
but that remuneration should be provided only after a patient has taken 
the required action. Another commenter suggested that OIG protect cash, 
cash equivalents, and gift cards but impose a separate monetary cap 
that parallels OIG's nominal value guidance. The commenter also urged 
OIG to consider requiring that any patient eligible to receive a cash 
or cash-equivalent incentive would need to be an ``established 
patient'' as defined in the local transportation safe harbor, paragraph 
1001.952(bb).
    Other safeguards recommended by commenters specific to cash, cash 
equivalents, and gift cards include: Prohibiting the advertising of 
rewards; tying incentives to outcomes associated with the prescribed 
course of treatment; a requirement that incentives cannot be utilized 
to generate business or otherwise promote the utilization of 
unnecessary or inappropriate items and services; limiting the use of 
such incentives to items that promote health and wellness, such as 
nutritious food, exercise equipment, or health monitoring and tracking 
devices; and requiring entities to have an evidence-based reason to 
believe that cash, cash equivalents, or gift cards can increase patient 
adherence to recommended medical guidance. A commenter suggested that 
retrospective evaluation and auditing could be used to identify any 
potentially fraudulent activity relating to cash, cash equivalents, and 
gift cards.
    Response: We appreciate the commenters' suggestions for additional 
safe harbor conditions specific to the provision of cash, cash 
equivalents, and gift cards. Based on longstanding program integrity 
concerns, the final safe harbor only protects in-kind remuneration to 
include limited types of gift cards as described further above. OIG 
historically has had significant concerns about providing protection 
for providers' and other health care stakeholders' offers of cash or 
cash equivalents to patients, and our oversight experience suggests 
that cash and cash-equivalent remuneration raises substantial fraud and 
abuse risks, including the potential for inappropriate utilization of 
medically unnecessary items and services and improper patient steering. 
OIG tailored the final safe harbor's safeguards to in-kind tools and 
supports; therefore, it is not necessary to adopt additional conditions 
recommended by commenters specific to the provision of cash, cash 
equivalents, and gift cards.
    Comment: Commenters noted that cash and cash equivalents are a 
useful way to address social determinants of health and noted that cash 
and cash equivalents could facilitate patient access to transportation, 
counseling and coaching, meal preparation, existing and emerging self-
monitoring health technologies, and other supports that promote 
independence and positive health outcomes.
    Response: We recognize that cash and cash equivalents may be a 
useful way to address social determinants of health. We remain 
concerned, however, for the reasons explained above, that cash or cash-
equivalent remuneration to Federal health care program beneficiaries 
presents an elevated risk of fraud and abuse, and we are finalizing our 
proposal to protect only in-kind remuneration. Parties can structure a 
wide range of arrangements involving in-kind remuneration to address 
social determinants of health under the final safe harbor. For example, 
in lieu of cash, protected tools and supports could include vouchers or 
limited-use gift cards (e.g., to address transportation access to 
medical appointments to advance adherence to a followup care plan, a 
ride share voucher or gas card could be protected, provided all other 
safe harbor conditions are satisfied). Arrangements involving cash or 
cash equivalents used to address social determinants of health are not 
necessarily illegal; they would need to be evaluated under the anti-
kickback statute on a case-by-case basis, including the intent of the 
parties.
    Comment: A commenter asserted that expanding the safe harbor to 
protect gift cards, discount cards, and coupons toward future services 
would support the viability of smaller independent practices that 
operate in consolidated markets and are competing against hospitals and 
health systems.
    Response: We appreciate the commenter's concern regarding 
consolidation and the potential effects of our safe harbors on 
competition. This final safe harbor protects certain, limited 
categories of gift cards in accordance with OIG's previous guidance on 
cash equivalents and limited-use gift cards. We note that discount 
cards and coupons may qualify as protected in-kind remuneration as long 
as the other conditions of this safe harbor are satisfied. We do not, 
however, intend for this safe harbor to protect waivers or reductions 
in patient cost-sharing obligations, as discussed below. For example, a 
coupon designed

[[Page 77791]]

to cover only a patient's cost-sharing obligation would not be 
protected by this safe harbor. We also note that to the extent parties 
wish to have safe harbor protection for any discounts offered to 
beneficiaries, they would need to comply with the terms of the discount 
safe harbor at paragraph 1001.952(h) in order to receive safe harbor 
protection. Finally, to the extent the commenter is referencing gift 
cards, discount cards, and coupons that would reward patients for 
seeking care, such arrangements may not satisfy the prohibition on 
marketing and patient recruitment at paragraph 1001.952(hh)(6).
    Comment: A number of commenters offered general support for 
extending safe harbor protection to cash, cash equivalents, and gift 
cards provided to patients as rewards or incentives to promote various 
behaviors, including attending necessary appointments, adherence to a 
treatment regimen, or participation in a substance abuse treatment or 
behavioral modification program. Several commenters cited a body of 
research suggesting that cash incentives can be effective at improving 
patient engagement and adherence or behavioral modification. For 
example, a commenter cited behavioral economics research findings that 
even nominal amounts of cash or cash-equivalent remuneration can 
produce substantial improvements in overall health outcomes when used 
as an incentive to motivate patients to lead healthier lifestyles.
    Commenters also noted that gift cards may be employed as rewards 
for healthy patient behaviors and activities in a number of other 
contexts, including pursuant to certain section 1115 waiver programs, 
some Medicaid managed care organizations, and programs or initiatives 
related to Medicaid Incentives for the Prevention of Chronic Diseases.
    Response: In the OIG Proposed Rule, we solicited comments on 
including gift cards when they are provided to patients with certain 
conditions, such as substance abuse disorders and behavioral health 
conditions, as part of an evidence-based treatment program for the 
purpose of effecting behavioral change. We appreciate the responses 
from commenters and understand that incentives can effectively drive 
patient adherence to treatment programs, lead patients to follow 
healthier lifestyles, or effect other behavioral changes.
    For example, we recognize that research shows that contingency 
management interventions are the most effective currently available 
treatment for stimulant use disorders. Substance use disorder treatment 
programs utilizing contingency management often involve payments to the 
patient in the form of the opportunity to earn vouchers, gift cards, or 
even, in some models, salaries in exchange for desired prosocial 
behaviors or meeting specified goals. We also understand and 
acknowledge that there is a growing problem with stimulant (e.g., 
cocaine and methamphetamine) co-use with opioids. Combatting the opioid 
epidemic, including ensuring that patients have access to effective 
treatment programs, has been a top priority for the Administration, the 
Department, and OIG. In addition, many treatments involving contingency 
management interventions have been developed over decades by scientists 
supported by the Federal government through the National Institutes of 
Health.
    After weighing the potential benefits of contingency management and 
other programs designed to motivate beneficial behavioral change with 
the potential risks to program integrity--and understanding that many 
of these programs involve cash and cash-equivalent payments to 
patients--we are not expanding the patient engagement and support safe 
harbor to include cash and cash-equivalent payments offered as part of 
contingency management interventions or other programs to motivate 
beneficial behavioral changes. This does not mean that all such cash or 
cash-equivalent payments are unlawful, but they would be subject to 
case-by-case analysis under the Federal anti-kickback statute and 
Beneficiary Inducements CMP. In addition, we emphasize--as further 
discussed below--that in-kind remuneration and certain limited-use gift 
cards offered as part of contingency management interventions or other 
programs to motivate beneficial behavioral changes could receive 
protection under the patient engagement and support safe harbor if all 
safe harbor conditions are satisfied. Indeed, OIG's final rule offers 
many opportunities for those treating patients for substance use 
disorders to improve the coordination and management of patient care 
through value-based arrangements between providers that band together 
to improve care, the provision of in-kind incentives to patients to 
motivate them to meet treatment goals, and broader flexibilities for 
transportation arrangements under the existing local transportation 
safe harbor, which would meet an identified need for patients in rural 
areas seeking treatment. While not all such arrangements implicate the 
fraud and abuse statutes, arrangements involving community recovery 
support systems such as clubhouses and peer-to-peer focused support 
services would have broader access to safe harbor protection under the 
final rule.
    With respect to nominal amounts of cash or cash-equivalent 
remuneration mentioned by the commenter, we understand that some 
industry stakeholders believe OIG's guidance permits cash and cash-
equivalent incentive payments up to $75. This is a misunderstanding of 
OIG's guidance. The Conference Committee report accompanying the 
enactment of the Beneficiary Inducements CMP expressed Congress' intent 
that inexpensive gifts of nominal value be permitted.\61\ OIG has 
interpreted inexpensive gifts of nominal value to mean in-kind items 
and services with a retail value of no more than $15 per item or $75 in 
the aggregate per beneficiary on an annual basis.\62\ Gifts that 
implicate the Beneficiary Inducements CMP that exceed these dollar 
limits are not prohibited but are analyzed on a case-by-case basis for 
compliance under the statute. We highlight, however, that this nominal 
value guidance applies to the value of in-kind items and services, not 
to the value of incentive payments in the form of cash or cash 
equivalents. In other words, cash and cash-equivalent payments under 
$75 would not be covered by this guidance. Moreover, this guidance 
applies only with respect to the Beneficiary Inducements CMP and not to 
the Federal anti-kickback statute. Furthermore, we are aware that some 
industry stakeholders may be under a misimpression that OIG prohibits 
contingency management program incentives above $75. There is no OIG-
imposed $75 limitation on contingency management program incentives. 
Rather, the Federal anti-kickback statute may constrain the ability of 
individuals or entities to offer contingency management program 
incentives of any value to Federal health care program beneficiaries, 
depending on the facts of the arrangement. Moreover, in-kind incentives 
above the $75 annual, aggregate limit, and all cash or cash-equivalent 
incentives regardless of the amount, must be analyzed on the basis

[[Page 77792]]

of their specific facts for compliance with the Beneficiary Inducements 
CMP.
---------------------------------------------------------------------------

    \61\ See Joint Explanatory Statement of the Committee of 
Conference, section 231 of HIPAA, Public Law 104-191.
    \62\ OIG, Office of Inspector General Policy Statement Regarding 
Gifts of Nominal Value To Medicare and Medicaid Beneficiaries (Dec. 
7, 2016), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf.
---------------------------------------------------------------------------

    With respect to contingency management program incentives and other 
programs that offer incentives to motivate healthy behaviors--whether 
above or below $75 in value--we offer the following observations. In-
kind remuneration in connection with such programs can fit in the 
patient engagement and support safe harbor if all safe harbor 
conditions are met (including the $500 annual cap). As further 
explained in this section, the final safe harbor protects certain 
limited-use gift cards that advance one or more of the enumerated goals 
at paragraph 1001.952(hh)(3)(vi) and meet other safe harbor conditions, 
including that the remuneration must have a direct connection to the 
coordination and management of care of the target patient population. 
To the extent that a program involves salary payments to a bona fide 
employee for services furnished by the employee, the payments might 
qualify under the existing safe harbor for employees at paragraph 
1001.952(i).
    If a contingency management incentive that implicates the Federal 
anti-kickback statute, Beneficiary Inducements CMP, or both does not 
satisfy an existing safe harbor or exception (as applicable), that does 
not mean that such incentive automatically violates the statutes and is 
illegal. Contingency management incentive arrangements that do not 
comply with a safe harbor must be analyzed on a case-by-case basis for 
compliance with the Federal anti-kickback statute and Beneficiary 
Inducements CMP. In addition, incentives that are included in a service 
covered by a Federal health care program (i.e., the coverage includes 
the incentive itself) would not implicate the Federal anti-kickback 
statute or the Beneficiary Inducements CMP, provided that the 
applicable billing and coverage rules are followed including collection 
of any applicable patient cost-sharing obligations. In addition, 
incentives offered as part of a CMS-sponsored model may qualify for 
protection under the new safe harbor at paragraph 1001.952(ii). 
Further, we are aware that some incentives may be provided pursuant to 
or in connection with other government-sponsored demonstrations or 
other government-sponsored programs (including studies initiated, 
organized, funded, and managed by the National Institutes of Health). 
Participation in and adherence to the requirements of such 
demonstrations or programs would be a relevant factor in assessing the 
intent of the parties and the risk posed by the arrangement.\63\ 
Incentives offered to commercially insured patients or uninsured 
patients would not implicate the statutes. Application of the statutes 
is discussed in further detail in sections II.B and II.C of this 
preamble.
---------------------------------------------------------------------------

    \63\ See, e.g., OIG, OIG Adv. Op. No. 08-14 (Oct. 2, 2008), 
available at https://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-14.pdf (regarding a substance abuse treatment center's use 
of motivational incentives to reward a patient's achievement of 
certain treatment-related goals; in this advisory opinion, 
Requestor's program was developed and refined in connection with 
National Institute on Drug Abuse's government-sponsored research 
into implementation of motivational incentives as a treatment 
option, a fact that OIG viewed favorably).
---------------------------------------------------------------------------

    With respect to incentives in the form of cash or cash equivalents, 
we are concerned about heightened fraud and abuse risk. As noted in the 
OIG Proposed Rule, OIG historically has had significant concerns with 
allowing providers and others to offer cash or cash equivalents to 
patients, and our oversight and enforcement experience suggests that 
cash incentives can result in medical identity theft and misuse of 
patients' Medicare numbers, lead to inappropriate utilization (in the 
form of medically unnecessary items and services), and cause improper 
patient steering (including patients selecting a provider because the 
provider offers the most valuable incentives and not because of the 
quality of care the provider furnishes).\64\
---------------------------------------------------------------------------

    \64\ 84 FR 55275 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Moreover, in the area of substance use disorder treatment, OIG and 
its law enforcement partners have substantial enforcement experience 
that demonstrates the pervasiveness of fraud in treatment programs that 
serve neither the best interests of patients nor taxpayers. For 
example, OIG has participated in enforcement actions resulting from 
allegations of significant fraud by substance use disorder treatment 
facilities, or ``sober homes,'' that take advantage of individuals with 
substance abuse disorders.\65\
---------------------------------------------------------------------------

    \65\ See, e.g., Press Release, U.S. Department of Justice, 
National Health Care Fraud and Opioid Takedown Results in Charges 
Against 345 Defendants Responsible for More than $6 Billion in 
Alleged Fraud Losses (Sept. 30, 2020), https://www.justice.gov/criminal-fraud/hcf-2020-takedown/press-release.
---------------------------------------------------------------------------

    We preclude cash or cash equivalents from protection under this 
safe harbor in recognition of the critical need to protect vulnerable 
patients from fraud. That said, as stated above, arrangements involving 
cash or cash equivalents used to promote adherence or healthy behavior 
modification do not necessarily violate the Federal anti-kickback 
statute; they would need to be evaluated under the anti-kickback 
statute on a case-by-case basis, including the intent of the parties. 
Parties may seek an OIG advisory opinion if they want assurance that 
their arrangement(s) comply with the statutes or would not be subject 
to OIG administrative enforcement sanctions, but having an advisory 
opinion is not mandatory. Declining to seek an OIG advisory opinion is 
not evidence that parties have improper intent under the Federal anti-
kickback statute.
    As stated above, in-kind incentives in connection with contingency 
management or other motivational programs can fit in the final safe 
harbor if all conditions are met. We note that offering incentives to 
patients as a reward for accessing care may not satisfy the prohibition 
on marketing and patient recruitment at paragraph 1001.952(hh)(6), 
depending on the facts and circumstances. We also emphasize that 
remuneration offered as a reward or incentive is not protected if it 
results in a beneficiary being furnished medically unnecessary care or 
inappropriate items or services reimbursed by a Federal health program, 
pursuant to the condition at paragraph 1001.952(hh)(3)(iv).
    Finally, to the extent that existing safe harbors might not address 
all facets of contingency management incentive programs, we are 
considering addressing them in future rulemaking.
    Comment: A commenter urged OIG to consider extending safe harbor 
protection to benefits such as direct payments from a provider to 
utility companies and the direct provision of technology (e.g., 
electronic scales and tablets to provide continuing condition-specific 
education).
    Response: Because the beneficiary does not directly receive cash or 
cash-equivalent remuneration, we consider the specific examples 
provided by the commenter to be in-kind remuneration, which may be 
protected by this safe harbor if the other conditions of the safe 
harbor are satisfied.
    Comment: A commenter observed that Congress has recognized the 
value of providing incentive payments to patients in allowing 
Accountable Care Organizations (ACOs) participating in the Medicare 
Shared Savings Program to make payments to patients who receive 
qualifying primary care services from providers participating in those 
ACOs.
    Response: We recognize that the ACO Beneficiary Incentive Program, 
which is administered by CMS as part of the Medicare Shared Savings 
Program, allows an ACO to make incentive payments to beneficiaries of 
up to $20 per qualifying service as an incentive to

[[Page 77793]]

encourage utilization of medically necessary primary care services if 
certain eligibility, recordkeeping, and notification requirements are 
met. Nothing in the new patient engagement and support safe harbor 
would prevent ACOs from continuing to participate in that program or 
from structuring ACO Beneficiary Incentive Payment programs to satisfy 
the requirements of the new safe harbor set forth at paragraph 
1001.952(kk), which protects payments under the ACO Beneficiary 
Incentive Program. Although we are not protecting similar incentives in 
this safe harbor, this decision does not reflect the programmatic value 
of the ACO Beneficiary Incentives.
    The patient engagement and support safe harbor will protect tools 
and supports furnished outside of the context of a program administered 
and monitored by CMS. Without that programmatic oversight, we believe 
the safeguards in this final rule, including limiting safe harbor 
protection to in-kind remuneration, are appropriate and necessary to 
protect Federal health care programs and beneficiaries from harms 
associated with fraud and abuse.
    Comment: A commenter urged OIG to update its 2016 Policy Statement 
Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries 
to revise its interpretation of ``nominal value'' from $15 per instance 
to $20 per instance, and from $75 in the aggregate per year to $100 in 
the aggregate per year.
    Response: We decline commenter's request to update our guidance on 
``nominal value'' \66\ in this rulemaking. We note that our nominal 
value guidance focuses only on OIG's Beneficiary Inducements CMP 
authorities, and not the anti-kickback statute.
---------------------------------------------------------------------------

    \66\ See OIG, Office of Inspector General Policy Statement 
Regarding Gifts of Nominal Value to Medicare and Medicaid 
Beneficiaries (Dec. 7, 2016), available at https://oig.hhs.gov/fraud/docs/alertsandbulletins/OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf.
---------------------------------------------------------------------------

iii. Waiver or Reduction of Cost-Sharing Obligations
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we sought 
comments on a variety of issues relating to potential safe harbor 
protection for waivers or reductions of patient cost-sharing 
obligations in different circumstances, including waivers or reductions 
of patient cost-sharing in the context of the proposed value-based 
framework. We also noted that the requirements related to cost-sharing 
in the Medicare and Medicaid programs are a programmatic matter; cost-
sharing is required pursuant to statute, regulations, and other rules 
set forth by CMS and state Medicaid programs.
    Summary of Final Rule: We are not finalizing a condition to protect 
cost-sharing waivers or reductions under this safe harbor.
    Comment: Many commenters expressed support for protecting waivers 
of beneficiary cost-sharing obligations for remote patient monitoring, 
chronic care management, digital technologies that include care 
coordination functionality, and other care coordination services. A 
commenter argued that both patients and Federal health care programs 
benefit from waiving cost-sharing requirements for these items and 
services because reducing barriers to accessing preventive care can 
improve health outcomes for patients while also ensuring efficient use 
of taxpayer resources. Commenters also asserted that cost-sharing 
obligations can serve as a significant barrier to patient access for 
these and other care coordination items and services, and that 
providers' concerns regarding patients' fulfilling cost-sharing 
obligations could discourage providers from even offering these 
services. A commenter pointed out that protecting cost-sharing waivers 
could give flexibility to certain manufacturers to structure rewards 
programs that could incentivize patient behavior that may improve 
health outcomes, such as treatment adherence. One commenter noted that 
waivers of cost-sharing obligations are less prone to abuse than 
providing cash to patients but posited that waivers can still lead to 
undesirable effects such as cherry-picking and patient steering.
    Commenters also noted that collecting cost-sharing amounts may be 
administratively burdensome for providers, and for certain items and 
services the cost of collection often exceeds the cost-sharing amount 
to be collected. In order to address this issue, a commenter 
recommended that OIG protect waivers of cost-sharing amounts when the 
amount owed by the beneficiary is nominal, similar to OIG's Policy 
Statement Regarding Gifts of Nominal Value to Medicare and Medicaid 
Beneficiaries, or that OIG amend its interpretation of ``reasonable 
collection efforts'' under section 1128A(i)(6)(A)(iii)(II) of the Act 
so that these collection efforts do not include situations where the 
cost of collection by the provider exceeds the cost-sharing amount that 
the provider would potentially collect.
    Commenters also urged OIG to implement safe harbor protection for 
waivers or reductions of other types of cost-sharing obligations, 
including cost-sharing for services furnished through patient-centered 
medical homes and patient-centered specialty practices, such as visits 
that promote medication adherence, preventive care, and kidney disease 
education. A commenter suggested that OIG should protect full or 
partial cost-sharing waivers where care coordination arrangements 
result in cost savings to the health care system, which would allow 
patients to share in savings resulting from compliance with disease 
management or treatment programs.
    A number of commenters urged OIG to protect waivers of IHS 
beneficiaries' cost-sharing obligations for items and services 
furnished by Indian health programs, noting that the imposition of 
cost-sharing obligations can be a barrier to care coordination for 
those patients.
    Response: Cost-sharing waivers, or other tools and supports 
designed to effectuate a waiver of beneficiary cost-sharing, are not 
protected under the final patient engagement and support safe harbor. 
We appreciate commenters' suggestions regarding potential safe harbor 
protection for waivers or reductions of certain cost-sharing 
obligations, particularly in the context of value-based care and 
coordination of care. However, for a number of reasons we are not 
convinced that a safe harbor promulgated by OIG through regulation 
would be the appropriate mechanism to protect the waiver or reduction 
of a programmatic requirement. As we stated in the OIG Proposed Rule, 
beneficiary cost-sharing obligations are a programmatic requirement, 
and we do not believe it would be appropriate to broadly protect cost-
sharing waivers that could obviate a programmatic requirement created 
by statute to the extent requested by commenters. On several occasions, 
Congress has enacted limited and individualized statutory protection 
for cost-sharing waivers. For example, Congress enacted an exception to 
the anti-kickback statute that allows pharmacies to waive Medicare Part 
D cost-sharing under certain conditions, and we have promulgated 
corresponding, implementing regulations.\67\
---------------------------------------------------------------------------

    \67\ Section 1128B(b)(3)(G) of the Act; 42 CFR 1001.952(k)(3).
---------------------------------------------------------------------------

    In addition, commenters requested OIG provide safe harbor 
protection for the waiver of beneficiary cost-sharing for certain items 
and services (e.g., remote patient monitoring, chronic care management, 
digital technologies that include care coordination functionality, and 
other care coordination services). We do not think it would be 
appropriate or feasible for this rule to make

[[Page 77794]]

distinctions regarding cost-sharing waivers based on particular 
categories of services. We do not discern a reasonable basis for making 
such distinctions. We note that longstanding OIG guidance allows for 
waivers of cost-sharing amounts based on individualized, good faith 
determinations of financial need.
    In the OIG Proposed Rule, we stated that we were considering 
protecting cost-sharing waivers for certain specified services (e.g., 
care management services). We are not adopting the commenter's 
recommendation to waive nominal cost sharing amounts. As discussed 
above, we do not view a safe harbor to the Federal anti-kickback 
statute as an appropriate vehicle to address programmatic rules related 
to beneficiary cost sharing.
    In addition, we did not propose to amend our interpretation of 
``reasonable collection efforts'' under section 1128A(i)(6)(A)(iii)(II) 
of the Act and decline to do so in this final rule.
iv. Social Determinants of Health
    Summary of OIG Proposed Rule: For reasons described in the OIG 
Proposed Rule, including the connection of social determinants to 
health outcomes and costs,\68\ we proposed to protect at paragraph 
1001.952(hh)(3)(i) an in-kind item, good, or service such as, among 
others, supports or services designed to identify and address a 
patient's social determinants of health. In the OIG Proposed Rule, we 
cited the existence of substantial evidence that ``unmet social needs'' 
related to social determinants of health such as transportation, 
nutrition, and safe housing play a critical role in health outcomes and 
expenditures,\69\ two key policy goals of this rulemaking. We sought 
comment on which social determinants are most crucial to improving care 
coordination and transitioning to value-based care and payment.\70\ We 
also sought comments on how or whether to protect tools and supports 
designed to address social determinants of health, including whether to 
make distinctions among various categories of social determinants or to 
list specific permissible tools and supports.
---------------------------------------------------------------------------

    \68\ 84 FR 55723 (Oct. 17, 2019).
    \69\ 84 FR 55723 (Oct. 17, 2019).
    \70\ 84 FR 55724 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing, with modifications, 
paragraph 1001.952(hh)(3)(i). The modifications remove the illustrative 
example related to social determinants of health from paragraph 
1001.952(hh)(3)(i). Notwithstanding, the final rule at paragraph 
1001.952(hh) protects in-kind tools and supports that identify and 
address a patient's social determinants of health, provided that the 
tools and supports otherwise meet all applicable safe harbor 
conditions, including, among others, the $500 annual cap, the 
requirement for a direct connection to the coordination and management 
of the care of the target patient population, the requirement that the 
tool or support is recommended by the patient's licensed health care 
professional, and the requirement that the tool or support advances at 
least one of the enumerated goals set forth at paragraph (hh)(3)(vi) of 
the final rule. The five enumerated goals ensure that protected tools 
and supports have a close nexus to care coordination, quality of care, 
and health outcomes for patients.
    As with health-related technology and patient health-related 
monitoring tools and services, we are no longer including the specific 
example of tools and supports that identify and address social 
determinants of health in the final paragraph 1001.952(hh)(3)(i). 
Explicitly listing illustrative categories of protected remuneration is 
not necessary to effectuate the policy set out in the proposed rule 
that these categories and other types of tools and supports can be 
protected if all safe harbor conditions are met. This change ensures 
the final rule does not inappropriately limit the type or range of in-
kind tools and supports that could be protected by this safe harbor. 
This will allow the licensed health care professional to determine the 
specific type of tool or support that works best for the patient, as 
long as all conditions of the safe harbor are met.
    Comment: Numerous commenters urged us to extend explicit safe 
harbor protection to address various social determinants of health, 
focusing primarily on tools and supports to address food insecurity, 
housing instability, and transportation needs. Commenters also noted 
that identifying and addressing patients' social determinants of health 
through patient engagement tools and preventive care items will allow 
entities to improve patient outcomes while also reducing health care 
costs.
    Response: We agree that these types of tools and supports have the 
potential to improve patient outcomes while producing savings to 
Federal health care programs and patients. Tools and supports to 
address the categories of social determinants cited by the commenters 
may be eligible for safe harbor protection if they meet all safe harbor 
conditions including, among others, one of the safe harbor's enumerated 
goals at paragraph 1001.952(hh)(3)(vi). For examples of how the safe 
harbor could protect tools and supports that identify and address 
social determinants of health, we refer readers to the response 
directly below. We are finalizing this safe harbor without including 
tools and supports designed to identify and address social determinants 
of health as an example of protected remuneration in the regulatory 
text. This change will ensure the final rule avoids inadvertently 
constraining the types or categories of in-kind tools and supports 
protected by this safe harbor in order to foster beneficial innovation.
    Comment: We received a number of comments addressing the question 
of how to define social determinants of health and related tools and 
supports for the purpose of this new safe harbor. Many commenters urged 
us not to specify permissible tools and supports, but instead to adopt 
a flexible approach. Other commenters requested OIG provide a 
nonexclusive and nonexhaustive list illustrative of the types of 
permissible tools and supports that could receive protection under the 
safe harbor, indicating that such a list would provide clarity to the 
industry regarding the scope of tools and supports this safe harbor 
would protect without limiting flexibility and innovation. Another 
commenter sought clarification regarding how to interpret our proposed 
protection for tools and supports that address social determinants of 
health and other items and services such as preventive care items and 
services and health-related technology, including how to interpret the 
list of illustrative examples we provided in the preamble.
    Commenters provided examples of a wide range of categories of 
social determinants of health and the tools and supports that 
commenters argued should be protected under this safe harbor, which 
they consider most crucial to improving coordination and management of 
care and transitioning to value-based care and payment. The social 
determinants of health--and tools and supports to address such social 
determinants of health--cited by commenters include food insecurity, 
housing instability, transportation, nutrition education, supervised 
exercise, fitness training programs, household or vehicle modifications 
to promote mobility and independence, addiction recovery programs, 
mental health programs, payment of utility bills, and supports related 
to interpersonal violence.
    Some commenters offered extensive lists of social determinants of 
health relevant to specific health issues, such

[[Page 77795]]

as determinants that impact musculoskeletal care or chronic diseases. 
Another commenter urged OIG to use the framework developed by the 
Kaiser Family Foundation to make distinctions among categories of 
social determinants using the following categories: (i) Economic 
stability; (ii) neighborhood and physical environment; (iii) food; (iv) 
community and social context; and (v) health care system. Another 
commenter suggested OIG reference services offered as supplemental 
benefits within Medicare Advantage as well as the special supplemental 
benefits for the chronically ill included in the Creating High-Quality 
Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act.
    Response: We appreciate commenters' suggestions regarding how best 
to identify and protect categories of social determinants of health and 
related tools and supports that should be protected under this safe 
harbor. We agree with the concern that an exclusive list of protected 
tools or supports in regulatory text could inappropriately constrain 
entities from offering the most useful types of tools and supports, and 
a rigid definition of social determinants of health could limit 
innovation related to tools and supports that may be protected by this 
final rule, if all conditions of the safe harbor are met. We are not 
providing a specific definition of ``social determinants of health'' 
for the purpose of this final rule, as one is not needed, nor are we 
providing an exclusive list of the types of tools and support that will 
receive safe harbor protection. We agree with the commenters that 
recommended flexibility.
    We offer below illustrative, but not exhaustive, examples of tools 
and supports related to identifying and addressing patients' needs 
related to social determinants of health that may qualify under the 
safe harbor if all safe harbor conditions are met. We provide this list 
of representative tools and supports to readers to explain our 
interpretation of the safe harbor; we emphasize that this list is 
neither exhaustive nor does it point to the Government's view of the 
effectiveness of the listed examples. Furthermore, we remind readers 
that the safe harbor is specifically focused on the coordination and 
management of patient care. There are other important aspects of 
addressing social determinants of health that are not covered by this 
rulemaking because they do not relate to the coordination and 
management of patient care. In some cases, other safe harbors such as 
the local transportation safe harbor, or other exceptions to the 
Beneficiary Inducements CMP, such as the financial-need-based exception 
and the promote access to care exception (both found at paragraph 
1003.110), may be available for incentives that address patients' needs 
related to social determinants of health.\71\ OIG's advisory opinion 
process is also available, and OIG has issued several advisory opinions 
addressing areas such as nutrition, lodging, and transportation.
---------------------------------------------------------------------------

    \71\ We remind readers that exceptions to the definition of 
``remuneration'' under the Beneficiary Inducements CMP apply only 
for the purposes of the definition of ``remuneration'' applicable to 
section 1128A of the Act (the Beneficiary Inducements CMP); they do 
not apply for purposes of section 1128B(b) of the Act (the Federal 
anti-kickback statute).
---------------------------------------------------------------------------

    Illustrative examples of tools and supports related to social 
determinants of care that could be structured to fit in the safe 
harbor, depending on the facts and circumstances, include the 
following: Provision of in-kind transportation, such as transit 
vouchers or rideshares organized by the VBE participant; home 
modifications such as grab bars, air filters or purifiers, and other 
physical or structural modifications that allow patients to live safely 
at home; temporary housing for an individual experiencing homelessness 
or living far from a hospital following a surgical discharge; providing 
broadband access to a patient to enable remote patient monitoring or 
virtual care; grocery or meal delivery services, nutrition supplements, 
and nutrition education; exercise or fitness programs or equipment; 
vehicle modifications; incentives as part of addiction recovery 
programs, including peer-to-peer programs and contingency management 
programs; incentives as part of mental health programs; and supports 
related to interpersonal violence. For each of the preceding examples, 
all safe harbor conditions would need to be met, including that the 
tool or support advances one of the goals enumerated in paragraph 
1001.952(hh)(3)(vi).
    In contrast, some tools and supports that could help address needs 
related to social determinants of health would be very unlikely to fit 
in the safe harbor. For example, tools and supports related to finding 
employment or housing-related tools and supports of a routine nature, 
such as routine or ongoing rent or utility payments, are unlikely to 
meet the requirements that they be directly related to coordination and 
management of patient care, be recommended by the patient's licensed 
health care professional, and advance an enumerated goal at paragraph 
1001.952(hh)(3)(vi).
    We emphasize that the changes to the regulatory text ensure this 
final rule is agnostic about the specific types of in-kind tools or 
supports protected by this safe harbor. This will give licensed health 
care professionals flexibility to determine and recommend the tool or 
support that would best address a patient's social determinants of 
health to foster coordination and management of patient care.
    Comment: A commenter urged OIG to identify an additional goal under 
paragraph 1001.952(hh)(3)(vi) for ``management of activities of daily 
living,'' to clarify that tools and supports may be protected if used 
to address social determinants of health.
    Response: We are not adopting this suggestion. As explained above, 
in-kind tools and supports used to address social determinants of 
health may be protected by the safe harbor if they meet all safe harbor 
conditions. Depending on the specific facts and circumstances, in-kind 
tools and supports for the management of activities of daily living 
could meet several of the enumerated goals in paragraph (hh)(3)(vi) 
including, for example, goals related to adherence to a followup 
treatment plan, prevention or management of a disease or condition, and 
ensuring patient safety. Such tools and supports would need to meet all 
other safe harbor conditions as well. The goals proposed in the OIG 
Proposed Rule and finalized in paragraph 1001.952(hh)(3)(vi) are 
intended to have a close nexus to the coordination and management of 
patient care. Ensuring that beneficiaries have the support they need to 
manage activities of daily living is critically important. However, for 
purposes of this safe harbor, a separate goal related to ``management 
of activities of daily living'' would not have the same close nexus.
    We note that nothing in this rule alters any existing program rules 
or benefits available to support activities of daily living.
    In particular, some health care benefits, such as long-term care 
services covered by Medicaid, utilize assessments of activities of 
daily living to determine the appropriate level of care for a patient. 
This safe harbor does not affect those rules. Additionally, some long-
term care benefits may also provide coverage for items or services to 
help manage a patient's activities of daily living that are similar or 
the same as the tools and supports protected by this safe harbor. 
Consistent with the discussion in section III.B.6.l on cost-shifting, 
if a provider furnishes covered

[[Page 77796]]

items or services that are covered by a Federal health care program and 
billed following normal rules, the provision of those items or services 
alone would not implicate the Federal anti-kickback statute.
v. Health-Related Technology and Patient Monitoring
    Summary of OIG Proposed Rule: Proposed paragraph 1001.952(hh)(3)(i) 
included health-related technology and patient health-related 
monitoring tools and services as examples of permissible tools and 
supports.
    Summary of Final Rule: We are not finalizing our proposal to 
include these examples in regulatory text. Paragraph 1001.952(hh)(3)(i) 
simply requires an in-kind item, good, or service, without qualifiers 
or examples. We confirm that health-related technology and patient 
health-related monitoring tools and supports can be protected 
remuneration if all safe harbor conditions are met.
    Comment: Commenters were encouraged that the OIG Proposed Rule 
recognized wearable monitoring devices as ``health-related technology 
and patient health-related monitoring tools and services'' that were 
potentially protected tools and supports, noting the power of such 
technologies in managing chronic illness and promoting patient 
adherence. A commenter asked OIG to consider how to ensure that the 
safe harbor does not stifle innovative health care provider 
arrangements for care coordination implemented via remote patient 
monitoring. The same commenter urged OIG to reexamine what constitutes 
an inducement and help health care stakeholders better understand these 
regulations by offering FAQs, guidance, or web-based access to 
additional information.
    Response: As noted above in the discussion relating to preventive 
care, we have simplified the safe harbor language to reflect the 
breadth of protected categories of remuneration. Accordingly, the safe 
harbor no longer specifically references health-related monitoring 
tools and services but instead requires that tools or supports are in 
the form of an in-kind item, good, or service that meets the other 
requirements of the safe harbor. This revision is in no way intended to 
limit the scope of remuneration protected by the safe harbor to exclude 
or otherwise limit health-related technology; rather, we intend the new 
text at paragraph 1001.952(hh)(3)(i) to reflect the breadth of tools 
and supports eligible for protection under the safe harbor.
    We believe the safe harbor, including this broadened language, will 
expand opportunities for innovation in how industry stakeholders engage 
and support patients, including arrangements involving remote patient 
monitoring. For instance, tools such as connected scales or blood 
pressure monitors that track and transmit data to a patient's licensed 
health care professional, or applications that allow a patient's mobile 
devices to monitor activity or other health data, could be protected, 
if all other conditions of the safe harbor are satisfied.
    Comment: Commenters sought clarification as to how telehealth tools 
and supports fit within the category of health-related technology. In 
particular, a commenter asked whether the new patient engagement and 
support safe harbor may be used to protect the provision of non-device-
based telehealth platforms and aggregators. Another commenter urged OIG 
to clarify that, as a general matter, multifunction equipment could 
comply with the Federal anti-kickback statute through a safe harbor and 
exception to the Beneficiary Inducements CMP.
    Response: In-kind telehealth supports can be protected under this 
safe harbor if the provision of such supports satisfies all of the safe 
harbor's conditions.\72\ For instance, a smartphone that facilitates 
telehealth services with a patient's licensed health care professional, 
or a platform or software that facilitates telehealth services, may be 
a protected form of remuneration under this safe harbor if all safe 
harbor conditions are satisfied. The commenter's request for additional 
OIG guidance on whether the provision of multifunctional equipment 
would implicate the Federal anti-kickback statute and Beneficiary 
Inducements CMP is a fact-specific inquiry. Tools and supports that may 
be protected by this safe harbor could include multifunctional 
equipment, as long as the tool or support advances one of the 
enumerated goals at paragraph 1001.952(hh)(3)(vi).
---------------------------------------------------------------------------

    \72\ We acknowledge that Federal health care program coverage of 
telehealth services and other care provided remotely has expanded 
and the regulatory framework applicable to telehealth services and 
other virtual care has shifted, at least temporarily, since the 
publication of the OIG Proposed Rule. In particular, in response to 
the unique circumstances resulting from the outbreak of COVID-19, 
the Secretary determined, pursuant to section 319 of the Public 
Health Service Act, that a public health emergency (PHE) exists and 
has existed since January 27, 2020 (COVID-19 Declaration). See 
Department of Health and Human Services, Determination that a Public 
Health Emergency Exists (Jan. 31, 2020), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx. 
As a result of the PHE, various agencies have adopted temporary 
rules and guidance designed to ease access to telehealth services 
and other virtual care during the PHE. See for example CMS, Interim 
Final Rule with Comment Period, Medicare and Medicaid Programs; 
Policy and Regulatory Revisions in Response to the COVID-19 Public 
Health Emergency, 85 FR 19230 (Apr. 6, 2020).
---------------------------------------------------------------------------

    Comment: A commenter urged that patient communication and 
counseling services are aligned with the spirit of the proposed safe 
harbor and requested confirmation that these services constitute 
patient health-related monitoring tools and services.
    Response: We agree that patient communication and counseling 
services may qualify as protected in-kind remuneration if the 
conditions of the safe harbor are satisfied.
vi. Not Duplicative
    Summary of OIG Proposed Rule: We solicited comments on whether to 
require the VBE participant to confirm that the tool or support is not 
duplicative of, or substantially the same as, tools and services the 
patient already has.
    Summary of Final Rule: We are not finalizing this condition.
    Comment: A commenter supported requiring the patient to confirm 
that the tool or support is not duplicative of something already owned 
by the patient. A commenter stated that restrictions related to 
providing duplicative tools or services that the patient already has 
are unnecessary in light of the proposed safe harbor requirement 
prohibiting the sale or diversion of the item or service. Moreover, 
some commenters stated that this type of requirement would prove 
difficult to implement because even if a patient has a similar device 
or service, it does not mean that it has enough or the correct 
technology to accomplish the VBE's or VBE participant's care objectives 
and goals. Some commenters stated that this condition would be 
difficult to interpret and enforce, and some commenters asserted that 
the provision of duplicative tools and supports would be unlikely to 
result in patient inducement. Another commenter highlighted concern 
related to any such condition's intersection with providing updated or 
upgraded tools and supports that might technically duplicate tools and 
supports to which a patient already has access. A commenter asked what 
would be considered duplicative or substantially the same, asking 
specifically whether an updated smartphone to support the use of a 
monitoring application would be duplicative if a patient already owns a 
cell phone. The same commenter also inquired whether providing other 
updated technology--such as a newer version of a patient's glucose 
monitor--would be considered duplicative.

[[Page 77797]]

    A commenter stated that OIG should not require confirmation that 
the tools and supports provided to a patient are not duplicative of, or 
substantially the same as, tools and supports the patient already has, 
which the commenter believed fails to recognize that VBE participants 
may want to rely on the safe harbor to test the effectiveness of a 
particular tool or support.
    Response: In this final rule, we are not adopting a requirement 
that a VBE participant confirm that a tool or support is not 
duplicative of, or substantially the same as, tools or supports the 
patient already has. We appreciate the concerns raised by commenters 
regarding the practical challenges in implementing this requirement, 
including that it is difficult to determine which tools or supports 
would be considered duplicative.
    However, tools or supports that are duplicative of items or 
services that a patient already owns or has access to may not advance 
one of the goals listed at paragraph 1001.952(hh)(3)(vi) and therefore 
may not be eligible for safe harbor protection. For example, providing 
a patient with a new smartphone would not necessarily advance any of 
the enumerated goals if the patient already has a cell phone with 
sufficient functionality. For instance, the licensed health care 
professional's recommendation of a smartphone to transmit medication 
adherence reminders may not advance the patient's adherence to a drug 
regimen if the identified need for the smartphone--to transmit 
medication adherence reminders--is already achievable with the 
patient's existing cell phone. On the other hand, provision of a 
smartphone could promote adherence to a treatment regimen determined by 
the patient's licensed health care professional (pursuant to the goal 
listed at paragraph 1001.952(hh)(3)(vi)(A)) if, for example, the new 
smartphone adds functionality needed for remote monitoring that is not 
available on the patient's existing cell phone.
    In response to the comment regarding using the patient engagement 
and support safe harbor to test the effectiveness of tools or supports, 
the safe harbor protects remuneration that advances one or more of the 
enumerated goals under paragraph 1001.952(hh)(3)(vi). While protection 
under this safe harbor is not conditional on achieving one or more of 
these enumerated goals, a tool or support would not be eligible for 
safe harbor protection without a reasonable basis that it would advance 
at least one of the enumerated goals. The requirement to advance one or 
more of the listed goals means, at a minimum, that the VBE participant 
reasonably expects the tool or support to be effective in advancing a 
goal.
g. Marketing and Patient Recruitment
    Summary of OIG Proposed Rule: We proposed a condition at proposed 
paragraph 1001.952(hh)(3)(iv) that would exclude from safe harbor 
protection tools or supports used for patient recruitment or marketing 
of items or services to patients. Separately, we sought comment on 
whether to include a condition that would prohibit advertising of the 
patient engagement tools or supports offered by a VBE participant. We 
solicited comments on how best to preclude using tools and supports as 
a marketing or advertising strategy to recruit patients or otherwise 
influence referral sources, patients or otherwise, while still 
permitting beneficial educational efforts and activities that promote 
patient awareness of care coordination activities and available tools 
and supports.
    Summary of Final Rule: We are finalizing, with modifications, the 
proposed condition at paragraph 1001.952(hh)(6). Under the final rule, 
neither the VBE participant, nor an eligible agent of the VBE 
participant, may use the patient engagement tools or supports to market 
other reimbursable items or services or for patient recruitment 
purposes. The final safe harbor condition clarifies the limitation on 
marketing and patient recruitment consistent with our intent in the OIG 
Proposed Rule to preclude protection of tools and supports used solely 
for patient recruitment purposes or used to market other reimbursable 
items and services to patients. The final condition clarifies that the 
marketing prohibition only applies with respect to the marketing of 
items and services reimbursable by Federal health care programs. 
Providing remuneration to patients in order to market items or services 
not reimbursable by Federal health care programs is unlikely to 
implicate the anti-kickback statute and therefore would not need safe 
harbor protection. As discussed further below, this condition does not 
preclude a VBE participant from educating patients, such as providing 
objective patient educational materials to a patient or engaging in 
objective patient informational activities with respect to patients in 
the target population.
    Comment: Commenters generally supported our proposed prohibitions 
on marketing and patient recruitment but urged OIG to clarify that 
certain activities would not be prohibited, such as providing education 
and information to established patients or members of the target 
patient population about available resources, tools, and supports. For 
example, a commenter suggested that a health care facility operating an 
onsite food pantry should be able to post basic information, such as 
the food pantry's hours of operation, to ensure patient access. Another 
indicated that providers should be able to educate beneficiaries about 
how to access care and to increase awareness and utilization of 
services by describing available tools and supports on a provider's 
website or by offering free marketing items such as refrigerator 
magnets, stickers, and notepads.
    Other commenters opposed these conditions altogether or requested 
that we clarify the delineations between prohibited marketing, 
advertising, and patient recruitment as opposed to permissible patient 
education and awareness activities. Commenters warned that 
dissemination of information to patients and their providers is 
necessary for patients to achieve the health benefits intended by a 
particular patient engagement program. A commenter added that 
restricting advertising requires providers to determine which patients 
may benefit from available resources, rather than empowering patients 
to self-identify whether they may benefit from a given tool or support.
    Response: We agree with the commenters who supported conditions 
relating to marketing and patient recruitment, and we are finalizing 
these concepts in a revised safe harbor condition at paragraph 
1001.952(hh)(6). The patient engagement and support safe harbor does 
not protect the provision of tools or supports if the VBE participant 
uses the tools or supports to market other reimbursable items or 
services or for patient recruitment purposes. As noted in the proposed 
rule, the proposed condition was designed to preclude a VBE using a 
tool or support to market other reimbursable items and services, or 
using a tool for patient recruitment while permitting beneficial 
educational efforts and activities that promote patient awareness of 
care coordination activities and available tools and supports. We do 
not intend to protect tools or supports that serve solely as patient 
recruitment incentives.\73\
---------------------------------------------------------------------------

    \73\ 84 FR 55727 (Oct. 17, 2019).
---------------------------------------------------------------------------

    This condition does not preclude providers from educating their 
patients or otherwise providing information about available tools and 
supports to established patients. In other words, this

[[Page 77798]]

condition does not limit providers from offering objective information, 
education, and reminders to their patients, nor does it limit providers 
from offering tools and supports designed to educate patients and 
increase awareness and utilization of appropriate services.
    As an example, the following activity would not violate this 
condition: A physician VBE participant informs a patient with asthma 
that clean air in the home is important for keeping asthma symptoms 
under control. The physician explains that clean air conditioning 
filters and other air purifying machines are important for keeping the 
air in a home clean and healthy. The physician informs the patient that 
the VBE has a program to provide air filters, and the patient may be 
eligible to receive free air filters provided by the physician.
    However, the safe harbor does not protect a tool or support if used 
to recruit patients or used to market other reimbursable items or 
services. This condition protects against abusive marketing schemes 
where the patients are inappropriately induced to select providers or 
use items or services because they are being provided with free or low-
cost tools and supports. Importantly, the patient engagement and 
support safe harbor protects the provision of tools and supports to 
patients; it does not protect any marketing, advertising, or patient 
recruitment arrangements.
    As with the care coordination arrangements safe harbor's marketing 
and patient recruitment provision discussed in section III.B.3.j we use 
the terms marketing (e.g., promoting or selling something), recruitment 
(e.g., enlisting someone to do something), and education (e.g., 
informing, instructing, or teaching) in accordance with their common 
sense meanings. Additionally, we consider ``advertising'' to be a 
subset of ``marketing,'' so the prohibition of using tools or supports 
to market other reimbursable items or services also prohibits 
advertising. This approach best allows flexibility for VBE participants 
to engage in appropriate educational efforts. We offer illustrative 
examples in response to comments to aid stakeholders in applying the 
safe harbor provision.
    For example, a VBE participant could operate a non-billable 
diabetes remote monitoring program to help patients manage their 
diabetes and coordinate their care. As part of the program, the VBE 
participant offers patients with diabetes a free tablet to facilitate 
the remote monitoring program. Should the VBE participant seek to 
protect the tablet under this safe harbor, it would need to satisfy the 
marketing and patient recruitment condition at paragraph 
1001.952(hh)(6). To illustrate the scope of this condition, we offer 
the following examples of educational activities that would comply with 
this condition. First, the VBE participant may counsel a patient with 
diabetes about the benefits of the non-billable remote monitoring 
program and explain that such program includes a free tablet to 
facilitate the program. Second, the VBE may explain that the tablet is 
used to convey information such as nutritional information, recipes, 
wellness tips, and appointment reminders. In these illustrative 
examples, the VBE participant is not using the tablet to market other 
reimbursable items or services or for patient recruitment.
    By contrast, if the VBE participant uses the tablet to send 
patients text messages and notifications to induce them to obtain 
tests, equipment, supplies, or other reimbursable items and services, 
the condition at paragraph 1001.952(hh)(6) would not be satisfied; the 
VBE participant is using the tool and support (the tablet) to market 
other reimbursable items and services. Similarly, if the VBE 
participant advertises that patients will receive a free tablet if they 
register for the remote monitoring program and receive services, the 
VBE participant is using the tool and support to recruit patients and 
the provision of the tablet does not qualify for safe harbor 
protection. It would be the same result if the VBE participant used the 
provision of the tablet to market other reimbursable services or 
recruit patients through door-to-door marketing, telephone 
solicitations, direct mailings, or through sales pitches masquerading 
as ``informational'' sessions.
    In response to commenters, we clarify that notification to an 
entire target patient population about the availability of tools and 
supports does not necessarily raise concerns under this condition. 
Whether a notification to an entire patient population satisfies this 
condition would require a highly fact-specific assessment. For example, 
if a physician used an announcement to an entire target patient 
population about the availability of free air conditioning filters if 
those patients come in for an office visit (e.g., as an inducement to 
attract patients to schedule an appointment billable to a Federal 
health care program), that would constitute prohibited marketing or 
patient recruitment, even if the announcement also had an educational 
purpose. In contrast, if the announcement provided information on the 
need for asthma patients to ensure the air in the home is clean and to 
contact the physician for further information, that type of 
notification would not violate this condition. Again, we highlight that 
whether any particular communication satisfies this marketing condition 
would require a highly fact-specific assessment.
    Among the examples described by the commenters, a hospital posting 
general information such as the hours of operation of its food pantry 
to make patients aware of when the food pantry is open and enhance 
patient access would not run afoul of this condition. Providing free 
marketing items as described by a commenter such as refrigerator 
magnets, stickers, and notepads likely would not be protected by this 
safe harbor for multiple reasons. If provided for the purpose of 
marketing or patient recruitment, such items would not meet this 
condition. Furthermore, these items are unlikely to advance one of the 
enumerated goals at paragraph 1001.952(hh)(3)(vi) or have a direct 
connection to the coordination and management of care of the target 
patient population.\74\
---------------------------------------------------------------------------

    \74\ We note, however, that such items may be excluded from the 
definition of remuneration under the Beneficiary Inducements CMP if 
they are of nominal value. See for example 65 FR 24411 (Apr. 26, 
2000), available at https://oig.hhs.gov/authorities/docs/cmpfinal.pdf, and Special Advisory Bulletin: Offering Gifts and 
Other Inducements to Beneficiaries, August 2002, available at http://oig.hhs.gov/fraud/docs/alertsandbulletins/SABGiftsandInducements.pdf (Special Advisory Bulletin); Office of 
Inspector General Policy Statement Regarding Gifts of Nominal Value 
to Medicare and Medicaid Beneficiaries (Dec. 7, 2016), available at 
https://oig.hhs.gov/fraud/docs/alertsandbulletins/OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf.
---------------------------------------------------------------------------

    In response to the commenter who asserted that restricting 
advertising requires providers to determine which patients may benefit 
from available resources, rather than empowering patients to self-
identify whether they may benefit from a given tool or support, we note 
that this condition is intended to preserve patient choice and protect 
vulnerable patients from the undue influence of coercive marketing. We 
also remind readers that any protected tool or support must satisfy the 
other conditions of the safe harbor as well, including that the patient 
engagement tool or support is recommended by the patient's licensed 
health care professional and advances one or more of the goals 
enumerated in the safe harbor. The protections in the safe harbor are 
designed to emphasize the patient's relationship with their provider in 
developing plans for treatment and care and the appropriate provision 
of tools and supports.

[[Page 77799]]

Consequently, the final safe harbor preserves patient choice and 
empowerment by relying on close communication and collaboration between 
patient and provider.
    A prohibition on marketing and patient recruitment serves as an 
important protection against inappropriate patient steering and 
overutilization of federally reimbursable items and services. Our 
enforcement experience demonstrates that using tools and supports to 
recruit patients or to otherwise market reimbursable items and services 
presents a risk of harms associated with fraud and abuse (e.g., 
overutilization, provision of unnecessary services to patients, and 
theft of patient's medical identity information).
    We highlight that this prohibition extends to eligible agents of 
the VBE participant. More specifically, to qualify for safe harbor 
protection, neither the VBE participant nor any eligible agent may 
exchange or use the patient engagement tools or supports to market 
other reimbursable items or services or for patient recruitment 
purposes. Under paragraph 1001.952(hh)(2), the patient engagement tool 
or support may be furnished directly to the patient (or the patient's 
caregiver, family member, or other individual acting on the patient's 
behalf) by a VBE participant that is a party to the value-based 
arrangement or its eligible agent. The modification of the marketing 
and patient recruitment prohibition in paragraph 1001.952(hh)(6) 
reflects the changes to paragraph 1001.952(hh)(2) related to eligible 
agents. The marketing and patient recruitment prohibition applies 
equally to the VBE participant and to the eligible agent that may be 
furnishing the tool or support as an agent of the VBE participant. For 
example, this final rule precludes safe harbor protection for tools and 
supports used by a patient recruiter to induce or recruit beneficiaries 
to receive items or services reimbursed by a Federal health care 
program.
    Comment: A commenter warned that an overly broad limit on 
advertising could be a barrier to providers giving basic information to 
patients. The commenter noted that OIG recognized this risk by limiting 
the scope of its advertising prohibition in the local transportation 
safe harbor, which explicitly allows posting shuttle route and schedule 
details.
    Response: First, we remind readers that arrangements need not have 
safe harbor protection to be lawful, and we observe that many health 
care entities lawfully provide basic information to patients (which may 
not even implicate the Federal anti-kickback statute) and even market 
services without the benefit of a safe harbor. Second, we believe the 
final prohibition on marketing and patient recruitment is not overly 
broad. It prohibits using patient engagement tools and supports to 
market other reimbursable items and services or for patient 
recruitment. It does not limit providers giving basic information 
directly to their patients; indeed, as explained above, many types of 
basic information would not even implicate the Federal anti-kickback 
statute (e.g., appointment reminders and mailings explaining the best 
hygiene practices to prevent influenza).
    As the commenter states, the local transportation safe harbor 
provides protection for a shuttle service that is not marketed or 
advertised (other than posting necessary route and schedule details). 
We do not believe a specific exception, similar to the route and 
schedule details exception included in the shuttle services provision 
of the local transportation safe harbor, is needed in the patient 
engagement and support safe harbor, nor would such an exception be 
feasible to address the wide range of tools and supports potentially 
protected by this safe harbor. The final safe harbor's condition 
related to marketing and patient recruitment does not prohibit a VBE 
participant from providing basic information relating to available 
patient engagement tools and supports to patients.
    For example, a hospital that also runs a food pantry could post the 
hours of operation of a food pantry. In contrast, should the hospital 
conduct a general advertisement to the public indicating, for example, 
that it has a free food program available to patients with diabetes 
(the target patient population) who come to the hospital to receive 
services, providing the support in the form of the free food program 
would fail to satisfy this condition and would not be protected by this 
safe harbor.
    We emphasize that the provision of tools and supports to Federal 
health care program beneficiaries by certain entities (which could be 
VBE participants consistent with revisions made by this final rule)--
such as a social services agency that does not bill Federal health care 
programs--would not implicate the Federal anti-kickback statute and, 
consequently, would not require safe harbor protection.\75\ Therefore, 
such entities would not be subject to this marketing and patient 
recruitment condition.
---------------------------------------------------------------------------

    \75\ We recognize the possibility that a hospital or other 
entity that bills Federal health care programs could provide funding 
to an entity that does not bill Federal health care programs in 
order to support the provision of tools and supports to Federal 
health care program beneficiaries. Such funding could constitute an 
indirect financial relationship between the funding source and the 
beneficiary that could implicate the Federal anti-kickback statute 
and, if so, that relationship would need to be assessed separately.
---------------------------------------------------------------------------

    Comment: A commenter urged OIG to ensure that the safe harbor 
allows sufficient flexibility to inform patients of the types of 
interventions designed to address social determinants of health that 
the VBE participant offers to support patients in achieving improved 
health outcomes and to furnish the best possible patient care. The 
commenter highlighted that in the context of tools and supports 
designed to address unmet social needs, patients may be reticent to 
self-identify absent appropriate outreach and advertising due to 
potential social stigmas associated with such needs. A commenter stated 
that a safe harbor condition prohibiting advertising could: (i) Reduce 
the ability of patients and providers to make fully informed decisions; 
(ii) lower the number of patients who have access to beneficial tools 
and supports; and (iii) hinder the ability to achieve the entity's 
value-based goals.
    Response: The safe harbor condition prohibiting use of the patient 
engagement tools and supports to market other reimbursable items and 
services or for patient recruitment is not intended to constrain a 
licensed health care professional from informing patients of the types 
of available tools and supports. The safe harbor also would not 
prohibit other types of VBE participants from providing educational 
information about available tools and supports to patients in the 
target population.
    Comment: A commenter asserted that a facility should be able to 
advertise the patient engagement tools and supports it offers, and if a 
patient elects a certain facility on that basis, then the patient has 
demonstrated active engagement in their care options.
    Response: We recognize the importance of activated and engaged 
patients and consumer choice. As previously stated, potential donors 
may provide educational information and inform patients about the 
availability of engagement tools and supports. This condition prohibits 
only using tools and supports to market other reimbursable items and 
services or for patient recruitment. This final condition is designed 
to prevent VBE participants from influencing patients' decision-making 
regarding billable health care items and services based on the offer of 
free tools and supports. We are

[[Page 77800]]

concerned that patients might be coerced into selecting items and 
services that are not in their medical best interests. We emphasize, 
however, that nothing in this final rulemaking constrains patient 
decision-making; notably, patients are free to select (or decline to 
select) providers based on their participation in a VBE, on the care 
coordination and management services they furnish, or on the tools and 
supports they offer.
    Comment: A commenter noted that a prohibition on advertising could 
disproportionately impact skilled nursing facilities and assisted 
living facilities whose patients are more likely to rely upon 
traditional advertising methods to understand their treatment options 
and alternatives.
    Response: This condition restricts VBE participants who wish to use 
the safe harbor from using the tools and supports to market other 
reimbursable items or services (e.g., an advertisement that offers to 
provide a free smartphone after a patient receives a service) or using 
such tools for patient recruitment. It does not prohibit a VBE 
participant, which could be a skilled nursing facility or assisted 
living facility, from otherwise advertising or marketing the patient 
care items and services they offer.
h. Direct Connection
    Summary of OIG Proposed Rule: At proposed paragraph (hh)(3)(ii), we 
proposed that the tool or support furnished to the patient must have a 
``direct connection'' to the coordination and management of care of the 
target patient population. We proposed to interpret ``direct 
connection'' to mean that the VBE participant has a good faith 
expectation that the tool or support will further the coordination and 
management of care for the patient. We solicited comments on whether to 
require a ``reasonable connection'' instead of a ``direct connection.'' 
We also solicited comments on an alternative proposal that would have 
required the VBE participant to make a bona fide determination that an 
arrangement to provide tools and supports is directly connected to the 
coordination and management of care for the patient. We solicited 
comments on whether the ``direct connection'' should be to any of the 
four value-based purposes described at proposed paragraph 
1001.952(ee)(12)(vii) instead of requiring a direct connection to the 
coordination and management of care for the patient.
    Summary of Final Rule: We are finalizing the condition, without 
modification, at paragraph 1001.952(hh)(3)(ii). Specifically, any 
protected tool or support must have a ``direct connection'' to the 
coordination and management of care of the target patient population. 
We are not finalizing any of the alternative proposals considered in 
the OIG Proposed Rule.
    Comment: A number of commenters supported our proposal to require 
that any protected tool or support furnished to a patient have a direct 
connection to the coordination and management of care.
    Response: We are finalizing this condition as proposed. As we 
explained in the OIG Proposed Rule, we do not believe it should be 
difficult for a VBE participant providing the patient engagement tool 
or support to clearly articulate the nexus between the tool or support 
and the coordination and management of care.
    Comment: We received several comments recommending that we require 
only a ``reasonable connection'' to coordination and management of 
care, rather than a ``direct connection.'' Many commenters expressed a 
preference for the ``reasonable connection'' standard because it gives 
entities greater flexibility in the provision of patient engagement 
tools and supports and is better aligned with the standard that a VBE 
participant must have a good faith expectation that the tool or support 
will promote the VBE's objectives. A commenter opposed the ``reasonable 
connection'' alternative because it would weaken the partnership 
between providers that are collaborating to coordinate and manage a 
patient's care.
    Response: We decline to modify the condition to require only a 
``reasonable connection.'' The safe harbor protects the provision of 
potentially valuable in-kind remuneration furnished to patients. It is 
appropriate for the offerors of potentially valuable remuneration to 
carefully evaluate the nexus between the tool or support and the 
coordination and management of patient care. In the final rule, we 
opted for the ``direct connection'' standard, which will ensure that 
the remuneration is closely linked to the goals of the Regulatory 
Sprint, including promoting care coordination and value-based care. In 
particular, the final safe harbor is designed to protect tools and 
supports that are designed to result in higher value and better 
coordinated care. The ``direct connection'' standard will help ensure 
that protected remuneration specifically and intentionally advances the 
goals of the Regulatory Sprint over other possible objectives.
    Comment: One commenter supported a condition requiring the VBE to 
make a bona fide determination that tools or supports have a direct 
connection to the coordination and management of care for a patient. 
However, numerous other commenters urged OIG not to adopt such a 
requirement, warning that it would be unduly burdensome and create 
administrative hurdles that would unnecessarily duplicate the 
determination made by a VBE in establishing value-based activities of 
the VBE and the role of the VBE participants in carrying out those 
activities.
    Response: To avoid introducing unnecessary administrative burdens, 
and because we believe the other safeguards sufficiently mitigate the 
risk of patient harm and program integrity concerns, we are not 
finalizing a requirement--considered in the preamble to the OIG 
Proposed Rule--that the VBE make a bona fide determination that the 
tool or support has a direct connection to the coordination and 
management of care. We note, however, that while safe harbors are 
voluntary, parties that seek protection for tools and supports under 
this safe harbor must strictly satisfy each of the safe harbor's 
conditions, including the requirement that the tool or support has a 
direct connection to the coordination and management of care. The VBE 
and VBE participants may establish satisfaction of this condition in a 
variety of ways without such a bona fide determination; of course, 
making such a bona fide determination could support satisfaction of 
this safe harbor condition.
    Comment: Several commenters suggested that OIG broaden the safe 
harbor to protect tools and supports that are directly connected to any 
of the four value-based purposes articulated in proposed paragraph 
1001.952(ee)(12)(vii), rather than requiring a direct connection to a 
single value-based purpose, that is, coordination and management of 
patient care. Commenters suggested that this would provide greater 
flexibility for entities to offer tools and supports connected to the 
other three value-based purposes.
    Response: We appreciate the commenters' input. However, we 
respectfully decline to adopt the commenters' suggestion. We believe 
the safe harbor is appropriately limited to the protection of tools and 
supports that are directly connected to the coordination and management 
of care, which empowers patients to fully participate in the care 
coordination activities that are the spirit of the

[[Page 77801]]

Regulatory Sprint. The other three value-based purposes described in 
paragraph 1001.952(ee)--improving the quality of care; appropriately 
reducing the costs to, or growth in expenditures of, payors without 
reducing the quality of care; and transitioning the health care 
delivery and payment systems to value-based care--are purposes that the 
applicable VBE participants, not patients, are in the best position to 
deliver.
    In contrast, the coordination and management of care more directly 
relates to the patient engagement goals of this safe harbor. At 
paragraph 1001.952(ee)(14)(i)), this final rule defines ``coordination 
and management of care'' to mean the deliberate organization of patient 
care activities and sharing of information between two or more VBE 
participants, one or more VBE participants and the VBE, or one or more 
VBE participants and patients, that is designed to achieve safer, more 
effective, or more efficient care to improve the health outcomes of the 
target patient population. This definition provides sufficient 
flexibility in designing arrangements for patient engagement that would 
be protected by this safe harbor because a broad range of tools and 
supports could be tailored to improving health outcomes and achieving 
safer and more effective care, while advancing one of the five 
enumerated goals at paragraph 1001.952(hh)(3)(vi). For instance, a 
program to provide grab bars or handrails to patients recovering from 
knee surgery to prevent falls at home could be properly tailored to 
improving health outcomes for these patients and designed to achieve 
safer, more effective care for this population.
    Comment: A commenter sought clarification regarding when an item 
has a direct connection to coordination and management of care, 
specifically requesting a list of scenarios that would qualify. Another 
commenter suggested that we not finalize a description of specific 
tools or supports that would be considered to have a direct connection 
to the coordination and management of care because doing so could 
frustrate the goals of fostering flexibility, adaptability, and 
innovation.
    Response: We agree with the commenter who suggested that we not 
finalize a description of specific tools or supports that would be 
considered to have a direct connection to the coordination and 
management of care. Consequently, we decline to provide a list of 
scenarios linking which tools and supports would qualify as having a 
direct connection to the coordination and management of a patient's 
care. In taking this approach, we hope to foster innovation and allow 
VBEs and VBE participants flexibility in appropriately identifying the 
nexus between the tool or support and the coordination and management 
of care. Revisiting our example of providing grab bars to patients 
recovering from knee surgery, the tool or support in that example has a 
direct connection to the coordination and management of care because it 
is intended to prevent falls and therefore provides safer and more 
effective care for the target patient population (knee surgery 
patients).
i. Medical Necessity
    Summary of OIG Proposed Rule: In the OIG Proposed Rule's paragraph 
1001.952(hh)(3)(v), we proposed that the tool or support must not 
result in medically unnecessary or inappropriate items or services 
reimbursed in whole or in part by a Federal health care program.
    Summary of Final Rule: We are finalizing, without modification, 
this condition and relocating it to paragraph 1001.952(hh)(3)(iv).
    Comment: A hospital association supported our proposal to protect 
only tools and supports that do not result in medically unnecessary or 
inappropriate items or services reimbursed by Federal health care 
programs.
    Response: We are finalizing this safeguard as proposed at paragraph 
1001.952(hh)(3)(iv).
    Comment: A commenter stated that any incentives protected by the 
final safe harbor should not be limited to incentives furnished to 
patients for attendance at medically necessary primary care or other 
clinically appropriate medical appointments, but also expanded to 
incentives for participating in community-based services that could 
impact clinical outcomes through addressing patients' social 
determinants of health.
    Response: This safe harbor protects tools and supports that advance 
one or more enumerated goals set out at paragraph 1001.952(hh)(3)(vi), 
which include goals related to adherence to treatment regimens and 
followup care plans, and prevention and management of diseases and 
conditions. For a specific discussion of our treatment of tools and 
supports that address social determinants of health, please see the 
discussion at III.B.6.f.iv. of this preamble. To qualify for protection 
under the safe harbor, any incentives for participation in community-
based services also would need to meet all other safe harbor 
conditions, including the condition that the remuneration cannot result 
in medically unnecessary or inappropriate items or services reimbursed 
in whole or in part by a Federal health care program. We also note that 
such community-based services would need to be recommended by the 
patient's licensed health care professional (per the condition at 
paragraph 1001.952(hh)(3)(v)) and have a direct connection to the 
coordination and management of care of the target population (per the 
condition at paragraph 1001.952(hh)(3)(ii)).
j. Licensed Health Care Professional Recommendation
    Summary of OIG Proposed Rule: We proposed a safe harbor condition 
at proposed paragraph 1001.952(hh)(3)(vi) that would provide safe 
harbor protection only for tools or supports recommended by the 
patient's licensed health care provider. Relatedly, we sought comments 
on whether to require a written certification, under 18 U.S.C. 1001 and 
1519, from a patient's licensed health care provider certifying that 
the particular tool or support is recommended solely to treat a 
documented chronic condition of a patient in a target patient 
population.
    Summary of Final Rule: We are finalizing, with modification, this 
condition at paragraph 1001.952(hh)(3)(v). Based on public comment, we 
are revising the language to clarify that the tool or support must be 
recommended by the patient's licensed health care ``professional'' 
rather than ``provider.'' The term ``provider'' is often used to mean a 
hospital or other entity that furnishes institutional health care 
services. We believe ``professional'' is a clearer description of our 
intent in the OIG Proposed Rule that this requirement emphasizes the 
importance of a health care professional's medical judgment, as well as 
the patient's relationship with a health care professional. We have 
made conforming changes in each enumerated goal in paragraph 
1001.952(hh)(3)(vi) that referenced a licensed health care provider. We 
are not finalizing the written certification requirement.
    Comment: A trade association representing physicians supported the 
proposal to require that a tool or support must be recommended by the 
patient's licensed health care provider. Another commenter stated that 
this requirement is a key fraud and abuse protection to ensure that the 
safe harbor is not used for improper purposes such as marketing or 
patient recruitment, or to steer patients to particular treatments. A 
commenter also noted that this requirement helps ensure the centrality 
of the patient-provider relationship.

[[Page 77802]]

    Another commenter expressed concern that a safe harbor condition 
requiring a licensed health care provider's recommendation would lead 
to underutilization of valuable tools and supports to treat social 
comorbidities. The commenter stated that many tools and supports that 
address social comorbidities do not stem from a single condition in 
isolation and, therefore, may not be evident to a treating clinician. 
Another commenter warned that this requirement could deter use of the 
new safe harbor because physicians do not typically recommend the types 
of tools and supports that would be most beneficial to patients. More 
often, according to the commenter, social workers, case workers, or 
others who may not be licensed clinicians would be in a better position 
to recommend such patient tools, including those that would address 
social determinants of health.
    A commenter also urged OIG to include a requirement that clinicians 
offering any patient engagement tools and supports instruct patients on 
how to use them appropriately.
    Response: We agree with commenters who support the condition 
because it protects against harms resulting from fraud and abuse and 
supports the centrality of the patient-provider relationship. As we 
explained in the preamble to the OIG Proposed Rule, this condition is 
designed to ensure that the remuneration is specifically focused on 
patient care and to underscore the importance of quality of care, the 
health care provider's medical judgment, and the patient's relationship 
with their provider in developing plans for treatment and care. The 
condition also ensures that the professional recommending the tool or 
support has undergone some degree of review and is subject to some 
level of oversight by a licensing body.
    In response to the assertion that this condition would lead to 
underutilization of valuable services to treat social comorbidities, we 
believe the patient's licensed health care professional is in the best 
position to determine whether the tool or support is directly connected 
to the coordination and management of the patient's care, advances an 
enumerated goal at paragraph 1001.952(hh)(3)(vi), and will not result 
in medically unnecessary or inappropriate reimbursable items and 
services, as required by the safe harbor. The licensed health care 
professional recommending the tool or support can be any type of 
licensed health care professional, which should be sufficiently broad 
to ensure this safe harbor protects beneficial patient engagement tools 
and supports, including those cited by commenters in various 
submissions. We recognize that social workers, case workers, and others 
who may not be licensed clinicians play an important role in patient 
care and are often well-positioned to recommend patient tools, 
including those that would address social determinants of health. 
However, for purposes of this safe harbor, we are requiring a 
recommendation by a licensed health care professional for the reasons 
noted above.
    We did not propose a definition of ``licensed health care 
provider'' or ``licensed health care professional.'' We intended to 
require the recommendation of a licensed health care professional, who 
would be a person chosen by the patient. The term ``licensed health 
care professional'' could include, for example, the following health 
care professionals, assuming they are appropriately licensed by an 
appropriate State licensing body for each respective profession: 
Physicians (including doctors of medicine, osteopathy, dental surgery, 
dental medicine, podiatric medicine, and optometry); osteopathic 
practitioners; chiropractors; physician assistants; nurse 
practitioners; clinical nurse specialists; certified registered nurse 
anesthetists; physical therapists; occupational therapists; clinical 
psychologists; qualified speech-language pathologists; qualified 
audiologists; and registered dietitians or nutrition professionals.\76\
---------------------------------------------------------------------------

    \76\ This illustrative list of health care professionals 
includes professionals eligible as of 2020 to participate in the 
Merit-based Incentive Payment System (MIPS), available at https://qpp.cms.gov/mips/how-eligibility-is-determined.
---------------------------------------------------------------------------

    Comment: A commenter warned that requiring a licensed provider's 
recommendation could incentivize a provider to recommend a tool or 
support for which the provider can subsequently receive remuneration.
    Response: To the extent the tool or support is a billable item or 
service, we would expect the provider to bill appropriately. The tool 
or support would not require safe harbor protection because it would be 
furnished by the provider as a covered service. If the provider were to 
waive any beneficiary cost-sharing, such cost-sharing waiver would not 
be protected by this safe harbor.
    Comment: We solicited comments on whether to require a written 
certification, under 18 U.S.C. 1001 and 1519, from a patient's licensed 
health care provider certifying that the particular tool or support is 
recommended solely to treat a documented chronic condition of a patient 
in a target patient population. A commenter opined that requiring a 
licensed health care provider to document in writing their 
recommendation of the tool or support along with the justification, and 
requiring the offeror to maintain this documentation, is a reasonable 
safeguard. The commenter surmised that such documentation need not be 
in the form of a prescription or physician referral but could take the 
form of a recommendation that is documented in the care plan or 
approved by the care team. A commenter supportive of the certification 
requirement recommended that it be enforced through administrative or 
civil penalties, rather than potential criminal liability under 18 
U.S.C. 1001 and 1519. Other commenters warned that imposing a 
certification requirement would be overly burdensome and could have a 
chilling effect on provider recommendations, even where the benefits of 
the tool or support are clear.
    A commenter warned that requiring physicians to certify that a tool 
or support is used to treat a documented chronic condition could lead 
to a fragmented approach that looks at each condition in isolation, 
rather than offering coordinated support for all of a patient's health 
care needs.
    Response: We are not finalizing a requirement that the patient's 
licensed health care professional certify that the tool or support is 
recommended solely to treat a documented chronic condition. The final 
safe harbor includes a number of other conditions designed in 
combination to safeguard against the risk of harms resulting from fraud 
and abuse including, among other conditions in the safe harbor, that 
the patient engagement tool or support must have a direct connection to 
the coordination and management of care, be recommended by the 
patient's licensed health care professional, and advance one or more 
enumerated goals.
    Comment: Commenters also noted that the proposed certification 
requirement, especially with criminal penalties attached, would create 
a significant barrier to providing patient engagement tools and 
supports under this safe harbor. In addition, commenters cited concerns 
that a focus on documented chronic conditions would inappropriately 
narrow the protections afforded by this safe harbor.
    Response: As stated above, we are not finalizing a requirement that 
the patient's licensed health care professional certify that the tool 
or support is recommended solely to treat a documented chronic 
condition. We

[[Page 77803]]

believe the other safeguards are sufficient to allow innovative tools 
and supports for a wide array of enumerated goals while safeguarding 
against the harms resulting from fraud and abuse.
k. Advances Specified Goals
    Summary of OIG Proposed Rule: Under the proposed condition at 
paragraph 1001.952(hh)(3)(vii), the tools and supports must advance one 
or more of the following enumerated goals: (i) Adherence to a treatment 
regimen as determined by the patient's licensed health care provider; 
(ii) adherence to a drug regimen determined by the patient's licensed 
health care provider; (iii) adherence to a followup care plan 
established by the patient's licensed health care provider; (iv) 
management of a disease or condition as directed by the patient's 
licensed health care provider; (v) improvement in measurable evidence-
based health outcomes for the patient or the target patient population; 
or (vi) ensuring patient safety.
    Summary of Final Rule: We are finalizing, with modifications, the 
requirement at paragraph 1001.952(hh)(3)(vi). Specifically, we are not 
finalizing the proposed goal relating to improvement in measurable 
evidence-based health outcomes for the patient or for the target 
patient population because it is largely captured by the other goals. 
The final rule revises the goal of ``management of a disease or 
condition'' to read ``prevention or management of a disease or 
condition'' to incorporate the element of prevention that was included 
at proposed paragraph 1001.952(hh)(3)(i). We are replacing references 
in this section to ``licensed health care providers'' with ``licensed 
health care professionals'' consistent with the preamble discussion in 
the previous section regarding this terminology.
    Comment: Several commenters supported protection for these 
enumerated goals and appreciated that we did not specify which tools 
and supports would advance the specific goals to allow flexibility for 
VBE participants and promote innovation in patient engagement 
mechanisms, tools, and supports, particularly with respect to rapidly 
evolving technologies. A commenter requested that OIG add protection 
for adherence to a ``prevention regimen'' and prevention of a disease 
to the safe harbor's list of specified goals. Another commenter noted 
that the enumerated goals proposed could limit the offering of 
innovative tools and supports designed to address social determinants 
of health because such tools and supports may not directly link to the 
goals set forth in the OIG Proposed Rule.
    Response: We are finalizing these goals as proposed, with the 
omission of the proposed goal relating to evidence-based health 
outcomes and modifications to include prevention of a disease or 
condition and to use the term licensed health care professionals. To 
avoid inadvertently limiting which tools and supports advance specified 
goals and provide VBE participants flexibility and the opportunity to 
innovate, we are not providing an exhaustive list of tools and 
supports. Indeed, one particular patient engagement tool may satisfy a 
number of these enumerated goals. For instance, a device or program 
that reminds a patient to take a medication or attend a scheduled 
office visit might advance the goals related to adherence to a 
treatment regimen, drug regimen, or follow-up care plan, or advance 
goals related to prevention or management of a disease or ensuring 
patient safety depending, in part, on the functionality and purposes of 
the device or program. In response to a commenter's suggestion, we 
revised the goal at paragraph 1001.952(hh)(3)(vi)(D) to read ``the 
prevention or management of a disease or condition'' so that this safe 
harbor is available to protect preventive items, goods, or services 
that meet the other safe harbor conditions. Adding a specific goal 
relating to preventive items and services also effectuates a change 
discussed above, in section III.B.6.e.i, in which we removed the 
reference to preventive items, goods, or services that had appeared in 
proposed paragraph 1001.952(hh)(3)(i). Furthermore, we note that this 
change is consistent with section 1128A(i)(6)(D) of the Act, which 
excepts certain remuneration given to individuals to promote the 
delivery of preventive care from the definition of ``remuneration'' for 
purposes of the Beneficiary Inducements CMP, as further interpreted in 
the regulatory exception at paragraph 1003.101.
l. Prohibition on Cost-Shifting
    Summary of OIG Proposed Rule: We sought comments on whether the 
final rule should include a safe harbor condition that would prohibit 
VBE participants that furnish patient engagement tools and supports 
from: (i) Billing Federal health care programs, other payors, or 
individuals for those tools or supports; (ii) claiming the value of a 
tool or support as a bad debt for payment purposes under a Federal 
health care program; or (iii) otherwise shifting the burden of the 
value of a tool or support on a Federal health care program, other 
payors, or individuals.
    Summary of Final Rule: We are not finalizing this proposed 
condition.
    Comment: Several commenters supported this proposed condition. A 
commenter agreed that entities offering tools and supports should not 
receive payment for the value of those items or services, but the 
commenter asserted that an explicit safe harbor condition prohibiting 
receiving payment for tools and supports is unnecessary.
    Other commenters suggested different variations on this 
prohibition, urging that any safe harbor condition related to billing 
for tools and supports should permit entities to bill commercial payors 
for tools and supports when, for example, a provider has negotiated 
reimbursement terms that permit certain costs to be passed on to third-
party payors. Another commenter urged that OIG prohibit all direct 
billing of any costs related to protected tools and supports to 
patients but otherwise allow direct billing for tools and supports to 
nonpatient third parties. One commenter opposed this cost-shifting 
prohibition altogether, arguing that because tools and supports could 
result in overall cost savings to payors, those items and services 
should be reimbursable.
    Response: We are not finalizing this condition. In light of the 
combination of safeguards in the final rule, we do not believe the 
addition of a cost-shifting prohibition would add appreciable 
additional protection for programs or patients. We acknowledge that VBE 
participants may have a variety of arrangements with payors, including 
reimbursement terms that permit certain costs to be passed on to third-
party payors, and we do not want to foreclose safe harbor protection 
for such VBE participants. With respect to direct billing of payors or 
individuals for tools and supports, if the tool or support is a covered 
item or service under a Federal health care program and a VBE 
participant appropriately obtains full payment for such tools or 
supports in accordance with applicable coverage and billing rules, then 
the VBE participant has not transferred any remuneration to a 
beneficiary, and the arrangement would not implicate the Federal anti-
kickback statute. In other words, if a provider or supplier furnishes 
items or services that are covered items or services under a Federal 
health care program, the provision of those items or services alone 
would not implicate the Federal anti-kickback statute.
    However, we would note there could be circumstances under which a 
VBE participant, when furnishing a covered item or service, does give a 
Federal

[[Page 77804]]

health care program beneficiary something of value, thereby implicating 
the Federal anti-kickback statute. For example, the Federal anti-
kickback statute would be implicated by a provider waiving or reducing 
any required cost-sharing obligations for the covered item or service 
incurred by a Federal health care program beneficiary or providing 
extra items and services--those that are not part of the covered item 
or service--for free. Furthermore, nothing in this rule exempts parties 
from responsibility for compliance with all applicable coverage and 
billing rules. In addition, nothing in this safe harbor transforms an 
item or service--which is not otherwise billable or allowable under the 
relevant cost-reporting rules--into a billable or allowable item or 
service.
    Comment: Several commenters warned that the proposed prohibition on 
billing Federal health care programs would render Indian health care 
providers ineligible for protection under this new safe harbor because 
they are federally funded.
    Response: As noted, we are not finalizing this condition.
m. No Selection Based on Payor
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated 
that we were considering and solicited comments on whether to include a 
``consistent provision'' condition, which would require VBE 
participants to provide the same patient engagement tools or supports 
to an entire target patient population or otherwise consistently offer 
tools or supports to all patients who satisfy specified, uniform 
criteria.\77\ We noted that such condition would protect against a VBE 
participant targeting certain patients to receive tools and supports 
based on, for example, the patient's insurance or health status, 
resulting in targeting of particularly lucrative patients to receive 
tools and supports (cherry-picking) while avoiding high-cost patients 
(lemon-dropping). We solicited comments regarding: (i) Whether such a 
provision would limit certain VBE participants' ability to offer tools 
and supports due to financial constraints; and (ii) why offering tools 
and supports to a smaller subset of a target patient population would 
be appropriate and not elevate fraud and abuse risks, including cherry-
picking and lemon-dropping.
---------------------------------------------------------------------------

    \77\ 84 FR 55729 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing a condition at paragraph 
1001.952(hh)(8) that the availability of patient engagement tools and 
supports cannot be determined in a manner that takes into account the 
type of insurance coverage of the patient.
    Comment: A number of commenters expressed concern that a consistent 
provision requirement could result in requiring VBE participants to 
provide tools and supports to an overly broad population, including 
patients for whom such tools or supports are not clinically appropriate 
or who do not want the tools or supports. Some commenters posited that 
VBE participants need flexibility to tailor the types of tools or 
supports to the particular patient and recommended that we protect 
remuneration directed at particular subsets or subpopulations of target 
patient populations of a VBE, such as higher-risk or higher-cost 
patients, or only those patients within the target patient population 
who achieve a certain goal. Other commenters suggested that because not 
all patients within the target patient population may benefit from any 
tool or support, offerors should be permitted to establish in advance 
specified criteria by which to evaluate patients for the 
appropriateness of any tool or support. For instance, a commenter 
suggested that it would be appropriate to limit the provision of 
particular tools and supports to subpopulations (e.g., it would be 
appropriate to exclude patients residing in an assisted living facility 
who receive significant support with their activities of daily living 
when furnishing a support such as installing grab bars in patients' 
homes to prevent falls). A commenter also noted that some patients may 
refuse tools and supports, which could undermine compliance with a 
consistent provision requirement.
    Response: We acknowledge commenters' concerns regarding the 
practical challenges of including a consistent provision requirement 
for safe harbor protection. We have instead adopted a condition that 
the availability of patient engagement tools and supports cannot be 
determined in a manner that takes into account the type of insurance 
coverage of the patient, which largely addresses the concerns that 
caused us to consider a consistent provision requirement, with fewer 
practical challenges. Under this condition, VBE participants offering 
protected tools or supports must do so without regard to the patient's 
payor type, but nothing in this safe harbor would require a VBE 
participant to offer tools or supports when they cannot be used or 
accepted, nor would it require patients to accept unwanted tools or 
supports in order for the safe harbor to apply. As a practical matter, 
this condition also would prevent a VBE--assuming at least one VBE 
participant intends to provide protected tools and supports to 
patients--from defining its target patient population in a manner that 
takes into account patients' payor type.
    This requirement addresses the concern we expressed in the OIG 
Proposed Rule related to the possibility of discriminatory provision of 
tools and supports based on a patient's payor type, but without some of 
the complications highlighted by commenters, including concerns 
regarding cost. It is possible that a particular tool or support if 
offered on a neutral basis unrelated to payor type could result in the 
provision of tools and supports primarily to Federal health care 
program beneficiaries. Such remuneration would still be protected under 
the safe harbor as long as the decision to offer tools and supports was 
based on a patient's individual need rather than the patient's payor 
type, and assuming the remuneration otherwise meets the requirements of 
the safe harbor. More specifically, offering or furnishing tools and 
supports to patients based on clinical characteristics, such as 
presence of a specified chronic condition, or geographical 
considerations, such as a common ZIP Code, would not be precluded even 
if the patient population receiving the tools and supports 
disproportionally has the same insurance. By way of further 
illustration, in the case of a geriatric practice providing tools and 
supports to patients above a certain age or with a particular illness, 
it is possible that all or virtually all patients would be Medicare 
beneficiaries. However, so long as patients receiving the tools and 
supports are not selected based on their Medicare insurance status, the 
requirement would not be violated. Stated another way, for purposes of 
this safe harbor, we would not view a VBE participant offering or 
furnishing tools and supports to a population disproportionately 
comprised of Medicare beneficiaries to run afoul of this condition 
provided that the decision to offer tools or supports is not based upon 
the patient's Medicare insurance status. As another further example, a 
VBE could define its target patient population--and therefore limit the 
scope of potential recipients of tools and supports--based on 
individual or family income, which might overlap substantially with 
Medicaid or dual-eligible populations but would not be strictly 
determined based on an individual's enrollment in Medicaid or as dually 
eligible for both Medicare and Medicaid.

[[Page 77805]]

    This condition ensures that a potential donor uses actual needs or 
related characteristics outside of payor status to determine the 
appropriate target patient population rather than the potential value 
of future Federally reimbursable items and services provided to such 
population. In addition, nothing in this condition would prevent a VBE 
participant from offering protected tools and supports only to a 
population of uninsured individuals, which we would not consider to be 
a determination based on the type of insurance coverage (indeed, as a 
preliminary matter, such remuneration would be unlikely to implicate 
the Federal anti-kickback statute or Beneficiary Inducements CMP).
    Comment: A commenter posited that requiring consistent provision 
across the entire target patient population undercuts the requirement 
that the tool or support be recommended by the patient's licensed 
health care practitioner, which includes clinical judgment of the 
clinician and avoids unnecessary waste and other fraud and abuse 
concerns. The commenter also noted that VBEs would be forced to create 
many iterations of the target patient population with minute 
differences to avoid these concerns, which it described as unfeasible.
    Response: We believe the final safe harbor does not raise the risks 
identified by the commenter because the condition in its final form 
does not require consistent provision of tools or supports to every 
patient in an entire target patient population specified by the VBE 
participant. The final safe harbor also would not require VBE 
participants to establish different target patient populations merely 
to satisfy a consistent provision requirement. The commenter is correct 
that the condition requiring a licensed health care professional's 
recommendation is designed to preclude from safe harbor protection 
tools and supports provided to patients who do not need them to advance 
one of the enumerated goals of this safe harbor.
    Comment: Several commenters suggested that providers should have 
the ability to test the effectiveness of the tool or support before 
committing to widespread provision, noting that VBE participants are in 
the best position to make determinations regarding how to allocate 
limited resources, including whether to offer tools and supports to 
patients. Other commenters highlighted that small practices may be 
unable to offer any tools or supports due to financial constraints if 
they were required to provide them consistently across a population.
    Response: We appreciate these comments regarding potential 
challenges associated with requiring consistent provision of tools and 
supports across a target patient population. The condition limiting 
selection based on payor, as finalized, largely accomplishes the goals 
of a consistent provision requirement without triggering the types of 
limitations highlighted by these and other commenters. In addition, we 
agree that VBE participants in collaboration with any applicable VBE 
are in the best position to make a determination regarding whether to 
offer and provide a tool or support to patients and emphasize that this 
determination remains solely at the discretion of a VBE participant (in 
collaboration with the VBE(s) in which the VBE participant 
participates).
    We are confident the final safe harbor affords VBE participants 
sufficient flexibility to furnish protected tools and supports and 
assess their effectiveness, as long as all conditions of the safe 
harbor are met. For example, a VBE participant may wish to initially 
establish a narrowly construed target patient population based on 
specific criteria that limits the size and scope of the patients to 
whom the VBE participant offers or provides certain tools and supports. 
After engaging with that limited target patient population, the VBE 
participant could then identify a new, broader target patient 
population to whom it offers or provides the same tools and supports. 
This type of assessment period--and subsequent expansion to a larger, 
more broadly construed target patient population--could be protected if 
all conditions of the safe harbor are met, including that the tool or 
support advances one of the safe harbor's enumerated goals. The 
requirement to advance one or more of the listed goals means, at a 
minimum, that the VBE participant reasonably expects the tool or 
support to be effective in advancing a goal.
    We reiterate that safe harbors are voluntary and that this safe 
harbor does not require any individual or entity to offer free or 
reduced-cost tools or supports to patients; it sets forth conditions 
and limitations to ensure safe harbor protection for the provision of 
such tools or supports. VBE participants are free to evaluate the costs 
and overall cost savings associated with the provision of patient 
engagement tools and supports, and to structure such arrangements in 
economically viable ways as long as such structure does not directly 
take into account a patient's payor status.
    Comment: A commenter supported a prohibition on discriminating 
based on insurance or payor type to avoid lemon-dropping or cherry-
picking.
    Response: We appreciate the comment and note that we have adopted a 
condition designed to prevent lemon-dropping or cherry-picking as it 
relates to payor type or lack of insurance. In addition, requirements 
for selecting a target patient population and for involvement of the 
patient's licensed health care professional provide additional 
protections against selecting only lucrative patients (cherry-picking) 
or selectively refusing tools and supports for expensive patients 
(lemon-dropping).
n. Monitoring Effectiveness
    Summary of OIG Proposed Rule: We solicited comments on whether to 
add a condition requiring offerors to use reasonable efforts to monitor 
the effectiveness of the tool or support in achieving the intended 
coordination and management of care for the patient. We also solicited 
comments on whether to add a safeguard that would require monitoring to 
ensure that the tool or support does not result in diminished quality 
of care or patient harm.
    Summary of Final Rule: We are not finalizing these conditions 
because they are not necessary in light of the totality of other 
conditions we are finalizing in this rule.
    Comment: Some commenters supported our proposal to require offerors 
to use reasonable efforts to monitor: (i) The effectiveness of the tool 
or support in achieving its intended purpose; and (ii) to ensure the 
tool or support does not result in diminished care or patient harm. 
Other commenters opposed this proposal, warning that it would impose an 
administrative burden that could negatively impact the ability of 
small, rural, and underserved practices to offer tools and supports. 
Another commenter noted that it can take a substantial period of time 
to realize the effects of any intervention and the measurement of these 
effects often utilize outcome measures that may be unreliable. Some 
commenters stated that it would be reasonable for the safe harbor to 
require the offeror of a particular tool or support to document and 
demonstrate outcomes associated with the tool or support, and monitor 
use, impact, and quality of such tools and supports. A commenter 
recommended that if OIG adopts a monitoring requirement, it should 
allow flexibility to entities in designing a monitoring program in 
acknowledgment

[[Page 77806]]

of the good faith monitoring efforts undertaken.
    Response: We acknowledge the concerns raised by commenters, and we 
are not finalizing a monitoring requirement in this final rule. We note 
that the safe harbor separately requires that tools and supports must 
advance one or more of the specific goals articulated at paragraph 
1001.952(hh)(3)(vi). Although the final safe harbor does not contain a 
prospective monitoring requirement, the requirement to advance one or 
more of the listed goals means, at a minimum, that the VBE participant 
reasonably expects the tool or support to be effective in advancing a 
goal.
o. Retrieval of Items and Goods
    Summary of OIG Proposed Rule: We solicited comments on whether to 
include a condition requiring the offeror to make a reasonable effort 
to retrieve the tool or support in certain circumstances, such as when 
the patient is no longer in the target patient population or the 
offeror is no longer a VBE participant. We also solicited comments on 
whether a minimum value should trigger any retrieval requirement and 
other issues related to the practicality of retrieval.
    Summary of Final Rule: We are not finalizing a retrieval 
requirement in the final safe harbor.
    Comment: Some commenters supported the proposal to require a 
reasonable effort to retrieve the tool or support if certain conditions 
are met, such as when the patient is no longer within the target 
patient population or when the tool or support is valued above a 
certain threshold (applying appropriate depreciation). Others requested 
that we clarify that any required retrieval efforts would only need to 
be reasonable and not hold offerors to unrealistic requirements to 
retrieve tools or disable software.
    One commenter suggested that in order to ensure that an offeror's 
decision to cease retrieval is not driven by an attempt to 
inappropriately influence beneficiaries, we could require that 
decisions regarding whether and how to retrieve items be reviewed and 
approved by the VBE's accountable body or person responsible for the 
financial and operational oversight of the VBE.
    Other commenters stated that a retrieval requirement would be 
administratively burdensome, impossible or wasteful for nontransferable 
consumables, counter to clinical recommendations where a patient still 
benefits from the tool or support and may prevent potential offerors 
from providing tools and supports or discourage patients from accepting 
them. Some commenters noted that the reduced value or obsolescence of 
the tool or support could render recovery unnecessary, futile, or 
disproportionate in cost to the value of the tool or support. Another 
commenter noted that retrieval could be impractical or insensitive 
following a patient's death and urged us not to finalize the 
requirement for that reason. Other commenters recommended that if we do 
finalize this requirement, we include exceptions for patient harm and 
death and consider only two written attempts at retrieval to be 
reasonable.
    One commenter noted that offerors may have limited legal right to 
tools and may be unable to retrieve them. Commenters asked us to 
clarify that if retrieval is not required, offerors still retain the 
right to recover tools and supports if they deem it reasonable and 
necessary or otherwise make a business decision to retrieve the tool or 
support.
    Response: We agree with commenters who highlighted the 
administrative burdens and other challenges associated with any 
retrieval requirement, and we are not finalizing this requirement. We 
note, however, that offerors are free to make retrieval efforts or 
require the return of tools and supports where it would not harm the 
patient, as long as the decision to retrieve or the extent to which 
retrieval policies are applied is consistent and not undertaken in a 
manner that takes into account the volume or value of referrals of 
Federal health care program business. We further note that the safe 
harbor separately requires that tools and supports must advance one or 
more of the specific goals articulated at paragraph 
1001.952(hh)(3)(vi). Although the final safe harbor does not contain a 
retrieval requirement, the requirement to advance one or more of the 
listed goals means that the VBE participants should cease providing 
tools or supports they find to be ineffective. In addition, we note 
that the structure of the safe harbor would necessitate termination of 
ongoing services (e.g., recurring monthly fees associated with a 
fitness center membership) if the individual is no longer part of the 
target patient population or the entity is no longer a VBE participant.
p. Monetary Cap
    Summary of OIG Proposed Rule: We proposed a monetary cap on the 
tools and supports protected under this safe harbor. Specifically, at 
proposed paragraph 1001.952(hh)(5), we proposed that the aggregate 
retail value of protected tools or supports furnished to a patient by a 
VBE participant may not exceed $500 per year unless the tools and 
supports are furnished to a patient based on a good faith, 
individualized determination of the patient's financial need. We 
solicited comments on whether this figure strikes the right balance 
between: (i) Flexibility for beneficial tools and supports; and (ii) a 
limit on the amount of protected remuneration to shield patients from 
being improperly influenced by valuable gifts and to protect Federal 
health care programs from overutilization or inappropriate utilization. 
We asked whether $500 was too high or too low, and whether a number of 
other safeguards or alternatives would be more appropriate.
    Summary of Final Rule: We are finalizing, with modifications, an 
annual $500 monetary cap at paragraph 1001.952(hh)(5). The final rule 
does not include an exception to the cap requirement that would permit 
exceeding the monetary cap for patients with demonstrated financial 
need. Based on public comments, we are including an inflation adjuster.
    Comment: Several commenters supported a monetary cap for many 
reasons, including that it provides a bright-line safeguard for program 
integrity purposes. Other commenters disagreed with any monetary cap 
for several reasons, such as finding it unnecessary due to the 
combination of other proposed conditions or asserting that any monetary 
cap would be unreasonable because the delivery of care--and tools and 
supports related to such care--depends on each patient's particular 
needs. Many commenters supported an exception to the proposed cap based 
on financial need, while some were concerned with the administrative 
burden associated with administering a financial need policy, which 
would require individualized determinations of financial need rather 
than bright-line limits. A commenter suggested that OIG define 
financial need using a validated social need screening tool, such as 
the Hunger Vital Sign, a validated, two-question tool used by health 
care providers and community-based organizations to identify risk for 
food insecurity among youth, adolescents, and adults.
    Response: We agree with commenters who stated that a monetary cap 
provides bright-line guidance to VBE participants on the value of 
acceptable tools and supports. To this end, we are finalizing a 
straightforward annual, aggregate $500 cap, subject to an inflation 
adjuster. The final rule does not include the proposed condition that 
would have allowed the cap to be exceeded, without limitation

[[Page 77807]]

on amount, in instances of good faith, individualized determination of 
a patient's financial need. Because we are not finalizing this 
condition, we do not need to define financial need.
    OIG is mindful that different patients may have different needs and 
for some patients tools and supports exceeding a retail value of $500 
in the aggregate per year could help improve coordination of their 
care, improve health outcomes, and have other beneficial impacts, 
particularly for patients with financial need. Nothing in this final 
rule makes it necessarily unlawful, in individual cases, for a provider 
or other party to furnish for free or below fair market value tools and 
supports that exceed $500 per year (nor does this rule make 
remuneration under $500 automatically immune from sanctions under the 
Federal anti-kickback statute and Beneficiary Inducements CMP unless it 
meets all safe harbor conditions). Such arrangements would be evaluated 
on a case-by-case basis under the statutes, including with respect to 
the intent of the parties. We note that there may be lawful avenues for 
providers to offer tools and supports to patients who need tools and 
supports that exceed an aggregate of $500 annually, particularly those 
experiencing financial need. For example, the local transportation safe 
harbor, found at paragraph 1001.952(bb), remains available to protect 
certain local transportation furnished to patients, provided that the 
local transportation satisfies the requirements of the safe harbor. 
With respect specifically to the Beneficiary Inducements CMP, 
exceptions exist for remuneration that promotes access to care and 
poses a low risk of harm and for renumeration offered to patients 
experiencing financial need; the requirements for these exceptions are 
found at paragraph 1003.110.\78\
---------------------------------------------------------------------------

    \78\ We remind readers that exceptions to the definition of 
``remuneration'' under the Beneficiary Inducements CMP apply only 
for the purposes of the definition of ``remuneration'' applicable to 
section 1128A of the Act (the Beneficiary Inducements CMP); they do 
not apply for purposes of section 1128B(b) of the Act (the Federal 
anti-kickback statute).
---------------------------------------------------------------------------

    In addition, for arrangements involving tools and supports that may 
exceed the monetary cap, that implicate the Federal anti-kickback 
statute, Beneficiary Inducements CMP or both, and do not meet any other 
safe harbor to the Federal anti-kickback statute or exception to the 
Beneficiary Inducements CMP, the advisory opinion process remains 
available. OIG has previously issued favorable advisory opinions to 
health care industry stakeholders seeking to furnish free or below fair 
market value tools and supports to patients when such tools and 
supports do not squarely satisfy a safe harbor to the Federal anti-
kickback statute, an exception to the Beneficiary Inducements CMP, or 
both.\79\
---------------------------------------------------------------------------

    \79\ See, e.g., OIG, OIG Adv. Op. No. 17-01, available at 
https://oig.hhs.gov/fraud/docs/advisoryopinions/2017/AdvOpn17-01.pdf 
(Mar. 10, 2017) (regarding a hospital system's proposal to provide 
free or reduced-cost lodging and meals to certain financially needy 
patients); OIG, OIG Adv. Op. No. 19-03 (Mar. 6, 2019), available at 
https://oig.hhs.gov/fraud/docs/advisoryopinions/2019/AdvOpn19-03.pdf 
(regarding a program offered by a medical center that provides free, 
in-home followup care to eligible individuals with congestive heart 
failure and the proposed expansion of this program to include 
certain individuals with chronic obstructive pulmonary disease).
---------------------------------------------------------------------------

    Comment: Several commenters asked for clarity regarding how to 
calculate the ``retail value'' of the tools or supports. A commenter 
asked OIG to define retail value as the commercial value of the tool or 
support to the recipient instead of its fair market value. Several 
commenters agreed that if OIG finalized any cap to the annual aggregate 
value of protected tools and supports, the cap should apply separately 
to each VBE participant, rather than at the VBE level or the value-
based arrangement level, citing the administrative burden associated 
with tracking caps for patients receiving tools and supports from 
different VBE participants. Others suggested that the cap should adjust 
for inflation over time automatically or through other mechanisms.
    Response: The aggregate retail value of patient engagement tools 
and supports furnished by a VBE participant to a patient may not exceed 
$500 on an annual basis. The retail value of the tools and supports 
should be measured at the time they are provided to the patient. 
Specifically, for purposes of this safe harbor, the retail value is the 
commercial cost the patient would have incurred at the time the VBE 
participant provides the tool or support if the patient had procured 
the tool or support on the open market on their own. We note that, as 
proposed, this cap applies per VBE participant and per patient, not at 
the VBE level or the value-based arrangement level. A patient may 
receive a number of tools and supports from a number of VBE 
participants (in one or more VBE) through the course of a year, as long 
as no single VBE participant individually provides more than $500 in 
aggregate value to the patient per year. The VBE participant providing 
the tool or support is responsible for tracking the aggregate retail 
value of the tools or supports that it--and only it--provides to the 
patient through the course of a year.
    VBE participants are not required to monitor the value of tools and 
supports provided by other parties--even within the same VBE--to a 
particular patient. This should ease any burden of tracking the value 
of tools in connection with the aggregate, annual cap. Finally, in 
response to commenters' suggestions, we are finalizing an annual 
adjustment to the monetary cap to account for inflation. Under this 
provision, the monetary cap will be adjusted for inflation to the 
nearest whole dollar effective January 1 of each calendar year using 
the Consumer Price Index-Urban All Items (CPI-U) for the 12-month 
period ending the preceding September 30. OIG will publish an 
announcement on its website after September 30 of each year reflecting 
the increase in the CPI-U for the 12-month period ending September 30, 
and the new monetary cap applicable for the following calendar year.
    Comment: A number of commenters suggested increasing the dollar 
limit of the cap for all tools and supports. Some commenters suggested 
alternatives, such as per-occurrence limitations on value, coupled with 
a higher cap. Others proposed increasing the cap or adding additional 
exceptions to the cap for categories of tools and supports or specific 
tools and supports such as disposable and nondurable items and 
supplies; recurring services; ongoing costs for the tool or support 
(e.g., batteries and software upgrades); transportation; housing and 
home safety items and services; certain digital or other health-related 
technologies; home monitoring devices; tools and supports that address 
chronic or complex disease management; tools and supports for the 
seriously injured; harm-reduction items (e.g., helmets and medication 
lockboxes); and other tools and supports that address a patient's 
social determinants of health. Several commenters asked OIG to consider 
increasing the cap to account for changes in technology or care 
innovation over time. Some commenters recommended permitting a higher 
cap when the VBE's accountable body or responsible person determines 
the circumstances support it. Others recommended a tiered cap system 
based on outcomes or on the amount of risk a VBE participant bears.
    Response: The generally applicable $500 cap establishes a bright-
line limitation for VBE participants seeking protection under this safe 
harbor. We believe the safe harbor conditions, including the monetary 
cap, strike an appropriate balance between giving flexibility to VBE 
participants to provide beneficial tools and supports to

[[Page 77808]]

patients and protecting programs and patients from the improper 
influence of valuable remuneration. We are not finalizing exceptions to 
the $500 cap because we believe exceptions would add complexity to this 
safe harbor and would raise compliance challenges. Further, tools and 
supports of higher value could improperly influence patients to select 
treatments or providers not in their best interests, potentially 
leading to the harms against which the Federal anti-kickback statute is 
designed to protect.
q. Diversion or Resale
    Summary of Proposed Rule: We proposed, at proposed paragraph 
1001.952(hh)(4), a condition that would have excluded from safe harbor 
protection tools or supports if the offeror knew, or should have known, 
that the tool or support was likely to be diverted, sold, or utilized 
by the patient other than for the express purpose for which the tool or 
support was provided.
    Summary of Final Rule: We are not finalizing this proposed 
condition.
    Comment: Several commenters supported this condition, while another 
urged us to consider how such limitation may inadvertently restrict 
access to these tools. A commenter posited that it is not feasible for 
a VBE participant to determine the likelihood of diversion and proposed 
instead limitations on categories of tools and supports that are likely 
to be abused, such as cell phones. The commenter suggested protection 
only for tools and supports that are not likely to be abused or those 
likely to improve health, such as helmets, car seats, and medication 
lockboxes.
    Response: We agree with the commenter who questioned the 
feasibility of a VBE participant determining the likelihood of 
diversion. We are not finalizing this provision. Other safeguards we 
are finalizing in this safe harbor adequately address the concern that 
a recipient of a tool or support is receiving it for appropriate 
purposes. For instance, the requirement that a licensed health care 
professional recommend the tool or support and that it be directly 
connected to the coordination and management of care should mitigate 
the risk that a tool or support is likely to be diverted or resold. 
Similarly, the monetary cap, the requirement that a tool or support 
advance an enumerated goal, and the restriction on marketing and 
patient recruitment further limit the risk of diversion or resale.
r. Materials and Records
    Summary of Final Rule: We proposed at proposed paragraph 
1001.952(hh)(6) that VBE participants providing tools and supports 
under this safe harbor make available to the Secretary, upon request, 
all materials and records sufficient to establish that the tool or 
support was distributed in compliance with the conditions of the safe 
harbor. We noted that we were considering a requirement that VBE 
participants retain materials and records sufficient to establish 
compliance with the safe harbor for a set period of time, such as 6 or 
10 years. We did not propose specific parameters regarding the creation 
or maintenance of documentation in order to allow for flexibility. We 
solicited comments on several alternative safeguards.
    Summary of Final Rule: We are finalizing, with modification, a 
requirement at paragraph 1001.952(hh)(7) that materials and records 
sufficient to establish compliance with the safe harbor be made 
available to the Secretary, including that those records be kept for a 
period of at least 6 years.
    Comment: One commenter stated that a rigid documentation 
requirement would make clinicians hesitant to use the safe harbor. 
Another commenter questioned the need for the proposed condition, 
noting that such documentation is already part of the existing 
compliance programs. The same commenter further questioned whether OIG 
would bring an investigation or pursue a Federal anti-kickback case 
based solely on the failure to satisfy a documentation requirement 
rather than underlying substantive safeguards. A commenter found 
documentation--particularly regarding the goals proposed at paragraph 
1001.952(hh)(3)(vii)--to be excessive or impractical. Another commenter 
suggested that it would be appropriate for offerors to retain 
documentation under this condition for a period of 6 years.
    Response: We disagree with the characterization of this 
documentation requirement as rigid. The condition does not require a 
signed writing in advance of the provision of tools and supports to a 
patient, nor does it propose any specific parameters on the type or 
form of documentation. It simply requires that parties make available, 
on request, documentation sufficient to show that tools or supports 
were provided in accordance with the safe harbor's conditions. Safe 
harbors offer voluntary protection from liability under the Federal 
anti-kickback statute for specified arrangements, and no entity or 
individual is required to fit within a safe harbor. Failure to fit 
within a safe harbor does not mean a party has violated--or even 
implicated--the Federal anti-kickback statute; it simply means the 
party may not look to the safe harbor for protection for that 
arrangement. It would be prudent for any party relying on a safe harbor 
to protect certain arrangements to document compliance with that safe 
harbor in some form. For purposes of this safe harbor, we are requiring 
VBE participants to retain relevant documentation for a minimum of 6 
years. This retention period was recommended by a number of commenters 
and it is consistent with the retention period required by the value-
based safe harbors finalized in this rule. In addition, because a 6-
year retention requirement is already present in several existing CMS 
regulations, we expect that many parties are familiar with this 
retention period and that the maintenance of records is part of their 
routine business practices.
s. Notice to Patients
    Summary of OIG Proposed Rule: We solicited comments on whether to 
require the VBE to provide a patient receiving a tool or support with 
written notice identifying the VBE participant and describing the 
nature and purpose of the tool or support.
    Summary of Final Rule: We are not finalizing this requirement.
    Comment: A commenter suggested that verbal, not written, notice 
should suffice. Another commenter stated that if such notice is 
required, OIG should develop consumer-tested templates to convey the 
information in an objective, easily understood way that will not 
mislead beneficiaries or create false expectations or reliance on 
protected tools and supports. Another commenter objected to any notice 
requirement as burdensome and questioned whether OIG would use 
investigative resources based on a claim of deficient notice.
    Response: We are not finalizing this requirement. We believe that 
the appropriate time for the patient to understand the purpose of the 
tool or support is at the time a licensed health care professional is 
recommending it for the individual patient. While we are not requiring 
any formal notice to a patient in this final rule, we expect providers 
will naturally communicate the purpose of the tool or support to the 
patient at the time it is recommended in furtherance of the 
coordination and management of care.

[[Page 77809]]

t. Other Comments
    Comment: A commenter asked OIG to clarify that its proposed rule 
does not mean that certain existing or hypothetical practices involving 
tools and supports to beneficiaries implicate, or constitute violations 
of, the Federal anti-kickback statute, such as certain group education 
or certain types of gift cards. Other commenters requested that OIG 
clarify, in the context of value-based arrangements or otherwise, that 
the safe harbor protects remote physiologic monitoring tools and 
services at no or low cost, and furthermore that providing access to 
software-based platforms for patient-generated health data analytics or 
telemedicine at no or low cost does not violate the Federal anti-
kickback statute.
    Response: We decline to provide further guidance related to the 
various comments summarized above because any analysis of whether any 
of the various practices and conduct implicate the Federal anti-
kickback statute or would be protected by this safe harbor would depend 
on the facts and circumstances specific to the practice or conduct. We 
note, however, that the provision of at least some of the tools and 
supports described above (e.g., tools that facilitate remote 
monitoring) could be protected by this safe harbor. Parties may seek an 
OIG advisory opinion for a determination regarding a proposed or 
existing arrangement.
    Comment: A commenter requested clarification regarding the 
intersection of the proposed safe harbor and the existing safe harbors 
or exceptions to the definition of ``remuneration'' under the 
Beneficiary Inducement CMP. Another commenter asked whether an entity 
is precluded from using the so-called ``promotes access to care 
exception'' \80\ if it becomes a VBE. Furthermore, the commenters asked 
whether an entity that is a VBE can use both the new safe harbor and 
the existing exception with the same patients. A commenter asked that 
we adopt a CMP exception corresponding to the patient engagement and 
support safe harbor.
---------------------------------------------------------------------------

    \80\ Section 1128A(i)(6)(F) of the Act; 42 CFR 1003.110.
---------------------------------------------------------------------------

    Response: The Federal anti-kickback statute and Beneficiary 
Inducements CMP are separate statutes with separate safe harbors and 
exceptions, respectively. Any remuneration implicating the Federal 
anti-kickback statute need only satisfy one safe harbor to be protected 
under the statute. Similarly, any remuneration implicating the 
Beneficiary Inducements CMP need only satisfy one exception under that 
statute to be protected. As a matter of law, arrangements that fit in 
an anti-kickback safe harbor are also protected under the Beneficiary 
Inducements CMP.\81\ This means that the final safe harbor for patient 
engagement and support offers protection under the Beneficiary 
Inducements CMP as well as the Federal anti-kickback statute. The 
converse is not true, however. Arrangements that fit in an exception to 
the Beneficiary Inducements CMP are not automatically protected under 
the anti-kickback safe harbor. A party that is a VBE participant can 
use any exception under the Beneficiary Inducements CMP for which its 
arrangement qualifies. In some cases, an arrangement that does not fit 
in the new safe harbor for patient engagement and support might qualify 
for protection under the ``promotes access to care exception'' or 
another CMP exception; this protection would not apply to the anti-
kickback statute.
---------------------------------------------------------------------------

    \81\ A practice permissible under the Federal anti-kickback 
statute, whether through statutory exception or regulations issued 
by the Secretary, is also excepted from the Beneficiary Inducements 
CMP. Section 1128A(i)(6)(B) of the Act.
---------------------------------------------------------------------------

    Comment: A commenter noted that this safe harbor does not have a 
corresponding exception under the physician self-referral law.
    Response: The commenter is correct. The physician self-referral 
law, section 1877 of the Act, does not prohibit remuneration exchanged 
between physicians or entities and patients, so a corresponding 
exception would not be necessary.
7. CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient 
Incentives (42 CFR 1001.952(ii))
    Summary of OIG Proposed Rule: We proposed to create a new safe 
harbor at paragraph 1001.952(ii) to: (i) Permit remuneration between 
and among parties to arrangements (e.g., distribution of capitated 
payments, shared savings or losses distributions) under a model or 
other initiative being tested or expanded by the Innovation Center 
under section 1115A of the Act or under the Medicare Shared Savings 
Program under section 1899 of the Act (collectively ``CMS-sponsored 
models''); and (ii) permit remuneration in the form of incentives 
provided by CMS-sponsored model participants and their agents under a 
CMS-sponsored model to patients covered by the CMS-sponsored model. We 
proposed certain additional conditions, including a requirement that 
patient incentives have a direct connection to the patient's health 
care.
    Summary of Final Rule: We are finalizing, with modifications, the 
safe harbor as proposed at paragraph 1001.952(ii). We are revising the 
introductory text of paragraphs 1001.952(ii)(1) and (2) to clarify that 
CMS determines the specific types of financial arrangements and 
incentives to which safe harbor protection will apply; safe harbor 
protection will not necessarily apply to every possible financial 
arrangement or incentive that CMS-sponsored model parties may wish to 
implement as they participate in the Medicare Shared Savings Program or 
an Innovation Center model. We are finalizing without substantive 
change the remainder of proposed paragraph 1001.952(ii)(1) regarding 
the conditions for safe harbor protection of financial arrangements 
under a CMS-sponsored model.
    We are finalizing with some modification the conditions for safe 
harbor protection of CMS-sponsored model patient incentives at 
paragraph 1001.952(ii)(2). First, this final rule specifies at 
paragraph 1001.952(ii)(2)(ii) that the patient incentive must have a 
direct connection to the patient's health care unless the participation 
documentation expressly specifies a different standard, in which case 
that standard must be met. Second, as explained more fully below, we 
are moving certain language from the proposed definition of ``CMS-
sponsored model patient incentive'' in paragraph 1001.952(ii)(3) to the 
conditions of safe harbor protection in paragraph 1001.952(ii)(2). 
Third, we are modifying the safe harbor to provide at paragraph 
1001.952(ii)(2)(iii) that an individual other than the CMS-sponsored 
model participant or its agent may furnish an incentive to a patient 
under a CMS-sponsored model if that is specified by the participation 
documentation.
    Finally, we are relocating the general substance of the provision 
that permits patients to retain incentives they received under the CMS-
sponsored model from paragraph 1001.952(ii)(2)(v) to new paragraph 
1001.952(ii)(4)(iii). We are finalizing the safe harbor definitions at 
paragraph 1001.952(ii)(3) largely as proposed. As noted above, we are 
relocating a portion of the definition of ``CMS-sponsored model patient 
incentive'' to the conditions of safe harbor protection in paragraph 
1001.952(ii)(2). In addition, we are clarifying the definition of 
``CMS-sponsored model arrangement'' to refer to ``a financial 
arrangement,'' which is consistent with our discussion of the 
definition in the OIG Proposed Rule.\82\ Last, we made two minor 
technical

[[Page 77810]]

revisions to the definition of ``CMS-sponsored model party.''
---------------------------------------------------------------------------

    \82\ 84 FR 55731 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We are addressing the duration of safe harbor protection at new 
paragraph 1001.952(ii)(4). We are making a technical edit to the 
introductory language in proposed paragraph 1001.952(ii)(2) to replace 
the phrase ``if all of the conditions of paragraph (ii)(2)(i) through 
(v) are met of this section'' with ``if all of the following conditions 
are met.''
    Modifications to the scope of the safe harbor, conditions of 
protection, and its duration are summarized and explained in the 
preamble sections that follow.
a. General Comments
    Comment: We received several comments that generally supported 
finalizing a safe harbor for CMS-sponsored models and agreed with the 
goals set forth in the OIG Proposed Rule. For example, a commenter 
posited that the safe harbor could encourage greater voluntary 
participation in new CMS-sponsored models. Commenters also expressed 
support for a simplified and standardized approach rather than 
disparate OIG waivers, with tailored conditions, for CMS-sponsored 
models.
    Some commenters expressed concern about the impact of any safe 
harbor on existing waivers of the fraud and abuse laws issued by OIG 
that currently apply to CMS-sponsored models, and about our ability or 
willingness to issue future waivers. For example, a commenter noted 
that there are benefits to model-specific waivers that may not be 
realized in a safe harbor.
    Response: A goal of this safe harbor is to provide uniformity and 
predictability for those participating in CMS-sponsored models, which 
are testing innovations to improve quality and lower cost. As we stated 
in the OIG Proposed Rule, this safe harbor does not supersede OIG's 
existing fraud and abuse waivers for CMS-sponsored models. Existing 
model waivers will continue in effect in accordance with the waiver 
terms. A CMS-sponsored model party may structure arrangements that 
might otherwise implicate the Federal anti-kickback statute, 
Beneficiary Inducements CMP, or both to meet the terms of an applicable 
fraud and abuse waiver or any applicable safe harbor. In addition, the 
promulgation of this safe harbor does not preclude OIG from issuing 
model-specific waivers in the future. We note, however, that we would 
expect OIG's issuance of model-specific waivers in the future to be 
infrequent. We expect that model participants in new CMS-sponsored 
models will be able to use this new safe harbor.
b. Scope of the Safe Harbor and Definitions
    Summary of OIG Proposed Rule: We proposed to create a new safe 
harbor at paragraph 1001.952(ii) to protect certain financial 
arrangements and patient incentives related to the Medicare Shared 
Savings Program under section 1899 of the Act and models established 
and tested by CMS under section 1115A of the Act. At proposed paragraph 
1001.952(ii)(3), we proposed to define the following terms that shape 
the scope of the safe harbor: ``CMS-sponsored model, ``CMS-sponsored 
model arrangement,'' ``CMS-sponsored model participant,'' ``CMS-
sponsored model party,'' ``CMS-sponsored model patient incentive,'' and 
``participation documentation.''
    Summary of Final Rule: We are finalizing, with modifications, the 
defined terms. We have modified the definition of ``participation 
documentation'' by removing the phrase ``is currently in effect.'' This 
phrase is unnecessary in the context of a definition. Temporal language 
is more appropriate in the new paragraph 1001.952(ii)(4) that specifies 
the duration of safe harbor protection. In addition, we have modified 
the definition of ``participation documentation'' by replacing the 
reference to ``cooperative agreement'' with the phrase ``legal 
instrument setting forth the terms and conditions of a grant or 
cooperative agreement.'' The purpose of this change is to accommodate 
future CMS-sponsored models that may be implemented by a type of grant 
that is not a cooperative agreement and to accurately characterize the 
relevant documentation for such forms of Federal funding.
    Comment: We received several comments recommending that we expand 
the safe harbor beyond ``CMS-sponsored models,'' as we proposed to 
define that term. For example, some commenters requested protection for 
arrangements and patient incentives related to other waivers, 
demonstrations, value-based arrangements, and commercial payors such 
as: (i) Arrangements under State Innovation Waivers granted pursuant to 
section 1332 of the Affordable Care Act; (ii) arrangements involving 
commercially insured patients that operate ``alongside'' an arrangement 
related to the CMS-sponsored model if the commercial arrangement is 
identical in all respects to the CMS-sponsored model arrangement; (iii) 
arrangements needed to support CMS-approved Medicaid Alternative 
Payment Models and delivery system initiatives; (iv) arrangements 
established in the Medicare Physician Fee Schedule and Merit-based 
Incentive Payment System (MIPS); and (v) arrangements between 
organizations participating in any CMS-led or CMS-supported 
demonstration authorized by statute.
    Some commenters also sought to have the safe harbor protect tools 
and supports furnished to patients who are: (i) Approved by CMS through 
a Medicaid section 1115 waiver; (ii) approved by CMS as a State Plan 
Amendment; or (iii) allowed through Supplemental Benefit for 
Chronically Ill Enrollees in the Medicare Advantage program. Another 
commenter recommended that the safe harbor protect arrangements under 
any model where the Secretary has sufficient authority to waive the 
Federal fraud and abuse laws.
    In contrast, we received support for limiting the scope of 
protection to what we set forth in the OIG Proposed Rule, with some 
commenters opposing broadening the safe harbor to protect remuneration 
for models or demonstrations under other sections of the Act. For 
example, a commenter opposed broadening the scope of the safe harbor, 
suggesting that it is appropriate for the Federal anti-kickback statute 
to serve as ``backstop.''
    Response: We have carefully considered the comments requesting 
expansion of this safe harbor beyond CMS-sponsored models, as that term 
is as defined in the OIG Proposed Rule. We are finalizing the scope of 
the safe harbor as proposed. This safe harbor is designed to work in 
tandem with the Innovation Center's models under section 1115A of the 
Act and the Medicare Shared Savings Program under section 1899 of the 
Act. It permits a certain amount of flexibility, which is sufficiently 
low risk because CMS includes program integrity safeguards in the 
Medicare Shared Savings Program and the Innovation Center models. There 
may be variation in program integrity safeguards and oversight in other 
initiatives, even if the authorizing statute permits the waiver of 
fraud and abuse laws.
    We are tailoring the scope of the safe harbor to include the 
Medicare Shared Savings Program under section 1899 of the Act and 
models established and tested by CMS under sections 1115A and of the 
Act. Both the Medicare Shared Savings Program and Innovation Center 
models are: (i) Designed to coordinate and redesign care; and (ii) 
contain program integrity oversight and safeguards. In addition, the 
Innovation Center oversees the development, testing, and monitoring of 
models.

[[Page 77811]]

Furthermore, CMS-sponsored model participants may undergo certain 
screening to participate in a model or the Medicare Shared Savings 
Program and may be subject to documentation and reporting requirements 
to promote transparency in the model or program. This level of CMS 
involvement and oversight may not be present in many of the programs, 
waivers, and demonstrations cited by the commenters. To the extent that 
the Department has the authority to issue fraud and abuse waivers for 
the Medicare Shared Savings Program or Innovation Center models, the 
issuance of any such waivers remains an option to protect certain 
arrangements in those programs. In addition, other safe harbors may 
protect many arrangements that may otherwise implicate the Federal 
anti-kickback statute and Beneficiary Inducements CMP, and that 
participants in the types of programs described above may desire to 
implement.
    Comment: A commenter asked that this safe harbor protect a broad 
range of incentives given to patients such as transportation, nutrition 
support, home monitoring technology, and gift cards.
    Response: This safe harbor protects patient incentives for which 
CMS has determined that this safe harbor is available. Thus, CMS 
defines in the participation documentation the scope of the model or 
program and the arrangements or incentives permitted under the model or 
program. Depending on the particular CMS-sponsored model's parameters, 
the safe harbor could protect a broad range of incentives, including 
those cited by the commenter. If the CMS-sponsored model prohibits a 
particular type of incentive, then it would not be protected by this 
safe harbor. Similarly, we note that CMS defines which entities may 
provide an incentive. For example, if the CMS-sponsored model is a 
State-based model where the State or State Medicaid agency implements 
the model through care-delivery partners in a State, the Innovation 
Center may expressly specify that such State partners may provide CMS-
sponsored model patient incentives under the model on behalf of the 
State.
    We are modifying the proposed definition of ``CMS-sponsored model 
patient incentive'' at paragraph 1001.952(ii)(3)(v) for simplicity and 
to consolidate at paragraph 1001.952(ii)(2) language regarding the 
conditions of safe harbor protection.
    We proposed to define ``CMS-sponsored model patient incentive'' to 
mean remuneration not of a type prohibited by the participation 
documentation and is furnished consistent with the CMS-sponsored model 
by a CMS-sponsored model participant (or by an agent of the CMS-
sponsored model participant under the CMS-sponsored model participant's 
direction and control) directly to a patient under the CMS-sponsored 
model. We are moving the phrase ``furnished consistent with the CMS-
sponsored model'' to paragraph 1001.952(2)(v), and we are moving the 
requirement regarding who may furnish the patient incentive to 
paragraph 1001.952(2)(iii). We are relocating the language so it will 
appear where the other conditions for patient incentives are enumerated 
under paragraph 1001.952(ii)(2), rather than including these 
requirements within the definition of ``CMS-sponsored model patient 
incentive.'' We do not intend for this to be a substantive change.
    Comment: A commenter recommended expanding the safe harbor to 
include incentives given to patients who the CMS-sponsored model 
participant believes in good faith are covered, or within a reasonable 
period will be covered, by a CMS-sponsored model. The commenter noted 
as an example that the Comprehensive ESRD Care Model has shown that 120 
or more days may elapse between the time when a Medicare beneficiary 
commences dialysis treatment and the time by which the ESRD Seamless 
Care Organization receives confirmation of beneficiary alignment.
    Response: As with the scope of permissible types of incentives, the 
Innovation Center defines the scope of patients who may be eligible to 
receive such incentives. We recognize that, depending on how the 
Innovation Center has designed the model, a CMS-sponsored model 
participant may not know exactly which beneficiaries are in the model 
or aligned to the model participant at the time the beneficiary could 
benefit from a patient incentive. By definition, a ``CMS-sponsored 
model patient incentive'' is remuneration that is not of a type that is 
prohibited by the participation documentation. Also, as a condition of 
safe harbor protection, the incentive must be furnished consistent with 
the CMS-sponsored model. To the extent that the Innovation Center 
intends for incentives to be furnished before any beneficiary alignment 
is finalized, and the participation documentation or programmatic 
requirements do not prohibit such incentives, an incentive given before 
final alignment could still meet the condition set forth in paragraph 
1001.952(ii)(2)(v) and qualify for safe harbor protection if all other 
terms of the safe harbor are met.
    Comment: A commenter noted that we proposed to define ``CMS-
sponsored model'' to include a model expanded under section 1115A(c) of 
the Act and requested further clarity on how this safe harbor would 
apply to ``Phase II'' testing of an Innovation Center model. The 
commenter noted that risks and benefits of financial arrangements and 
patient incentives under a model may change within a given model's 
design due to a change in scope.
    Response: The safe harbor would protect arrangements and incentives 
consistent with the CMS-sponsored model regardless of the model's phase 
of testing. We agree with the commenter that risks and benefits of 
financial arrangements and patient incentives under such models may 
change, but the Innovation Center would continue to set the parameters 
of what is being tested. If a CMS-sponsored model participant's 
arrangements or incentives meet the terms of the safe harbor, which 
incorporates elements of the model design, then the arrangements or 
incentives would be protected.
c. Conditions for Safe Harbor Protection
    Summary of OIG Proposed Rule: We proposed safeguards to ensure that 
arrangements protected by this safe harbor operate as intended by CMS, 
including requirements that: The remuneration not induce the furnishing 
of medically unnecessary services or reduce or limit medically 
necessary care (proposed at paragraph 1001.952(ii)(1)(ii)); the 
remuneration not induce referrals of patients outside the CMS-sponsored 
model (proposed at paragraph 1001.952(ii)(1)(iii)); the parties make 
materials and records available to the Secretary upon request (proposed 
at paragraphs 1001.952(ii)(1)(v) and 1001.952(ii)(2)(iii)); the parties 
satisfy programmatic requirements imposed by CMS (proposed at 
paragraphs 1001.952(ii)(1)(vi) and 1001.952(ii)(2)(iv)); and a patient 
incentive offered under the safe harbor have a direct connection to 
patient care (proposed at paragraph 1001.952(ii)(2)(ii)).
    Summary of Final Rule: We are finalizing, with modifications, the 
conditions of this safe harbor. Specifically, paragraph 
1001.952(ii)(2)(ii) is finalized with a modification to provide that 
the CMS-sponsored model patient incentive must have a direct connection 
to the patient's health care, unless the participation documentation 
specifies a different standard. We are liberalizing and relocating to 
paragraph 1001.952(ii)(2)(iii) language regarding

[[Page 77812]]

who may furnish a CMS-sponsored model patient incentive. Specifically, 
a CMS-sponsored model patient incentive must be furnished by a CMS-
sponsored model participant (or by an agent of the CMS-sponsored model 
participant under the CMS-sponsored model participant's direction and 
control), unless otherwise specified by the participation 
documentation. We also are moving to paragraph 1001.952(ii)(2)(v) the 
proposed language specifying that a CMS-sponsored model patient 
incentive must be ``furnished consistent with the CMS-sponsored 
model.'' As proposed, the relocated provisions were essentially 
conditions of safe harbor protection. To improve the clarity of the 
final rule, we are moving the provisions to appear with the other 
conditions for protecting CMS-sponsored model patient incentives.
    Comment: A commenter suggested that safe harbor protection should 
apply as long as the remuneration at issue meets all programmatic 
requirements and the terms of the model participation agreements or 
other participation documentation. The commenter expressed concern that 
incorporating additional substantive requirements in the safe harbor 
beyond the model's contractual and programmatic requirements could: (i) 
Limit the ability to tailor program integrity requirements for specific 
models; and (ii) potentially lead to inconsistent or conflicting 
formulations of similar concepts such as between the safe harbor and 
the model's contractual and programmatic requirements. The commenter 
illustrated this concern by explaining that the Innovation Center may 
test a model that allows for the provision of patient incentives that 
have no direct connection to the patient's health care and instead 
includes a different safeguard. Another commenter, while supporting the 
all-encompassing approach to the safe harbor, stated that the specific 
requirements regarding protected parties are redundant because they are 
already currently embedded within most of the Innovation Center model 
participation requirements. Another commenter urged OIG to look 
carefully at the safe harbor conditions and modify any conditions that 
impose an undue burden or that are unclear.
    Response: We appreciate the desire to streamline the safe harbor's 
conditions as much as possible. However, if we were to add a condition 
requiring satisfaction of all programmatic requirements and all terms 
of the model participation agreements and other participation 
documentation to ensure safe harbor protection, then some arrangements 
or incentives might not be protected due to potentially inadvertent 
failures to satisfy model requirements that may not bear on the 
particular financial arrangement or patient incentive. We recognize 
that implementing a safe harbor rather than continuing with model-by-
model fraud and abuse waivers may result in an approach less tailored 
to the specific model. Similarly, in an effort to encompass an array of 
possible models, we may have introduced some redundancy through defined 
terms or safe harbor conditions that also could appear in programmatic 
requirements for a particular CMS-sponsored model. However, we believe 
the benefits of having a safe harbor available that provides 
consistency and certainty to parties considering participation in a 
CMS-sponsored model outweigh the concerns related to any possible 
redundancy.
    The conditions we are finalizing generally either rely on 
parameters CMS will specify as part of the CMS-sponsored model or 
address important program integrity concerns and resemble conditions 
previously included in model-specific waivers (e.g., the condition 
prohibiting parties from offering, paying, soliciting, or receiving 
remuneration in return for, or to induce or reward, any Federal health 
care program referrals or other Federal health care program business 
generated outside of the CMS-sponsored model). CMS defines the 
parameters of the model, which includes the types of financial 
arrangements and incentives that could receive safe harbor protection. 
Finally, as we noted in the OIG Proposed Rule, the condition requiring 
that the patient incentive have a direct connection to the patient's 
health care is consistent with the design of all CMS-sponsored models 
contemplated as part of this safe harbor.
    However, to provide additional flexibility for the Innovation 
Center to design future models and in response to commenters, we are 
modifying the condition such that CMS may specify in the participation 
documentation a standard other than ``direct connection to the 
patient's health care.'' If CMS does not specify a particular standard 
that would contrast with a ``direct connection to the patient's health 
care,'' then this standard remains. In other words, if CMS does not 
specify any particular standard to which the incentive must relate, 
then the standard is that it must directly relate to the patient's 
health care. If, for example, a CMS-sponsored model permitted 
incentives related to social determinants that might not ``directly'' 
relate to a patient's health, and the participation documentation 
specified that the incentive must bear a ``reasonable'' connection to 
the patient's health, then compliance with the ``reasonable 
connection'' standard would satisfy the safe harbor condition.
    As we stated in the OIG Proposed Rule, to reduce administrative 
burden, parties under a CMS-sponsored model would have flexibility to 
determine which type of documentation would best memorialize the 
arrangement such that they could demonstrate safe harbor compliance, 
including through a collection of documents as opposed to one 
agreement.\83\
---------------------------------------------------------------------------

    \83\ 84 FR 55732 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: A commenter expressed concern that the safe harbor 
condition requiring an arrangement to satisfy ``other programmatic 
requirements'' would leave the protection for these arrangements 
significantly uncertain.
    Response: The regulatory text that we proposed and are finalizing 
requires that the CMS-sponsored model participant satisfies (or CMS-
sponsored model parties satisfy) such programmatic requirements as may 
be imposed by CMS in connection with the use of this safe harbor. The 
phrase ``other programmatic requirements'' appeared in the preamble of 
the OIG Proposed Rule \84\ and needed to be considered in the context 
of the totality of the condition. The programmatic requirements that 
parties would have to satisfy to qualify for safe harbor protection 
would be set out in the CMS-sponsored model's participation 
documentation or would be otherwise publicly available. Therefore, we 
disagree with the commenter that the protection would be uncertain, 
since any programmatic requirements specified by the Innovation Center 
and incorporated into the safe harbor by reference in this condition 
would be in participation documentation or otherwise would be publicly 
available.
---------------------------------------------------------------------------

    \84\ Id.
---------------------------------------------------------------------------

    Comment: A commenter recommended that OIG specify that the safe 
harbor is automatically applicable to CMS-sponsored models absent any 
affirmative exclusion of a CMS-sponsored model from protection by the 
safe harbor by OIG, rather than requiring the Innovation Center to 
specify that the safe harbor applies to a particular model.
    Response: We did not propose and are not adopting this 
recommendation because safe harbor protection may not be necessary to 
test all models or for every arrangement within a model that the 
Innovation Center may test under section 1115A of the Act. This 
approach

[[Page 77813]]

allows the Innovation Center to evaluate each model and determine 
whether waivers are necessary for parties to enter into certain 
arrangements to effectuate the purposes of the particular model. CMS 
has broad authority to develop and define the Innovation Center models, 
what the models are testing, and the scope of participation in the 
models. It is important, therefore, that CMS affirmatively state that 
the safe harbor would be available for specific CMS-sponsored model 
arrangements and CMS-sponsored model patient incentives within a 
particular model or initiative. As we stated in the OIG Proposed Rule, 
CMS would determine whether the safe harbor protection would be 
available for arrangements or patient incentives under the particular 
CMS-sponsored model.\85\ We also explained that we would expect CMS to 
notify CMS-sponsored model participants, through participation 
documentation, or other public means as determined by CMS, when CMS-
sponsored model participants may use this safe harbor under a CMS-
sponsored model.\86\ To ensure that it is clear that CMS determines the 
arrangements or incentives (and not just the models, in general) for 
which safe harbor protection is available, this final rule makes a 
technical correction to the proposed regulatory text to remove ``in a 
model'' in paragraph 1001.952(ii)(1) and ``under a model'' in paragraph 
1001.952(ii)(2).
---------------------------------------------------------------------------

    \85\ 84 FR 55731 (Oct. 17, 2019).
    \86\ Id.
---------------------------------------------------------------------------

    Because this safe harbor was not available when existing models 
began, we recognize that the applicable participation documentation 
would not affirmatively reference that this safe harbor is available 
for particular arrangements or incentives as required by paragraphs 
1001.952(ii)(1) and (2). Consequently, we clarify that for the Medicare 
Shared Savings Program and any existing model that has a fraud and 
abuse waiver issued by OIG, CMS may determine that this safe harbor is 
available for specific CMS-sponsored model arrangements and CMS-
sponsored model patient incentives that began prior to issuance of this 
final rule. To do so, CMS would at its discretion issue a public notice 
or notice to individual CMS-sponsored model participants that such 
parties can seek protection for such arrangements under this safe 
harbor as of the effective date of that notice. For example, if a 
particular CMS-sponsored model has a waiver for patient engagement 
incentives, the parties may rely either on the fraud and abuse waiver 
or, following notice from CMS that this safe harbor may be available 
for protection of future incentives, this safe harbor provided all of 
the waiver's or safe harbor's conditions, as applicable, are met.
d. Duration
    Summary of OIG Proposed Rule: We proposed that the duration of safe 
harbor protection would align with the duration of the participation 
documentation under a CMS-sponsored model, including a period of time 
after that model ends to allow for reconciliation.\87\ We indicated 
that we might finalize one or a combination of the following options: 
(i) Terminating protection after the end of the performance period or 
within a certain time period after the end of a performance period; 
(ii) terminating protection upon termination of the CMS-sponsored model 
participation documentation or within a certain period of time after 
that; and (iii) terminating protection after the last payment or 
exchange of anything of value made by a CMS-sponsored model party under 
a CMS-sponsored model occurs, even if the model has otherwise 
terminated. We also solicited comments on whether a CMS-sponsored model 
participant should be able to continue to provide the outstanding 
portion of any service to a patient if the service was initiated before 
its participation documentation terminated or expired.
---------------------------------------------------------------------------

    \87\ Specifically, the OIG Proposed Rule stated that the ``safe 
harbor would protect the last payment or exchange of value made by 
or received by a CMS-sponsored model party following the final 
performance period that the CMS-sponsored model participant that is 
a party to the arrangement participates in the CMS-sponsored 
model.'' 84 FR 55733 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are adding a new paragraph 
1001.952(ii)(4) that specifies timeframes for when safe harbor 
protection begins and ends. The details of each timeframe are explained 
in greater detail below.
    Comment: While generally agreeing with our proposal that most safe 
harbor protections should end at the conclusion of the model, a 
commenter suggested that there are some instances when OIG should 
consider extended safe harbor protection for CMS-sponsored model 
patient incentives. For example, a commenter recommended that OIG 
continue safe harbor protection if ceasing protection would affect 
continuity of care for patients or if the protected incentives promoted 
positive outcomes for the patient. Similarly, another commenter 
recommended that patients be allowed to retain any incentives received 
prior to the termination or expiration of the participation 
documentation of the CMS-sponsored model participant. Furthermore, the 
commenter also recommended protecting participants who continue to 
provide the same service to a patient for a terminated model if the 
service was initiated before the model was terminated or expired.
    Response: We agree with commenters, in part. The proposed 
regulatory text at paragraph 1001.952(ii)(2)(v) stated that patients 
would be permitted to retain any incentives received prior to the 
termination or expiration of the participation documentation of the 
CMS-sponsored model participant. We are finalizing that proposed 
provision in this final rule, but it is now included in paragraph 
1001.952(ii)(4)(iii).
    We also agree that there are circumstances where it may be 
appropriate to continue protection for patient incentives given after 
the date on which the model concludes. However, this safe harbor 
protects only patient incentives that are furnished consistent with the 
CMS-sponsored model. In the OIG fraud and abuse waiver context, we have 
protected patient incentives that continued past expiration or 
termination of an agreement for a certain period of time. For example, 
in connection with the Bundled Payments for Care Improvement (BPCI) 
Advanced Model, we indicated that the waiver for beneficiary incentives 
would continue to apply for patients who were in a ``clinical episode'' 
that began during an ``Agreement Performance Period,'' as those terms 
were defined in the Participation Agreement for that particular model, 
recognizing that the clinical episode might not conclude before the end 
of the Agreement Performance Period.\88\ However, not all models may be 
tied to particular clinical episodes. If a model ends, or a particular 
CMS-sponsored model participant's participation documentation 
terminates, the safe harbor would not protect patient incentives 
indefinitely, even if the incentive benefits or improves outcomes for a 
particular patient. More specifically, we are providing at new 
paragraph 1001.952(ii)(4)(iii) that safe harbor protection would 
continue for incentives given on or after the first day on which 
patient care services may be furnished under the CMS-sponsored model as 
specified by CMS in the

[[Page 77814]]

participation documentation and no later than the last day on which 
patient care services may be furnished under the CMS-sponsored model, 
unless a different timeframe is established in the participation 
documentation (e.g., a clinical episode if such a concept is 
incorporated into a model). Thus, if the participation documentation 
expressly specifies a period of time beyond the end of a final 
performance period or other termination event during which a CMS-
sponsored model patient incentive may be given, then that incentive 
would be protected during that extended timeframe, assuming all other 
safe harbor conditions are met. If the participation documentation does 
not specify an extended timeframe, then this safe harbor protects only 
incentives furnished until the last day on which patient care services 
may be furnished under the CMS-sponsored model (e.g., the last day of 
the final performance period). In addition, for clarity, we are 
specifying that protection for CMS-sponsored model patient incentives 
begins on or after the first day on which patient care services may be 
furnished under the CMS-sponsored model as specified by CMS in the 
participation documentation. In general, this would be the first day of 
the first performance period during the model.
---------------------------------------------------------------------------

    \88\ See Notice of Amended Waivers of Certain Fraud and Abuse 
Laws in Connection With the Bundled Payments for Care Improvement 
Advanced Model (Jan. 1, 2020), available at https://www.cms.gov/files/document/notice-amended-waivers-certain-fraud-and-abuse-laws-connection-bundled-payments-care-improvement.pdf.
---------------------------------------------------------------------------

    This approach is generally consistent with timeframes incorporated 
into fraud and abuse waivers for existing models. We further note that 
some arrangements that cease to meet the requirements of this safe 
harbor could be structured to fit into the safe harbor for patient 
engagement and support at paragraph 1001.952(hh).
    Comment: With respect to CMS-sponsored model arrangements, a 
commenter recommended that the safe harbor protect the last payment or 
exchange of value made or received by a CMS-sponsored model party 
following the final performance period in which the CMS-sponsored model 
participant that is a party to the arrangement participates, even if 
the model has otherwise terminated.
    Response: We agree, and it was our intent in the OIG Proposed Rule 
that the safe harbor protect remuneration exchanged pursuant to CMS-
sponsored model arrangements for a limited period of time after the 
CMS-sponsored model expires or is terminated to allow for necessary 
reconciliation. We are addressing the duration of safe harbor 
protection in new paragraph 1001.952(ii)(4), which provides greater 
clarity than addressing the issue in certain defined terms. We address 
both the start date and end date for protection in a manner that aligns 
with the particular CMS-sponsored model. The start or end date for 
protection may differ depending on whether the CMS-sponsored model is 
governed by participation documentation in the form of a legal 
instrument setting forth the terms and conditions of a grant or a 
cooperative agreement. For remuneration provided in connection with 
arrangements under a CMS-sponsored model governed by participation 
documentation other than a legal instrument setting forth the terms and 
conditions of a grant or cooperative agreement, the safe harbor 
protects the exchange of remuneration between CMS-sponsored model 
parties that occurs on or after the first day on which services under 
the CMS-sponsored model begin and no later than six months after the 
final payment determination made by CMS. The first day on which 
services begin is often the first day of the first performance period 
of a model, which may be referred to in the participation documentation 
as the ``Start Date.'' If a CMS-sponsored model has an ``implementation 
period'' included in the participation documentation, the first day on 
which ``services under the CMS-sponsored model begin'' would be the 
first day of the implementation period, unless otherwise specified by 
CMS in the participation documentation. For a CMS-sponsored model 
governed by a legal instrument setting forth the terms and conditions 
of a grant or cooperative agreement, the safe harbor protects the 
exchange of remuneration between CMS-sponsored model parties that 
occurs on or after the first day of the period of performance (as 
defined at 45 CFR 75.2), which is specified in the Notice of Award, or 
such other date specified in the participation documentation and no 
later than six months after closeout occurs pursuant to 45 CFR 75.381.
    We emphasize, however, that the safe harbor protects only 
remuneration between or among CMS-sponsored model parties under a CMS-
sponsored model arrangement for which CMS has determined that this safe 
harbor is available, and that a ``CMS-sponsored model arrangement'' 
includes only ``a financial arrangement between or among CMS-sponsored 
model parties to engage in activities under the CMS-sponsored model . . 
. .'' Therefore, the safe harbor does not protect remuneration 
exchanged between CMS-sponsored model parties for activities such as 
care coordination or other patient-care activities that occur before 
the model begins or beyond the termination or expiration of the model. 
Any such activities that are undertaken after the model expires or is 
terminated are not ``activities under the model.'' \89\ Payment that is 
made within the specified timeframe in paragraph 1001.952(ii)(4)(i) or 
(ii) for such services that were completed prior to termination or 
expiration of the final model performance period can be protected, 
similar to reconciliation payments that would necessarily be completed 
after expiration or termination of the final model performance period. 
In addition, CMS may specify that no remuneration may be exchanged 
after termination of the participation documentation if a participant 
is terminated from the CMS-sponsored model for cause. Any such 
remuneration would be prohibited by the model and thus not protected by 
the safe harbor. We also recognize that some CMS-sponsored model 
participants might want protection for certain arrangements that begin 
before a model starts (``pre-participation''). This safe harbor 
protects only financial arrangements among, and patient incentives 
furnished by, parties participating in the CMS-sponsored model. Any 
pre-participation arrangements not governed by participation 
documentation (in contrast to arrangements in an implementation period 
that is part of a CMS-sponsored model, as explained above) would need 
to comply with existing law, including another safe harbor, or CMS 
could request a fraud and abuse waiver be issued to cover activities in 
the pre-participation time period.
---------------------------------------------------------------------------

    \89\ In contrast, some CMS-sponsored models may require various 
administrative or analytical services that can occur only after a 
model terminates or expires (e.g., data or financial analysis, 
including services related to the reconciliation process). 
Remuneration related to those required activities, which would be 
described in the participation documentation, would be protected by 
this safe harbor, if all conditions are met.
---------------------------------------------------------------------------

8. Cybersecurity Technology and Related Services (42 CFR 1001.952(jj))
    Summary of OIG Proposed Rule: We proposed to establish a new safe 
harbor at paragraph 1001.952(jj) to protect nonmonetary donations of 
certain cybersecurity technology and related services to help improve 
the cybersecurity posture of the health care industry. We proposed to 
define ``cybersecurity'' as the process of protecting information by 
preventing, detecting, and responding to cyberattacks, and we proposed 
to include within the scope of covered technology any software or other 
types of information technology, other than hardware. In an effort to 
foster

[[Page 77815]]

beneficial cybersecurity donation arrangements without permitting 
arrangements that might negatively impact beneficiaries or Federal 
health care programs, we proposed a number of conditions on 
cybersecurity donations protected by the safe harbor. We also included 
an alternative proposal to protect donations of cybersecurity hardware 
in more limited circumstances. These proposals are summarized in more 
detail in following sections of this preamble.
    Summary of Final Rule: We are finalizing, with modifications, the 
safe harbor at paragraph 1001.952(jj). The modifications are summarized 
in more detail in following sections. This safe harbor will protect 
arrangements intended to address the growing threat of cyberattacks 
impacting the health care ecosystem. In addition to software and other 
types of information technology, the final safe harbor will protect 
certain cybersecurity hardware donations that meet conditions in the 
safe harbor. We are not finalizing our alternative proposal to require 
parties to conduct a risk assessment prior to donating hardware.
a. General Comments
    Comment: Most commenters generally supported OIG's proposed 
cybersecurity technology and related services safe harbor, with several 
commenters supporting the safe harbor as proposed. Some commenters 
highlighted that patients and providers of all sizes benefit when small 
and under-resourced providers can better protect themselves against 
cybersecurity threats. For example, a commenter stated that the safe 
harbor would significantly benefit small and rural provider groups that 
lack the required resources to install needed cybersecurity measures. 
Another commenter stated that four in five physicians in the United 
States currently have experienced some form of cybersecurity attack 
compromising patient privacy.\90\ According to a commenter, with the 
growing cost of cybersecurity software, it is essential that 
stakeholders be able to donate cybersecurity software to entities with 
which they interact that may not be able to afford the software. This 
commenter highlighted the threat that infiltrated data systems could 
lead to the corruption of health records, while another commenter 
explained that patient safety is the most critical concern when 
cyberattacks occur, especially when they impact a patient's electronic 
health records or medical devices. At least one of these commenters 
noted that cyberattacks could result in disclosure of sensitive patient 
information and could alter the treatment that a patient is prescribed, 
among other negative consequences.
---------------------------------------------------------------------------

    \90\ See Healthcare and Public Health Sector Coordinating 
Councils, Health Industry Cybersecurity Practices: Managing Threats 
and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.
---------------------------------------------------------------------------

    Response: We agree that there is an urgent need to improve 
cybersecurity hygiene in the health care industry to protect patients 
and the health care ecosystem overall. As discussed in more detail 
below, we are finalizing the safe harbor, with several modifications.
    Comment: A small number of commenters expressed general concerns 
about the proposal. One commenter warned that the safe harbor should 
not be used to further intentional or unintentional anticompetitive 
behavior, while another commenter stated that a safe harbor of this 
kind is bound to be abused, regardless of the types of safeguards OIG 
implements. Another commenter asked OIG to reconsider this safe harbor 
and whether cybersecurity protection and any donations related to the 
same are understood sufficiently at this time to warrant a safe harbor.
    Response: While we appreciate the concerns expressed by these 
commenters, we believe that this safe harbor can be an important tool 
to help the health care industry address the prevalent and increasing 
cybersecurity threats facing the industry, which can negatively impact 
the quality of care delivered to beneficiaries, among other things.\91\ 
Any donation of valuable technology or services to physicians or other 
sources of Federal health care program referrals may pose the risk of 
harms associated with fraud and abuse, and such risk may increase as 
the value of the donated technology or services increases. Similarly, 
any time a health care industry stakeholder is permitted to give 
something for free or at a reduced cost to actual or potential referral 
sources, there is a risk that such donation or discount will affect 
competition because entities with greater financial resources may be in 
a better position to provide the donation or discount or a more 
valuable donation or discount. However, we believe that the combination 
of safeguards in the safe harbor, as finalized, appropriately balances 
the risks against the potential benefits of properly structured 
donations to help address the critical cybersecurity needs of the 
health care industry.
---------------------------------------------------------------------------

    \91\ See for example Health Care Industry Cybersecurity Task 
Force, Report on Improving Cybersecurity in the Health Care 
Industry, June 2017 (HCIC Task Force Report), available at https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf 
(recommending safe harbor protection for cybersecurity donations).
---------------------------------------------------------------------------

b. Purpose of Donation
    Summary of OIG Proposed Rule: We proposed in proposed paragraph 
1001.952(jj)(1) to limit safe harbor protection to donated technology 
and services that are necessary and used predominantly to implement and 
maintain effective cybersecurity. We solicited comments on the breadth 
of protected technology and services, particularly surrounding 
multifunctional technologies and services that might have use or value 
to a recipient beyond implementing and maintaining effective 
cybersecurity, such as donations that are otherwise used in the normal 
course of a recipient's business, which we did not propose to protect.
    Summary of Final Rule: We are finalizing, with modifications, our 
proposal to limit the applicability of the cybersecurity safe harbor to 
technology and services that are necessary and used predominantly to 
implement, maintain, or reestablish cybersecurity. However, in the 
final cybersecurity safe harbor as established here, this limitation 
will be placed in the introductory paragraph of 1001.952(jj), instead 
of a condition in 1001.952(jj)(1). (The remaining conditions of the 
safe harbor will be finalized with redesignated numbering to account 
for this organizational change; for example, proposed paragraph 
1001.952(jj)(2)(i) will be finalized at paragraph 1001.952(jj)(1)(i), 
and so forth). We are also removing the phrase ``certain types of'' 
before ``cybersecurity technology and services'' from the introductory 
paragraph to avoid ambiguity regarding the scope of the safe harbor. As 
finalized, the cybersecurity safe harbor introductory paragraph will 
read as follows: As used in section 1128B of the Act, `remuneration' 
does not include nonmonetary remuneration (consisting of cybersecurity 
technology and services) that is necessary and used predominantly to 
implement, maintain, or reestablish effective cybersecurity, if all of 
the conditions in paragraphs (jj)(1) through (4) of this section are 
met.
    This organizational change does not alter the scope of remuneration 
protected by the safe harbor. This reorganization of the final 
cybersecurity safe harbor is intended to ensure consistency with the 
EHR safe harbor, without altering or affecting the substance of the 
``necessary and used predominantly'' standard as discussed in the 
proposed rule. As finalized, the introductory paragraph of the

[[Page 77816]]

cybersecurity safe harbor mirrors the introductory paragraph in the EHR 
safe harbor at paragraph 1001.952(y), which provides that donated items 
or services must be necessary and used predominantly to create, 
maintain, transmit, receive, or protect electronic health records. We 
believe this consistency is especially important insofar as certain 
cybersecurity software may be donated under both safe harbors.
    Comment: A number of commenters supported the ``necessary and used 
predominantly'' standard. A commenter noted that this provision would 
ensure the legitimacy of donations and help differentiate the 
technology and services that may have multiple uses beyond 
cybersecurity. Another commenter urged OIG to require a clear nexus 
between the cybersecurity donation and the business relationship. The 
commenter explained that the cybersecurity technology should be 
necessary for the provision of the services involved, such as when a 
hospital donates cybersecurity technology to a physician to ensure the 
secure transfer of personal health information and thus improve care 
coordination for shared patients. The commenter stated that this safe 
harbor should not protect cybersecurity technology donations that are 
used as a way to entice new business.
    Response: The goal of this condition is to ensure that donations 
are made to address the legitimate cybersecurity needs of donors and 
recipients, not to induce new Federal health care program business. We 
decline to adopt the ``clear nexus'' standard suggested by the 
commenter, and we reiterate that the donation must be ``necessary'' 
under this condition. It is unlikely that a donation would be necessary 
for the donor or recipient to implement, maintain, or reestablish 
effective cybersecurity if it is not connected to the underlying 
services furnished by either party (e.g., ensuring the secure transfer 
of information between the parties).
    We explained in the OIG Proposed Rule that the core function of the 
donated technology or service must be to protect information by 
preventing, detecting, and responding to cyberattacks. We also provided 
a nonexhaustive list of examples of technology and services that we 
believed would be necessary and used predominantly to implement, 
maintain, or reestablish effective cybersecurity.\92\
---------------------------------------------------------------------------

    \92\ These examples included any services associated with 
developing, installing, and updating cybersecurity software; any 
kind of cybersecurity training services, such as training recipients 
how to use cybersecurity technology, how to prevent, detect, and 
respond to cyber threats, and how to troubleshoot problems with the 
cybersecurity technology (e.g., ``help desk'' services specific to 
cybersecurity); and any kind of cybersecurity services for business 
continuity and data recovery services to ensure the recipient's 
operations can continue during and after a cyberattack. 84 FR 55735-
55736 (Oct. 17, 2019). Additional examples are in this final rule.
---------------------------------------------------------------------------

    We are not finalizing a risk assessment condition (described in 
more detail in section III.B.8.g), but parties remain free and are 
encouraged as a general matter to obtain a risk assessment to evaluate 
their cybersecurity needs. We are finalizing a condition whereby donors 
may not directly take into account the volume or value of referrals or 
other business generated between the parties when determining the 
eligibility of a potential recipient for donated technology or 
services, or the amount or nature of the technology or services to be 
donated. This should address the concern regarding parties that 
improperly use the safe harbor for donations to entice new business.
    Comment: Another commenter suggested that in cases where 
cybersecurity is built into software that gives physicians access to a 
hospital's computer system, the technology and services should be 
deemed to be necessary and used predominantly to implement and maintain 
cybersecurity.
    Response: Software that gives physicians access to a hospital's 
computer system may be protected if it meets all conditions of the safe 
harbor. However, software that has multiple functions, one of which is 
cybersecurity, would not meet the necessary and predominant use 
standard in the introductory paragraph at 1001.952(jj). Conversely, if 
software has multiple functions but cybersecurity is the predominant 
function, then that software may be eligible for protection under this 
safe harbor. Available safe harbor protection of specific software 
would require an analysis of the facts and circumstances specific to 
particular arrangement. The advisory opinion process remains available 
for parties that seek an individualized determination from our office.
    Comment: A commenter representing the dental industry urged OIG to 
permit, with appropriate safeguards, both nonmonetary donations and 
monetary remuneration for the purchase of cybersecurity technologies 
and services. The commenter suggested that permitting monetary 
remuneration in appropriate circumstances could help alleviate the 
final rule's unintended adverse effects on competition, such as when a 
donor wishes to supply cybersecurity technology to two competing small 
providers, and one of the small providers has already purchased the 
technology but the other has not. The commenter asserted that 
protecting monetary reimbursement to the first provider and an in-kind 
donation to the second provider would be fairer than protecting a 
donation to one competitor and not the other.
    Response: We respectfully disagree with the suggestion to protect 
monetary remuneration or reimbursement for cybersecurity technology and 
services. As explained elsewhere in this final rule, we view cash and 
cash-equivalent remuneration to potential referral sources as 
inherently higher risk under the Federal anti-kickback statute and the 
Beneficiary Inducements CMP. We also highlight that the example 
provided by the commenter likely would not satisfy the other conditions 
of this safe harbor even if it protected monetary remuneration in the 
form of reimbursement. For instance, reimbursing a provider for 
technology and services already obtained by a provider would not 
satisfy the condition that the donation be necessary and predominantly 
used to implement, maintain, or reestablish effective cybersecurity. In 
particular, if the recipient already has an effective cybersecurity 
program, any monetary reimbursement likely would be viewed as 
duplicative and not used to implement, maintain, or reestablish 
effective cybersecurity, in addition to being outside the scope of 
remuneration protected by this safe harbor, which is limited to in-kind 
remuneration.
    Comment: A commenter suggested that the scope of permissible 
cybersecurity services under paragraph 1001.952(jj)(1) should be broad 
and varied, provided that the donated services substantially further 
the interests of strengthening cybersecurity for the end user. The 
commenter agreed with our proposal that donors should have the 
discretion to choose the level of cybersecurity technology and services 
they donate to physicians (or other health care providers) based on a 
risk assessment of the potential recipient or based on the risks 
associated with the type of interface between the parties.
    Response: We are not adopting the commenter's suggestion. Requiring 
the donation to be necessary and used predominantly to implement, 
maintain, or reestablish effective cybersecurity is an appropriate 
safeguard that limits safe harbor protection to the legitimate 
cybersecurity needs of donors and recipients.

[[Page 77817]]

a. Protected Donors
    Summary of OIG Proposed Rule: We did not propose in regulatory text 
to restrict the types of individuals and entities that may qualify for 
protection under this safe harbor as donors, but we indicated that we 
were considering some restrictions. We solicited comments on whether 
particular types of individuals and entities should be ineligible for 
protection under the safe harbor.
    Summary of Final Rule: We are finalizing a policy to protect all 
donors, without any limitations on the type of individual or entity 
donating cybersecurity technology and services, as long as the other 
conditions of the safe harbor are satisfied.
    Comment: A number of commenters recommended that the safe harbor 
protect a broad range of donors, with commenters suggesting that 
limitations on donors could stifle advances in care coordination, 
health information security, or both. Commenters stated that other 
conditions of the safe harbor, including the written agreement 
requirement and restrictions on taking into account referrals, would 
effectively safeguard against potential abuses. Commenters provided a 
number of examples of entities encompassing a range of stakeholder 
types that desire to make cybersecurity donations. A commenter 
highlighted potential industry confusion regarding whether the proposed 
safe harbor would protect donations by cybersecurity vendor firms to 
patients and requested clarification that such donations do not 
implicate the Federal anti-kickback statute.
    Response: We agree with the commenters who urged protection for a 
broad range of donor entities and individuals, and we are finalizing an 
agnostic approach to the types of individuals and entities that may 
donate technology and services protected by this safe harbor. The need 
to improve the cybersecurity posture of the health care industry is 
paramount to restrictions on donors traditionally found in other safe 
harbors, such as paragraph 1001.952(y). Donations of cybersecurity 
technology and services are self-protective measures the industry can 
take because a cybersecurity breach to a recipient's system can have a 
devastating impact on the donor and others connected to its system.
    As we stated in the OIG Proposed Rule, the donor-type restrictions 
included in the EHR safe harbor at paragraph 1001.952(y) are necessary 
in that safe harbor and distinguishable from the cybersecurity safe 
harbor because donations under the EHR safe harbor facilitate the 
exchange of clinical information between a recipient referral source 
and the donor, and present a greater risk that the donation is for the 
donor to secure additional referrals from the recipient or otherwise 
influence referrals or other business generated. We are confident that 
the other safeguards in this safe harbor appropriately address the 
risks associated with permitting parties to donate valuable technology 
and services to potential referral sources such that a limitation on 
the scope of protected donors is not necessary.
    In response to the comment inquiring about donations from 
cybersecurity vendor firms, such donations may not implicate the 
Federal anti-kickback statute or the Beneficiary Inducements CMP (e.g., 
when the donor is not in a position to induce, influence, or even 
receive referrals of Federal health care program business or to 
influence a beneficiary's selection of a particular practitioner, 
provider, or supplier). Any analysis of donations by cybersecurity 
vendor firms would require an evaluation of the facts and circumstances 
to determine whether the Federal anti-kickback statute or the 
Beneficiary Inducements CMP is implicated.
    Comment: Several organizations representing individuals and 
entities in the laboratory industry recommended making laboratories 
ineligible as protected donors. For example, a commenter stated that 
the same concerns surrounding inclusion of pathology practices and 
laboratories under the EHR safe harbor apply to cybersecurity 
donations. According to a commenter, when laboratories were protected 
donors under the EHR safe harbor, physicians implicitly or explicitly 
conditioned referrals on EHR donations, and EHR vendors encouraged 
physicians to request more costly EHR software and services from 
laboratories, putting laboratories in an untenable position. The 
commenter expressed concern that the same could happen with 
cybersecurity donations if laboratories were protected under this safe 
harbor. Another commenter added that protecting laboratories and 
pathology practices under the safe harbor could negatively affect 
access to health care services, quality, competition, costs to Federal 
health care programs, and utilization, and that the proposed condition 
related to the volume and value of referrals would not sufficiently 
curb the risk of abuse.
    Response: We appreciate the concerns raised by commenters 
representing the laboratory industry, particularly in light of the 
industry's experience with the EHR safe harbor. As finalized, the 
cybersecurity safe harbor does not contain any limitations on the type 
of individual or entity eligible for protection. All individuals and 
entities, including laboratories, play a role in protecting the health 
care ecosystem from cybersecurity threats. The promulgation of this 
regulation, however, does not require laboratories to donate 
cybersecurity technology or services, nor does it restrict laboratories 
from charging fair market value for any cybersecurity technology and 
services furnished.
    To address the concerns about potential recipients conditioning 
referrals on donations, we are finalizing a condition at paragraph 
1001.952(jj)(1)(ii) that prohibits recipients from conditioning 
referrals and future business on a cybersecurity donation. Donations or 
solicitations of cybersecurity technology and services conditioned on 
business or in exchange for Federal health care program referrals would 
not be protected by this new safe harbor and would be highly suspect 
under the Federal anti-kickback statute.
b. Permitted Recipients
    Summary of OIG Proposed Rule: The proposed safe harbor would 
protect donations of cybersecurity technology and related services to 
any individual or entity without limitation, including when the 
recipient is a patient. We indicated that we were considering whether 
additional or different safeguards would be appropriate, particularly 
when the recipient is a patient, and solicited comments on this topic.
    Summary of Final Rule: We are finalizing, without modification, our 
proposal to protect donations of cybersecurity technology and related 
services to any individual or entity without limitation and without any 
additional or different safeguards for any recipient.
    Comment: A number of commenters agreed with the proposal to protect 
all potential recipients of cybersecurity donations, including 
patients. A commenter stated that it is valuable to provide patients 
with a limited amount of cybersecurity protection to protect patient 
medical records, particularly as patients and providers become more 
interconnected. Another commenter recommended protecting donations to 
patients to facilitate secure transmission of data from devices 
prescribed to patients and secure communication between the patient and 
the health care provider. A commenter noted that with the expected 
increase of patient-generated health data there will be an increased 
need to ensure that all data

[[Page 77818]]

sources and endpoints, including remote monitoring systems used by 
patients, use good cybersecurity practices.
    Response: We agree with commenters that the scope of protected 
recipients should be unrestricted and should include patients; in 
particular, cybersecurity donations to patients can serve as a valuable 
tool in protecting health information, devices, and communications in 
an increasingly interconnected environment.
    Comment: Commenters suggested additional safeguards to ensure 
prevention of fraud and abuse with respect to donations to patients 
including: (i) A monetary limit on the donation; (ii) measures that 
would limit the donation to something the patient does not already 
possess; and (iii) restrictions against any type of multifunctional 
software or device. Another commenter perceived, with the growth of 
application programming interface (API) connections, a need to use 
techniques such as those outlined by the Open Web Application Security 
Project (OWASP) to protect the confidentiality and integrity of the 
patient's health record. Conversely, another commenter suggested that 
it is unlikely that a patient would be incentivized to seek treatment 
from a provider solely because of the offer of cybersecurity protection 
due to the limited nature of these cybersecurity donations.
    Response: We believe that the final rule has appropriate safeguards 
against fraud and abuse with respect to donations to patients without 
the addition of conditions specific to such donations. For example, we 
are finalizing the restrictions against donors and recipients 
conditioning referrals and other business on cybersecurity donations. 
We also are finalizing the requirement in the introduction paragraph to 
1001.952(jj) that a donation be necessary and used predominantly for 
cybersecurity purposes, as explained in more detail section III.B.8.b.
    If a patient already possesses appropriate technology and services, 
a donation of duplicative or equivalent technology and services likely 
is unnecessary for cybersecurity purposes, and multifunctional 
donations are unlikely to satisfy the predominant use standard. There 
may be specific facts and circumstances in which the safe harbor would 
protect replacement cybersecurity technology. For example, if a 
potential recipient's technology is outdated and poses a security risk, 
replacement cybersecurity technology would likely be necessary 
depending on the specific facts and circumstances.
    We have designed this safe harbor while recognizing the critical 
need to protect patient data and privacy from cyberattacks. The safe 
harbor conditions, as finalized, help ensure that cybersecurity 
donations to patients address that critical need and mitigate the risk 
of fraud or abuse stemming from such donations. Additional safeguards 
specific to donations to patients are not needed. This safe harbor also 
does not change other laws, regulations, or other requirements related 
to the privacy and security of patient data. Parties seeking to donate 
cybersecurity technology to a patient may have other obligations under 
other laws to safeguard patient data.
    The safe harbor does not require donations to meet specific 
standards to protect patient data from cyberattacks or other 
cybersecurity threats. Parties are free to choose the cybersecurity 
technology or services that best meet their needs and achieve 
cybersecurity goals as long as the donation meets all conditions of the 
safe harbor. For example, while not required for safe harbor 
protection, parties could elect to agree that any donated technology 
must satisfy certain third-party standards, is certified by a third 
party, or is certified or approved through another method to ensure the 
donation can provide necessary cybersecurity safeguards. Voluntarily 
meeting a third-party standard does not mean the donation is protected 
by this safe harbor. To receive safe harbor protection, donated 
technology or services must otherwise satisfy the conditions of the 
safe harbor.
    Comment: A commenter recommended that OIG consider limiting 
recipients to those entities with an ``established relationship'' with 
the donor, such that there is evidence that the donor and recipient 
interface. The commenter offered as an example a requirement that a 
physician practice has to have providers who are members of a health 
system's medical staff in order for such practice to receive a 
protected donation from the health system. For a protected donation by 
a physician practice to a patient, the commenter suggested requiring 
the patient be an ``established patient'' of the practice.
    Response: For this cybersecurity safe harbor, we are not adopting 
the commenter's recommendation to require an established relationship 
between the donor and the recipient. Although we have incorporated a 
similar ``established patient'' concept in the local transportation 
safe harbor at paragraph 1001.952(bb), we believe such limitation might 
work against the stated goal of this safe harbor to enable widespread 
improvements to the cybersecurity of the connected health care 
ecosystem through appropriate donations. We note that other safeguards 
included in the final safe harbor, such as the requirement in the 
introduction paragraph to 1001.952(jj) that the donation be necessary 
and used predominantly to implement, maintain, or reestablish effective 
cybersecurity, as well as restrictions against marketing or related to 
the volume and value of referrals and other business generated, serve 
to protect against the concerns addressed by the ``established 
patient'' concept in other safe harbors, such as the local 
transportation safe harbor, and are more workable for this safe harbor.
    Comment: A commenter stated that donations of technology to a 
patient may need to be treated differently from donations to a practice 
or provider because any donation to a patient would rely on a single 
software use license, which is difficult to implement and manage. 
Furthermore, the commenter stated that a donation to a patient may 
require additional services to implement such technology on patients' 
devices, which is not practical to offer on a large scale. According to 
the commenter, providers donating such technology may not have the 
resources to provide support services to patients and may wish to 
donate technical support services via third parties. But the commenter 
highlighted that using third parties to provide such services may 
create additional risks for providers and confusion for patients.
    Response: We appreciate that cybersecurity technology and services 
donations to patients involve different considerations, and we 
anticipate that donors will evaluate those considerations before making 
donations to patients. Safe harbors are voluntary, and providers are 
under no obligation to donate cybersecurity technology and services to 
patients or to structure arrangements to satisfy the conditions of the 
safe harbor finalized here. As we stated in the OIG Proposed Rule, 
protected donations may include services associated with installing and 
updating cybersecurity software as well as cybersecurity training 
services, such as training recipients on how to use the technology and 
troubleshoot problems with the cybersecurity technology. The donor 
could furnish such donated services on its own or contract with a third 
party to furnish such services.
    We reiterate that a donation to patients also must be necessary. 
The determination of which cybersecurity technology and services are 
necessary for patients likely will look much different than such 
determination with

[[Page 77819]]

respect to health care entities. Patients' interaction with or access 
to a health care provider's system or network is often more limited 
than another health care provider's interaction or access. For example, 
patients may interact or access a health care provider's system through 
a patient portal or by authorizing a third party to access their 
electronic health data through a mobile application. In those 
instances, cybersecurity likely is built into the patient portal, the 
authentication mechanism, or the API services used by the mobile 
application. We expect that providers evaluating potential donations to 
patients would take into account existing cybersecurity measures and 
the nature of the patient's interaction with or access to systems when 
determining whether any donation to the patient is necessary.
e. Definition of ``Cybersecurity''
    Summary of OIG Proposed Rule: We proposed to define 
``cybersecurity'' as the process of protecting information by 
preventing, detecting, and responding to cyberattacks. The proposed 
definition was derived from the National Institute for Standards and 
Technology (NIST) ``Framework for Improving Critical Infrastructure 
Cybersecurity'' (NIST CSF).\93\ We intended to define cybersecurity 
broadly to avoid unintentionally limiting donations.
---------------------------------------------------------------------------

    \93\ See NIST CSF, Version 1.1 (Apr. 2018), available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing this definition with 
certain clarifications at paragraph 1001.952(jj)(5)(i).
    Comment: Several commenters agreed with the proposed definition of 
``cybersecurity,'' derived from the NIST CSF, and commenters generally 
agreed that the final rule should include a broad definition to provide 
sufficient flexibility. A commenter was generally supportive of the 
definition of ``cybersecurity'' but believed it should include the 
process of protecting information through ``identifying'' and 
``recovering'' from cyberattacks, to account for the entire lifecycle 
of a cyberattack. The commenter surmised that the addition of 
``recovering'' would protect ``backup services'' that support 
reestablishing cybersecurity and reduce the impact of ransomware 
extortion. Relatedly, several commenters noted that the OIG Proposed 
Rule omitted the word ``reestablish'' in the first condition at 
paragraph 1001.952(jj)(1), making it inconsistent with the parallel 
exception to the physician self-referral law as proposed by CMS.
    Commenters urged OIG to adopt text that includes ``reestablish'' in 
the first condition at paragraph 1001.952(jj)(1). Specifically, several 
commenters recommended that paragraph 1001.952(jj)(1) read, ``[t]he 
technology and services are necessary and used predominantly to 
implement, maintain, or reestablish effective cybersecurity'' (emphasis 
added). Commenters asserted that the inclusion of ``reestablish'' in 
the safe harbor would make explicit that the safe harbor protects post-
incident activities, such as the donation of a consultant's time to 
assist with conducting root cause analyses and identifying needed 
procedural improvements.
    Response: We agree that we should rely on the NIST CSF as a basis 
to define ``cybersecurity'' and believe that this definition, as 
finalized, provides sufficient flexibility while also providing an 
appropriately defined scope of what is protected under the safe harbor 
consistent with the goals of the safe harbor. As explained in the OIG 
Proposed Rule, the goal of this definition is to broadly define 
cybersecurity and avoid unintentionally limiting the scope of 
donations. For this reason, we also removed the phrase ``certain types 
of'' before ``cybersecurity technology and services'' from the initial 
paragraph at 1001.952(jj) to avoid ambiguity; cybersecurity technology 
and services that meet all conditions of the safe harbor are protected.
    We are not adding additional terms to the definition because the 
definition of ``cybersecurity'' is derived from the NIST CSF 
glossary.\94\ We believe the use of the NIST CSF definition, in 
combination with the conditions of this safe harbor, provides donors 
and recipients needed flexibility while also mitigating the risks of 
fraud and abuse. The NIST CSF is widely accepted across public and 
private sectors, all types of industries, and international 
organizations. It provides a commonly understood language for donors 
and recipients seeking to use this safe harbor to improve their 
cybersecurity posture. While this safe harbor does not condition 
protection of donations on compliance with the NIST CSF, we encourage 
potential donors and recipients to ensure a comprehensive, systematic 
approach to identifying, assessing, and managing cybersecurity risks.
---------------------------------------------------------------------------

    \94\ Id. at 45.
---------------------------------------------------------------------------

    The additional terms suggested by commenters, such as 
``identifying'' and ``recovering,'' also appear in the NIST CSF. The 
NIST CSF organizes basic ``cybersecurity activities'' into five 
functions: Identify, protect, detect, respond, and recover.\95\ The 
definition of ``cybersecurity'' in this safe harbor likely would apply 
to donations of cybersecurity technology and services that are used 
predominantly and are necessary for these five functions and the 
related subfunctions and cybersecurity outcomes that are part of the 
NIST CSF. We have not been persuaded to adopt a more specific 
definition of cybersecurity by incorporating specific terminology from 
the NIST CSF and we are finalizing the definition as proposed for the 
policy reasons explained above.
---------------------------------------------------------------------------

    \95\ Id. at 6.
---------------------------------------------------------------------------

    In response to commenters who said that the term ``reestablish'' 
was not in the first condition at paragraph 1001.952(jj)(1), we are 
finalizing a clarification to extend protection to donations that are 
necessary and used predominantly to implement, maintain or reestablish 
effective cybersecurity. This change is reflected in the final version 
of the initial paragraph for 1001.952(jj). As we noted in the preamble 
to the OIG Proposed Rule, protected donations would include business 
continuity software that mitigates the effects of a cyberattack and 
data recovery services to ensure that the recipient's operations can 
continue during and after a cyberattack. Additionally, as we stated in 
the OIG Proposed Rule, we intend to align closely with the 
corresponding CMS exception where appropriate.\96\
---------------------------------------------------------------------------

    \96\ 84 FR 55734 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We note that the safe harbor does not, however, protect payments of 
any ransom to or on behalf of a recipient in response to a cyberattack, 
which we would not view as ``reestablishing'' effective cybersecurity 
(nor would we view it as nonmonetary remuneration, as required for 
protection under the safe harbor). Although we believe the proposal 
sufficiently included this concept, for the reasons stated above we 
have added the word ``reestablish'' in the final version of the 
introductory paragraph to 1001.952(jj) to provide clarity and to align 
with CMS's corresponding physician self-referral law exception for 
cybersecurity donations.
    Comment: A commenter applauded the definition of ``cybersecurity'' 
for being fairly broad and including donations of APIs. The commenter 
requested, however, that the definition be modified to account for the 
so-called three pillars of information security: Confidentiality of 
information, integrity of information, and availability of information.

[[Page 77820]]

    Response: We are not modifying the definition of cybersecurity. As 
discussed previously, our intention was to broadly define 
``cybersecurity'' and use terminology within an industry-recognized 
standard. We believe the NIST CSF definition of cybersecurity meets 
those policy goals.
    We recognize, however, that the three pillars of confidentiality, 
integrity, and availability of information are fundamental concepts to 
cybersecurity. The NIST CSF similarly recognizes these pillars. An 
outcome category under the ``protect'' function includes that data 
``are managed consistent with the organization's risk strategy to 
protect the confidentiality, integrity, and availability of 
information.'' \97\ Therefore, the definition of ``cybersecurity,'' 
which includes ``the process of protecting information,'' accounts for 
these principles while also providing flexibility and certainty to 
donors as to the scope of protected cybersecurity donations.
---------------------------------------------------------------------------

    \97\ See NIST CSF, Version 1.1, pg. 32 (Apr. 16, 2018) available 
at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

    Comment: A commenter stated that the proposed definition of 
cybersecurity seems oversimplified and is not comprehensive. The 
commenter suggested that the definition of ``cybersecurity'' should be 
inclusive of any unauthorized use, even without deliberate criminal 
activity or a specific cyberattack, and recommended broadening the 
definition accordingly. Another commenter noted that the proposed 
definition of ``cybersecurity'' includes the term ``cyberattack,'' 
which the commenter found both vague and representative of only one 
type of threat to electronic data. The commenter encouraged OIG to 
adopt the definition found on the Department of Homeland Security (DHS) 
website, which describes cybersecurity as ``the process of protecting 
networks, devices, and data from unauthorized access or use and the 
practice of ensuring confidentiality, integrity, and availability of 
information.'' The commenter requested that any change to the 
definition be employed consistently across other relevant safe harbors 
(e.g., paragraph 1001.952(y)).
    Response: We decline to modify the definition. First, the safe 
harbor definition of ``cybersecurity'' does not limit donations of 
cybersecurity technology and services to those that prevent only 
criminal misconduct. The definition of ``cybersecurity'' is agnostic to 
the intent--criminal or otherwise--of an ``unauthorized user.'' We also 
believe the definition used in this final rule, derived from the NIST 
CSF, is broad enough to address the commenter's concerns about 
``unauthorized users'' as well as the definition from the DHS website. 
Specifically, our final regulatory definition of ``cybersecurity'' is 
broad enough to result in safe harbor protection for technology and 
services that protect networks, devices, and data from unauthorized 
access or use, including those that ensure the confidentiality, 
integrity, and availability of information.
    Comment: One commenter stated that the proposed definition of 
``cybersecurity'' fails to capture all aspects of security controls 
relevant to patient information, systems processing, or retention of 
patient information. The commenter recommended the following definition 
for cybersecurity: ``[p]revention of damage to, protection of, and 
restoration of computers, electronic communications systems, electronic 
communications services, wire communication, and electronic 
communication, including information contained therein, to ensure its 
availability, integrity, authentication, confidentiality, and 
nonrepudiation; or the prevention of damage to, unauthorized use of, 
exploitation of, and--if needed--restoration of electronic information 
and communications systems, and the information they contain, in order 
to strengthen the confidentiality, integrity, and availability of these 
systems; or the process of protecting information by preventing, 
detecting, and responding to attacks.''
    Response: We are not adopting this suggestion. Notwithstanding, we 
believe that the principles underlying the commenter's definition, 
which are derived from NIST and other Federal Government sources, 
generally are included in the definition of ``cybersecurity.'' Further, 
we are not modifying the definition of cybersecurity as suggested by 
the commenter because some of the commenter's proposed additions to 
regulatory text could be misread to protect multifunctional equipment. 
For example, ``restoration of computers, electronic communications 
systems, electronic communications services, wire communication, and 
electronic communication,'' could be misread by donors to protect 
donations of multifunctional hardware and other multifunctional 
donations (e.g., computers or entire communications systems) as part of 
restoration efforts, which are not protected by this safe harbor. The 
safe harbor protects donations of cybersecurity technology and services 
that are necessary and used predominantly to implement, maintain, or 
reestablish effective cybersecurity.
    Comment: Several commenters suggested that OIG finalize a broad and 
industry-neutral definition of ``cybersecurity'' to permit flexibility 
for future changes, adaptions, and variations in the dynamic world of 
cybersecurity. A commenter stated that the proposed safe harbor is 
shortsighted and should include a more comprehensive definition of 
potential technology solutions for cybersecurity attacks.
    Response: We agree with commenters that the cybersecurity safe 
harbor should be broad and rely on an industry-neutral definition. 
Consequently, we are finalizing a definition derived from the NIST CSF. 
The NIST CSF is industry agnostic and applies to any critical 
infrastructure in the United States, which includes health care. We are 
not using a definition that would incorporate specific technology 
solutions for cyberattacks. Such an approach could make the safe harbor 
definition obsolete as new cybersecurity technologies are developed and 
implemented. We believe the broad, neutral definition finalized here 
allows donors and recipients the flexibility to determine which 
cybersecurity technology and services are necessary and predominantly 
used to implement, maintain, or reestablish effective cybersecurity. 
Additionally, we note that effective cybersecurity is broader than 
technology solutions. Protected donations of cybersecurity technology 
and services are just one component of cybersecurity. Regardless of the 
conditions of this safe harbor, we encourage parties to consult 
cybersecurity industry standards such as the NIST CSF to ensure a 
comprehensive, systematic approach to identifying, assessing, and 
managing cybersecurity risks.
f. Definitions of ``Technology'' and Protection of Hardware
    Summary of OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(jj)(6) to define ``technology'' as any software or other type 
of information technology, other than hardware. In the preamble to the 
OIG Proposed Rule, we noted our concern about donations of valuable, 
multifunctional hardware being disguised as payments for referrals, but 
also recognized that some hardware may in fact be limited to 
cybersecurity functionality, such as two-factor authentication dongles, 
and indicated that we were considering including such hardware in the 
safe harbor.

[[Page 77821]]

    Summary of Final Rule: We are finalizing, with modification, our 
proposed definition at paragraph 1001.952(jj)(5)(ii). Based on public 
comments, the modified final rule provides that donations of certain 
hardware will be permitted under the exception as long as the donation 
satisfies the other conditions of the safe harbor. In particular, we 
highlight that the introductory paragraph for 1001.952(jj) requires 
that donations be necessary and used predominantly for effective 
cybersecurity. In most cases, multifunctional hardware would not be 
used predominantly for effective cybersecurity and thus would fall 
outside the scope of protection of this safe harbor.
    Comment: Some commenters agreed with using the NIST CSF as a basis 
for the definition of ``technology'' and recommended that any final 
regulation allow sufficient latitude for various types of technology 
classifications (software and certain hardware components) and not be 
limited to a one-size-fits-all paradigm. Some commenters agreed with 
excluding hardware from the definition of ``technology'' and, 
therefore, from protection under this safe harbor, citing program 
integrity risks. A large number of commenters objected to the exclusion 
of hardware from the definition of ``technology.'' Many commenters 
highlighted that the line between hardware, software, services, and 
other technology that is neither hardware, software, nor a service, is 
increasingly blurred and such technologies are often packaged together 
as a bundle. Others suggested that hardware donations are a 
foundational requirement to operationalize cybersecurity best 
practices. Some commenters noted that certain cybersecurity software 
requires specific hardware and sought protection for such hardware. For 
example, a commenter noted that firewalls involve the use of both 
hardware and software and suggested that many clinicians would not have 
the technical knowledge to configure the firewalls. A commenter 
recommended permitting donation of low-cost hardware and possibly 
adding a dollar threshold that could not be exceeded for the total 
donation.
    Other commenters highlighted that failing to extend safe harbor 
protection to multifunctional cybersecurity hardware (or software) 
would limit the utility of the safe harbor because cybersecurity 
technology often is not standalone in nature. Commenters provided 
examples of multifunctional hardware they deemed beneficial to 
cybersecurity hygiene, such as encrypted servers, encrypted drives, 
upgraded wiring, physical security systems, fire retardant or warning 
technology, and high-security doors.
    Response: Consistent with our solicitation of comments in the OIG 
Proposed Rule and in careful consideration of the responses from 
commenters, this final rule expands the definition to include certain 
hardware. To receive safe harbor protection, donations of such hardware 
must satisfy all of the conditions of the safe harbor, and specifically 
the requirement that the hardware be necessary and used predominantly 
to implement, maintain, or reestablish effective cybersecurity. We 
intend this condition to make donations of multifunctional hardware 
ineligible for safe harbor protection in most cases, even if such 
hardware is low-cost, because such donations likely would not satisfy 
the predominant use condition. For instance, some of the examples 
provided by commenters would not satisfy the predominant use standard 
because by design they have functions that extend well beyond 
cybersecurity, including servers, drives, upgraded wiring, physical 
security systems, fire retardant or warning technology, and high-
security doors. For example, although the donation of an encrypted 
server might improve the recipient's cybersecurity, the server likely 
would not be used predominantly for effective cybersecurity because the 
recipient is likely to use it predominately for other purposes, such as 
hosting its computing infrastructure. We note, however, that the safe 
harbor protects services, including installing cybersecurity software. 
Therefore, if an entity donates cybersecurity software, it can also 
install and configure such software on a recipient's system. We do not 
believe a monetary cap is necessary for this safe harbor.
    Comment: A number of commenters urged OIG to expand protection for 
single-function hardware technologies that have limited or no 
functionality outside of cybersecurity, such as computer privacy 
screens, two-factor authentication dongles and security tokens, facial-
recognition cameras for secure access, biometric authentication, secure 
identification card and device readers, intrusion detection systems, 
data backup systems, and data recovery systems. Some commenters opposed 
any such expansion.
    Response: We agree with commenters that certain hardware is limited 
to cybersecurity uses and, as stated above, have finalized the 
definition of ``technology'' so that safe harbor protection includes 
such hardware. However, in order to receive safe harbor protection, 
donations of hardware must satisfy all of the conditions of the safe 
harbor and, specifically, the predominant use requirement in the 
initial paragraph to 1001.952(jj). Some of the examples provided by 
these commenters including computer privacy screens, two-factor 
authentication dongles, security tokens, facial-recognition cameras for 
secure access, biometric authentication, secure identification card and 
device readers, intrusion detection systems, data backup, and data 
recovery systems could be protected by the safe harbor if all 
conditions of the safe harbor are satisfied because their functionality 
could be predominantly for effective cybersecurity.
    We are not finalizing the additional proposed condition that would 
have required donors and recipients to conduct a risk assessment prior 
to donating hardware as a means of attaining safe harbor protection for 
hardware. As finalized, the safe harbor protects hardware donations the 
same way that software and service donations are protected, that is by 
meeting all conditions of the safe harbor.
    Comment: A commenter explained that it is important for OIG to 
recognize and make clear that typically it is not the actual software 
that is purchased by providers because the software is owned by the 
vendor. Instead, providers purchase the rights to use the software, 
which is accomplished through licensing. Therefore, with regards to 
donations, the software itself will not be donated; it will be the 
license to use that software. The commenter also recommended allowing 
installment and repairs to be among the types of technology and 
services, the donation of which is protected by the safe harbor.
    Response: We also recognize that in some instances, providers 
purchase the rights to use the software, which is accomplished through 
licensing, and donate that use or license rather than the software 
itself. Donating such licenses can be protected under this safe harbor 
in the same way that donating software is protected, if all conditions 
of the safe harbor are met. We also agree with the commenter that 
installment and repairs can be included among the protected technology 
and services, provided that the donations of such installment and 
repairs squarely satisfy the safe harbor's conditions, including that 
the donation is necessary and used predominantly to implement, 
maintain, or reestablish effective cybersecurity.
g. Alternate Proposal
    Summary of OIG Proposed Rule: We included an alternate proposal to 
allow parties to donate hardware, subject to

[[Page 77822]]

the other conditions of the proposed safe harbor, if such hardware is 
reasonably necessary based on a risk assessment of the donor and 
recipient.
    Summary of Final Rule: We are not finalizing this alternate 
proposal.
    Comment: Several commenters supported including hardware and did 
not agree that a risk assessment should be required for protected 
donations of hardware. A commenter observed that while donors should be 
free to require and even donate a cybersecurity risk assessment, 
adopting such a requirement to protect donations of hardware could slow 
the proliferation of cybersecurity technology. A commenter objected to 
requiring a written risk assessment from either party, or in multiparty 
arrangements from any party. Another commenter stated that OIG should 
not adopt a security framework tying cybersecurity technology to 
particular industry standards and should not require the preparation of 
special security risk assessments or management documents. Instead, the 
commenter recommended that OIG recognize any safeguard that advances 
the HIPAA security standards.
    Response: For the reasons stated above, we are not finalizing this 
alternative proposal. Parties may have other legal obligations to 
conduct risk assessments, and this safe harbor does not affect any such 
requirements. Furthermore, we are not requiring cybersecurity 
technology and service donations to meet specific standards. Parties 
also remain free to donate cybersecurity risk assessments under this 
safe harbor if all of the other conditions are satisfied. Parties are 
encouraged to perform risk assessments to determine donor and recipient 
vulnerability to cyberattacks and to assist in creating their own 
cybersecurity programs.
    Comment: Several commenters recommended requiring a risk assessment 
to receive protected hardware or other donated cybersecurity products 
for various reasons. For example, a commenter highlighted that a risk 
assessment can determine what type of protection is needed when there 
are vulnerabilities and ensure that the cybersecurity product is 
effective once implemented. A commenter requested that it not be a 
requirement for the recipient to perform any risk assessment, as they 
may not have the appropriate knowledge and expertise to do so. Instead, 
the commenter suggested that the recipient have the option to perform 
the risk assessment if they have the knowledge and expertise to do so; 
otherwise, it could be completed by the donor or a qualified third 
party.
    Several commenters suggested that any definition or scope of ``risk 
assessments'' should rely on definitions set out by NIST publications 
and further suggested that OIG should rely on the comprehensive NIST 
definition. Some commenters requested that OIG provide template risk 
assessment documentation.
    A commenter suggested that parties be required to maintain the 
initial risk assessment, which could be used to compare the 
``baseline'' risk assessment to a future risk assessment to help 
understand whether any previously identified gaps were resolved.
    Response: For reasons previously stated, we are not requiring a 
risk assessment as a condition of this safe harbor. We agree that 
cybersecurity risk assessments are valuable tools that can evaluate 
vulnerabilities and identify cybersecurity solutions, and parties 
remain free to obtain such risk assessments, or to donate them as long 
as the conditions of this safe harbor are met. For example, one method 
parties might use to establish that a donation was necessary for 
cybersecurity is to utilize findings from a legitimate risk assessment 
to demonstrate that a recipient had a vulnerability that was necessary 
to mitigate.
h. Scope of Protected Technology and Services
    Summary of OIG Proposed Rule: We proposed to protect a broad range 
of technology and services, excluding hardware, and solicited comments 
on this approach.
    Summary of Final Rule: We are finalizing protection for a broad 
range of technology and services, including certain hardware. We 
provide additional clarity on the scope of this protection and several 
examples below.
    Comment: Most commenters recommended that we finalize protection 
for a broad range of donations, and some requested specific language or 
clarifications. In particular, several commenters asked OIG to consider 
the implications of cloud-based and subscription-based products and 
services. Another commenter requested OIG provide clarity related to 
the scope of protected donations through examples of the types of 
software and services allowed (e.g., provision of a full-time 
cybersecurity officer). Some commenters also noted that a 
cybersecurity-specific help desk may not be realistic and recommended 
that OIG protect donations of general help desk services, whether 
through the donor's IT department or the vendor's help desk services. A 
commenter urged OIG to protect patches and software updates.
    Response: As finalized, the safe harbor protects donations of a 
broad range of cybersecurity technology and services. This includes 
certain cybersecurity hardware, as discussed above, as well as a 
multitude of cybersecurity services and technology. Cybersecurity 
services and technology would include both locally installed 
cybersecurity software and cloud-based cybersecurity software, 
including patches and updates of such software or patches and updates 
of other software or programs if the patch or update is predominantly 
for cybersecurity purposes. Protected donations, however, are 
constrained by the initial paragraph to 1001.952(jj), which requires 
that the donation is necessary and used predominantly to implement, 
maintain, or reestablish effective cybersecurity. This safe harbor is 
intended to cover a wide range of cybersecurity technology and services 
that have specific functionality, as constrained by the initial 
paragraph for 1001.952(jj). This approach means that most technology 
and services that include cybersecurity as one function of multiple 
functions will not be protected by this safe harbor. For instance, 
depending on the facts and circumstances of a particular arrangement, 
donating a virtual desktop that includes access to programs and 
services beyond cybersecurity software likely would not be protected 
because the donation likely would include functions not necessary and 
predominantly used to implement, maintain, or reestablish effective 
cybersecurity, such as claims and billing applications. We explicitly 
decided not to protect technology or services that may provide some 
beneficial cybersecurity effects as one feature of a broader suite of 
services because that broad scope of protection could apply to nearly 
any technology or service. We believe such a broad scope of protection 
under this safe harbor would elevate the risk that valuable donations 
could improperly influence the recipient. Understanding those 
tradeoffs, we conclude that the significant need for the health care 
system to improve cybersecurity is better served by this safe harbor 
only protecting cybersecurity technology and services that have 
specific functionality, as constrained by the initial paragraph to 
1001.952(jj), but with fewer other conditions that would limit certain 
aspects of a donation (e.g., a monetary cap on the value of a 
donation).
    Donors and recipients that would like to protect the donation of 
technology or services that are not necessary or are

[[Page 77823]]

used predominantly to implement, maintain, or reestablish cybersecurity 
should assess those potential arrangements under the Federal anti-
kickback statute as well as other potentially applicable safe harbors, 
such as the EHR safe harbor at paragraph 1001.952(y). Alternatively, 
the advisory opinion process remains available to parties seeking a 
legal opinion regarding the scope of the safe harbor as applied to a 
specific set of facts and circumstances.
    For the same reasons, we are not extending protection for donations 
of general IT help desk services because cybersecurity is not the 
predominant use of such services. However, we are aware of 
cybersecurity-specific software and services that include customer 
service and help desk features for cybersecurity assistance. Such help 
desk services, if they are necessary and predominantly used for 
implementing, maintaining, or reestablishing cybersecurity, could meet 
the introductory paragraph for 1001.952(jj) and may be protected by 
this safe harbor if all other conditions are met. Relatedly, donating 
services through a donor organization's primary service desk or IT help 
desk, limited to reporting cybersecurity incidents, could satisfy this 
requirement because the service or help desk responsibilities would be 
used predominately for cybersecurity incident reporting. Staffing a 
recipient's practice with a full-time cybersecurity officer, however, 
would only be protected by this safe harbor if that officer's duties 
were used predominately for implementing, maintaining, or 
reestablishing effective cybersecurity and were necessary. If the 
officer performed general information technology services or provided 
other non-cybersecurity value to the recipient's business, then the 
donation may not meet the requirements in the initial paragraph for 
1001.952(jj).
    Comment: A commenter asked OIG to clarify that services such as 
assurance, assessment, and certification programs that incorporate 
cyber-risk management could receive safe harbor protection.
    Response: To the extent the assurance, assessment, and 
certification programs that incorporate cybersecurity risk management 
suggested by the commenter satisfy all of the conditions of the safe 
harbor, including the requirements in the initial paragraph for 
1001.952(jj), they could be protected. We note, however, that if 
cybersecurity is just one component or feature of the assurance, 
assessment, and certification programs referenced by the commenter, 
then the other features are not likely to be necessary and used 
predominantly to implement, maintain, or reestablish effective 
cybersecurity, and the cybersecurity safe harbor would not protect the 
referenced services, although they could be protected under another 
safe harbor.
    Comment: A commenter expressed concern that the OIG Proposed Rule 
would create separate safe harbors for various types of technology, 
resulting in a piecemeal approach to tools that must work together to 
drive care coordination. The commenter urged OIG to broaden the 
cybersecurity items and services safe harbor and the EHR safe harbor to 
be flexible enough to protect technology that can help facilitate the 
movement to value-based care. Several commenters specifically 
recommended that any final cybersecurity safe harbor protect data 
analytics and reporting functionalities. Another commenter asked that 
OIG clarify that arrangements involving sharing data and technology, 
including cybertechnologies that keep the data secure, are not illegal 
remuneration when used for care coordination purposes.
    Response: We recognize that multiple safe harbors may protect 
various types of technology donations. Several safe harbors finalized 
elsewhere in this final rule protect certain remuneration to facilitate 
care coordination and the transition to value-based care, such as the 
value-based safe harbors at 1001.952(ee)-(gg). Data analytics, 
reporting functionalities, and other information technology used to 
facilitate the movement to value-based care may be protected under 
these safe harbors, provided the arrangement squarely satisfies the 
conditions of any applicable safe harbor. However, we note that 
cybersecurity items in and of themselves likely would not meet the 
definition of the ``coordination and management of care,'' as explained 
in the preamble above. Relatedly, data analytics and other information 
technology, when coupled with a cybersecurity donation, would not meet 
the requirement that the donation be necessary and used predominantly 
to implement, maintain, or reestablish effective cybersecurity.
    We emphasize that arrangements involving sharing data could 
potentially involve remuneration that implicates the Federal anti-
kickback statute. For instance, while standing on its own, basic 
sharing of patient records for purposes of care coordination or 
treatment of patients is unlikely to implicate the statute, the 
provision of data analysis, data aggregation, or other services of 
independent value to the recipient likely would be the sort of 
remuneration that implicates the statute. Any assessment of Federal 
anti-kickback statute implications, available safe harbor protection, 
and potential liability under the statute, would require an analysis of 
the facts and circumstances specific to the particular arrangement.
    Data analytics and other information technology that may be 
protected by the value-based safe harbors at 1001.952(ee)-(gg) can 
include built-in cybersecurity protections. For example, those safe 
harbors do not require the data analytics software to be free from 
cybersecurity protections to meet their conditions. Such software might 
normally include security features, such as a secure login and 
authentication, as part of the normal software development and could be 
protected by the value-based safe harbors, depending on the facts and 
circumstances.
    Where parties seek safe harbor protection for the donation of 
technology, parties do not need to protect separate functions of that 
technology under different safe harbors if the donation meets the terms 
of a single safe harbor. This cybersecurity safe harbor is intended 
only to protect cybersecurity technology and services. Other safe 
harbors protect donations that may include cybersecurity features as 
part of a broader donation, without regard to whether the cybersecurity 
features would meet the requirements of the cybersecurity safe harbor 
(e.g., a donation of data analytics software that includes 
cybersecurity features may be protected by the value-based safe harbors 
at 1001.952(ee)-(gg), or an EHR system with cybersecurity features may 
be protected by the EHR safe harbor at 1001.952(y)).
    Unless the data analytics and reporting functionality is 
predominantly used to analyze and report on cybersecurity threats or 
attacks (rather than more broadly facilitating the movement to value-
based care), then it typically would not satisfy the initial paragraph 
for 1001.952(jj), which requires that the cybersecurity donation be 
necessary and used predominantly to implement, maintain, or reestablish 
effective cybersecurity.
    Comment: A commenter recommended that OIG clarify the scope of what 
the cybersecurity technology and services must protect, such as 
cybersecurity to protect electronic health records, medical devices, or 
other information technology that uses, captures, or maintains 
individually identifiable health information. The commenter stated that 
the proposed safe harbor was silent as to the ``object'' of the 
cybersecurity protection and an explicit statement setting broad 
parameters about the purpose of

[[Page 77824]]

donated cybersecurity technology and services would provide guidance 
and cover future technology advances. Another commenter encouraged OIG 
to permit donations related to medical device cybersecurity, which the 
commenter identified as a growing area of vulnerability. The commenter 
posited that promoting the security of medical devices would create 
added protection for patient privacy and safety.
    Response: We are not defining the ``object'' or ``subject'' of the 
cybersecurity protection. The safe harbor protects a wide range of 
cybersecurity technology and services that are necessary and used 
predominantly to implement, maintain, or reestablish effective 
cybersecurity. If all other conditions of the safe harbor are 
satisfied, this could include cybersecurity donations in connection 
with medical devices, EHR, and other information technology.
    Comment: A commenter supported the inclusion of a broad array of 
cybersecurity services as part of the safe harbor, including numerous 
examples from the OIG Proposed Rule. In addition, the commenter 
recommended adding services to the list included in the OIG Proposed 
Rule, such as consulting services deployed not to conduct only a risk 
assessment or analysis, but to work with the practice to develop and 
implement specific cybersecurity policies and procedures. The commenter 
also suggested protection for subscription fees to vendor security 
products that assist practices in developing policies and procedures in 
support of a risk assessment. Another commenter requested that OIG 
provide further examples of what would and would not be protected by 
the safe harbor.
    Response: We provided examples of items and services that would be 
protected by this safe harbor in the preamble to the OIG Proposed Rule 
that are still valid under the final rule and provide additional 
examples in this final rule.\98\ The examples included in the OIG 
Proposed Rule apply to the safe harbor, as finalized, and continue to 
illustrate the scope of the technology and services potentially 
protected by the safe harbor. We emphasize that we intend for the safe 
harbor to protect a broad array of technology and services. Donations 
of services that meet all conditions of this safe harbor would be 
protected. That would include donations where the donor arranges for or 
otherwise pays for third-party vendors or consultants to provide 
cybersecurity services that are necessary and used predominantly to 
implement, maintain, or reestablish effective cybersecurity. We note, 
however, that reimbursing a recipient or providing monetary 
remuneration for such services would not be protected by this safe 
harbor because the safe harbor only protects nonmonetary remuneration.
---------------------------------------------------------------------------

    \98\ 84 FR 55735-6 (Oct. 17, 2019).
---------------------------------------------------------------------------

    The advisory opinion process remains available for parties seeking 
a legal opinion regarding the scope of the safe harbor as applied to a 
specific set of facts and circumstances.
    Comment: A commenter asked OIG to include protection for 
implementation, management, and remediation services within the scope 
of this safe harbor, as these will fully optimize donations.
    Response: The safe harbor would protect donations that include 
implementation, management, and remediation services, including those 
provided through a third party, if all conditions of the safe harbor 
are satisfied. As we stated in the OIG Proposed Rule, the safe harbor 
may protect services such as developing, installing, and updating 
cybersecurity software, and training recipients how to use it. We also 
stated in the OIG Proposed Rule that ``cybersecurity as a service'' may 
be protected, which includes third-party services for managing and 
monitoring the cybersecurity of a recipient.
    Comment: While many commenters expressed concern about the 
effectiveness of the safe harbor if it does not protect a broad scope 
of technology and services, other commenters recommended limiting the 
scope of protected technology and services. A commenter noted that 
effective cybersecurity protection could require a whole suite of 
services, such as active management, monitoring, and developing an 
effective response system if an issue arises, and it may not be 
possible for an outside entity to provide such a broad range of 
services.
    Response: This safe harbor protects a wide range of cybersecurity 
technology and services that satisfy the conditions of the safe harbor. 
It is intended to remove one actual or perceived barrier to improving 
the cybersecurity posture of the health care industry. While this safe 
harbor does not and cannot solve all cybersecurity issues for the 
health care industry, OIG believes that cybersecurity donations are 
just one tool that the health care system can use to improve its 
cybersecurity. We encourage providers and other actors to engage in 
other cybersecurity efforts, consistent with industry standards and 
applicable laws, to improve the cybersecurity of the entire health care 
system.
i. Monetary Cap
    Summary of OIG Proposed Rule: We solicited comments on whether the 
safe harbor should include a monetary value limit on the total amount 
of donations that a donor can make to a recipient.
    Summary of Final Rule: We are not finalizing a condition imposing 
any monetary limit.
    Comment: A commenter recommended that if the final safe harbor 
protects hardware, OIG should not impose any cap on the value of the 
donated hardware. Another commenter encouraged OIG to finalize the safe 
harbor without imposing a monetary limit on the value of applicable 
remuneration. Some commenters recommended a cap as a potential 
safeguard.
    Response: We are not finalizing any monetary cap on the value of 
remuneration protected by this safe harbor. We believe most 
cybersecurity donations are made for purposes of self-preservation from 
the risk of cyberattack. Therefore, donors are incentivized to donate 
what is required to achieve effective cybersecurity and not make 
excessive donations beyond the scope of what is needed to protect 
themselves. Furthermore, the initial paragraph for 1001.952(jj) limits 
donations of technology and services to those necessary and used 
predominantly to implement, maintain, or reestablish cybersecurity, 
which also serves to limit any excessive value of donations. The 
conditions at paragraphs 1001.952(jj)(1) and (2) ensure that the 
cybersecurity safe harbor does not protect donations that are tied to 
Federal health care program referrals or are otherwise conditioned on 
Federal health care program business. These conditions help mitigate 
the risk that more valuable donations may lead to more referrals or 
future business.
    The threat-reduction purpose of cybersecurity technology and the 
conditions of the safe harbor work together to limit the risk of fraud 
or abuse caused by improper donations and a monetary cap is not needed 
for the cybersecurity safe harbor.
j. Deeming Provision
    Summary of OIG Proposed Rule: We solicited comments on whether to 
create a provision in the final rule that would allow donors and 
recipients to demonstrate compliance with the condition at paragraph 
1001.952(jj)(1) by meeting certain additional standards. Specifically, 
we suggested a ``deeming provision'' that would allow donors or 
recipients to demonstrate that the donation satisfies proposed 
paragraph

[[Page 77825]]

1001.952(jj)(1) if it furthers a recipient's ability to comply with a 
written cybersecurity program that reasonably conforms to a widely 
recognized framework or set of standards, such as one developed or 
endorsed by the National Institute of Standards and Technology (NIST) 
or another American National Standards Institute-accredited standards 
body, such as the International Organization for Standardization.
    Summary of the Final Rule: We are not finalizing a ``deeming 
provision.''
    Comment: A number of commenters supported the inclusion of a 
``deeming provision'' in the final rule and offered suggestions on how 
to implement such a provision. Several commenters suggested that the 
``deeming provision'' should apply if the donation furthers a 
recipient's compliance with a written cybersecurity program that 
reasonably conforms to a widely recognized cybersecurity framework, 
such as one developed by NIST, or guidelines developed by the 
Department of Health and Human Services Office for Civil Rights (OCR) 
in collaboration with the Office of the National Coordinator for Health 
Information Technology (ONC). One commenter recommended that any 
reference to cybersecurity standards, frameworks or risks be based on 
existing independent frameworks, ideally drawn from NIST standards.
    Response: We are not finalizing a ``deeming provision'' for the 
cybersecurity safe harbor. We are concerned that a deeming provision 
could have the inadvertent effect of protecting multifunctional 
hardware, software, or other technology and services because the 
donation conforms to a written cybersecurity protocol following 
industry standards. Specifically, if a donor or recipient were to 
demonstrate that a donation of hardware furthered its compliance with a 
written cybersecurity program that includes items such as laptops, 
servers, or other types of multifunctional hardware, parties may use 
the ``deeming provision'' in attempting to protect hardware that is not 
necessary or used predominantly to implement, maintain, or reestablish 
effective cybersecurity. Although we are not finalizing a voluntary 
``deeming provision,'' parties are encouraged to consider implementing 
cybersecurity programs that follow widely recognized industry 
frameworks. Parties may also voluntarily include their own standards to 
apply to donations.
    However, even if donations further compliance with a written 
cybersecurity program that is consistent with a widely recognized 
industry cybersecurity framework or a party's own standards, that does 
not automatically mean that any cybersecurity donation is ``deemed'' 
necessary or used predominantly to implement, maintain, or reestablish 
effective cybersecurity. Parties should undertake a careful analysis of 
any donations for which they seek safe harbor protection to ensure 
compliance with all conditions of the safe harbor.
    Comment: Some commenters urged that any reference to standards or 
frameworks used in any ``deeming provision'' be illustrative and not 
exclusive, so as to avoid unnecessary constraints and allow for the 
application of future frameworks. Another commenter agreed with 
inclusion of a ``deeming provision'' but recommended that such 
provision remain voluntary. Several commenters objected to any 
``deeming provision,'' noting that it would add an unnecessary burden 
without providing any meaningful protection against fraud and abuse. A 
commenter stated that physicians may struggle to understand what 
``reasonable conformance'' looks like or when a framework or standard 
is considered ``widely recognized.'' A commenter stated that a 
stringent ``deeming provision'' could create additional barriers to 
mitigating the risks of cybersecurity threats. One commenter sought 
clarity on the ``deeming provision,'' asking whether the recipient must 
show financial need to satisfy the ``deeming provision,'' and another 
commenter supported a ``deeming provision'' when the cost of the 
donation of technology and services exceeds a specified monetary limit.
    Response: Safe harbors are voluntary; this safe harbor does not 
require any individual or entity to offer free or discounted 
cybersecurity technology or services, nor does it require any 
individual or entity to structure any donations of cybersecurity 
technology and services to satisfy the conditions of the safe harbor. 
Notwithstanding, for the reasons stated above we are not finalizing a 
``deeming provision'' in this safe harbor. We also agree with the 
commenter that parties may struggle to understand what ``reasonable 
conformance'' looks like or when a framework or standard is considered 
``widely recognized.'' Without selection of one or more specific 
frameworks, any ``deeming provision'' could be subject to manipulation.
    Comment: One commenter suggested that OIG adopt the same ``deeming 
provision'' that appears in the EHR safe harbor at paragraph 
1001.952(y)(2).
    Response: We decline to adopt the commenter's suggestion. The 
``deeming provision'' included in the EHR safe harbor at paragraph 
1001.952(y)(2) relates to donations of EHR items and services 
satisfying the interoperability condition in paragraph 1001.952(y)(2) 
using ONC Certification standards rather than the ``necessary and used 
predominantly'' standard in this cybersecurity safe harbor. Therefore, 
the commenter's suggested ``deeming provision'' is not applicable in 
this context and, for the reasons stated above, we are not finalizing 
any ``deeming provision'' in this safe harbor.
k. Volume and Value Condition
    Summary of OIG Proposed Rule: We proposed at paragraph 
1001.952(jj)(2) that donations would not be protected under this safe 
harbor if donors directly take into account the volume or value of 
referrals or other business generated between the parties when 
determining the eligibility of a potential recipient for the technology 
or services, or the amount or nature of the technology or services to 
be donated. Donations also would not be protected if donors condition 
donations of technology or services, or the amount or nature of the 
technology or services to be donated, on future referrals. Similarly, 
we proposed at paragraph 1001.952(jj)(3) that donations would not be 
protected if the recipient or the recipient's practice (or any 
affiliated individual or entity) makes the receipt of technology or 
services, or the amount or nature of the technology or services, a 
condition of doing business with the donor.
    Summary of Final Rule: We are finalizing, without modification, 
these conditions, but renumbering them as 1001.952(jj)(1) and (2).
    Comment: Commenters generally supported the provision restricting 
donors from directly taking into account the volume or value of 
referrals or other business generated between the parties when 
determining the eligibility of a potential recipient for the technology 
or services, or the amount or nature of the technology or services 
donated. Commenters also supported OIG's proposal that potential 
recipients should not be permitted to condition future business with 
the donor on the receipt of cybersecurity donations. A commenter 
recommended that OIG set guardrails to ensure that industry 
stakeholders do not donate cybersecurity in order to influence referral 
patterns. Some commenters also agreed that OIG should not finalize a 
list of selection criteria that, if met, would be deemed not to 
directly take into account the volume or value of referrals or other 
business generated between the parties, similar to the provision within 
the EHR safe harbor at paragraph

[[Page 77826]]

1001.952(y)(5). A commenter agreed that donations of cybersecurity 
technology and services do not present the same risks as donations of 
EHR software and information technology. Thus, a list is unnecessary.
    Response: We are finalizing paragraphs 1001.952(jj)(1) and (2) as 
proposed. We agree with commenters who recommended that we not include 
a list of selection criteria deemed not to directly take into account 
the volume or value of referrals, similar to paragraph 1001.952(y)(5). 
We agree with the commenter who described such a list as unnecessary. 
Additionally, the safe harbor conditions we are finalizing, viewed in 
their totality, guard against donations to influence referral patterns, 
so additional guardrails are unnecessary.
    Comment: A commenter representing hospitals and health systems 
expressed concern that the provision of cybersecurity technology and 
related services to physician practices could increase the risk of 
fraud and abuse if the donations are used as a bargaining chip, thus 
facilitating cost-shifting from entities in need of such services and 
potential donors, rather than cooperation between the entities. Another 
commenter representing the laboratory industry expressed concerns about 
physicians starting or encouraging ``bidding wars'' between 
laboratories, insinuating that the laboratory that offers or makes the 
most generous donation will get the physician's referrals (and, 
likewise, some laboratories in fact may act inappropriately and promise 
a donation in exchange for future referrals).
    Response: We acknowledge the commenters' concerns about 
inappropriate donations designed to induce referrals. We are finalizing 
paragraphs 1001.952(jj)(1) and (2) as proposed to preclude such conduct 
from protection under this safe harbor. Like the commenters, we are 
concerned about the ``bargaining chip'' and ``bidding war'' scenarios, 
and we emphasize that donors that condition donations on referrals--and 
potential recipients who demand donations as a condition of doing 
business or continuing to do business--would not qualify for protection 
under this safe harbor. Furthermore, such offers and solicitations may 
violate the Federal anti-kickback statute.
    Comment: A provider trade association noted that donations of 
cybersecurity technology and services are typically made by software 
developers and medical device manufacturers, not providers. The same 
trade association cautioned that cybersecurity-related donations should 
be based on risk to the donor's own software, systems, or network, and 
suggested that such donations should be available to all similar 
entities with similar risk assessments and without regard to business 
relationships or affiliations.
    Response: As we stated above, this safe harbor is agnostic to the 
types of individuals and entities donating the protected cybersecurity 
technology and services. We believe the requirement that donations be 
necessary and used predominantly to implement, maintain, or reestablish 
effective cybersecurity, combined with requirements related to the 
volume and value of referrals and other business generated, provide 
safeguards to ensure that donations are made for necessary 
cybersecurity purposes.
    In response to the commenter's suggestion that donations should be 
made available to similarly situated entities, we note that the safe 
harbor is voluntary. A donor can choose the entities to which it 
donates. Furthermore, it is likely impracticable that donors would make 
donations available to all similar entities with similar risk 
assessments. Even in those circumstances, the donor and a potential 
recipient may have needs that are different than those for other 
similarly situated entities based on the specific cybersecurity needs 
inherent in connecting to the specific systems with which the donor 
interacts. We emphasize that determining whether a cybersecurity 
donation meets the conditions of the safe harbor requires an analysis 
of the specific facts and circumstances.
l. Recipient Contribution
    Summary of OIG Proposed Rule: We did not propose a requirement that 
donors of cybersecurity technology and services collect a monetary 
contribution from recipients. In connection with our alternative 
proposal that would cover hardware, we solicited comments on whether we 
should require a contribution from a recipient if a donation included 
hardware.
    Summary of Final Rule: We are not finalizing a contribution 
requirement as a condition to this safe harbor, regardless of whether 
hardware is included in the donation.
    Comment: Many commenters agreed with our proposal not to require a 
recipient of protected cybersecurity technology and services to 
contribute to the overall cost of the donation. Commenters suggested 
that a contribution requirement in the context of this safe harbor may 
act as a barrier to donations because it may be: (i) Administratively 
burdensome to calculate or track contributions; (ii) imprecise; or 
(iii) cost-prohibitive for recipients who lack adequate resources to 
contribute. A commenter stated that the pressing requirement to upgrade 
the cybersecurity of the nation's health care systems should not be 
held hostage to the ability of capital-constrained medical practices to 
pay money for such security. Several commenters agreed with our 
conclusion in the OIG Proposed Rule that forgoing a contribution 
requirement in this safe harbor would free recipients' resources to 
invest in other technology not protected by the safe harbor, such as 
updating legacy technologies. Several commenters requested that donors 
have the option to require a contribution from recipients.
    Response: We agree with commenters who recommended against 
including a contribution requirement in this safe harbor. Rather than 
investing resources in a contribution, the final rule frees up 
recipients to invest resources in other technology not protected by the 
safe harbor, such as updating legacy multifunctional hardware that may 
pose a cybersecurity risk or simply investing in their own computers, 
phones, and other hardware foundational to their businesses, caring for 
patients, and interacting with their providers. Additionally, we are 
finalizing only those conditions that are critical to guarding against 
fraud and abuse in the context of cybersecurity donations in order to 
provide regulatory flexibility for donations intended to counterbalance 
the significant cybersecurity threats against the nation's health care 
ecosystem.
    We have concluded that a contribution requirement would be 
burdensome in the context of cybersecurity donations because the 
necessity of donated services may vary unpredictably--varying weekly or 
even daily--in response to cybersecurity threats. We understand that 
cybersecurity patches and updates are frequent and would need to be 
applied or aggregated across an entire set of recipients using the same 
technology or services, further complicating contribution amounts for 
each end user. Also, we are concerned that recipients might be 
unwilling or unable to accept cybersecurity donations due to 
potentially unpredictable costs they might incur after the initial 
donation. In the context of cybersecurity donations, a contribution 
requirement would pose a barrier to donations that, on balance, is 
outweighed by the need for widespread improvement of

[[Page 77827]]

cybersecurity hygiene in the health care industry.
    As we stated in the OIG Proposed Rule, donors are free to require 
recipients to contribute to the costs of donated cybersecurity 
technology and services as long as the determination of a contribution 
requirement, or the amount of the contribution, does not take into 
account the volume or value of referrals or other business between the 
parties. For example, if a donor donates without any required 
contribution cybersecurity services to a high-referring physician 
practice but requires a low-referring physician practice to contribute 
to the cost of such services, the donor could violate the conditions at 
paragraph 1001.952(jj)(1)(i) and (ii).
    Comment: Several commenters supported a contribution requirement 
for various reasons. One commenter representing the laboratory industry 
discussed that industry's experience with the EHR safe harbor at 
paragraph 1001.952(y), concluding that absent a contribution 
requirement, vendors have little incentive to offer competitive 
pricing. The commenter stated that its experience with EHR donations 
may extend to cybersecurity donations, and cybersecurity technology 
vendors' sales representatives may urge physicians that require 
cybersecurity software and services to direct their requests to 
laboratories likely to make a donation, increasing the demand for the 
vendors' cybersecurity technology. Another commenter suggested that 
although recipients should have a vested interest in the products they 
are using, a 15 percent contribution may be too high for some 
providers, suggesting that a smaller contribution could be a fair 
compromise. A number of commenters requested a carve-out to any 
finalized contribution requirement for small and rural providers, those 
in medically underserved areas, and federally qualified health centers. 
Several commenters argued for consistency in any contribution 
requirement across safe harbors, noting that because cybersecurity is 
part and parcel of other technology it could impose undue complications 
to require recipients to contribute to some donations but not others. 
Several commenters asserted that OIG should consider a flexible 
contribution requirement that would provide for a comparable investment 
across provider types rather than a flat percentage contribution.
    Response: For the reasons stated in the preceding response, we have 
concluded that a contribution requirement of any percentage is not 
appropriate for this safe harbor. Donations of cybersecurity technology 
and services do not present the same type or magnitude of risks as 
donations of electronic health records software and other information 
technology. As we stated in the OIG Proposed Rule, cybersecurity 
donations, if legitimate, are more likely to be based on considerations 
such as security risks--especially the exposure of the donor when 
connecting to the recipient--and are less likely to be based on 
considerations relating to the volume and value of referrals or other 
business generated. We believe the safeguards in the final safe harbor, 
including restrictions against recipients conditioning their referrals 
or business on donations, are sufficient to account for the potential 
pressure from vendors. Furthermore, suspected fraud and abuse can be 
reported to OIG's hotline at https://oig.hhs.gov/fraud/report-fraud/index.asp.
m. Patching and Updates
    Summary of Proposed Rule: Related to the issue of recipient 
contribution, the OIG Proposed Rule discussed the unique, practical 
difficulties of a contribution in the context of cybersecurity patching 
and updates.
    Summary of Final Rule: We are not finalizing any specific 
regulatory text relating to patching and updates. We view these as 
protected under the safe harbor if all other conditions of the safe 
harbor are satisfied.
    Comment: Several commenters asked that we protect the costs or 
services associated with ongoing cybersecurity software updates and 
other patches. A commenter highlighted that patching and updates are 
critical to managing cybersecurity risks, and that prohibiting their 
donation could neutralize any benefits resulting from any final safe 
harbor. A commenter noted that, given the fast-paced nature of 
developments in cybersecurity, it is likely that new tools will need to 
be deployed on at least an annual basis. Another commenter requested 
clarification regarding whether accepting a routine or critical update 
would result in loss of safe harbor protection, noting that patching is 
sometimes given to providers for free (because it is built into the 
contracts with vendors) and some patches may be focused on security 
while others may be more general.
    Response: We agree with commenters that patching and updates are 
critical to managing cybersecurity risks, and this final safe harbor 
protects such patches and upgrades if all conditions of the safe harbor 
are squarely satisfied. We note that this final rule does not require a 
contribution from the recipient, as discussed above, so routine patches 
and upgrades given for free to recipients will not result in loss of 
safe harbor protection, as long as all safe harbor conditions are met. 
Donors who collect a percentage contribution from any recipient, 
according to the written agreement with the recipient, may need to 
collect a contribution for any patches and updates pursuant to the 
terms of the parties' agreement. It is possible for donors to structure 
any required recipient contribution in a number of ways as long as 
neither the decision to collect the contribution nor the amount or 
nature of the contribution is based on the volume or value of referrals 
or other business generated between the parties. For example, a donor 
is free to structure donations that require a percentage or sum certain 
contribution for the initial cybersecurity donation but not for 
subsequent patches and upgrades as long as the donor does so 
consistently and according to the terms of the written agreement.
n. Writing Requirement
    Summary of OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(jj)(4) that a donor and recipient set forth a written 
agreement that is signed by the parties and that describes the 
technology and services being provided, and the amount of the 
recipient's contribution, if any.
    Summary of Final Rule: We are finalizing, with modification, a 
writing requirement at paragraph 1001.952(jj)(3). We are not requiring 
that the writing be a single document, and we made certain 
clarifications, including that the signed documentation must include a 
general description of the technology and services provided.
    Comment: Commenters generally supported a writing requirement. A 
commenter asserted that a written agreement between donors and 
recipients of cybersecurity technology and services will bring 
transparency to the donation process. Another commenter agreed that a 
signed agreement is necessary to ensure that both parties understand 
what is being donated and the terms of the agreement, including long-
term maintenance and support of the technology.
    Response: We agree with commenters that a writing requirement will 
bring transparency to the donation process and ensure that the parties 
understand the scope of the donation and the responsibilities of both 
parties. The safe harbor's writing requirement mandates that parties 
articulate in writing a general description of the donation, and if the 
donor will require a contribution

[[Page 77828]]

the parties must specify that amount. We anticipate that parties would 
include in their general description of the donation some details about 
the initial technology or service provided as well as any provision of 
long-term maintenance, support, patching, or updates they intend to 
include within the scope of the donation. We do not anticipate that 
parties will specify every unforeseen item or service that might be 
necessitated by a future update.
    Comment: A commenter stated that a written agreement between donors 
and recipients is an acceptable safeguard as long as any requirement 
for such agreement is reasonable in scope. The commenter stated that 
required terms and conditions in the agreement should be limited, given 
the nature of the donation and the relationship between the parties. 
For example, the commenter stated that the safe harbor's writing 
requirement should not compel written terms other than to describe: (i) 
The technology, services, or both to be donated; (ii) commercial terms 
as necessary to meet the safe harbor; and (iii) warranties by each 
party to use such technology in compliance with applicable laws and 
regulations. The commenter also urged OIG to provide a publicly 
accessible template cybersecurity donation agreement or standard 
cybersecurity donation terms.
    Response: We have designed the final writing requirement to be 
reasonable in the context of the other conditions in the cybersecurity 
safe harbor. We decline to add the specific examples of terms and 
conditions to regulation text or provide any template cybersecurity 
donation agreement or standard cybersecurity donation terms for parties 
to use, as suggested by the commenter. This condition requires that 
parties include a general description of the cybersecurity technology 
and services to be provided and, if any contribution is required, the 
parties must specify the amount. The parties are free to add other 
terms to their documentation related to a cybersecurity donation.
    Comment: A commenter appreciated our preamble explanation of the 
safe harbor's writing requirement but requested that the proposed 
regulatory text include the word ``general'' or ``generally'' so that 
donors and recipients do not unnecessarily include every item or 
potential service in a written agreement. The commenter urged OIG to 
revise the regulatory text of the writing requirement to read as 
follows: ``[generally] describes the technology and services being 
provided. . . .'' The commenter also requested clarification concerning 
any value-related writing requirements. The commenter stated that the 
proposed regulatory language includes the amount of the recipient's 
contribution (if any), while the preamble states that the written 
agreement requires a reasonable estimate of the value of the donation. 
The commenter supported only including the recipient's contribution (if 
any), but requested that if we include a writing requirement related to 
specifying the value of the donation, then OIG should require the 
writing to include a reasonable estimate of the value of the donation 
so as to not introduce any concept of fair market value or the need to 
hire a valuation consultant to determine a reasonable estimate.
    Response: We appreciate the commenter's concern about the language 
included in the proposed regulation text at proposed 1001.952(jj)(4), 
and we are finalizing a writing requirement that includes some changes 
suggested by the commenter. Specifically, the final regulatory text of 
this safe harbor's writing requirement at paragraph 1001.952(jj)(3) 
requires that the signed writing include a general description of the 
technology and services being provided and the amount of the 
recipient's contribution, if any. Through this final writing 
requirement, we do not intend to: (i) Introduce any fair market value 
requirement; (ii) force parties to determine the fair market value of 
the donation; or (iii) compel the parties to hire a valuation 
consultant. For purposes of this condition, we interpret ``the amount 
of the recipient's contribution, if any'' to mean either the sum 
certain a donor will collect as contribution or, if the donor will 
collect a percentage of the total value of the donation, the percentage 
that will be applied. To be clear, this safe harbor does not include a 
recipient contribution requirement; however, if the donor chooses to 
require that the recipient contribute, that contribution must be 
documented in writing. We also note that if the scope of the donation 
changes materially over time, such as when a donor provides more or 
fewer technology or services than originally anticipated in the scope 
of the arrangement, or if the parties alter the contribution 
requirement (if any), we think that best practices would have the 
parties document such modifications in writing. If the donor requires a 
contribution that applies to the initial value of the donation but not 
the subsequent value of patching and upgrades, we anticipate that the 
writing would specify such terms.
    Comment: A commenter objected to OIG's proposed documentation 
requirement, stating that it should be scaled back to avoid imposing 
burdensome writing requirements on the parties. The same commenter 
argued that a simple acknowledgement that the software donation has 
been or will be made available should be sufficient.
    Response: We do not believe the writing requirement should be 
scaled back. This condition, as finalized, imposes no greater--and 
indeed, may require less--burden on the parties to the written 
agreement than would otherwise be expected in a commercial transaction 
involving the exchange or use of cybersecurity technologies or services 
of this nature between parties, such as a user agreement or purchase 
order.
    Comment: A commenter noted that the OIG safe harbor would require a 
signed written agreement between a donor and recipient, while the 
corresponding physician self-referral law exception would require only 
``written documentation.'' The commenter recommended that OIG revise 
the safe harbor to require only written documentation, as opposed to a 
formal written agreement.
    Response: The formality of a signed writing serves as an important 
safeguard by transparently documenting the parties' donation and formal 
agreement to any obligations in connection with such donation. However, 
we are persuaded not to require that the writing be set forth in a 
single, written agreement. We have revised the writing requirement to 
permit a ``collection of documents'' approach. To receive safe harbor 
protection, the general description of the technology and services 
being provided and the amount of the recipient's contribution, if any, 
must be set forth in writing and signed by the parties. The terms do 
not need to be set forth in a single, signed writing, although we 
believe this approach is a best practice from a compliance perspective. 
As explained in section III.A.1. of this preamble, some conditions of 
our safe harbors are different from CMS's final rule by design in light 
of the different statutory schemes.
o. Cost-Shifting
    Summary OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(jj)(5) that the donor not shift the costs of the technology or 
services to any Federal health care program.
    Summary of Final Rule: We are finalizing, without modification, the 
condition at paragraph 1001.952(jj)(4). We received general support for 
the proposed safeguards in the safe harbor, but we did not receive 
specific

[[Page 77829]]

comments on the proposed prohibition against cost-shifting. Donor 
Liability
    Comment: Several commenters urged OIG to provide guidance on a 
donor's potential liability for cybersecurity events affecting any 
recipients of cybersecurity donations. Several commenters, including an 
organization dedicated to serving chief information officers, chief 
medical information officers, chief nursing information officers, and 
other senior health care IT leaders asserted that without some way to 
protect cybersecurity donors from being held responsible for 
cybersecurity incidents involving recipients, providers would be 
reluctant to donate technology or services for fear of the downstream 
risk they might incur. A few commenters suggested that OIG create 
protections for donors that safeguard them from risks stemming from 
cybersecurity incidents experienced by recipients. Another commenter 
similarly urged OIG to collaborate with OCR to develop a mechanism to 
limit the donor's liability for cybersecurity events that may occur at 
the recipient's location. Commenters recommended that OIG create 
protections for donors that indemnify them from risks stemming from 
cybersecurity incidents experienced by donors and clarify whether a 
donor can be indemnified from an OCR action related to a breach when 
such indemnification provisions are included in the parties' written 
contract.
    Response: Issues relating to downstream liability, indemnification, 
or other contracting and business tort issues are beyond the scope of 
this rulemaking. However, we highlight that the safe harbor does not 
prevent parties from addressing these issues through contracts or other 
agreements, and we note that the facts and circumstances of any 
remuneration under such agreements may require separate analysis under 
the Federal anti-kickback statute.
    Comment: One commenter characterized the safe harbor as protecting 
recipients from liability concerning fines, ransom, and litigation 
risk.
    Response: We agree that the general effect of a cybersecurity 
donation should help improve a recipient's cybersecurity, thereby 
potentially reducing the recipient's liability risk for fines, ransom, 
and litigation stemming from a cyberattack. We clarify, however, that 
donations protected under this safe harbor do not include monetary 
remuneration to a recipient, or on behalf of a recipient, for any 
fines, ransom, or litigation stemming from a cyberattack.
p. Other Comments
    Comment: A provider trade association cautioned that hospitals and 
health systems that donate or subsidize cyber products and services 
should not use those as a pretext for discouraging or inhibiting the 
exchange of patient health information between providers.
    Response: We note that this safe harbor does not exempt entities 
and individuals from other applicable State and Federal laws and 
regulations related to the commenter's concerns about entities' conduct 
that may inappropriately interfere with, prevent, or materially 
discourage the exchange of patient health information between 
providers. The ONC regulation entitled ``21st Century Cures Act: 
Interoperability, Information Blocking, and the ONC Health IT 
Certification Program'' \99\ implements provisions of the 21st Century 
Cures Act \100\ (Cures Act) that are designed to address occurrences of 
information blocking. If patients, providers, or others believe that a 
health care provider, health IT developer of certified health IT, or 
health information network or health information exchange is engaging 
in information blocking, we encourage reporting complaints to HHS 
through the Report Information Blocking portal (https://healthit.gov/report-info-blocking).
---------------------------------------------------------------------------

    \99\ 85 FR 25642 (May 1, 2020).
    \100\ 21st Century Cures Act, Public Law 114-255, 130 Stat. 
1033.
---------------------------------------------------------------------------

    Comment: In the preamble to the OIG Proposed Rule related to this 
safe harbor, we distinguished certain features of cybersecurity 
donations from EHR donations. A commenter asked OIG to clarify its 
statement that electronic health record donations ``present a greater 
risk that [sic] one purpose of the donation is for the donor to secure 
additional referrals from the recipient or otherwise influence 
referrals or other business generated.'' \101\ Specifically, the 
commenter urged us to clarify that this reference to ``one purpose'' is 
not intended to introduce the one-purpose test into the rulemaking.
---------------------------------------------------------------------------

    \101\ 84 FR 55737 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Response: The Federal anti-kickback statute has been interpreted to 
cover any arrangement in which one purpose of the remuneration was to 
obtain money for the referral of services or to induce further 
referrals, and nothing in this final rule changes such interpretation. 
In other words, offering remuneration to a purchaser or referral source 
potentially implicates the Federal anti-kickback statute if one purpose 
is to induce the purchase or referral of Federal health care program 
business. Donations of EHR, like any other thing of value, constitute 
remuneration for purposes of the Federal anti-kickback statute. Whether 
a particular arrangement including a donation of EHR or cybersecurity 
technology and services violates the statute would depend on the facts 
and circumstances of such an arrangement, including whether the 
arrangement complies with a safe harbor.
    With respect to the statement the commenter cited from the OIG 
Proposed Rule, we confirm that we are not introducing the so-called 
one-purpose test as a condition of the safe harbor at 1001.952(jj).
9. Electronic Health Records Items and Services (42 CFR 1001.952(y))
    Summary of OIG Proposed Rule: We proposed changes to the EHR safe 
harbor at paragraph 1001.952(y), which protects certain arrangements 
involving the donation of interoperable EHR software or information 
technology and training services. First, we proposed to amend the safe 
harbor to clarify that safe harbor protection has always been available 
for certain cybersecurity software and services, and to expand the safe 
harbor's potential protection of the donation of software and services 
related to cybersecurity. Next, we proposed to update the condition at 
paragraph 1001.952(y)(2) to specify that for software to be ``deemed'' 
interoperable, it must be certified by a certifying body on the date it 
is donated. We proposed to modify paragraph 1001.952(y)(3), which 
already prohibited conduct similar to ``information blocking'' to align 
with the proposed information blocking definition and related 
exceptions in the ONC, HHS Notice of Proposed Rulemaking ``21st Century 
Cures Act: Interoperability, Information Blocking, and the ONC Health 
IT Certification Program'' (ONC NPRM).\102\ We also proposed to 
eliminate: (i) The condition at paragraph 1001.952(y)(7) that prohibits 
the donation of equivalent items or services to allow donations of 
replacement technology; and (ii) the sunset provision at paragraph 
1001.952(y)(13) to make the safe harbor permanent. Finally, we proposed 
to revise the definitions of ``interoperable'' and ``electronic health 
record'' and add a definition of ``cybersecurity,'' and include all 
definitions relevant to the safe harbor at proposed paragraph 
1001.952(y)(14). We also solicited comments on whether we should modify 
or eliminate the 15 percent contribution requirement and whether

[[Page 77830]]

we should expand the scope of protected donors.
---------------------------------------------------------------------------

    \102\ 84 FR 7424 (Mar. 4, 2019).
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing, with modifications, the 
changes we proposed to paragraph 1001.952(y). We are finalizing our 
proposal to eliminate the sunset provision and the provision that 
prohibits the donation of equivalent EHR items and services. We are 
finalizing the language explicitly protecting cybersecurity software 
and services and the definition of ``cybersecurity.'' We also are 
finalizing our revision to paragraph 1001.952(y)(2) to update the 
deeming provision, with a minor clarification. We are not finalizing 
paragraph 1001.952(y)(3) related to information blocking or our 
proposed modifications to the definition of ``electronic health 
record.'' We are finalizing our modifications to the definition of 
``interoperable,'' but we are not including the phrase ``without 
special effort on the part of the user.'' This final rule also revises 
paragraph 1001.952(y)(1) to expand the scope of protected donors to 
certain entities such as accountable care organizations and health 
systems. The final rule maintains the 15 percent contribution 
requirement but also includes flexibilities in connection with 
administering that requirement.
a. Cybersecurity
    Summary of OIG Proposed Rule: To clarify that the safe harbor 
protected cybersecurity software and services related to EHRs, we 
proposed to amend the introductory language of paragraph 1001.952(y) by 
including the phrase ``including certain cybersecurity software and 
services'' and adding the term ``protect.'' We also proposed to include 
in paragraph 1001.952(y)(14) a definition for ``cybersecurity'' to mean 
``the process of protecting information by preventing, detecting, and 
responding to cyberattacks.''
    Summary of Final Rule: We are finalizing, without modification, the 
introductory language of paragraph 1001.952(y) except for a technical 
correction by not including the word ``certain.'' We also finalize the 
definition of ``cybersecurity,'' as proposed.
    Comment: We received several comments in support of expressly 
providing safe harbor protection for certain cybersecurity software and 
services that protect electronic health records.
    Response: We are finalizing protection for cybersecurity software 
and services, as described in more detail below. We note that, to avoid 
confusion, we made a technical correction by removing the term 
``certain'' in the introductory paragraph of the EHR safe harbor. This 
change has no substantive effect. This safe harbor protects 
cybersecurity software and services as long as the donation meet all 
conditions.
    Comment: A commenter expressed concern that the EHR safe harbor's 
cybersecurity proposal and the separately proposed cybersecurity safe 
harbor (proposed at paragraph 1001.952(jj)) have significant overlap 
and could lead to confusion if both were finalized. As such, the 
commenter suggested that if OIG were to finalize a separate 
cybersecurity safe harbor, the proposed cybersecurity-related 
clarifications to the EHR safe harbor would not be necessary. The 
commenter requested that if OIG were to finalize protection for certain 
cybersecurity software and services within the EHR safe harbor, the 
agency clarify that the predominant purpose of the software or service 
must be cybersecurity associated with the electronic health records. 
Similarly, another commenter suggested that creating separate safe 
harbors for electronic health records and cybersecurity is taking a 
piecemeal approach to tools that must work together for care 
coordination.
    Response: We recognize that there is a certain amount of overlap 
between the cybersecurity safe harbor finalized in this rule and the 
EHR safe harbor amended by this final rule. Regardless of this 
acknowledged overlap, it is useful to clarify in the EHR safe harbor 
that cybersecurity software and services with the predominant purpose 
of protecting electronic health records can be protected under the EHR 
safe harbor provided the donation satisfies all other safe harbor 
conditions. For example, if one party is donating an EHR system that 
could be protected under the EHR safe harbor and that EHR system 
includes cybersecurity functions to protect the electronic health 
records that might not have appeared to meet the safe harbor's previous 
standard of being necessary and used predominantly to create, maintain, 
transmit, or receive electronic health records, then parties seeking 
safe harbor protection may want to structure the donation arrangement 
to satisfy the conditions of the EHR safe harbor rather than 
potentially also looking to the cybersecurity safe harbor. However, the 
new cybersecurity safe harbor also would remain available for the 
protection of cybersecurity technology and services if conditions of 
that safe harbor were met. If, in contrast to the example above, the 
cybersecurity donation were to include a broader suite of products and 
services that do not have a predominant purpose to protect the 
electronic health records (but are used predominantly to implement, 
maintain, or reestablish effective cybersecurity), then parties seeking 
safe harbor protection may want to evaluate the arrangement in the 
context of the standalone cybersecurity safe harbor.
    Comment: Some commenters asked us to broaden the scope of 
cybersecurity protection within the EHR safe harbor to, for example, 
protect cybersecurity hardware such as network appliances. One 
commenter asked that the safe harbor protect without exception 
cybersecurity hardware, software, infrastructure, and services. Another 
commenter suggested that if the expanded safe harbor does not protect 
hardware, it should permit donors to place cybersecurity hardware at 
the recipient's location as long as the donor retains title to or a 
leasehold interest in the equipment. A commenter noted that in order to 
protect donors from cyberattacks, the safe harbor should protect the 
donation of any cybersecurity technology and related services without a 
contribution requirement to protect any protected health information 
shared for groups of patients.
    Response: We are not expanding this safe harbor to protect 
additional services or hardware, regardless whether the hardware is 
donated or loaned to a recipient. The EHR safe harbor is designed to 
protect donations of EHR software and services, and expressly excludes 
hardware. By including the word ``protect'' in paragraph 1001.952(y), 
we are clarifying that the scope of the safe harbor applies to 
cybersecurity software or information technology and training services 
that are necessary and used predominantly to protect electronic health 
records. There is a separate, standalone safe harbor intended to 
protect broader cybersecurity donations available at paragraph 
1001.952(jj). That safe harbor, as finalized in this rule, protects 
cybersecurity hardware and does not have a contribution requirement.
b. Deeming Provision
    Summary of OIG Proposed Rule: We proposed minor modifications to 
the deeming provision at paragraph 1001.952(y)(2) by changing ``it has 
been certified by a certifying body'' to read ``it is certified by a 
certifying body.'' We also proposed to remove reference to ``editions'' 
of certification criteria to align with proposed changes to the 
certification program.
    Summary of Final Rule: We are finalizing, with modification, our 
proposal to revise the condition at

[[Page 77831]]

paragraph 1001.952(y)(2). We are clarifying that for software to be 
``deemed'' interoperable, it must be certified by a certifying body 
authorized by ONC to certification criteria identified in the then-
applicable version of 45 CFR part 170. We are making a technical edit 
to conform the terminology in our deeming provision to the terminology 
used in 45 CFR part 170. Specifically, we are removing the phrase 
``electronic health record'' preceding ``certification criteria'' 
because it has been removed from 45 CFR 170 as of June 30, 2020. We are 
also deleting the word ``editions.''
    Comment: Commenters generally agreed with our proposal to clarify 
that software would be deemed interoperable under the safe harbor if, 
on the date it is donated, it ``is certified'' by a certifying body 
authorized by ONC rather than ``has been certified.'' Some commenters 
had questions about our removal of the phrase ``an edition'' before 
``the electronic health record certification criteria'' and inquired 
whether we should specify that the criteria are the ``latest'' or 
``current'' certification criteria.
    Response: We agree with comments that we should clarify our 
intention for the software to be certified to the then-current 
certification criteria. However, rather than inserting new language the 
deeming provision will read: ``[f]or purposes of this paragraph (y)(2), 
software is deemed to be interoperable if, on the date it is provided 
to the recipient, it is certified by a certifying body authorized by 
the National Coordinator for Health Information Technology to 
certification criteria identified in the then-applicable version of 45 
CFR part 170.'' The version of paragraph 1001.952(y)(2) being finalized 
maintains nearly identical language from OIG's 2013 final rule 
addressing the electronic health records safe harbor (2013 EHR Final 
Rule) except that we changed ``it has been certified by'' to ``it is 
certified by'' \103\ and, as noted above, we removed the phrase 
``electronic health record'' before ``certification criteria.'' We note 
that this latter change does not alter the scope of remuneration 
protected under this safe harbor; despite removing the phrase in the 
deeming provision, the safe harbor continues to protect only items and 
services that are used predominantly to create, maintain, transmit, 
receive, or protect electronic health records that meet all criteria of 
the safe harbor.
---------------------------------------------------------------------------

    \103\ 78 FR 79202 (Dec. 27, 2013).
---------------------------------------------------------------------------

    Comment: A commenter opposed the concept of an ``optional'' deeming 
provision, asserting that it is critical to require that software be 
certified by a certifying body authorized by ONC to further support the 
goal of value-based arrangements.
    Response: We agree that interoperability is a critical condition of 
the EHR safe harbor, but we disagree with the commenter that 
certification by a certifying body authorized by ONC should be the only 
way of meeting this standard. This certification provides donors and 
recipients with assurance that their product is interoperable for 
purposes of this safe harbor, but such certification is not a 
requirement for safe harbor protection.
    Comment: A commenter suggested that the proposed change to the 
deeming provision creates compliance uncertainty in the context of an 
ongoing software donation. In particular, the commenter was concerned 
that the proposed wording change would mean that any time after the 
initial donation the EHR software loses its certification, the 
continued provision of the software including maintenance would 
implicate the fraud and abuse laws. Other commenters supported the 
proposal to require software to be certified at the time it is provided 
to a recipient, with a commenter noting that any updates to donated 
systems should also be certified to the most recent standards. A 
commenter asked that physicians not participating in the Quality 
Payment Program be granted a 5-year grace period under the 
interoperability deeming provision so that their donated EHR software 
need only be certified to the 2015 edition.
    Response: The deeming provision in paragraph 1001.952(y)(2) is 
optional. Certification of donated software by a certifying body 
authorized by ONC is not required to meet the terms of the safe harbor; 
the safe harbor requires that, to receive protection, the software must 
be interoperable at the time it is provided to the recipient. To the 
extent physicians or other health care providers are seeking protection 
of donated EHR items and services under the safe harbor, the donated 
EHR software need only be interoperable (as defined at paragraph 
1001.952(y)(14)(iii)) to satisfy the condition at paragraph 
1001.952(y)(2).
    If an EHR item or service loses its certification, it would no 
longer satisfy the deeming provision. Therefore, new donations of such 
EHR items or services, including updates and patches of the software 
would not satisfy the safe harbor's deeming provision. However, if the 
EHR items or services were still interoperable (as defined at paragraph 
1001.952(y)(14)(iii)), then the safe harbor would protect continued 
donation of such software and services, including patches, as long as 
all other conditions are met.
c. Information Blocking
    Summary of OIG Proposed Rule: We proposed modifying paragraph 
1001.952(y)(3) by incorporating a reference to the information blocking 
definition and related exceptions in 45 CFR part 171. We solicited 
comments on this approach.
    Summary of Final Rule: We are not finalizing the proposed 
modification to paragraph 1001.952(y)(3) and instead are deleting this 
condition from the safe harbor.
    Comment: We received a number of comments about our proposal to 
incorporate the ``information blocking'' prohibition from the 21st 
Century Cures Act (Cures Act) \104\ or the ONC NPRM into the safe 
harbor at paragraph 1001.952(y)(3). While commenters did not 
necessarily disagree that information blocking should be prohibited, 
commenters raised a number of questions and concerns regarding how such 
a provision would work in a safe harbor. For example, although we 
received from commenters support for our proposal to update the safe 
harbor to include a condition that would preclude safe harbor 
protection for arrangements that lead to ``information blocking'' as 
that term is used in the Cures Act, a number of commenters expressed 
concern about relying on the ONC NPRM, which was not yet final. 
Commenters were particularly concerned about the array of exceptions to 
the definition of ``information blocking'' and incorporation of the 
definition of ``electronic health information'' as proposed in the ONC 
NPRM.
---------------------------------------------------------------------------

    \104\ 21st Century Cures Act, Public Law 114-255, 130 Stat. 
1033.
---------------------------------------------------------------------------

    Some commenters asked that we clarify which party is responsible to 
ensure that information blocking does not occur. For example, some 
commenters noted that a donor cannot control what happens to software 
after it is donated. Similarly, several commenters recommended removing 
or revising the condition that a donor (or any person on a donor's 
behalf) does not engage in a practice constituting information 
blocking, explaining that a vendor may engage in information blocking 
without the donor's knowledge. Commenters expressed contrasting 
opinions about the proposed knowledge standard, with some commenters 
recommending that it apply to both health care providers and health 
plans that voluntarily use the safe

[[Page 77832]]

harbor to protect donations under this safe harbor, while others 
recommending that health plans be subject to the ``knows, or should 
know'' standard because health plans are not health care providers and 
do not have direct patient care responsibilities.
    Another commenter noted that if a determination of information 
blocking against either a donor or recipient occurs at some time after 
a donation, the recipient may be vulnerable to unexpected costs or lose 
access to its health information technology if the arrangement suddenly 
ends.
    Another commenter suggested that, rather than including a 
prohibition on information blocking (as such term is defined in the 
Cures Act or in 45 CFR part 171) as a safe harbor condition, OIG should 
assume that information blocking will not be tolerated and will be 
enforced through other authorities.
    Response: Based on the comments and assessing the final rule 
published by ONC, ``21st Century Cures Act: Interoperability, 
Information Blocking, and the ONC Health IT Certification Program'' 
(ONC Final Rule),\105\ we are not finalizing the proposed information 
blocking condition, and we are removing the existing paragraph 
1001.952(y)(3), which prohibits the donor or any person on the donor's 
behalf from taking any action to limit or restrict the use, 
compatibility, or interoperability of the donated EHR items or 
services. This condition, when originally implemented in OIG's 2006 
final rule creating the electronic health records safe harbor (2006 EHR 
Final Rule),\106\ was intended to help ensure that transfers of health 
information technology will further the policy goal of fully 
interoperable health information systems and will not be misused to 
steer business to the donor.\107\ The 2013 EHR Final Rule also 
explained that the Department was considering other policies to improve 
interoperability, and noted that those policy efforts are better suited 
than this anti-kickback statute safe harbor to consider and respond to 
evolving functionality related to the interoperability of electronic 
health record technology.\108\ At that time, the Department had few 
other authorities to directly address information blocking. However, 
there are now other enforcement authorities designed to address 
information blocking. For example, the Cures Act gave ONC and OIG more 
direct authority to address information blocking.\109\ Additionally, 
CMS has separate authority to require certain providers and suppliers 
to attest that they have not knowingly and willfully limited or 
restricted the compatibility or interoperability of their certified 
electronic health record technology.\110\
---------------------------------------------------------------------------

    \105\ 85 FR 25642 (May 1, 2020).
    \106\ 71 FR 45110 (Aug. 8, 2006).
    \107\ 71 FR 45127.
    \108\ 78 FR 79214 (Dec. 27, 2013).
    \109\ Sec. 4002 and 4004 of the Cures Act.
    \110\ See 81 FR 77008, 77028 (Nov. 4, 2016).
---------------------------------------------------------------------------

    In addition, the Cures Act and the ONC Final Rule recognize that 
certain practices likely to interfere with, prevent, or materially 
discourage access, exchange, or use of electronic health information 
may nonetheless be reasonable and necessary. That is why the Cures Act 
directed the Secretary to identify exceptions to the definition of 
``information blocking.'' The ONC Final Rule implements eight 
exceptions that apply to practices likely to interfere with, prevent, 
or materially discourage access, exchange, or use of electronic health 
information provided the practice meets the conditions of an exception. 
However, the condition at paragraph 1001.952(y)(3) as implemented by 
the 2006 EHR Final Rule conditioned safe harbor protection on a party 
not taking ``any action to limit or restrict the use, compatibility, or 
interoperability'' of the donated EHR items or services. The condition 
did not account for actions that may be reasonable and necessary, such 
as implementing privacy and security measures.
    Recognizing these developments, we agree with the commenter that 
these new authorities are better suited than a safe harbor condition to 
deter information blocking and penalize individuals and entities that 
engage in information blocking. We also agree with commenters that a 
recipient is unlikely to have the capabilities to determine whether a 
donor (or someone on the donor's behalf) engaged in information 
blocking, which includes a level of intent set by statute, or met an 
exception to information blocking as set forth in the ONC Final Rule.
    Given these potential issues with the proposed modifications to 
paragraph 1001.952(y)(3) and limitations of the original condition in 
paragraph 1001.952(y)(3) discussed previously, the condition may no 
longer be an effective way to achieve the policy goals that served as 
the original basis for this condition. Removing the condition at 
paragraph 1001.952(y)(3) is responsive to commenters that had questions 
about the scope of information blocking practices, how OIG would 
determine the party responsible, how the information blocking knowledge 
standard in the Cures Act and ONC Final Rule would be assessed in 
context of this safe harbor, and how the condition would apply to 
parties that may not be subject to the information blocking provision 
in section 3022 of the Public Health Service Act (PHSA).
    We emphasize, however, that we are maintaining the interoperability 
condition in paragraph 1001.952(y)(2). We believe this condition and 
the optional deeming provision will ensure that donations of EHR items 
and services that meet the conditions of this safe harbor further the 
Department's policy goal of an interoperable health system and prevent 
donations being made with the intent to lock in referrals by limiting 
the flow of electronic health information.
    OIG remains committed to taking action against individuals and 
entities that engage in information blocking, using specific 
authorities to do so. Separate from this rule, OIG published a notice 
of proposed rulemaking related to information blocking 
enforcement.\111\ That proposed rule, among other things, proposes the 
basis and procedures for information blocking enforcement. As stated in 
that proposed rule, addressing the negative effects of information 
blocking is consistent with OIG's mission to protect the integrity of 
HHS programs as well as the health and welfare of program 
beneficiaries.\112\
---------------------------------------------------------------------------

    \111\ 85 FR 22979 (Apr. 24, 2020).
    \112\ Id.
---------------------------------------------------------------------------

d. Sunset Provision
    Summary of OIG Proposed Rule: We proposed to eliminate the sunset 
provision at paragraph 1001.952(y)(13). As an alternative, we also 
proposed an extension of the sunset date for the final rule.
    Summary of Final Rule: We are finalizing this proposal by deleting 
the sunset provision at paragraph 1001.952(y)(13).
    Comment: We received nearly universal support for removing the 
sunset provision in paragraph 1001.952(y)(13), which requires that all 
protected EHR donations must occur on or before December 31, 2021. 
Commenters asserted that the elimination of the sunset date would 
provide certainty for the ongoing protection of donations of EHR items 
and services. One commenter who generally supported making the safe 
harbor permanent recommended that OIG delay doing so until the ONC NPRM 
is finalized and available for stakeholder consideration.
    Response: We agree that eliminating the sunset provision provides 
certainty,

[[Page 77833]]

and we are finalizing our proposal to make this safe harbor permanent 
and, as we note above, the ONC Final Rule was issued on May 1, 2020.
e. Contribution Requirement
    Summary of OIG Proposed Rule: We did not propose specific changes 
to the 15 percent contribution requirement at paragraph 
1001.952(y)(11). Instead, we considered and solicited comments on three 
alternatives: (i) Eliminating or reducing the percentage of the 
contribution required for small or rural practices; (ii) reducing or 
eliminating the 15 percent contribution requirement in this safe harbor 
for all recipients; or (iii) modifying or eliminating the contribution 
requirement for updates to previously donated EHR software or 
technology.
    Summary of Final Rule: We are retaining the 15 percent contribution 
requirement at paragraph 1001.952(y)(11) but removing the requirement 
that payment of the contribution be made in advance for updates to 
existing EHR systems. To make this modification, we have added new 
paragraphs at 1001.952(y)(11)(i) and (ii). Paragraph 1001.952(y)(11)(i) 
describes that contributions for initial and replacement EHR items and 
services must be made in advance of the donation and contributions for 
updates to previously donated EHR item and services need not be paid in 
advance. Paragraph 1001.952(y)(11)(ii) is the new location of the 
condition that the donor does not finance the recipient's contribution 
amount; it does not include any substantive changes.
    Comment: A large number of commenters on this topic recommended 
that we remove the 15 percent contribution requirement for all 
donations and for all recipients. Commenters provided several reasons 
to remove the contribution requirement (paragraph 100.952(y)(11)). For 
example, some commenters suggested that this requirement restricts the 
use of EHRs with interoperable capabilities; that this is not an 
effective deterrent to inappropriate EHR donations; and that the 
percentage is an arbitrary amount that limits the use of important 
patient tools. Commenters noted that any transition to improve EHR 
technology can streamline physicians' workflows; alleviate burdens; 
allow physicians to spend more time with their patients; and allow 
(assuming that the donated technology is truly interoperable) the 
sharing of patient records with near equal ease with other providers 
using certified EHR technology. Some commenters questioned whether a 
recipient contribution reduces the risk of steering and inappropriate 
referrals.
    Commenters noted that the donation of EHR technology can be 
beneficial to recipients who may be unsatisfied with their EHR platform 
but lack the resources to transition to a new platform. A commenter 
noted that the contribution requirement may be an unreasonable 
constraint on how health systems and hospitals finance the needed 
infrastructure to implement new value-based payment models and promote 
the coordination of care. Commenters cited the added burden involved in 
setting the contribution amount in writing and the necessary, ongoing 
monitoring to ensure compliance. Commenters also highlighted that 
eliminating the requirement would align this safe harbor with the 
proposed cybersecurity safe harbor at paragraph 1001.952(jj) for which 
OIG did not propose to include a contribution requirement.
    Commenters that supported eliminating the contribution requirement 
as a condition to this safe harbor still supported allowing the donor 
to require a contribution. For example, a commenter suggested that any 
contribution requirement should be left up to market forces and 
negotiation between the parties. Another commenter stated that the 
contribution amount should be at the discretion of the donor as long as 
the donor consistently and fairly applies their policy to all 
recipients. Finally, a commenter suggested that the contribution 
requirement should only be eliminated if the scope of protected donors 
remains the same.
    Response: We understand the donation recipients' desires to 
eliminate the 15 percent contribution requirement. However, after 
careful consideration, we continue to believe that the contribution 
requirement is an important safeguard against fraud and abuse in light 
of the specific risks of inappropriate generation of referrals 
presented by donation of EHR items and services. When recipients of 
valuable remuneration have some responsibility to contribute to the 
cost of the items or services, they are more likely to make 
economically prudent decisions and accept only what they need or will 
use. As we note below, however, we are adding some flexibilities in 
connection with administering the contribution requirement.
    Comment: Some commenters raised concerns about eliminating the 
contribution requirement. For example, one commenter believed that 
physician adoption and use of an EHR system is improved when they have 
a certain level of buy-in and share in the financial cost. Similarly, 
other commenters suggested that 15 percent represents a fair 
contribution amount, serves as a reasonable safeguard to reduce 
wasteful spending, and that it is important for recipients to have a 
stake in the purchased technology.
    Response: We agree with commenters that the contribution amount is 
fair and provides a reasonable safeguard. For these and other reasons 
discussed in this final rule, we are maintaining the 15 percent 
contribution requirement.
    Comment: We received support for eliminating the recipient 
contribution requirement for at least a subset of recipients. Some 
commenters specifically referenced removing the requirement for all 
physicians. A majority of these commenters recommended removing the 
contribution requirement for at least small and rural providers or 
providers serving underserved populations. Some commenters expressed 
concern about how we would define ``small'' or ``rural'' if we limited 
the exception to those classes of individuals or entities. A number of 
commenters requested that the concept of ``small and rural'' practices 
be defined broadly and to specifically include free clinics, charitable 
clinics, and charitable pharmacies. We also received a recommendation 
to adopt the definition of ``small practice'' used in the CMS Quality 
Payment Program.\113\ Various commenters requested that the 
contribution requirement be eliminated for safe harbor protection 
applicable to Indian health care provider recipients. We also received 
comments regarding other potential recipients for whom the contribution 
requirement may be a financial burden, such as critical access 
hospitals, disproportionate share hospitals, and essential hospitals. A 
commenter recommended that ``underserved practices'' should be defined 
as those in: (i) Medically underserved areas, as designated by the 
Secretary under section 330(b)(3) of the PHSA; (ii) primary health care 
geographic health professional shortage areas, as designated by the 
Secretary under section 332(a)(1)(A) of the PHSA; or (iii) a critical 
access hospital. A commenter recommended defining ``rural practices'' 
as those located in rural areas, as defined in the local transportation 
safe harbor at paragraph 1001.952(bb).
---------------------------------------------------------------------------

    \113\ 42 CFR 414.1305.
---------------------------------------------------------------------------

    Commenters noted that for cash-strapped entities, the contribution 
requirement is a financial burden. For example, certain tribal 
organizations

[[Page 77834]]

highlighted the financial burden of the EHR safe harbor's contribution 
requirement for Indian health care providers and asserted any 
contribution requirement may inappropriately divert funding away from 
patient care. Some commenters noted that the 15 percent contribution 
can be a significant barrier for physician adoption of EHR technology, 
even for practices that may not qualify as small or rural practices. 
Some commenters noted that the burden is not only in the actual cost of 
the contribution but also the administrative tasks associated with 
tracking and calculating the 15 percent.
    Response: As we explain above, we are retaining the 15 percent 
contribution requirement for all recipients seeking protection for EHR 
donations under the EHR safe harbor. We agree with the commenters who 
expressed concern about defining subgroups of entities to exempt from 
this requirement. Even if we were to adopt certain definitions existing 
in other regulations or definitions suggested by commenters, some of 
those designations can change over time (e.g., a physician practice may 
qualify as a ``small practice'' at some but not other points in time 
depending on staffing changes), which could create confusion about 
implementation of the contribution requirement and raise corresponding 
safe harbor compliance concerns. In addition, the fraud and abuse risks 
associated with EHR donations apply regardless of the geography or size 
of the donation recipient. If cost is a barrier for a particular 
recipient, the recipient could request an advisory opinion about an 
arrangement without a 15 percent contribution requirement.
    Comment: In response to our solicitation of comments on 
possibilities to reduce any uncertainty and administrative burden 
associated with assessing a contribution for each update, some 
commenters addressed other aspects of the contribution requirement. For 
example, a commenter expressed concern about the requirement that 
contributions must be made in advance. This commenter noted that 
recipients may unintentionally fall outside the safe harbor due to 
inadvertent late payments and requested that OIG add a remedy period 
for mistakes to be corrected without losing safe harbor protection. 
Another commenter recommended eliminating the requirement that fees be 
collected prior to the receipt of services and recommended instead to 
require a commercially reasonable collections process.
    Response: Consistent with our solicitation of comments on 
uncertainty and administrative burden, and our statement in the OIG 
Proposed Rule that we were considering modifying the contribution 
requirement as it relates to updates, we are removing the requirement 
that payment of the contribution be made in advance for updates to 
existing EHR systems. We recognize that updates may need to take place 
quickly to remedy security or other problems in an EHR system, and we 
understand the commenter's concern about inadvertent late payments 
under such circumstances. We believe it is reasonable and does not 
create additional risk to bill a recipient for its contribution after 
providing the update. The safe harbor does not require a specific 
billing method. In other words, a donor could choose to bill a 
recipient separately for each update or could bill the recipient 
monthly or quarterly to combine the contribution claims for all updates 
during a select period of time.
    We are not, however, removing the requirement that contributions be 
made in advance of an initial donation (including the donation of a 
replacement system). Parties seeking safe harbor protection can 
effectively plan for an initial donation, with all expenses known up 
front, so that there is not the same administrative burden or 
uncertainty that parties may experience when invoicing for periodic 
updates, and, therefore, there is less risk of inadvertent late 
payments. Because the need for safe harbor protection would not be 
triggered until the initial donation happens, and the parties have the 
ability to wait to make the donation until the contribution is paid, we 
are not adopting a cure period for late payments associated with 
initial or replacement donations.
    Comment: A number of commenters asked that if OIG retains a 
contribution requirement on the initial EHR donation, the contribution 
requirement be eliminated for updates to the original donation. 
Commenters noted that the updates may ensure that the donation 
continues to function as needed and to meet current Federal standards 
for data exchange. In contrast, a commenter recommended OIG consider 
retaining a contribution requirement only for the provision of 
replacement technology while eliminating it for the original donation 
and any updates to that original system.
    Response: As explained above, we are retaining the contribution 
requirement for updates but will no longer require that the 
contribution for updates be made in advance. We recognize that updates 
are crucial for the continuing functionality of a system. However, we 
do not think it is feasible to retain a contribution requirement for 
certain donations and eliminate it for others. If we were to adopt that 
policy, parties might structure donations to game the difference 
between donation types. For example, if a recipient were not required 
to contribute to updates, parties could structure the ``initial'' 
donation to consist of a functionality with a small cost and 
consequently a small required contribution, with the most valuable 
functionality deemed to be an ``update'' with no required contribution. 
We believe the risk posed by such arrangements would reduce the 
effectiveness of the contribution requirement as a safeguard against 
fraud and abuse. For this reason, all donations protected by this safe 
harbor require a recipient contribution.
    Comment: A commenter requested that if a contribution requirement 
is retained, the parties use either the fair market value or the 
underlying cost of the donation as the base amount from which the 
contribution is calculated. The commenter believed that this would 
reduce the administrative burden of compliance, which might allow 
smaller providers to donate protected EHR.
    Response: The relevant standard in the safe harbor is that ``the 
recipient pays 15 percent of the donor's cost for the items and 
services.'' We did not propose to change this cost-based standard and 
are not finalizing any change. In 2006, when we initially finalized the 
EHR safe harbor, we provided an explanation about calculating the cost 
of these items and services.\114\ The cost should be clear when a donor 
is purchasing an item or service from a vendor. However, we recognized 
some software or other modules may be internally developed. We 
recommended that parties should use a reasonable and verifiable method 
for allocating costs and maintain documentation of such allocation. We 
explained there, and maintain here, that the method for allocating 
costs would be scrutinized to ensure that they do not inappropriately 
shift costs in a manner that provides an excess benefit to the 
recipient or results in the recipient effectively paying less than 15 
percent of the donor's true cost for the technology.\115\
---------------------------------------------------------------------------

    \114\ 71 FR 45133 (Aug. 8, 2006).
    \115\ 71 FR 45133 (Aug. 6, 2006).
---------------------------------------------------------------------------

    Comment: A commenter encouraged HHS to study whether the 15 percent 
recipient contribution requirement has in fact prevented some or many 
physicians practices from adopting EHR technology, whether the safe 
harbor has produced lasting partnerships and ongoing incentives to use 
technology, and whether technology donations

[[Page 77835]]

potentially protected by the safe harbor have resulted in market 
consolidation or channel capture that has led to increased costs for 
consumers.
    Response: Any decision by HHS to study the effectiveness or other 
impact of the safe harbor and its conditions is outside the scope of 
this rulemaking.
    Comment: A commenter recommended not requiring the 15 percent 
contribution for cybersecurity donations under this safe harbor. The 
commenter noted that some organizations will permit practices to use 
their EHR systems only if the practice has certain cybersecurity 
protections, and thus the commenter suggested that the party requiring 
the cybersecurity protection should pay any costs associated with it.
    Response: We are not finalizing separate requirements for different 
types of donations within this safe harbor. If a party seeks to protect 
a donation of cybersecurity software or services under the conditions 
of the EHR safe harbor, then a contribution is required. However, 
parties that seek to protect a cybersecurity donation without a 
recipient contribution could structure the donation to meet the safe 
harbor for cybersecurity technology and related services at paragraph 
1001.952(jj).
f. Equivalent Technology and Scope of Protected Donations
    Summary of OIG Proposed Rule: We proposed to delete the condition 
that prohibits the donation of equivalent items or services at 
paragraph 1001.952(y)(7) to allow donations of replacement EHR 
technology.
    Summary of Final Rule: We are finalizing this proposal by deleting 
paragraph 1001.952(y)(7).
    Comment: Commenters broadly supported removing the safe harbor 
condition at paragraph 1001.952(y)(7) that prohibits the protection of 
EHR donations if a recipient possesses items or services equivalent to 
those to be donated. Commenters provided a number of reasons for their 
support of the elimination of this condition, highlighting that some 
physician practices may be working with an EHR system that no longer 
meets their needs, is outdated, or is otherwise substandard because 
they cannot afford the full cost to replace the system. A commenter 
recommended that OIG eliminate this condition but require a documented 
rationale for a need for replacement technology.
    Response: We agree with the commenters and are finalizing our 
proposal to remove the condition at paragraph 1001.952(y)(7) that 
prohibits the donation of equivalent items and services. We recognize 
that there may be valid business or clinical reasons for a recipient to 
replace an entire system rather than update existing technology. Under 
this safe harbor, replacement technology is treated the same as a new 
donation and would need to meet all conditions of the safe harbor to 
receive protection. For example, a recipient of replacement technology 
would be required to pay at least 15 percent of the donor's cost for 
the items and services before receiving the items and services. We 
believe that treating a donation of replacement technology the same as 
a new donation strikes an appropriate balance by making necessary 
replacements financially feasible for recipients while maintaining 
safeguards to limit the risk of recipients inappropriately soliciting 
or accepting unnecessary technology.
    Comment: Commenters recommended revisions to the language related 
to the scope of protected donations. For example, a commenter requested 
that the safe harbor be expanded to include training, maintenance, and 
upgrades of EHRs. Similarly, a commenter recommended revising the 
language to items and services in the form of software, other 
information technology, and related services, including implementation, 
training and support services. A commenter asked whether the safe 
harbor would still potentially protect the ``services'' listed as 
examples in the 2006 EHR Final Rule such as connectivity, broadband, 
wireless, clinical support, information services related to patient 
care, and maintenance. Another commenter was concerned that the safe 
harbor protected only donations of technology that have been certified 
by ONC. Other commenters asked for a significantly expanded scope of 
potentially protected donations including but not limited to: (i) 
Hardware; (ii) technology related to information sharing; (iii) cloud-
based items and services; (iv) practice management and revenue cycle 
systems and services; (v) clearinghouse services; and (vi) industry-
supported data collection and analytics.
    Response: As we note elsewhere in this section, we are removing the 
condition at 1001.952(y)(7) from the safe harbor to protect donations 
of replacement technology and clarifying the safe harbor to explicitly 
protect cybersecurity software and services if all safe harbor 
conditions are satisfied. The safe harbor already could protect some of 
the items or services suggested by commenters, such as maintenance and 
training. The modifications to this safe harbor as finalized, do not 
narrow the scope of items or services that could receive safe harbor 
protection; the examples listed in the 2006 EHR Final Rule could still 
receive safe harbor protection under the amended safe harbor finalized 
in this rule.\116\ We also wish to highlight, as we explain elsewhere, 
that the safe harbor does not require that donated software is 
certified as interoperable by a certifying body authorized by ONC; the 
safe harbor requires that donated software is interoperable. Per the 
terms of the ``deeming provision,'' certified software is deemed to be 
interoperable. The scope of electronic health record items and services 
protected by this safe harbor and the optional deeming provision give 
donors and recipients appropriate flexibility to determine which items 
and services should be donated given their circumstances. For example, 
long-term care and post-acute care recipients may need different types 
of electronic health record items and services than a physicians group 
practice needs.
---------------------------------------------------------------------------

    \116\ Specifically, we stated in the 2006 EHR Final Rule that we 
interpret `` `software, information technology and training services 
necessary and used predominantly' for electronic health records 
purposes to include the following, by way of example: Interface and 
translation software; rights, licenses, and intellectual property 
related to electronic health records software; connectivity 
services, including broadband and wireless internet services; 
clinical support and information services related to patient care 
(but not separate research or marketing support services); 
maintenance services; secure messaging (e.g., permitting physicians 
to communicate with patients through electronic messaging); and 
training and support services (such as access to help desk 
services). We interpret the scope of covered electronic health 
records technology to exclude: Hardware (and operating software that 
makes the hardware function); storage devices; software with core 
functionality other than electronic health records (e.g., human 
resources or payroll software, or software packages focused 
primarily on practice management or billing); or items or services 
used by a recipient primarily to conduct personal business or 
business unrelated to the recipient's clinical practice or clinical 
operations. Furthermore, the safe harbor does not protect the 
provision of staff to recipients or their offices. For example, the 
provision of staff to transfer paper records to the electronic 
format would not be protected.'' 71 FR 45125.
---------------------------------------------------------------------------

    We did not propose and thus are not finalizing in this safe harbor 
any expansion that would protect donated hardware. For any of the other 
software or services for which commenters requested safe harbor 
protection, the standard remains as we proposed, i.e., that the items 
or services must be necessary and used predominantly to create, 
maintain, transmit, receive, or protect electronic health records. For 
example, some technology related to information sharing could meet this 
standard, such as the donation of software or services related to 
application programming interfaces (APIs) used to support the exchange 
of

[[Page 77836]]

electronic health information. Parties seeking to rely on the safe 
harbor need to analyze the EHR donation arrangement to ensure that it 
squarely meets all of the safe harbor's conditions.
g. Protected Donors
    Summary of OIG Proposed Rule: We solicited comments on either 
removing the restrictions on protected donors in paragraph 
1001.952(y)(1)(i) or revising the paragraph to protect donations from 
entities with indirect responsibilities for patient care, such as 
health systems or accountable care organizations that are neither 
health plans nor submit claims for payment.
    Summary of Final Rule: This final rule expands the scope of 
protected donors to certain entities that are comprised of the types of 
individuals or entities listed as protected donors in paragraph 
1001.952(y)(1)(i)(A). To effectuate this change, we added paragraphs 
1001.952(y)(1)(i)(A) and (B), which describe the entities previously 
considered protected donors to include the new entities considered 
protected donors as established by this final rule.
    This final rule expands the scope of protected donors to certain 
entities that are comprised of the types of individuals or entities 
listed as protected donors in paragraph 1001.952(y)(1)(i)(A), as 
described in more detail below.
    Comment: We received a range of comments in response to our 
suggestion that we may consider expanding the scope of protected 
donors. At one end of the spectrum, we received a suggestion not to 
change the scope of protected donors at all. At the other end, a 
commenter stated that the safe harbor should protect donations from all 
entities. However, the most common recommendation from commenters on 
this topic was to expand the scope of protected donors to entities with 
indirect responsibility for patient care such as health systems, 
accountable care organizations, clinically integrated entities, and 
other entities that bear financial risk in patient outcomes. Commenters 
noted that these types of entities have little incentive to abuse the 
safe harbor and that protecting donations from certain entities that do 
not bill the Federal health care programs would facilitate expanded use 
of technology that may reduce the cost of care and increase care 
coordination. We also received a request to continue excluding 
laboratories from the scope of protected donors.
    Response: We agree with commenters who recommended expanding the 
scope of protected donors to include entities comprised of the types of 
entities currently covered as protected donors (e.g., parent companies 
of hospitals, health systems, and accountable care organizations). We 
see little added risk to protecting donations of interoperable 
electronic health records software or information technology and 
training services by entities such as health systems or accountable 
care organizations. These entities may have financial risk for patient 
outcomes and generally do not directly receive referrals. However, we 
believe the risk is too high to expand safe harbor protection to 
donations from all entities. We continue to have concerns about 
protecting EHR donations made by laboratories or manufacturers or 
suppliers of items. Accordingly, donations made by these entities will 
continue to be ineligible for protection under the EHR safe harbor.
    Comment: A commenter asked whether the safe harbor protects 
donations from pharmaceutical manufacturers that participate in Federal 
health care programs.
    Response: Pharmaceutical manufacturers generally do not bill 
Federal health care programs and are not comprised of entities that 
bill Federal health care programs and therefore are not protected 
donors under the safe harbor. While we recognize that some 
manufacturers have implemented programs that include more direct 
contact with patients and payors, the concerns we expressed in the 
preamble to the 2006 EHR Final Rule \117\ continue to exist today. If a 
manufacturer that operates its business in a way that it believes would 
meet the terms of this safe harbor has questions about whether any 
donation would be protected by the safe harbor or present a low risk of 
fraud and abuse under the Federal anti-kickback statute, the advisory 
opinion process remains available.
---------------------------------------------------------------------------

    \117\ 71 FR 45128 (``We have not included as protected donors 
pharmaceutical . . . manufacturers. . . . These entities do not 
provide health care items or services to patients or submit claims 
for those services. Our enforcement experience demonstrates that 
unscrupulous manufacturers have offered remuneration in the form of 
free goods and services to induce referrals of their products. Given 
this enforcement history, and the lack of a direct and central 
patient care role that justifies safe harbor protection for the 
provision of electronic health records technology, we are not 
including manufacturers as protected donors. We believe there is a 
substantial risk that, in many cases, manufacturers' primary 
interest in offering technology to potential referral sources would 
be to market their products.'')
---------------------------------------------------------------------------

    Comment: A commenter requested that the safe harbor protect 
donations made only by donors that provide EHR access to pharmacists. 
The commenter stated that some health information technology systems 
block pharmacists' visibility into relevant clinical information from 
other health care providers.
    Response: The safe harbor does not limit the scope of protected 
donors to donors that grant EHR access to a specified range of 
providers or suppliers. However, for a donation to be protected, it 
must be interoperable and should not inappropriately interfere with, 
prevent, or materially discourage access, exchange, or use of 
electronic health information (e.g., inappropriately limit visibility 
to relevant clinical information). To the extent that patients, 
providers, or others believe that a health care provider, health IT 
developer of certified health IT, health information network, or health 
information exchange is engaging in information blocking, we encourage 
reporting complaints to HHS through the Report Information Blocking 
portal, which is available at https://healthit.gov/report-info-blocking.
    Comment: A commenter requested that the EHR safe harbor protect 
donations made by multiple donors for different types of technology to 
a single recipient, as long as the technology meets the 
interoperability requirements. The commenter recommended the safe 
harbor specifically protect the donation of supplemental, nonequivalent 
EHR applications that supplement a recipient's current EHR system and 
noted that such applications could come from different donors. The 
commenter further proposed the safe harbor require a clinical necessity 
analysis for ``add-on'' EHR applications in addition to replacement 
technology.
    Response: Nothing in the amended safe harbor, as it is being 
finalized, would prevent safe harbor protection of donations of ``add-
on'' EHR applications or donations from multiple donors. Protection 
offered by this safe harbor is not limited to EHR products that include 
within a single product a sufficiently comprehensive array of functions 
to constitute an ``EHR system.'' Instead, as explained in the 2006 EHR 
Final Rule, the safe harbor also applies to donations of software that 
serve a specific function related to electronic health records, such as 
interface and translation software and secure messaging. In some 
instances, those functions may be part of a larger EHR software 
product, or they may be implemented via standalone software that 
interacts with a provider's electronic health record system. If each 
donation squarely satisfies the requirements of the amended safe 
harbor--including the requirement that the software is or the 
information technology and training services are

[[Page 77837]]

necessary and used predominantly to create, maintain, transmit, 
receive, or protect electronic health records--such donations could be 
protected regardless of whether the technology is donated by one or 
multiple donors.
    We did not propose and thus are not finalizing a condition that 
requires a clinical necessity analysis of donations. Such condition 
would not be necessary in the safe harbor given the totality of its 
conditions.
h. Definitions
i. Electronic Health Record
    Summary of OIG Proposed Rule: We proposed to modify the definition 
of ``electronic health record'' in paragraph 1001.952(y)(14)(iv) to 
mean: ``a repository of electronic health information that: (A) Is 
transmitted by or maintained in electronic media; and (B) relates to 
the past, present, or future health or condition of an individual or 
the provision of healthcare to an individual.''
    Summary of Final Rule: We are not finalizing the proposed 
definition of electronic health record and instead retain the previous 
definition. This final rule moves the definition of ``electronic health 
record'' to paragraph 1001.952(y)(14)(iv).
    Comment: Several commenters expressed general support for our 
proposed revision to the definition of ``electronic health record,'' 
particularly to the extent that the definition would align with the 
definition included in the Cures Act. However, a number of commenters 
were concerned about our proposal to use the term ``electronic health 
information'' as the ONC NPRM proposed to define such term. Commenters 
asserted that the regulatory definition proposed by ONC is overly broad 
and may extend far beyond what Congress intended under the Cures Act. 
For example, a commenter argued that under the proposed definition a 
patient's computer or mobile telephone could be considered an 
electronic health record if the patient obtained a copy of their health 
record through electronic transmittal. Commenters also made several 
suggestions to limit the scope of ``electronic health information.''
    Response: As we stated in the OIG Proposed Rule, we did not intend 
for our proposed modifications to the definition of ``electronic health 
record'' to make a substantive change to the scope of protection.\118\ 
We thank commenters for highlighting the complexities that our changes 
inadvertently might have introduced. To remain true to our intent, we 
are not finalizing any proposed changes to the definition of 
``electronic health record.'' We will retain the existing definition in 
the safe harbor, which appears at paragraph 1001.952(y)(14)(iv).
---------------------------------------------------------------------------

    \118\ See 84 FR 55742 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: A commenter recommended that the definition of 
``electronic health record'' should be standardized across all Federal 
regulations, as permitted by the relevant statutory framework. However, 
the commenter expressed doubt that changing the definition of 
``electronic health record'' as OIG proposed would keep up with a 
dynamic redefinition of how electronic health care is provided.
    Response: A suggestion to standardize definitions across Federal 
regulations is outside the scope of this final rule. As noted above, we 
are not finalizing any changes to the definition.
    Comment: A commenter recommended that OIG define the parameters of 
the EHR safe harbor to ensure that the scope of covered technology 
under the ``electronic health record'' definition protects products 
beyond those that are standalone EHRs (e.g., products that connect to, 
amplify the capabilities of, or leverage the data in EHRs to promote 
coordination and management of care). According to the commenter, there 
are emerging technologies that leverage data in EHRs without creating 
new records and enable patients to leverage technology to maintain 
longitudinal records. To modernize the safe harbor to accommodate these 
developments, a commenter asked that OIG clarify that the term 
``repository'' in the current and proposed definition of EHR is not 
limited to existing models of EHR. The commenter also recommended that 
OIG delete ``predominantly'' from the safe harbor or otherwise broaden 
the remuneration protected by the safe harbor by adding the italicized 
words in the following phrase from the EHR definition: ``software or IT 
functionality necessary and used predominantly to support or improve 
[italics added] the creation, maintenance, transmission, receipt or use 
of EHR.''
    Response: By proposing to revise the definition of ``electronic 
health record,'' we did not intend to change the scope of protection 
under the safe harbor. We are retaining the existing definition of 
``electronic health record'' and are not adopting the commenter's 
suggestion. Emerging technologies that leverage EHR data may be 
protected by the safe harbor. The term ``repository'' carries its 
common meaning: A place where something such as data can be stored and 
managed. If emerging technologies are necessary and used predominantly 
to create, maintain, transmit, receive, or protect electronic health 
records, and all of other conditions of the safe harbor are met, then 
donations of such technologies would be protected.
    Donations of software or information technology services do not 
need to be necessary and used predominately for all five functions 
listed in paragraph 1001.952(y)(1) to be protected. Rather, the 
software or information technology services must meet at least one of 
the five functions. For example, if software is not used to create an 
electronic health record but is necessary and used predominately to 
transmit electronic health records, donations of such software may be 
protected by this safe harbor if all other conditions are met. If an 
entity has questions about whether specific technology donations would 
be protected by the safe harbor or present a low risk of fraud and 
abuse under the Federal anti-kickback statute, the advisory opinion 
process remains available.
    Comment: A commenter supported the current definition of 
``electronic health record'' rather than the proposed revisions to the 
definition. However, the commenter asked OIG to further clarify this 
definition so that it would include a longitudinal electronic record of 
patient health information generated by one or more encounters in any 
care delivery setting that automates and streamlines the clinician's 
workflow.
    Response: We are adopting the recommendation to retain our current 
definition of ``electronic health record.'' We agree that the 
commenter's example of a longitudinal electronic record appears to meet 
this definition. However, we recommend that parties conduct their own 
analysis of the particular facts and circumstances of any arrangement 
as applied to the definition. The advisory opinion process remains 
available for parties that seek an individualized determination.
ii. Interoperable
    Summary of OIG Proposed Rule: We proposed to update the definition 
of the term ``interoperable'' to align with the statutory definition of 
``interoperability'' added by the Cures Act to section 3000(9) of the 
PHSA and move it to paragraph 1001.952(y)(14)(iii). We proposed to 
define ``interoperable'' as able to ``(A) securely exchange data with, 
and use data from other health information technology without special 
effort on the part of the user; (B) allow for complete access, 
exchange, and use of all electronically accessible health information 
for authorized use under applicable State or Federal law; and (C)

[[Page 77838]]

does not constitute information blocking as defined in 45 CFR part 
171.''
    Summary of Final Rule: We are finalizing, with modifications, an 
updated definition of ``interoperable'' in paragraph 
1001.952(y)(14)(iii). We are removing the phrase ``without special 
effort on the part of the user'' in paragraph 1001.952(y)(14)(iii)(A), 
and we are not finalizing proposed paragraph 1001.952(y)(14)(iii)(C) 
that would have incorporated the information blocking regulations in 
the definition of interoperability.
    Comment: We received general support for our effort to update the 
definition of ``interoperable.'' However, some commenters asked for 
further clarification of the phrase ``without special effort on the 
part of the user.''
    Response: First, we are finalizing the first two proposed criteria 
of the ``interoperability'' definition except, as explained below, we 
are removing the phrase ``without special effort on the part of the 
user.'' We are removing the third criterion we proposed in the 
``interoperable'' definition: ``[d]oes not constitute information 
blocking as defined in 45 CFR part 171.'' That criterion raises similar 
issues that we discussed in section 9.c above regarding the information 
blocking condition at former paragraph 1001.952(y)(3). Removal of that 
condition is consistent with our rationale described in more detail 
above.
    We had proposed for the first prong of the definition of 
``interoperable'' that it mean able to ``[s]ecurely exchange data with 
and use data from other health information technology without special 
effort on the part of the user.'' While the phrase ``without special 
effort on the part of the user'' is used in the definition of 
``interoperability'' in the Cures Act,\119\ the phrase ``without 
special effort'' also is used in conditions of certification in the 
Cures Act.\120\ As we make clear above in section 9.b, while software 
certified by ONC is ``deemed'' to be interoperable, certification is 
not required for safe harbor compliance. Therefore, to avoid any 
implication that we are incorporating a certification requirement into 
the definition of ``interoperable'' as it is used in this safe harbor, 
we are removing the reference to ``without special effort on the part 
of the user.''
---------------------------------------------------------------------------

    \119\ Section 4003(a)(2), Public Law 114-255, 130 Stat. 1033.
    \120\ Id.
---------------------------------------------------------------------------

    Comment: A commenter expressed concern about the Federal 
Government's definition of ``interoperability,'' as defined in the ONC 
NPRM, which the commenter believes inappropriately focuses solely on 
high volumes of data transferred or access to every piece of health 
information ever collected. The commenter asserted that we should 
prioritize the transfer of and access to secure, meaningful data in 
order to avoid: (i) Confusing patients who lack context; and (ii) 
overburdening physicians with irrelevant information.
    Response: First, as we note elsewhere in this section, we are 
revising this safe harbor such that the definition of ``interoperable'' 
no longer refers to the definition proposed in the ONC NPRM. Second, 
interoperability of donated EHR items and services is an important 
condition of the safe harbor. The definition adopted in this final rule 
states that ``interoperable'' means ``able to'' securely exchange data 
and ``allow for complete access, exchange, and use of'' certain health 
information. In other words, this definition does not require the 
transfer of massive quantities of data; it requires that such transfers 
be possible.
i. Other Comments
    Comment: A commenter suggested that OIG continue to consider how 
data is being shared and ensure that information blocking is not 
occurring. The commenter specifically recommended that the safe harbor 
require that all VBE participants be able to review and have access to 
information on different EHR systems used in any value-based 
arrangement and have the ability to import and export data that can 
help further the purpose of the value-based arrangement. In addition, 
the commenter recommended that physicians and others providing care to 
beneficiaries under value-based arrangements should have the ability to 
select the EHRs that are best suited for the applicable patient 
population.
    Response: The safe harbor does not mandate how or which types of 
EHR software or information technology services a donor or recipient 
may select. Because we are finalizing a change to eliminate the 
restriction on donations of equivalent technology, we hope that parties 
will have more flexibility to receive protected donations of EHR 
software that best suit the needs of the parties. However, we emphasize 
that this safe harbor is not specific to or limited to EHR software or 
information technology services donated in the context of value-based 
arrangements. The value-based safe harbors finalized here at paragraphs 
1001.952(ee),(ff), and (gg) could be available to protect the donation 
of health information technology pursuant to a value-based arrangement, 
provided all conditions of an applicable safe harbor are squarely 
satisfied. In addition, for the reasons that we explain in detail 
above, we are not finalizing information blocking provisions as 
conditions of this safe harbor.
    OIG remains committed to addressing information blocking through 
other authorities. Parties should submit information blocking 
complaints to HHS through the Report Information Blocking portal 
(https://healthit.gov/report-info-blocking).
    Comment: A commenter asked OIG to clarify when certain arrangements 
such as data sharing arrangements could implicate the Federal anti-
kickback statute. The commenter posited that when technology is shared 
for transitions of care or to streamline and improve the referral 
process as a matter of CMS policy, it does not implicate the Federal 
anti-kickback statute.
    Response: A ``data sharing arrangement'' can vary greatly in the 
scope of data or services being exchanged. Simply transmitting 
individual patient data for transitions of care between, for example, 
an acute care provider and post-acute care provider would not implicate 
the statute. However, sharing specific patient data for care of that 
patient is distinct from a data sharing arrangement that involves 
aggregating data for research, marketing, or other purposes unrelated 
to treating the specific patients whose data is being shared. With 
respect to technology for data sharing, many types of ``technology'' 
would constitute remuneration under the Federal anti-kickback statute 
but, as we have repeatedly stated, certain limited-use technology that 
is integral to the services an individual or entity provides would not 
implicate the statute.\121\ The parties to a particular data sharing 
arrangement would need to perform an analysis of the facts and 
circumstances to determine whether any data or technology shared 
constitutes remuneration under the statute and, if so, whether a safe 
harbor such as the EHR safe harbor could protect the donation. The 
advisory opinion process is also available for a legal opinion 
regarding the facts and circumstances of a particular arrangement.
---------------------------------------------------------------------------

    \121\ 78 FR at 79210 (``The donation of free access to an 
interface used only to transmit orders for the donor's services to 
the donor and to receive the results of those services from the 
donor would be integrally related to the donor's services. As such, 
the free access would have no independent value to the recipient 
apart from the services the donor provides and, therefore, would not 
implicate the anti-kickback statute.'').

---------------------------------------------------------------------------

[[Page 77839]]

10. Personal Services and Management Contracts and Outcomes-Based 
Payment Arrangements (42 CFR 1001.952(d))
    Summary of OIG Proposed Rule: We proposed to modify the existing 
safe harbor for personal services and management contracts at paragraph 
1001.952(d). For paragraph 1001.952(d)(1) we proposed to: (i) 
Substitute for the requirement that aggregate compensation under these 
agreements be set in advance a requirement that the methodology for 
determining compensation be set in advance; (ii) eliminate the 
requirement that if an agreement provides for the services of an agent 
on a periodic, sporadic, or part-time basis, the contract must specify 
the schedule, length, and the exact charge for such intervals; and 
(iii) change the paragraph numbering. These proposals are summarized at 
sections III.B.10.a and b below.
    We also proposed to create new paragraphs 1001.952(d)(2) and (3) to 
protect certain outcomes-based payments (as defined). The proposals for 
this new protection are summarized at section III.B.10.c, d, and e 
below.
    Summary of Final Rule: We are finalizing the modifications to the 
existing safe harbor for personal services arrangements at paragraph 
1001.952(d)(1), as proposed. We are finalizing the new provisions for 
outcomes-based payments at paragraphs 1001.952(d)(2) and (3), with 
modifications summarized at sections III.B.10.c, d, and e below.
a. Elimination of Requirement To Set Aggregate Compensation in Advance
    Summary of OIG Proposed Rule: We proposed to substitute for the 
requirement that aggregate compensation under these agreements be set 
in advance a requirement that the methodology for determining 
compensation be set in advance in paragraph 1001.952(d)(1).
    Summary of Final Rule: We are finalizing this modification as 
proposed.
    Comment: Commenters on this topic overwhelmingly supported the 
proposed removal of the requirement to set aggregate compensation in 
advance and its replacement with a requirement that the compensation 
methodology be set in advance. Commenters offered a variety of reasons 
for their support. For example, a commenter valued these changes 
because they provide enhanced flexibility to independent medical groups 
and other providers seeking to develop innovative care delivery models. 
Another commenter suggested that this change allows for greater 
flexibility in personal services arrangements while continuing to 
incorporate safeguards that limit potential abuse.
    Another commenter explained a view that incentive compensation in 
comanagement arrangements or bundled payment arrangements often has to 
be structured in a formulaic manner, and it is not possible for 
hospitals and physicians to know at the beginning of the arrangement 
whether and to what extent the physicians may meet the requirements for 
earning incentive compensation or the actual amount of compensation 
available. The commenter believed the proposed change would address 
this existing impediment to safe harbor protection. The commenter also 
appreciated that the proposed change would more closely parallel the 
set-in-advance requirement under the physician self-referral law 
exception for personal services arrangements at 42 CFR 411.357(d), 
which would simplify a stakeholder's analysis of protection under the 
safe harbor and exception when both laws apply to an arrangement.
    Response: We are finalizing this provision as proposed. This change 
modernizes the safe harbor and should provide enhanced flexibility to 
the health care industry to undertake innovative arrangements, 
including arrangements that support the transition to value and better 
coordinated care for patients.
    Comment: A commenter expressed concern that certain proposed 
changes to this safe harbor were not specific enough. In particular, 
the commenter warned that replacing a requirement to set aggregate 
compensation in advance with a requirement to identify the methodology 
for determining compensation could allow entities to structure 
agreements that look acceptable on the surface, but actually take into 
account the volume and value of referrals.
    Response: We agree with the commenter that implementing a more 
flexible approach to specifying compensation could protect arrangements 
that differ in structure from arrangements the safe harbor currently 
protects. However, we believe that other safe harbor conditions 
mitigate the risk identified by the commenter, namely the protection of 
arrangements that take into account the volume and value of referrals. 
For example, we continue to require parties seeking protection under 
the safe harbor to adhere to the safe harbor's other conditions (e.g., 
aggregate compensation must be consistent with fair market value in an 
arm's length transaction and may not be determined in a manner that 
takes into account the volume or value of any referrals or other 
business generated between the parties). Arrangements that do not 
squarely satisfy these conditions would not be protected by the safe 
harbor. In other words, despite the safe harbor's increased flexibility 
related to specifying compensation, the safe harbor would not protect 
an arrangement by which the aggregate compensation is determined in a 
manner that takes into account the volume or value of referrals or 
other business generated.
    Comment: Some commenters requested further guidance on whether a 
payment methodology based on ``actual expenses incurred'' constitutes a 
methodology that is sufficiently set in advance to satisfy the safe 
harbor condition as proposed. For example, a commenter inquired about 
compensation in an arrangement wherein a hospital leases an employed 
clinician from a physician practice on a full- or part-time basis. 
Specifically, the commenter sought clarification regarding whether the 
safe harbor would protect compensation under the employee lease from 
the hospital to the practice based on a methodology related to the 
physicians practice's actual expenses incurred for employing such 
clinician (e.g., salary, benefits, bonus, liability insurance, 
overhead). Another commenter requested guidance as to whether payment 
based on annual aggregate costs could be prorated to an hourly rate and 
charged based on completion of time records.
    Response: We appreciate the commenter's examples of potential 
arrangements that may be structured to comply with the personal 
services safe harbor as finalized. It is possible to structure an 
arrangement to fit within the safe harbor by using an hourly rate or 
other set, verifiable formula provided that all other conditions of the 
safe harbor are met. However, whether compensation under an employee 
lease that is based on actual expenses incurred would satisfy the 
requirement that the compensation methodology be set in advance or 
otherwise meet the safe harbor would depend on the facts and 
circumstances. The commenter specifically cited salary, benefits, 
liability insurance, overhead expenses, and a bonus. For example, 
assume that the hospital leases the physician part-time from the 
physician's practice and agrees to pay the practice the percent of the 
practice's actual expenses in employing that physician that correlate 
to the percentage of the physician's work actually performed for the 
hospital. We would expect that an

[[Page 77840]]

employee's salary, benefits, and liability insurance typically would be 
set in advance; overhead expenses possibly also would be set in 
advance. Consequently, the parties could structure these elements of 
the part-time employee's expenses to satisfy the condition that the 
compensation methodology be set in advance. However, depending on the 
structure and criteria for receiving a ``bonus,'' that portion of the 
practice's expenses--and therefore, the compensation methodology for 
the part-time employee lease--might not be set in advance and might not 
meet other criteria of the safe harbor. For example, if a bonus that 
took into account the volume or value of referrals between the parties 
was part of the compensation under the lease, the hospital's 
compensation to the practice for the part-time employee lease would not 
be protected by the safe harbor.
    The intent behind these modifications is to provide enhanced 
flexibility while mitigating the risk of parties periodically adjusting 
the agent's compensation to reward referrals or to promote unnecessary 
utilization of services. Parties seeking protection under this safe 
harbor must evaluate the specific facts and circumstances of their 
arrangement to determine whether the compensation methodology over the 
term of the agreement is set in advance before any payment under the 
arrangement is made. Any remuneration also must meet all other 
conditions of the safe harbor for protection.
    Comment: Some commenters agreed with our proposals but asked OIG to 
define certain terminology under the safe harbor such as ``fair market 
value'' and ``does not take into account the volume or value of 
referrals,'' and asked OIG to harmonize OIG's interpretations of this 
terminology under the Federal anti-kickback statute with CMS's 
interpretations of this terminology under the physician self-referral 
law in the proposed rule CMS issued in connection with the Regulatory 
Sprint (CMS NPRM),\122\ to the extent possible given the differences in 
the two laws. For example, a commenter recommended that OIG adopt CMS's 
interpretation of the volume or value standard as proposed by CMS in 
the CMS NPRM. Another commenter sought clarification from OIG that 
incentive compensation paid to a physician under a comanagement, 
bundled payment, or internal cost savings arrangement would not take 
into account the volume or value of referrals under the Federal anti-
kickback statute if the physician is paid a percentage of savings per 
``case.'' According to the commenter, the more cases performed may 
result in more savings, more losses, or something in between. A 
commenter asserted that ``value'' in the construct of ``fair market 
value'' should not solely relate to what an entity would pay regardless 
of the outcome. According to the commenter, OIG should consider 
defining ``fair market value'' in a manner that recognizes the value of 
savings attributable to the services to the entity paying the incentive 
compensation rather than the time value of the services or the value of 
the services based on metrics, or any relevant fee schedule. A 
commenter recognized that OIG cannot opine on ``fair market value'' in 
an advisory opinion but requested that OIG explain whether certain 
compensation methodologies (e.g., using an hourly rate as a 
compensation methodology or a percentage of savings attributable to an 
agent) could constitute fair market value under the Federal anti-
kickback statute.
---------------------------------------------------------------------------

    \122\ 84 FR 55766 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Another commenter sought confirmation that OIG interprets the term 
``commercially reasonable'' consistent with CMS's proposed 
interpretation in the CMS NPRM, specifically ``that the particular 
arrangement furthers a legitimate business purpose of the parties and 
is on similar conditions as like arrangements. An arrangement may be 
commercially reasonable even if it does not result in profit for one or 
more of the parties.''
    Response: We did not propose to define or interpret fair market 
value, commercially reasonable, or the phrase ``takes into account the 
volume or value of referrals or business otherwise generated,'' nor are 
we adopting the commenter's suggestion that we interpret these terms, 
for purposes of applying the Federal anti-kickback statute and safe 
harbor regulations, consistent with CMS's interpretations of such 
terms. These terms have long existed throughout our existing safe 
harbors at section 1001.952 without further definition or 
interpretation by OIG and are well-established. Whether or not fair 
market value is or was paid or received for any personal services 
provided by an agent to a principal under this safe harbor depends on 
the specific arrangement's facts and circumstances, and we decline to 
interpret examples with limited information.
    Comment: Certain commenters were concerned that Indian health care 
service providers cannot utilize this safe harbor because of the 
requirement that each party in the arrangement pay fair market value 
for services. According to commenters, the fair market value for Indian 
health facility jobs and services may not align with the fair market 
value elsewhere. Some of these commenters recommended that the fair 
market value for Indian health facilities be lowered and relate more to 
the economic realities of provider recruitment and retention in tribal 
communities. Commenters also noted that some part-time contractors 
currently use the fair market value standard to extract pay that 
exceeds the fair market value for jobs within Indian health programs.
    Response: We understand the commenters' concerns with respect to 
establishing personal services arrangements in facilities or regions 
where salaries might be lower than the fair market value found in other 
nearby areas. We are not defining fair market value or further 
specifying the appropriate methodologies for parties to use when 
determining fair market value in this final rule. Based on our law 
enforcement experience, arrangements in which parties offer or provide 
free or below fair market services to those in a position to refer 
federally payable business to the offeror can be problematic under the 
Federal anti-kickback statute. However, we agree that fair market value 
can vary by region, setting, or other factors. For example, an hourly 
rate for certain specialist services in Manhattan likely would be 
higher than the hourly rate for the same services in rural Mississippi 
or at an Indian health facility.
    Comment: A commenter recommended that OIG expand the writing 
requirement within the safe harbor to include contemporaneous 
documentation rather than a signed agreement. The commenter noted that 
the CMS NPRM proposed to remove the formality of a signed agreement and 
modified this requirement in certain physician self-referral law 
exceptions to allow documentation that constitutes an agreement under 
applicable state law, which the commenter believes will ease the 
regulatory burden for stakeholders to document the arrangement.
    Response: We did not propose to modify the requirement that an 
agency agreement be set out in writing, thus we are not finalizing any 
change to that requirement. As we explained above, the physician self-
referral law and the Federal anti-kickback statute are different laws 
with different standards for liability. Having a signed, written 
agreement that meets all requirements of the safe harbor is a core 
safeguard that is necessary for parties to demonstrate that they intend 
to comply with all requirements of the safe harbor, have structured the 
compensation

[[Page 77841]]

methodology appropriately, and have a meeting of the minds on the 
services and payment to be provided under the arrangement. However, we 
note that the safe harbor does not specify a particular format for the 
agreement. The written agreement requirement can be met either through 
a single, formal, signed agreement or through a collection of documents 
if such collection of documents includes all of the required elements 
of the safe harbor and is signed by the parties (e.g., by signing each 
document that makes up the agreement, or by signing a single signed 
document that incorporates separate documents by reference).
b. Elimination of Requirement To Specify Schedule of Part-Time 
Arrangements
    Summary of OIG Proposed Rule: We proposed to eliminate the 
condition in the safe harbor paragraph 1001.952(d)(5) that requires 
that if an agreement provides for the services of an agent on a 
periodic, sporadic or part-time basis, the contract must specify the 
schedule, length, and the exact charge for such intervals.
    Summary of Final Rule: We are finalizing this modification as 
proposed.
    Comment: Commenters generally appreciated the proposed removal of 
the requirement that, for part-time arrangements, the contract must 
specify the schedule, length, and the exact charge for such intervals. 
Multiple commenters stated that eliminating the requirement that part-
time contractual arrangements specify exact interval schedules allows 
for greater flexibility in protected personal services arrangements, 
while the safe harbor continues to incorporate safeguards that limit 
potential abuse. For example, a commenter noted the proposal could 
apply to dialysis facility medical directors who provide their services 
on a part-time basis. The commenter highlighted the unpredictable 
nature of dialysis care and that the frequent need to respond to urgent 
medical emergencies can impede the ability of nephrologists serving as 
dialysis facility medical directors to adhere to predetermined 
schedules. In contrast, a commenter expressed concern that eliminating 
this requirement may increase the risk that either services will not be 
rendered or that the payment for services may vary based on referrals 
and recommended additional documentation requirements.
    Response: We are finalizing the removal of the requirement to 
specify the exact schedule of part-time arrangements, as proposed. We 
note that this change to the safe harbor should accommodate a broad 
range of part-time or sporadic-need value-based payment and care 
arrangements in furtherance of the Department's goals in connection 
with the Regulatory Sprint. We did not propose additional documentation 
requirements, and we continue to believe, as we stated in the OIG 
Proposed Rule, that other conditions sufficiently safeguard against the 
harms mentioned by a commenter.\123\
---------------------------------------------------------------------------

    \123\ 84 FR 55744-45 (Oct. 17, 2019).
---------------------------------------------------------------------------

c. Proposal To Protect Outcomes-Based Payments
    Summary of OIG Proposed Rule: At proposed paragraphs 1001.952(d)(2) 
and (3), we proposed to protect outcomes-based payment arrangements 
between a principal and an agent that reward improving patient or 
population health by achieving one or more outcome measures that 
effectively and efficiently coordinate care across care settings, or by 
achieving one or more outcome measures that appropriately reduce payor 
costs while improving, or maintaining the improved, quality of care. We 
proposed several safeguards. Under proposed paragraphs 1001.952(d)(2), 
protected payments would be between parties collaborating to measurably 
improve or maintain improvement in quality of care or appropriately and 
materially reduce costs of payments (without diminution of the quality 
of care), and the agent receiving the payment would need to meet at 
least one evidence-based, valid outcomes measure meeting specified 
criteria, including selection based on credible medical support. Under 
proposed paragraph 1001.952(d)(2)(iii), the payment methodology would 
be set in advance, commercially reasonable, consistent with fair market 
value, and not determined in a manner that directly takes into account 
the volume or value of referrals or other business generated between 
the parties.
    Additionally, at paragraph 1001.952(d)(2), we proposed safeguards 
to protect clinical decision-making, guard against stinting on care, 
and ensure written documentation, monitoring, periodic rebasing of 
outcome measures, and corrective action of deficiencies in the quality 
of care. The term of protected arrangements would be at least 1 year. 
At proposed paragraph 1001.952(d)(3), we proposed making certain 
entities ineligible for safe harbor protection under the outcomes-based 
payments provisions in a manner similar to the proposed definition of 
VBE participant at proposed paragraph 1001.952(ee)(12), and we proposed 
that outcomes-based payments would exclude payments related solely to 
achievement of internal cost savings for the principal. We indicated 
that we were considering excluding payments based on patient 
satisfaction or convenience measures.
    Summary of Final Rule: We are finalizing, with modifications, the 
new protection for outcomes-based payments at paragraphs 1001.952(d)(2) 
and (3). We revised the definition of ``outcomes-based payment'' in 
paragraph 1001.952(d)(3)(ii) to clarify that the payment may be a 
reward for successfully achieving an outcome measure or a recoupment or 
reduction in payment for failure to achieve an outcome measure. 
Paragraph 1001.952(d)(2)(i) consolidates and streamlines proposed 
paragraphs 1001.952(d)(2)(i) and (ii) related to acceptable outcomes 
measures; to receive a protected outcomes-based payment, the agent must 
achieve one or more legitimate outcome measure selected based on 
clinical evidence or credible medical support and with specified 
benchmarks related to quality of care, a reduction in costs, or both. 
At paragraph 1001.952(d)(2)(vii)(B), we revised our proposal related to 
``rebasing'' of outcomes measures to clarify that the parties must 
periodically (i) assess and (ii) revise benchmarks and remuneration 
under the agreement as necessary to ensure that any remuneration is 
consistent with fair market value in an arm's-length transaction as 
required by paragraph 1001.952(d)(2)(ii).
    We finalize the proposed requirements related to fair market value, 
commercial reasonableness, and the volume or value of business at 
paragraph 1001.952(d)(2)(ii). At paragraph 1001.952(d)(2)(iii), we 
finalize the writing requirement proposed at paragraph 
1001.952(d)(2)(viii). In paragraph 1001.952(d)(2), we finalize 
additional safeguards related to clinical decision-making, stinting on 
care, a 1-year term, monitoring, and counseling and promotion of 
unlawful business, as proposed.
    At paragraph 1001.952(d)(3)(iii), we finalized the scope of 
entities ineligible for safe harbor protection for making outcomes-
based payments to include: (i) Pharmaceutical companies; (ii) PBMs; 
(iii) laboratory companies; (iv) pharmacies that primarily compound 
drugs or primarily dispense compounded drugs; (v) manufacturers of a 
device or medical supply, as defined in paragraph (ee)(14)(iv); (vi) 
medical device distributors or wholesalers that are not otherwise 
manufacturers of a device or medical

[[Page 77842]]

supply, as defined in paragraph (ee)(14)(iv) of this section; or (vii) 
DMEPOS companies. In the same paragraph, we finalize our policy to 
exclude payments for internal cost savings or payments based solely on 
patient satisfaction or patient convenience measures.
    We clarify in both paragraph 1001.952(d)(2)(ii) and paragraph 
1001.952(d)(3)(ii) that the remuneration may be ``between or among'' 
the parties, rather than being limited to remuneration from the 
principal to the agent. We reordered the provisions from paragraphs 
(d)(2)(iii)-(vii) without making additional substantive changes. We 
made technical corrections in paragraph 1001.952(d)(2) to replace the 
word ``satisfy'' with the word ``achieve'' in order to use a consistent 
term throughout the safe harbor.
    Comment: Many commenters supported OIG's proposal to expand the 
existing safe harbor for personal services and management contracts by 
creating new provisions at paragraphs 42 CFR 1001.952(d)(2)-(3) to 
protect certain outcomes-based payments. Some expressed support for 
protection for outcomes-based payments but encouraged OIG to provide 
greater specificity regarding the types of payment arrangements, 
specific outcome measures, and specific requirements for measuring 
achievement of outcomes that would qualify for protection under these 
proposed provisions to the safe harbor. A commenter asked OIG to 
clarify that the list of examples in the OIG Proposed Rule's preamble 
was not all-inclusive, but merely a representative list of the types of 
arrangements that may be protected under the safe harbor. Another 
commenter cautioned against referencing or creating an exhaustive list 
of specific types of payments that could qualify as ``outcomes-based 
payments'' because that approach would be too limiting. Another 
commenter requested that OIG reiterate its recognition that outcomes-
based payment arrangements may vary in structure and that the safe 
harbor should provide flexibility for arrangements designed to achieve 
appropriate quality of patient care as well as appropriate efficiency 
and cost-saving goals. Many commenters believed the proposals were 
unnecessarily limited, overly complex, and potentially difficult for 
physicians to implement, and another commenter found the monitoring of 
arrangements overly burdensome.
    Response: We intend for the outcomes-based payments safe harbor to 
support outcomes-based payments that facilitate care coordination, 
encourage provider engagement across care settings, and advance the 
transition to value. At the outset, we note that in response to general 
comments regarding the complexity of this safe harbor and for the sake 
of clarity, we streamlined the language we had proposed in paragraphs 
1001.952(d)(2)(i) and (ii) such that the safe harbor still expressly 
specifies that the agent must achieve one or more legitimate outcome 
measures selected based on clinical evidence or credible medical 
support, but we are not finalizing the proposed language relating to 
the measures being specific, evidence-based, and valid. As we explain 
in greater detail in section III.B.3.b above in our discussion of 
outcome measures in the care coordination safe harbor, based on public 
comment, we changed the terms ``evidence-based'' and ``valid'' to 
``clinical evidence'' and ``legitimate'' to offer some additional 
flexibility while reflecting our intention that measures be credible 
and appropriate. In selecting outcome measures, parties have broad 
latitude under this safe harbor to identify opportunities for improving 
or maintaining the improvement of patient care and reducing costs to 
payors in ways that are scientifically valid, measurable, and 
transparent.
    We are not limiting protection under the safe harbor to a specific 
set of arrangements such as value-based arrangements. In the OIG 
Proposed Rule, we listed certain arrangements that may be protected 
under the safe harbor, provided the arrangement meets every requirement 
of the safe harbor.\124\ We are not limiting the protection provided by 
this safe harbor to a particular list of arrangements or particular 
types or structures of arrangements or measures.
---------------------------------------------------------------------------

    \124\ 84 FR 55745 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We take a broader approach by providing additional protection to a 
variety of stakeholders, which should facilitate innovation in 
designing compensation arrangements that are value-based. As we stated 
in the OIG Proposed Rule, we strive to provide flexibility in this safe 
harbor, but we also must include appropriate safeguards, such as 
monitoring and assessment requirements, to protect patients and Federal 
health care programs.
    Comment: We received comments on our proposed definition of 
``outcomes-based payment'' and its interaction with other requirements. 
For example, a commenter recommended that we remove the language in the 
``outcomes-based payment'' definition that appears to make effectively 
and efficiently coordinating care across care settings a required 
factor in an outcome measure. A commenter also asked that we harmonize 
the terms we use to describe ``outcome measures'' throughout the safe 
harbor. For example, a commenter indicated that the definition of 
``outcomes-based payment'' is not consistent with the way payments are 
made under existing alternative payment models. A commenter recommended 
a technical change to paragraph 1001.952(d)(2) to specify that the safe 
harbor protects outcomes-based payments made by a principal to an agent 
as compensation for the services of the agent.
    Response: We are not making the change to paragraph 1001.952(d)(2) 
suggested by a commenter to refer to payments from a principal to an 
agent. However, we note that the safe harbor protects any ``outcomes-
based payment,'' and that term is defined in paragraph 1001.952(d)(3). 
In this final rule, we revised that definition to protect payments 
``between or among a principal and an agent'' that meet certain 
criteria, as described in more detail below.
    In addition, we removed the language in the definition of 
``outcomes-based payment'' regarding effectively and efficiently 
coordinating care across care settings, and instead rely on a reference 
to paragraph 1001.952(d)(2)(i) in which outcome measures are described. 
We believe that this change also addresses the commenter's concern 
about different terminology in those two sections. We also are revising 
the proposed requirement that the outcome measure measurably improves 
quality of patient care or appropriately and materially reduces payor 
costs to provide that the measure must be used to quantify: (i) Quality 
improvements (or maintenance of improvements in quality); (ii) material 
reductions in payor costs or expenditure growth while maintaining or 
improving the quality of care for patients; or (iii) both. Finally, we 
note that this safe harbor is not the only option for protecting 
payments under alternative payment models. Participants in such models 
may be able to look to the safe harbor for CMS-sponsored models at 
paragraph 1001.952(ii), or the value-based safe harbors at paragraphs 
1001.952(ee)-(gg).
    Comment: A commenter urged OIG to use ``outcome measures'' under 
paragraph 1001.952(d)(2) consistently with the use of the term under 
paragraph 1001.952(ee) to reduce complexity.
    Response: We interpret the term ``outcome measure'' under this safe 
harbor to have the same meaning as

[[Page 77843]]

under any other safe harbor that uses it, including paragraph 
1001.952(ee). We note, however, that different safe harbors protect 
different types of remuneration, include different safeguards, and use 
additional terms. For example, in the safe harbor for care coordination 
arrangements, the ``outcome or process measure'' must have a benchmark 
related to improving or maintaining improvements in the coordination 
and management of care for the target patient population, while 
``outcome measures'' under this safe harbor must have benchmarks that 
relate to improving or maintaining the quality of patient care, 
reducing costs or growth in expenditures to payors, or both. If a party 
seeks safe harbor protection for a particular arrangement, the 
arrangement need only meet one safe harbor to qualify for protection 
but the arrangement must comply with all conditions of the chosen safe 
harbor.
    Comment: A commenter urged that outcomes-based payments should 
include a service component to prevent sham arrangements that simply 
maintain the status quo. Similarly, a few commenters suggested that OIG 
limit parties that may pay outcomes-based payments to parties 
participating within a VBE to prevent fraud and abuse, such as sham 
arrangements through which no service is provided. A commenter asked 
whether an outcomes-based payment agreement that requires exclusive or 
minimum level of use of a product (e.g., product standardization) to 
achieve an outcomes-based payment could be protected by the safe harbor 
as long as the principal makes a determination that such the 
requirement for exclusivity or minimum use will not preclude it from 
making decisions in its patients' best interests.
    Response: As we stated in the OIG Proposed Rule, measures that 
simply seek to reward the status quo would not meet the safe harbor 
condition that requires parties to select legitimate outcome 
measures.\125\ However, we are not limiting the scope of entities that 
may make outcomes-based payments to VBEs or VBE participants. We 
believe that the conditions parties must meet for safe harbor 
protection will sufficiently mitigate the risk of fraud and abuse.
---------------------------------------------------------------------------

    \125\ 84 FR 55746 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We agree that the safe harbor does not necessarily preclude product 
standardization. If the product standardization measures selected by 
the parties under the outcomes-based payment arrangement do not limit 
any party's ability to make decisions in their patients' best interest 
and meet the other terms of the safe harbor, then they could be part of 
an outcomes-based payment arrangement.
    Comment: A trade association commented that only sophisticated 
health systems with advanced data analytics have the capability to 
internally develop outcome measures while small, underserved, and rural 
practices would not have the resources to develop these measures 
internally. For example, a commenter noted that measuring outcomes can 
be a challenging and resource-intensive process that takes time to 
evaluate, especially on the individual participant level in a large 
entity with significant numbers of participants and multiple specialty 
areas.
    Response: We recognize that structuring and implementing outcomes-
based payment arrangements that satisfy the conditions of this safe 
harbor may be more onerous than structuring and implementing 
traditional personal service arrangements under the existing personal 
services and management contracts safe harbor (e.g., a party striving 
to satisfy the outcomes-based payment arrangements provisions must 
determine legitimate outcome measures, establish the types of services 
to be performed to achieve an outcome measure, set benchmarks, monitor 
and assess achievement, and ultimately achieve outcome measures). We 
understand the commenter's concern regarding the potential 
administrative and financial impact that developing outcome measures 
may have on small, underserved, and rural providers. Participation in 
an outcomes-based payment arrangement is entirely voluntary, as is 
structuring outcomes-based payments to satisfy the conditions of this 
safe harbor. To the extent that parties wish to enter into an outcomes-
based payment arrangement and structure such arrangement to satisfy the 
conditions of this safe harbor, the parties have discretion in the 
selection of outcome measures. Providers serving small, underserved, or 
rural communities may select outcome measures that would not impose an 
inappropriate financial burden on the parties to effectuate.
    Comment: A commenter asked OIG to include process measures (e.g., 
providing or not providing a specific treatment) that are supported by 
strong evidence of improving an outcome within the types of valid 
outcome measures that may serve as the basis for payment under the safe 
harbor. Another commenter recommended that we require outcomes-based 
arrangements to include a service component.
    Response: We agree that process measures supported by strong 
evidence of improving an outcome may serve as a component of outcome 
measures that an agent must achieve to receive an outcomes-based 
payment. For example, an outcomes-based payment arrangement may measure 
the agent's compliance with certain steps of a care process (e.g., 
providing mammograms) to improve a specific health outcome. In section 
III.B.3.b above, we explain the rationale for permitting process 
measures to be included in the care coordination arrangements safe 
harbor but not in the outcomes-based payment provisions discussed here 
(although a process measure could be included as part of an outcomes 
measure); that rationale focuses on the different remuneration 
permitted under the two safe harbors and the different standards set 
forth by each safe harbor.
    Under the modified regulatory text, outcome measures must be 
selected based on clinical evidence or credible medical support and be 
used to: (i) Quantify improvements or maintenance of improvements in 
the quality of patient care; (ii) quantify a material reduction in 
costs to, or growth in expenditures of, payors while maintaining or 
improving quality of care for patients; or (iii) both. In addition, as 
we proposed in the OIG Proposed Rule a ``measure'' related to patient 
satisfaction or convenience would not meet the criteria of an outcome 
measure.\126\ For similar reasons to those we discuss in connection 
with outcomes measures for paragraph 1001.952(ee), the final rule at 
paragraph 1001.952(d)(3)(iii)(C) provides that an outcomes-based 
payment based solely on patient satisfaction or patient convenience 
measures would not be protected. We recognize that patient satisfaction 
and patient convenience can be relevant factors in patient care. 
However, we do not consider these types of measures, standing alone, to 
provide adequate protection against abusive or sham payment 
arrangements for purposes of granting safe harbor protection.
---------------------------------------------------------------------------

    \126\ 84 FR 55708 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We anticipate that most outcomes-based arrangements would include 
certain services to meet the conditions of the safe harbor, and the 
regulatory text includes several references to services. However, we 
believe that adding a separate requirement specific to performing 
services could add confusion, and that existing conditions in paragraph 
1001.952(d)(2) safeguard against sham arrangements.

[[Page 77844]]

    Comment: A commenter asked OIG not to require outcome measures to 
measurably improve the quality of patient care once the quality of care 
metric has been achieved. Instead, the commenter suggested that OIG 
focus on payment incentives that reduce costs after quality targets are 
met. On the other hand, a commenter expressed concern that allowing 
payment for ``maintaining improvement'' would invite sham arrangements 
that disguise payments in exchange for referrals for merely maintaining 
the status quo.
    Response: We share the concern about the potential for sham 
arrangements associated with maintaining cost or quality. However, we 
also recognize that parties may succeed in reaching the desired outcome 
on quality or cost containment but need to be incentivized to maintain 
it to prevent subsequent reductions in attained quality or cost 
containment. To achieve the desired outcome, parties may need to invest 
resources at the beginning of an arrangement (e.g., to develop new 
protocols and engage in training). However, a continued expenditure of 
resources also may be necessary to avoid regression from any progress 
made. These are the types of issues we would expect parties to assess 
and, as necessary, revise benchmarks and remuneration under the 
arrangement to benchmarks to continue to achieve the desired outcome on 
a periodic basis. For example, if parties had an outcome measure 
related to reducing falls to a certain level from a starting benchmark 
point in a skilled nursing facility, and they eventually achieve a fall 
rate benchmark that no longer has room for improvement, a revised 
outcome measure might be to maintain that low fall rate (i.e., the new 
fall rate becomes the starting benchmark, and the outcome measure is to 
maintain it rather than reduce it). Any outcomes-based payment made for 
a new outcome measure would still have to meet all conditions of the 
safe harbor, including that the methodology for setting compensation is 
consistent with fair market value. For example, the fair market value 
of an outcomes-based payment made to an agent to maintain the desired 
level of quality of care may be lower than the fair market value of an 
initial outcomes-based payment made for implementing operational 
changes necessary to achieve the quality of care outcome measure.
    Comment: A commenter indicated that it currently operates outcomes-
based payment arrangements and suggested that OIG impose the following 
three requirements to ensure that all outcomes-based payments are 
legitimately made toward advancing the clinical and cost-saving goals 
of the arrangement and not merely payments for referrals: (i) Require 
outcome measures to be well-defined, meaningful to patients, achievable 
in a defined timeframe, and agreed upon by the parties; (ii) require 
outcome measures to be tracked through claims data, existing 
registries, EHRs, or other low-cost mechanisms; and (iii) require the 
arrangement to deliver measurable outcomes that improve patient quality 
of care and other benefits to the health care system through lower cost 
of care, other efficiencies, or shared accountability, or both.
    Response: We appreciate the commenter's helpful suggestions. While 
we are not using the precise wording offered by the commenter, we 
believe the language finalized in the regulation captures many of the 
concepts suggested by the commenter. Similar to the commenter's 
suggestion of requiring meaningful, well-defined outcome measures, we 
require that the outcome measures be selected based on clinical 
evidence or other credible medical support and be used to quantify 
improvements to or maintenance of improvements in the quality of care 
or material reductions in cost to (or growth in expenditures of) 
payors, while maintaining or improving the quality of care of patients. 
We are not setting a timeline by which parties must achieve outcomes or 
requiring that parties must specify a timeline under which outcomes 
must be achieved because we recognize that the timeframe necessary to 
achieve certain outcome measures can vary greatly, depending on the 
measure and other characteristics, and that it may be challenging for 
parties to specify a certain timeline to achieve outcomes. Likewise, we 
do not specify any particular mechanism for tracking progress toward 
meeting outcome measures. We are not requiring parties to track outcome 
measures through claims data. However, the parties must regularly 
monitor and assess the agent's performance under the specified outcome 
measure(s), including its impact on patient quality of care and make 
any necessary adjustments. Parties also must periodically assess and, 
as necessary, revise the benchmarks and remuneration under the 
arrangement to ensure remuneration is consistent with fair market 
value. We do not believe mandating specific documentation methods is a 
necessary safeguard against fraud and abuse; parties may conduct and 
document such monitoring in any way that makes sense for the particular 
arrangement.
    Comment: A commenter asked OIG to remove the proposed requirement 
that an outcome measure ``appropriately and materially'' reduce costs 
or growth in expenditures for payors because the commenter believed 
this provision was too subjective. A commenter requested that OIG 
provide greater certainty to stakeholders by establishing concrete 
methods that parties could use to determine whether an outcome measure 
improves quality of care under an arrangement. Another commenter 
disagreed with the proposed safe harbor requirement that the agent 
achieve the outcome measure in order to receive payment, asserting that 
constant achievement of any outcome measure is not practical in health 
care.
    Response: We are making certain changes to ensure that parties 
appropriately measure and quantify the results of the arrangement on 
patient quality of care and costs. We are finalizing our proposal 
requiring the agent to achieve the outcome measure for the payment to 
be protected.\127\ We believe this requirement serves as an important 
safeguard to ensure that remuneration is for legitimate outcomes 
anticipated through implementing the arrangement and is not a vehicle 
for rewarding referrals. We are not requiring particular methods to 
evaluate quality improvements (or maintenance of improvements in 
quality) under any protected arrangement because we believe that 
evaluation methods may be specific to each arrangement and may evolve 
in the future as parties innovate in new ways. We are modifying the 
proposed language by replacing ``appropriately and materially'' with a 
requirement that the agent achieve one or more legitimate outcome 
measures that meet conditions described elsewhere in this preamble. We 
believe this modification will allow parties additional flexibility to 
determine how to quantify quality improvements (or maintenance of 
improvements in quality) to accommodate different types of outcomes-
based payment arrangements among a variety of stakeholders.
---------------------------------------------------------------------------

    \127\ We recognize that the Federal anti-kickback statute 
applies both to the offer and the receipt of remuneration, and 
parties may not know at the time of the offer of an outcomes-based 
payment (i.e., when the parties develop and initiate the 
arrangement) whether the outcome measure(s) will be achieved. 
Assuming all other safe harbor conditions are met when the 
remuneration is offered under an outcomes-based payment arrangement, 
the offer would be protected, even if the agent fails to achieve the 
outcome measure. However, any payment made for an outcome measure 
not successfully achieved would not meet the safe harbor conditions 
under paragraph 1001.952(d)(i) and would not be protected.

---------------------------------------------------------------------------

[[Page 77845]]

    Comment: Numerous commenters urged OIG to broaden its proposal to 
protect payments that solely provide cost savings to a payor to include 
cost savings to providers. Some commenters argued that limiting 
protection to arrangements that achieve cost savings to a payor would 
make the safe harbor unworkable in practice and encouraged OIG to 
include arrangements that achieve cost savings to a provider to 
incentivize changes in physician behavior that are necessary to 
facilitate the transition to value-based care. A commenter posited that 
outcomes-based payments by nature involve standardization on a given 
system, protocol, or both to improve efficiencies and better coordinate 
and deliver care.
    A few commenters indicated that cost savings arrangements for cost-
reporting providers would not immediately produce cost reductions for 
payors but may eventually lower Medicare costs because the cost 
reductions may be reflected in future bundled payment rates.
    Response: Having considered the comments, we decline to broaden the 
safe harbor to protect outcomes-based payments for arrangements that 
reduce internal costs only to the providers making the payments. We are 
concerned that such payments, while potentially beneficial in 
generating efficiencies, pose risks to patient care that outweigh the 
potential for the arrangements to further the care coordination and 
efficiency goals of this rulemaking if protected.
    In some cases, such as hospital-physician gainsharing, arrangements 
that reduce internal costs may benefit only the hospital making the 
payments without necessarily contributing to better care coordination, 
improvements in quality of care, or appropriate reductions in costs. We 
are concerned that some payments, such as a payment to select a less 
expensive device or to discharge a patient more quickly, could lead to 
reductions in the quality or safety of patient care. Moreover, apart 
from quality of care concerns such payments would not offer a 
corresponding reduction in the payments made by Medicare or another 
Federal health care program. In the absence of a potential efficiency 
benefit to Federal health care programs, and in light of patient care 
concerns, we are not protecting payments that relate solely to the 
achievement of internal cost savings for the principal making the 
payment as an ``outcomes-based payment.''
    However, properly structured arrangements that compensate 
physicians for services performed and achieve hospital internal cost 
savings can serve legitimate business and medical purposes. Depending 
on the specific facts and circumstances, such arrangements could 
potentially be structured in a manner that complies with paragraph 
1001.952(d)(1), as finalized.
    Comment: Numerous commenters opposed the proposed safe harbor 
requirement that the methodology for determining the aggregate 
compensation (including any outcomes-based payments) paid between or 
among the parties over the term of an agreement be consistent with fair 
market value, commercially reasonable, and not be determined in a 
manner that directly takes into account the volume or value of 
referrals or other business generated between the parties, arguing that 
there are no industry standards applicable to outcomes-based payments 
available to date. A commenter expressed concern about only prohibiting 
the aggregate compensation from being determined in a way that 
``directly'' takes into account the volume or value of referrals. 
Others supported these safe harbor requirements but asked for 
clarification from OIG on these terms, or asked OIG to align OIG's view 
of these standards to be consistent with the definitions of these terms 
proposed in the CMS NPRM as they relate to the physician self-referral 
law.
    Others argued that legitimate, outcomes-based arrangements should 
be able to take into account the volume or value of referrals within 
the payment methodology. A few commenters suggested that OIG remove the 
fair market value requirement.
    Response: We recognize that the process of evaluating whether an 
outcomes-based payment arrangement is consistent with fair market value 
may evolve and adapt as the health care industry shifts to value-based 
care payment models and outcomes-based payments. However, we believe 
that ensuring that the aggregate remuneration is consistent with fair 
market value helps ensure that monetary remuneration is paid for 
services that achieve legitimate outcome measures rather than 
referrals.
    We are not adopting any particular standard for determining that 
the aggregate compensation methodology is consistent with fair market 
value to provide parties sufficient flexibility to analyze fair market 
value as applicable to specific arrangements and in arrangements that 
may not currently exist today. As explained above in our discussion of 
the elimination of the requirement to set aggregate compensation in 
advance, we decline to adopt the fair market value standard proposed by 
CMS under the physician self-referral law. We are finalizing our 
proposal to require that the compensation methodology for determining 
the outcomes-based payment not directly take into account the volume or 
value of referrals or other business generated between the parties. We 
believe this will provide parties flexibility to structure arrangements 
that incentivize providers to achieve an outcome measure, even if the 
methodology indirectly takes into account the volume or value of 
referrals.
    Comment: A commenter questioned whether the safe harbor protects 
``reverse-flow payments'' from an agent to a principal and recommended 
that OIG revise the definition for ``outcomes-based payment'' to 
protect payments from an agent to a principal when a targeted outcome 
or cost metric has not been achieved (i.e., shared-losses payments).
    Response: In the OIG Proposed Rule, we explained that a shared-
losses payment could constitute an ``outcomes-based payment.'' \128\ We 
are finalizing this position through revisions to the regulatory text 
at paragraph 1001.952(d)(3)(ii) to clarify that an outcomes-based 
payment is a payment ``between or among a principal and an agent'' that 
meets the criteria listed in paragraphs 1001.952(d)(3)(ii)(A) and (B), 
and includes payments in the form of recoupment from or reduction in 
payment to an agent.
---------------------------------------------------------------------------

    \128\ 84 FR 55745 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: Several commenters objected to the safe harbor including a 
specific timeframe after which parties seeking protection for outcomes-
based payments would have to rebase their benchmarks. Commenters noted 
that any such time limits would be artificial. A commenter concerned 
with the negative effects of annual rebasing on preventive care 
provided the following example: One clinician takes preventive care 
steps to prevent colon cancer or to identify cancer at an earlier stage 
(e.g., through colonoscopies, blood work) in the first year, which has 
the effect of reducing the risk of cancer for 5 years, while another 
clinician does not take any preventive care steps for a patient and the 
patient develops cancer 4 years later. According to the commenter, if 
rebasing is done on an annual basis, the second clinician would be 
rewarded for providing care at no cost and good outcomes during that 1 
year, while the first clinician would not be rewarded because the 
clinician provided high-cost care with no discernible improvement of 
outcomes during that limited timeframe.

[[Page 77846]]

    Some commenters noted that finalizing a safe harbor condition that 
specifies timeframes for rebasing may have a negative impact on 
participation in outcomes-based arrangements. For example, because 
margins for improvement against benchmarks may be more challenging or 
impossible to meet over time, parties may be disincentivized to enter 
into these arrangements in the first place, or incentivized to unwind 
them after initial improvements, due to concerns about having an 
arrangement structure that does not squarely meet a safe harbor. Some 
of the commenters noted that, if there must be a specific timeframe in 
the safe harbor, that timeframe should be at least 5 to 10 years. In 
contrast, a commenter recommended that benchmarks be adjusted at least 
yearly to limit the risk that ``evergreen'' arrangements could be used 
as a vehicle to evade legitimate outcome obligations and instead to 
reward referrals.
    Several commenters supported the standard we proposed in the OIG 
Proposed Rule requiring outcome measures to be periodically rebased, as 
applicable, during the term of the agreement. As an alternative, a 
commenter suggested that OIG revise this provision to require that the 
parties periodically reevaluate whether an outcome measure should be 
rebased throughout the term or expressly state that under some 
circumstances it may be appropriate upon review to maintain an existing 
outcome-based measure. In support of a nonspecific periodic review 
approach, commenters noted that the time period for implementing 
interventions and other actions needed to influence outcome measures 
can vary greatly, as can the time period needed for results to fully 
appear in outcome measures data. In addition, commenters asserted that 
some outcomes measures may not be tied to a baseline performance level 
at all. Commenters also highlighted that outcomes-based payments may be 
made for maintaining improvement in quality of patient care, in which 
case the targets for the outcomes-based payment would not be altered. A 
commenter noted that providers and collaborators continually analyze 
their results, and value-based purchasing programs incentivize parties 
to adjust outcome measures in a timely manner. We also received a 
request for clarification on any durational limits on outcome-based 
payments or if there are parameters related to when they must end 
(i.e., whether an arrangement must end upon achieving the initial 
outcome measure or if it can continue through implementing a new 
outcome measure or maintaining the initial achievement).
    Response: We note first that for an agent to receive a protected 
outcomes-based payment under the final safe harbor, the agent must have 
achieved a specified, legitimate outcome measure. For an outcome to be 
measurable, there must be some sort of benchmark, whether that 
benchmark is a starting point (e.g., a 10 percent reduction from X) or 
reflects an end point (e.g., 90 percent of the time, X happened or was 
avoided). We agree with commenters that a one-size-fits-all approach is 
not appropriate for assessing benchmarks. However, we also agree with 
the commenter who highlighted the concern we raised in the OIG Proposed 
Rule about ``evergreen'' arrangements \129\ in which outcome measures 
are not properly monitored and the remuneration is paid in exchange for 
referrals, after any intended benchmarks have been met (or without 
determining that the outcome measure was achieved).
---------------------------------------------------------------------------

    \129\ 84 FR 55747 (Oct. 17, 2019).
---------------------------------------------------------------------------

    To illustrate, we point to the example from a commenter as it is 
summarized above, with two clinicians taking different approaches to 
patients with respect to colon cancer prevention and detection. Setting 
aside the potentially disparate impact on patient health, health 
outcomes, and quality of care, and looking only at costs for purposes 
of this example, one clinician may increase costs to payors in the 
short term by increasing preventive care but may save money in the 
longer term, while the other clinician may have limited costs in the 
short term, but by failing to detect the cancer early may increase 
costs to payors in the long term. However, it is not clear in the 
example what the outcome measure might be. By way of example for 
illustrative purposes, the U.S. Preventive Services Task Force 
recommends colon cancer screening beginning at age 50. A reasonable 
outcome measure might be a specific percentage increase in the 
practice's patient population first getting screened between age 50 and 
55. Parties would need to evaluate an appropriate benchmark year (i.e., 
a percentage increase in first screenings from which year), and whether 
over time the percentage change should be updated, the benchmark year 
should be changed, or both. In addition, the amount of remuneration 
paid for achieving the outcome measure should be reassessed to 
determine whether it is fair market value. For example, a practice may 
need to develop new processes, training, and take other steps initially 
to achieve an outcome measure. While certain work must continue in 
future years to continue achieving the desired outcomes (whether it is 
for continuing to improve quality of patient care or materially reduce 
cost, or to maintain the achieved improvements in those areas), the 
outcomes-based payment may be less than it was during the initial 
year(s). If the outcome measure was based on the cost savings over the 
course of a year, an annual reassessment of the benchmark and 
remuneration would be appropriate to meet that safe harbor requirement. 
We also recognize that some outcome measures might be on a longer 
timetable for reassessment (e.g., a percentage reduction in costs over 
a 5-year time span). Therefore, the outcome measure might not need to 
be reassessed for 5 years (but an outcomes-based payment also would not 
be protected by this safe harbor until such outcome is achieved).
    We have revised the regulatory text in the final rule to address 
many of the issues the commenters raised. These revisions are 
consistent with the substance of what we proposed in the OIG Proposed 
Rule. In the OIG Proposed Rule, we had solicited comments on defining 
the term ``rebasing'' and had described the fraud and abuse risk we 
were trying to prevent (e.g., arrangements in which outcome measures 
are not properly monitored or assessed and could be used as a vehicle 
to reward referrals well after the desired provider behavior change or 
savings benchmark has been met \130\). Specifically, in this final 
rule, rather than stating that, for each outcome measure, the parties 
must ``rebase during the term of the agreement, to the extent 
applicable,'' we are stating that the parties must ``[p]eriodically 
assess and, as necessary, revise benchmarks and remuneration under the 
agreement to ensure that the remuneration is consistent with fair 
market value in an arm's-length transaction as required by 
(d)(2)(ii).'' Thus, for safe harbor protection, all parties must assess 
the arrangement periodically (e.g., determine whether continued use of 
a benchmark or a measure is appropriate and whether the remuneration is 
appropriate for achieving that outcome measure), and then the parties 
should make any adjustments to benchmarks or remuneration that may be 
necessary to meet other conditions of the safe harbor.
---------------------------------------------------------------------------

    \130\ 84 FR 55747 (Oct. 17, 2019).

---------------------------------------------------------------------------

[[Page 77847]]

d. Outcomes-Based Payments: Entities Not Eligible for Protection
    Summary of the OIG Proposed Rule: We proposed making certain 
entities ineligible for safe harbor protection under the outcomes-based 
payments provisions, as described in section III.B.10.c.
    Summary of the Final Rule: We are finalizing our policy to make 
certain entities ineligible for safe harbor protection. Specifically, 
the following entities will be ineligible to use the safe harbor: (i) 
Pharmaceutical companies; (ii) PBMs; (iii) laboratory companies; (iv) 
pharmacies that primarily compound drugs or primarily dispense 
compounded drugs; (v) manufacturers of a device or medical supply, as 
defined in paragraph (ee)(14)(iv); (vi) medical device distributors or 
wholesalers that are not otherwise manufacturers of a device or medical 
supply, as defined in paragraph (ee)(14)(iv) of this section; and (vii) 
DMEPOS companies. In addition, the final rule clarifies that DMEPOS 
companies do not include a pharmacy or a physician, provider, or other 
entity that primarily furnishes services.
    Comment: Numerous commenters, including stakeholders representing 
pharmaceutical and medical device manufacturers and laboratories, 
opposed carving out pharmaceutical and medical device manufacturers, 
manufacturers, distributors, and suppliers of DMEPOS, and laboratories 
from the protection under the safe harbor. For example, a commenter 
suggested that medical device manufacturers should be protected because 
they can make valuable contributions to value-based care. Other 
commenters supported OIG's proposal, with some commenters requesting 
that we make additional entities ineligible for protection, such as 
device manufacturers, distributors, wholesalers, PBMs, and pharmacies.
    Response: As laid out in the OIG Proposed Rule, we remain concerned 
that pharmaceutical and medical device companies, DMEPOS companies, and 
laboratories may inappropriately use outcomes-based payment 
arrangements to market their products or divert patients from a more 
clinically appropriate item or service, provider, or supplier without 
regard to the best interests of the patient or to induce medically 
unnecessary demand for items and services.\131\ In the OIG Proposed 
Rule, we proposed to exclude from safe harbor protection payments made 
directly or indirectly by a pharmaceutical manufacturer; a 
manufacturer, distributor, or supplier of durable medical equipment, 
prosthetics, orthotics, or supplies, or a laboratory. We proposed to 
exclude these parties based on our enforcement and oversight experience 
and for reasons similar to the reasons for proposed exclusion of these 
entities from the definition of VBE participant (for further discussion 
of these reasons, readers are referred to section III.B.2.e.ii above). 
We explained that this provision reflected our concerns that these 
types of entities are heavily dependent on prescriptions and referrals 
and might use outcomes-based payments primarily to market their 
products to providers and patients. We further said we were considering 
excluding pharmacies (including compounding pharmacies), PBMs, 
wholesalers, and distributors for the same reasons we proposed to 
exclude them from the definition of VBE participant. With respect to 
PBMs, wholesalers, and distributors, their businesses are closely 
connected to the sale of manufacturer products, which provides an 
additional reason to exclude them along with manufacturers.
---------------------------------------------------------------------------

    \131\ 84 FR 55746 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Additionally, we said in the OIG Proposed Rule that we were 
considering for the final rule the exclusion of medical device 
manufacturers from participation in the outcomes-based payments 
arrangements safe harbor.\132\ We explained our historical law 
enforcement experience with matters involving kickbacks paid to 
physicians, hospitals, and ambulatory surgical centers to market 
various medical devices, such as devices used for invasive procedures; 
in some cases, these schemes resulted in patients getting medically 
unnecessary care. We also explained our longstanding concern with 
physician-owned distributorships of medical devices because of 
financial incentives to perform more (or more extensive) procedures 
than are medically necessary and to use the devices sold by the 
distributorship instead of more clinically appropriate devices.\133\
---------------------------------------------------------------------------

    \132\ 84 FR 55705 (Oct. 17, 2019).
    \133\ Id.
---------------------------------------------------------------------------

    For the reasons stated in the OIG Proposed Rule, we are finalizing 
the provision as follows: Outcomes-based payments made directly or 
indirectly by the following entities are ineligible for protection 
under this safe harbor: (i) A pharmaceutical manufacturer, distributor, 
or wholesaler; (ii) a pharmacy benefit manager; (iii) a laboratory 
company; (iv) a pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs; (v) a manufacturer of a device or medical 
supply, as that term is defined in paragraph 1001.952(ee)(14)(iv) of 
this section; (vi) a medical device distributor or wholesaler that is 
not otherwise a manufacturer of a device or medical supply, as defined 
in paragraph (ee)(14)(iv) of this section; or (vii) an entity or 
individual that sells or rents durable medical equipment, prosthetics, 
orthotics, or supplies covered by a Federal health care program (other 
than a pharmacy or a physician, provider, or other entity that 
primarily furnishes services). We are not making payments made by 
pharmacies ineligible for safe harbor protection (except with respect 
to pharmacies that primarily compound drugs or primarily dispense 
compounded drugs for the reasons described in section III.B.2.e.ii.f 
above), although we suspect outcomes-based payments made by pharmacies 
might be relatively rare. As noted in a comment and response summarized 
in section III.B.2.e.iv above, pharmacies often serve as the key point 
of contact between patients and the health care system and provide many 
services to patients. For the same reasons we describe in that section, 
we do not believe that program integrity concerns warrant excluding 
them from protection under this safe harbor. We have modified the 
language describing DMEPOS companies to clarify that a pharmacy (other 
than a compounding pharmacy) or physician, provider, or other entity 
that primarily furnishes services remains eligible to make protected 
payments even if they also have some DMEPOS business. We did not 
propose, and did not intend, to exclude physicians or other providers.
    We are mindful that there may be legitimate uses for outcomes-based 
payments by these sectors. However, we are concerned that the proposed 
safe harbor conditions were not intended to be, and are not, tailored 
to outcome-based contracting or payments in these sectors. As noted in 
the OIG Proposed Rule, we may consider outcomes-based contracting for 
pharmaceutical products and medical device manufacturers in future 
rulemaking. Outcomes-based payment arrangements involving these sectors 
should be analyzed for compliance with the Federal anti-kickback 
statute based on their facts and circumstances, including the intent of 
the parties. The entities that are ineligible to receive protection 
under this safe harbor for making outcomes-based payments remain 
eligible to use the modified personal services and management contracts 
safe harbor at paragraph 1001.952(d)(1).

[[Page 77848]]

e. Writing and Monitoring
    Summary of OIG Proposed Rule: With paragraph 1001.952(d)(2)(viii), 
we proposed a requirement of a signed writing evidencing the outcomes-
based payments agreement. We proposed at paragraph 1001.952(d)(2)(vii) 
a requirement that the parties regularly monitor and assess the agent's 
performance for each outcome measure, including the impact of the 
outcomes-based payments arrangement on quality of care, and rebase 
outcomes measures periodically.
    Summary of Final Rule: We are finalizing, with modifications, the 
writing requirement for outcomes-based payments and we moved the 
requirement from paragraph 1001.952(d)(2)(viii) to paragraph 
1001.952(d)(2)(iii). As modified, the written agreement must include at 
a minimum a general description of the types of services to be 
performed under an outcomes-based payment arrangement. We are also 
finalizing the monitoring and assessment requirement with clarification 
regarding the rebasing requirement. Under the final rule parties must 
periodically assess and, as necessary revise, benchmarks and 
remuneration under the agreement to ensure that any remuneration is 
consistent with fair market value in an arm's-length transaction as 
required by paragraph 1001.952(d)(2)(ii).
    Comment: Commenters generally agreed that some type of written 
agreement should be required for safe harbor protection, but commenters 
did not necessarily agree with the specific condition OIG proposed. On 
the one hand, a commenter was concerned about arrangements losing safe 
harbor protection by not technically meeting the requirement of all 
services being documented, considering the need for some arrangements 
to be flexible. On the other hand, a commenter recommended that the 
safe harbor include additional documentation requirements, such as: 
Documentation of benchmarking methodologies; metrics for how to assess 
objectively its outcome measure(s) and documentation of the execution 
of any such assessment; records created at the time they entered into 
the agreement identifying the basis for the determination of 
compensation and the clinical evidence or credible medical support 
considered; and contemporaneous documentation of the services performed 
and the outcomes achieved. This commenter asserted that these 
additional documentation requirements would help prevent post-hoc 
justifications for conduct that the parties did not actually believe 
was permissible at the time, and that a lack of documentation is a way 
individuals and entities try to hide lack of compliance with a safe 
harbor.
    Response: We understand the need for flexibility in outcomes-based 
arrangements. However, the safe harbor must include safeguards to avoid 
protecting arrangements that reward referrals. In the OIG Proposed 
Rule, we proposed that the written agreement include at a minimum: (i) 
The services to be performed by the parties for the term of the 
agreement; (ii) the outcome measure(s) the agent must achieve to 
receive an outcomes-based payment; (iii) the clinical evidence or 
credible medical support relied upon by the parties to select the 
outcome measure(s); and (iv) the schedule for the parties to regularly 
monitor and assess the outcome measure(s). We believe it is critical 
for parties to include the outcome measures, the basis for selecting 
the outcome measures, and the monitoring and assessment schedule in an 
agreement at the outset of the arrangement.
    However, we are modifying the requirement that the agreement 
specify the services to be performed over the term of the agreement. We 
recognize that the parties may not be aware of every step necessary to 
achieve a certain outcome measure when the agreement becomes effective 
and that the needed services might change over time to achieve the 
desired outcome measure. Protected remuneration under paragraph 
1001.952(d)(2) is dependent upon meeting the outcome measure, not 
necessarily the specific steps a party may have taken to achieve that 
measure. Therefore, we are modifying the regulatory text to specify 
that the agreement must include at a minimum a general description of 
the types of services to be performed. We note, however, that other 
conditions of the safe harbor (e.g., monitoring the arrangement to 
assess the agent's performance and impact on patient care) would 
necessitate some type of documentation of services or other activities 
performed to achieve the outcome measure. We believe that requiring a 
general description of the anticipated services, coupled with the other 
required elements of the written agreement, strikes the appropriate 
balance between transparency needed to protect patients and Federal 
health care programs and flexibility for parties to create innovative 
arrangements that may need to evolve to achieve the desired results.
    Comment: A commenter asked whether an agreement to provide 
outcomes-based payments can be signed in advance of the establishment 
of the outcome measure(s) and whether the parties' eligibility for 
compensation commences on the date the outcome measure(s) are mutually 
agreed upon in writing signed by the parties or at some other time.
    Response: There may be certain other existing written agreements 
between the parties in advance of commencing an outcomes-based payment 
arrangement. But for purposes of meeting the writing requirement for 
protection under this safe harbor, the parties must agree to the 
outcome measure(s) in writing and sign such an agreement in advance of, 
or contemporaneous with, the commencement of the terms of the outcomes-
based payment arrangement. Furthermore, eligibility for protected 
compensation under this safe harbor commences after achievement of the 
outcomes measure (or failure to achieve it by the designated time in 
the case of a shared losses payment), assuming all safe harbor 
conditions are met.
11. Warranties (42 CFR 1001.952(g))
    Summary of OIG Proposed Rule: We proposed to modify the existing 
safe harbor for warranties at paragraph 1001.952(g) to: (i) Protect 
certain warranties for one or more items and related services upon 
certain conditions, such as all federally reimbursable items and 
services subject to bundled warranty arrangements must be reimbursed by 
the same Federal health care program and in the same payment (``same 
program/same payment requirement''); (ii) exclude beneficiaries from 
the reporting requirements applicable to buyers; and (iii) define 
``warranty'' directly and not by reference to 15 U.S.C. 2301(6).
    Summary of Final Rule: We are finalizing the modifications to the 
warranties safe harbor as proposed in the OIG Proposed Rule. In 
addition, in response to concerns raised by commenters, we are 
clarifying in this preamble the scope of buyers' reporting obligations 
to make clear the safe harbor is designed to accommodate the various 
reimbursement systems under which buyers may report price reductions.
a. Inclusion of Services in Bundled Warranties
    We are finalizing our proposal to protect warranties that warranty 
a bundle of items or a bundle of items and services. This revision 
protects, for the first time, warranties covering services, although 
the safe harbor does not provide protection to warranties that warranty 
only services. As explained in the OIG Proposed Rule, we believe 
warranties for services that are not tied

[[Page 77849]]

to one or more related items could present heightened fraud and abuse 
risks.
    Comment: Commenters generally supported our proposal to revise the 
warranties safe harbor to protect bundled warranties for one or more 
items and related services. A commenter noted sellers and buyers, such 
as health systems, would have greater flexibility under the safe harbor 
to protect related services that are often integral to determining 
whether the terms of a warranty, such as a clinical outcome, have been 
met. According to the commenter, such services might include, for 
example, data collection and analytics, verification of product use 
consistent with labeling and governing clinical protocols (including 
through confirmatory laboratory testing), and monitoring patient 
adherence to prescribed treatment regimens.
    Response: We agree with commenters that the revised safe harbor 
will offer greater flexibility to buyers and sellers to enter into 
innovative arrangements that warranty the value of an entire bundle of 
items or that include bundled items and services. We would highlight, 
however, that this revision to the warranties safe harbor does not 
protect free or reduced-priced items or services that sellers provide 
either as part of a bundled warranty arrangement or ancillary to a 
warranty arrangement. Instead, it merely protects the offer and 
exchange of warranty remedies under a warranty arrangement, provided 
all of the safe harbor's conditions are satisfied. As discussed further 
below, items and services provided either as part of or ancillary to a 
warranty arrangement may not need safe harbor protection or may be 
protected by other safe harbors.
    Comment: A commenter supported our proposal not to protect 
warranties covering only services. Another commenter, however, 
recommended that OIG should protect warranties that cover services 
only, explaining that medical device manufacturers can play a role in 
offering data analytics via software solutions, for example to predict 
post-treatment health care conditions and costs and thereby reduce 
utilization of higher-acuity post-acute services. According to the 
commenter, offering warranties that guarantee outcomes from using such 
services would provide an incentive for investment from both parties--
the vendor and the provider.
    Response: We appreciate the commenter's explanation regarding the 
potential benefits of services offerings. As we discussed in the OIG 
Proposed Rule, however, we believe services-only warranty arrangements 
present a heightened risk of fraud and abuse. In particular, we noted 
that the determination of whether services meet a clinical outcomes 
goal established by a warranty arrangement can be more subjective than 
warranties involving items. We also expressed concern that the 
potential to receive a monetary remedy under a services-only warranty 
could induce patients to select a particular provider, particularly if 
the clinical results are not easily achievable. Parties seeking to 
enter into outcomes-based arrangements for only services may look to 
the revised personal services and management contracts and outcomes-
based payment arrangements safe harbor at paragraph 1001.952(d) for 
potential protection.
    Comment: A commenter requested that if OIG finalizes limitations on 
the items and services that may qualify for bundled warranties, OIG 
should clarify that a warrantied bundle of items and services could 
encompass limited support services offered by the manufacturer that are 
not federally reimbursable and are offered free of charge. The 
commenter asked for this clarification in light of preamble language 
from the OIG Proposed Rule stating that the modified safe harbor would 
not protect free or reduced-priced items or services that sellers 
provide either as part of a bundled warranty arrangement or ancillary 
to a warranty arrangement. As an example, the commenter asked OIG to 
confirm that the safe harbor would protect a manufacturer's warranty of 
the clinical effectiveness of a self-injected drug contingent on the 
patient receiving product administration and use education through 
nurse support offered by the manufacturer.
    Response: We confirm that, under the safe harbor as modified, a 
warrantied bundle of items and services could encompass services 
offered by the manufacturer that are not federally reimbursable and are 
offered free of charge, although we emphasize that the safe harbor only 
protects remuneration provided as a warranty remedy; services offered 
for free by manufacturers would not themselves be protected under this 
safe harbor. The same program/same payment requirement does not 
prohibit the inclusion of non-federally reimbursable items or services 
in the bundle of items and services being warrantied. Therefore, under 
the safe harbor, a manufacturer could offer a bundled warranty that 
warranties the clinical effectiveness of a self-injected drug 
contingent on the patient receiving post-prescribing product 
administration and use education through nurse support offered by the 
manufacturer. We also want to confirm and clarify that the modified 
safe harbor does not protect free or reduced-priced items or services 
that sellers provide either as part of a bundled warranty arrangement 
or ancillary to a warranty arrangement. The modifications to the safe 
harbor provide protection for warranty remedies stemming from 
warranties covering more than one item or more than one item and 
service, whereas the original safe harbor for warranties provided 
protection for warranty remedies stemming from warranties on only one 
item. If non-reimbursable items or services offered for free as part of 
a bundled warranty have independent value to a buyer, the parties to 
the warranty arrangement may look to other safe harbors to protect the 
exchange of those items and services, such as the personal services and 
management contracts and outcomes-based payments safe harbor.
    Comment: In response to our solicitation of comments regarding the 
potential anticompetitive effects that bundled warranties may have--
including barriers to entry for manufacturers and suppliers that cannot 
offer bundled warranties--a commenter stated that it did not believe 
competitive barriers to entry were a likely outcome, and that any risks 
of anticompetitive behavior that may exist are better addressed through 
the government's other enforcement authorities to police 
anticompetitive behavior. According to the commenter, it is not 
uncommon for vendors to partner in selling and offering a warranty for 
a bundle of products containing items from different vendors.
    Response: We appreciate this comment and recognize that a variety 
of models exist in the marketplace for bundled-sale arrangements. We 
are not finalizing additional safeguards designed to limit the 
potential anticompetitive effects of bundled warranties. We continue to 
believe, however, that anticompetitive risks can be reduced by the safe 
harbor's provisions prohibiting exclusive-use or minimum-purchase 
requirements as a condition of a warranty offering.
    Comment: A commenter warned that bundled warranties may harm 
competition and limit clinician and patient choice because, even with 
the prohibition on exclusivity and minimum-purchase requirements, 
sellers could condition a warranty on the purchase of a bundle of 
products and services. The commenter suggested that OIG include 
language in the safe harbor that no warranty shall interfere

[[Page 77850]]

with a health care provider's autonomy and responsibility to make 
clinical decisions with regard to patient care and safety.
    Response: We appreciate the commenters' concerns and recognize that 
providing protection for bundled warranties could result in some 
anticompetitive effects. However, the safeguards we are finalizing in 
this rule, including prohibiting exclusivity and minimum-purchase 
requirements and limiting the scope of what may be included in a 
bundled warranty, provide meaningful protection against anticompetitive 
behavior that otherwise may occur. As noted in the OIG Proposed Rule, 
protection for bundled warranties may foster beneficial arrangements 
that facilitate the use of higher-value items and services. While we 
have not included an express requirement that protected warranties 
cannot interfere with a health care provider's autonomy and 
responsibility to make clinical decisions with regard to patient care 
and safety, we emphasize that the modifications to the safe harbor that 
we are finalizing are not intended to--and should not--affect 
providers' ongoing responsibilities to make clinical decisions in the 
best interests of their patients.
    Comment: Some commenters recommended that we include other 
additional safeguards within the safe harbor. For example, a commenter 
urged OIG to consider a safeguard that would prohibit any unfair or 
deceptive practice in the marketing of a service warranty. Another 
commenter urged us to add a requirement that for a warranty to be 
protected under the safe harbor, the manufacturer or supplier must 
determine that the warranty is reasonably related to an evidence-based 
clinical improvement objective and is commercially reasonable.
    Response: As noted above, we believe the safeguards in the OIG 
Proposed Rule strike the right balance between protecting beneficiaries 
and Federal health care programs while promoting beneficial and 
innovative arrangements, such as bundled warranties. In particular, we 
have not added a separate prohibition against unfair or deceptive 
practices because deceptive commercial practices are already prohibited 
by numerous State and Federal laws. We do not believe providing a 
separate requirement here is necessary.
    We also decline to impose a requirement that warranty arrangements 
relate to evidence-based clinical improvement objectives. Although some 
warranties may relate to evidence-based clinical improvement outcomes, 
many warranty arrangements that the safe harbor could protect, such as 
those guaranteeing that an item is defect-free or otherwise functions 
as intended, may not have an evidence-based clinical improvement 
component.
    Finally, we decline to impose a commercial reasonableness 
requirement within the warranties safe harbor for the same reasons 
articulated above. It is not clear that a commercial reasonableness 
requirement would provide additional, meaningful protection against 
fraud and abuse in the context of the warranties safe harbor, given the 
limited scope of protected remuneration and, in particular, that a 
seller may not pay any individual (other than a beneficiary) or entity 
for any medical, surgical, or hospital expense incurred by a 
beneficiary other than for the cost of the items and services subject 
to the warranty.
    Comment: Some commenters opposed restrictions on the manner in 
which sellers could provide warrantied medication adherence services as 
part of a bundled warranty, with those commenters pointing to the 
importance of medication adherence services generally and the alignment 
that exists between manufacturers' incentives and patients' health 
outcomes. Commenters noted that adherence programs can play an 
important role in helping patients follow their prescribed treatment 
regimens, which has been shown to lead to better patient outcomes, 
including fewer hospitalizations and emergency room visits. Commenters 
also pointed out that medication nonadherence--the problem of patients 
not taking medications in accordance with their health care providers' 
directions or otherwise not following their providers' treatment 
recommendations--is a major health problem, leading to poor clinical 
outcomes and increased health care spending. Commenters also asserted 
that the fraud and abuse risks of manufacturers providing medication 
adherence services is low because manufacturers have financial, 
regulatory, reputational, ethical, and legal incentives to ensure their 
products are used only to the extent that they continue to be safe and 
effective for patients. Commenters further noted that, when medication 
adherence programs are included in outcomes-based contracts, 
manufacturers are rewarded for their product working as intended to 
promote patients' health and safety and penalized for their product not 
working well for patients, which improves the alignment between 
manufacturer incentives and patient health and safety.
    Although most commenters on the topic did not support restrictions 
on the manner in which sellers could provide warrantied medication 
adherence services, a few commenters expressed support for a possible 
safeguard discussed in the OIG Proposed Rule. In particular, a 
commenter expressed support for OIG's proposal to require sellers' use 
of independent intermediaries for direct patient adherence activities, 
while another commenter supported a prohibition on any direct patient 
outreach by a seller offering a warranty. A commenter who shared the 
concerns expressed in the OIG Proposed Rule regarding patient outreach 
services being provided by manufacturers and suppliers recommended a 
safeguard requiring that warrantied patient outreach services be 
approved by a licensed medical professional. In doing so, the commenter 
expressed concern that drug manufacturers may abuse any safeguard 
requiring sellers to use independent intermediaries to perform direct 
patient outreach services.
    Response: OIG agrees that medication adherence services can have a 
significant beneficial impact on patient health and health care costs. 
Although we also recognize the potential for greater alignment of 
manufacturers' incentives and patient health outcomes in value-based 
arrangements, at this time most arrangements for the sale of a drug 
reimbursed by a Federal health care program are not outcome-driven, and 
we continue to have concerns regarding the direct provision of 
medication adherence services by sellers of warrantied items because 
their financial incentive to sell their products could result in 
medication adherence services that increase fraud and abuse risks, such 
as patient harm and overutilization.
    Despite these risks, we are not imposing any restriction in this 
final rule on the manner in which warrantied medication adherence 
services may be provided when offered as part of a bundled warranty. A 
limitation on the manner in which sellers of one or more warrantied 
items provide such services as part of a bundled warranty may not 
materially reduce any fraud and abuse risks, particularly because a 
limitation on warranties would not affect the provision of medication 
adherence services in contexts other than bundled warranties. For the 
same reason, we are declining to impose a requirement that warrantied 
medication adherence services must either be provided via an 
independent intermediary or subject to the approval of a licensed 
medical professional. We emphasize that the warranties safe harbor 
would not protect the provision of free or reduced-cost

[[Page 77851]]

medication adherence services furnished by a seller.
    Comment: A few commenters asserted that, consistent with existing 
OIG guidance, medication adherence services do not constitute 
remuneration because they do not have independent value to a buyer but 
rather are integrally related to the underlying product. A commenter 
noted that, although OIG has expressed concern that manufacturer-
sponsored adherence supports could replace actions that a health care 
provider might otherwise take to support medication adherence, the 
likelihood of manufacturer adherence supports leading providers to 
reduce their own efforts to improve their patients' medication 
adherence is very small.
    Response: We disagree with the assertion that medication adherence 
services never constitute remuneration and thus never implicate the 
anti-kickback statute. For example, in Advisory Opinion No. 11-07, we 
noted that the vaccine reminder program offered by a manufacturer could 
have independent value to health insurers and health care entities and 
could confer an additional financial benefit on physicians because the 
vaccine reminders were intended to encourage the recipients to schedule 
an appointment with their children's health care practitioners, who 
likely would be reimbursed for administering the vaccine and possibly 
for an associated office visit. As highlighted in this example, 
medication adherence services could result in a provider's opportunity 
to earn income. We also recognize that medication adherence services 
provided to beneficiaries as part of warranty arrangements could have 
independent value to the beneficiary, depending on how those 
arrangements are structured.
    Although the OIG Proposed Rule stated that the provision of free or 
below fair market value medication adherence services ``would implicate 
the anti-kickback statute,'' \134\ we clarify in this final rule our 
position that such services could implicate the statute but would not 
necessarily implicate the statute in all circumstances, and that such 
analysis would be dependent upon the facts and circumstances of a 
specific offering.
---------------------------------------------------------------------------

    \134\ 84 FR 55748 n.83 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Comment: A commenter urged OIG to ensure that pharmacies can 
continue to provide adherence and medication therapy management 
services, including when such activities are compensated at fair market 
value by payors, manufacturers, and others within the supply and 
payment chain.
    Response: The modifications to the warranties safe harbor set forth 
in this final rule do not change pharmacies' ability to provide 
adherence and medication therapy management services. Any financial 
arrangement between pharmacies and payors, manufacturers, and others 
within the supply and payment chain could implicate the anti-kickback 
statute and should be analyzed on a case-by-case basis for compliance 
with the statute. Depending on the facts, other safe harbors may be 
available, including the personal services and management contracts and 
outcomes-based payments safe harbor.
    Comment: A commenter expressed support for a standalone safe harbor 
protecting manufacturer-supported patient adherence programs, and other 
commenters asked OIG to promulgate an additional rule that expressly 
defines how value-based arrangements for drugs can include all relevant 
health care entities (including manufacturers, payors, providers, and 
patients) and medication adherence programs without running afoul of 
the Federal anti-kickback statute.
    Response: We appreciate the commenters' requests for further 
rulemaking. However, they are outside the scope of this rulemaking.
    Comment: A commenter expressed concern regarding the statement in 
the OIG Proposed Rule regarding the provision of free or reduced-price 
laboratory testing as part of a warranty arrangement. The commenter 
asserted that the inclusion of confirmatory laboratory testing under a 
warranty arrangement could fit within the revised warranties safe 
harbor where a seller engages an independent laboratory under a fair 
market value arrangement to perform testing solely to determine whether 
the terms of a clinical outcome or other value-based warranty have been 
met.
    Response: Regardless of whether items and services used to 
determine the efficacy of a warranty have independent value to the 
buyer, the warranties safe harbor provides protection only for sellers' 
offer and provision of warranty remedies, not the offer or sale of the 
items and services being warrantied or any items or services used to 
determine whether a clinical outcome or other value-based outcome has 
been achieved. We recognize that warranty arrangements in some 
circumstances may require laboratory testing or other data to 
determine, for example, whether clinical or other outcomes have been 
met or whether the buyer or patient has adhered to the terms of the 
warranty.
    We did not intend to suggest in the OIG Proposed Rule that, in all 
instances, confirmatory laboratory testing for purposes of determining 
whether warrantied outcomes have been achieved would implicate the 
anti-kickback statute. Where a seller provides free items and services 
ancillary to a warranty arrangement that could have independent value 
to the buyer, sellers should analyze such arrangements on a case-by-
case basis to determine whether they implicate the anti-kickback 
statute and may look to other safe harbors, such as the safe harbor for 
personal services and management contracts and outcomes-based payments, 
for protection. In the case of confirmatory laboratory testing relating 
to a warranty arrangement, such testing could have independent value to 
the buyer if, for example, it alleviates administrative or financial 
burdens the buyer otherwise would incur to obtain laboratory testing 
for purposes other than the warranty.
b. Requirement for Federally Reimbursable Items and Services Subject to 
Bundled Warranty Arrangements To Be Reimbursed by the Same Federal 
Health Care Program and in the Same Payment
    We recognize the possibility that bundling of one or more items and 
related services that are reimbursed under different methodologies or 
different payments could create incentives for overutilization or the 
potential for cost-shifting. The final rule protects warranties that 
apply to one or more items and related services only if the federally 
reimbursable items and services subject to the warranty arrangement are 
reimbursed by the same Federal health care program and in the same 
Federal health care program payment. The same program/same payment 
requirement provides important protection against these risks.
    Comment: A number of commenters objected to the condition that 
federally reimbursable items and services in a bundled warranty 
arrangement must be reimbursed by the same Federal health care program 
and in the same Federal health care program payment in order to qualify 
for protection under the safe harbor. Commenters expressed concern that 
this condition would constrain innovation by limiting what items may or 
may not be included in a bundle based on reimbursement status, rather 
than focusing on clinical efficacy. A trade association representing 
providers noted that care coordination arrangements often require 
payments

[[Page 77852]]

from different reimbursement methodologies. For example, a joint 
replacement can occur in a hospital or ambulatory surgical center and 
then a patient may be discharged to a skilled nursing facility or to 
home health care. The commenter expressed concern that a warranty 
covering this episode of care would not be eligible for safe harbor 
protection because of the different payment methodologies. The 
commenter recommended OIG implement alternative safeguards in lieu of 
the same program/same payment requirement, such as limiting application 
of the safe harbor to medically necessary items and services, 
prohibiting stinting, and requiring the warranty to be part of a 
written care plan by a licensed medical professional.
    Other health care providers commented that the proposed same 
program/same payment requirement is outdated and unworkable in light of 
value-based arrangements that utilize a combination of items, services, 
or both, and that it is impracticable to determine that the same 
program/same payment requirement will be satisfied for every patient. 
Commenters also noted that warranties allow manufacturers to help 
providers manage risk when testing out new combinations of devices and 
supports, even if they are reimbursed under separate prospective or 
composite rate systems.
    Response: Although the warranties safe harbor could be used to 
protect a wide range of innovative arrangements, it is not designed to 
protect warranties involving items purchased by multiple buyers across 
different care settings or reimbursed by different payment systems. As 
explained further in this final rule, we believe a bundle of products 
paid for separately and potentially across different payment systems 
poses an increased risk of inappropriate utilization and 
overutilization. Such arrangements may qualify for protection under the 
value-based safe harbors described in this final rule, such as the safe 
harbors for care coordination arrangements (paragraph 1001.952(ee)), 
value-based arrangements with substantial downside financial risk 
(paragraph 1001.952(ff)), and value-based arrangements with full 
financial risk (paragraph 1001.952(gg)). We do not believe that the 
proposed alternative safeguards would be as effective--or as 
straightforward to apply and interpret--as the same program/same 
payment requirement we are finalizing.
    Comment: A commenter noted that a manufacturer or supplier seldom 
knows all of the ways in which providers might be reimbursed for items 
and services included in a bundled warranty arrangement.
    Response: As noted above, the warranties safe harbor is not 
designed to protect warranty arrangements that span different care 
settings or that involve multiple payment systems. Sellers should be 
able to craft warranty offerings that meet the terms of the safe 
harbor, even if a particular bundle of items or items and services 
could potentially be reimbursed in different ways. For example, a 
seller's written warranty could specify that warranty remuneration is 
available only in circumstances in which the bundle is reimbursed under 
the same Federal health care program and in the same payment.
    Comment: Commenters noted that the bundled warranty arrangement 
approved under Advisory Opinion No. 18-10 would not meet the revised 
safe harbor because some of the items in the bundle were separately 
reimbursable under certain States' Medicaid programs. Commenters also 
observed that various State Medicaid programs employ different 
reimbursement methodologies and that even within a single State, 
reimbursement methodologies can differ depending on whether 
beneficiaries are covered by the State's fee-for-service program or a 
Medicaid managed care plan.
    Response: We acknowledge that Medicaid programs reimburse items and 
services with a variety of payment methodologies, which can include 
separate, unbundled reimbursement for some items. We remain concerned, 
however, that providing safe harbor protection to warranties containing 
separately reimbursable items would introduce a higher risk of fraud 
and abuse in the form of potential overutilization, inappropriate 
steering, or inappropriate utilization. For example, a buyer may have 
an incentive to purchase separately reimbursable items in order to 
receive the benefit of a warranty on those items because the buyer will 
be reimbursed for each item separately, and if even one item does not 
meet the specified level of performance, the buyer could receive the 
cost of all items in the bundle. By comparison, if a buyer receives one 
warranty payment for all items covered by a bundled warranty, the buyer 
has a greater incentive to contain its costs and not purchase 
unnecessary items (or services).
    The arrangement described in Advisory Opinion No. 18-10 included 
the possibility that bundled devices could be separately reimbursed by 
State Medicaid programs, although the opinion specified that these 
instances would be infrequent and that Medicaid-reimbursed cases 
represented a very small part of the requestor's business. Although 
warranty remuneration paid resulting from the failure of a separately 
reimbursable item or service would not be covered by the warranties 
safe harbor, the advisory opinion process remains available for a legal 
opinion regarding facts and circumstances that may not be protected by 
the safe harbor.
    Although we solicited comments on instances when an exception may 
be necessary to the provision requiring reimbursement by the same 
Federal health care program payment, upon further consideration we do 
not believe an exception is necessary. The modified safe harbor 
requires that federally reimbursable items and services covered by a 
bundled warranty must be reimbursed by the same Federal health care 
program payment--not that the items and services be only reimbursable 
by one Federal health care program payment. In other words, the 
possibility that an item or service is reimbursable under a different 
program or by a different payment does not foreclose a manufacturer or 
supplier from offering a bundled warranty covering the item or service 
as long as the item or service is in fact reimbursed by the same 
Federal health care program payment as the other item(s) and service(s) 
comprising the warranty bundle.
    Although we recognize that it may be difficult for a seller to know 
under which reimbursement methodology a particular item or service will 
be reimbursed, we believe parties entering into bundled warranty 
arrangements could specify in the warranty's written terms that only 
items and services reimbursed by the same Federal health care program 
payment will be eligible for the warranty. Because warranty remedies 
are by their nature furnished after the use of items and services, a 
buyer likely knows before making a warranty claim whether the items and 
services are or will be reimbursed by the same Federal health care 
program payment. Consequently, a warranty undertaking could explicitly 
state that warranty remedies are available only for patients or 
procedures in which the bundled items and services are reimbursed by 
the same program and same payment even where alternative reimbursement 
methodologies for those items and services exist.
    Comment: A commenter noted that in many cases items or services 
included in a bundle are not reimbursed specifically but might be 
deemed reimbursed indirectly as part of a payment for another item or 
service. In such cases, there might be numerous

[[Page 77853]]

potential payments or reimbursement methodologies which could be viewed 
as providing such indirect reimbursement.
    Response: The warranties safe harbor does not attempt to address 
every possible variation in reimbursement methodologies. We continue to 
believe that limiting safe harbor protection to warranties involving 
bundled items and services reimbursed under the same program and same 
payment is an important safeguard to protect against inappropriate 
steering, inappropriate utilization, or overutilization of federally 
reimbursable health care items and services. We believe that, in most 
circumstances, health care providers can identify the reimbursement 
source for a particular item and can also determine whether items and 
services subject to a bundled warranty are reimbursed by the same 
payment.
    Comment: A commenter urged OIG to abandon the same program/same 
payment requirement and instead extend protection for bundled 
warranties involving items and services reimbursed under multiple 
prospective payment or composite rate systems, which the commenter 
asserted would protect a broader range of warranties but pose a low 
risk of fraud and abuse due to cost-shifting because no warrantied 
items would be separately reimbursable. Another commenter suggested 
that the safe harbor should protect bundled warranties involving items 
and services that are not specifically reimbursed under bundled or fee-
for-service payments but that could be reflected in some manner in a 
provider's Medicare cost report.
    Response: Although we recognize that warrantying only bundled items 
and services reimbursed under prospective payment bundles or composite 
rate systems could reduce the risk of cost-shifting between Federal 
health care programs, we remain concerned that protecting bundled 
warranties across such methodologies could complicate both the 
administration of warranties and reporting obligations, and we decline 
to expand the safe harbor provision according to the commenter's 
suggestion.
    Comment: A commenter stated that the same program/same payment 
requirement would not protect a warranty bundle consisting of a 
particular federally reimbursed drug product when used in conjunction 
with a companion diagnostic. According to the commenter, the drug would 
be reimbursed under Medicare at the negotiated price (for a Part D 
drug) or at ASP plus 6 percent (for a Part B drug), while the companion 
diagnostic would be reimbursed under the clinical laboratory fee 
schedule.
    Response: We appreciate the commenter's concern and acknowledge 
that the safe harbor would not protect the type of arrangement 
described in this comment. However, the safe harbor could protect a 
warranty covering a drug product, and where the seller wants to provide 
a companion diagnostic to determine if a warrantied outcome has been 
achieved, the seller could look to other safe harbors to protect the 
provision of the companion diagnostic to the extent the provision of 
the companion diagnostic implicates the anti-kickback statute.
    Comment: A commenter asserted that the same program/same payment 
requirement could foreclose protection for even one-drug warranties 
because drugs are virtually always reimbursed by Medicare, Medicaid 
(and usually additional Federal health care programs), with each 
program having different payment methodologies for outpatient drugs.
    Response: As noted in proposed paragraph 1001.952(g)(5), the same 
program/same payment requirement would only apply when a manufacturer 
or supplier offers a warranty for more than one item or one or more 
items and related services. This requirement would not apply to single-
item warranties.
    Comment: A number of commenters expressed concern that the 
requirement that federally reimbursable bundled items and services be 
reimbursed by the same Federal health care program payment could 
inhibit innovative warranties based on the performance of warrantied 
items and related services across a patient population (population-
based warranties). A commenter argued that the safe harbor should 
accommodate value-based arrangements that study a representative sample 
of a patient population and use the results observed from the sample to 
determine the price or price concession that is appropriate for product 
utilization more broadly. Another commenter asserted that warranties 
offered across a patient population have a low risk of fraud and abuse 
where none of the items or services is separately reimbursable.
    Response: As discussed in the preamble to the OIG Proposed Rule, we 
believe the expanded warranties safe harbor will facilitate beneficial 
and innovative arrangements between buyers and sellers, such as bundled 
warranties. While population-based warranties would not necessarily 
pose the same fraud and abuse risk of problematic cost-shifting between 
Federal health care programs as warranties covering a bundle of items 
and services that are reimbursable under different Federal health care 
programs, population-based warranties could pose different fraud and 
abuse risks. Specifically, population-based warranties may result in 
steering to particular products in a manner that inappropriately limits 
patient choice and providers' clinical decision-making and could result 
in overutilization or inappropriate utilization of items or services 
where a buyer feels compelled to use a certain quantity of a seller's 
product in order to be eligible for a warranty remedy. We appreciate 
the commenter's request for the warranties safe harbor to protect 
value-based arrangements that could inform the price of a product, and 
while the modified safe harbor does not specifically protect 
population-based warranties, we emphasize our statement in the OIG 
Proposed Rule that we may consider specifically tailored safe harbor 
protection for value-based contracting and outcomes-based contracting 
for the purchase of pharmaceutical products (and potentially other 
types of products) in future rulemaking.
c. Capped Amount of Warranty Remedies
    The existing safe harbor for warranties contains the limitation 
that a manufacturer or supplier must not pay remuneration to any 
individual (other than a beneficiary) or entity for any medical, 
surgical, or hospital expense incurred by a beneficiary other than for 
the cost of the item itself. In the OIG Proposed Rule, at proposed 
paragraph 1001.952(g)5), we proposed to adapt this limitation to 
accommodate the safe harbor's expanded protection of bundled 
warranties. In the modifications to the safe harbor we are finalizing 
here, warranty remuneration for any medical, surgical, or hospital 
expense incurred by a beneficiary is capped at the cost of the items 
and services subject to the warranty.
    This cap plays an important role in safeguarding against sellers 
providing excess remuneration to providers to induce referrals. The 
revised safe harbor offers sellers more flexibility by protecting both 
a broader scope of warranties and a potentially higher amount of 
warranty remuneration reflecting the cost of the entire bundle of items 
or bundle of items and services. This adaptation allows sellers to 
offer a valuable remedy to their customers if a product fails to meet a 
specified level of performance.
    Comment: Although some commenters expressed support for OIG's 
proposal to limit the remuneration a

[[Page 77854]]

manufacturer or supplier may pay to any individual (other than a 
beneficiary) or entity for any medical, surgical, or hospital expense 
incurred by a beneficiary other than for the cost of items and services 
subject to the warranty, several commenters objected to this proposed 
safeguard. For example, a commenter argued that warranty remedies that 
exceed the aggregate value of the warrantied items and related services 
are likely to be the key drivers in realizing the potential of value-
based care. Another commenter stated that capping the warranty remedy 
based on the collective cost of the warrantied items and services is 
insufficient because providers expect vendors offering warranties 
addressing long-term population health issues to be financially 
accountable for costs greater than the cost of the items and services 
subject to the warranty.
    Response: As proposed, the revised safe harbor would protect 
warranties in which vendors offer to reimburse any medical, surgical, 
or hospital expense incurred, up to the cost of the warrantied items 
and services incurred by the buyer to acquire those items and services. 
The safe harbor could be used to protect reimbursement for hospital 
expenses incurred as a result of, for example, a bundle of items that 
failed to meet the clinical outcomes guaranteed by a warranty 
arrangement. The total warranty remuneration provided, however--
including the cost of any replacement items--would be limited to the 
original cost of the items and services incurred by the buyer. We 
believe the proposed expansion of this safe harbor provides a 
significant and sufficient opportunity for vendors to offer a 
meaningful and valuable remedy to their customers to account for the 
failure of an item, a bundle of items, or a bundle of items and 
services to meet warrantied standards.
    Comment: Commenters stated that capping the amount of warranty 
remuneration will negatively impact patient care and unnecessarily 
stifle innovative value-based arrangements because vendors will not be 
able to offer appropriate remedies if warrantied outcomes are not 
achieved, such as the provision or payment for medical, surgical, 
hospital, or other services and related items in connection with the 
replacement or supplementation of a warrantied item, or as an 
alternative or supplemental treatment.
    Response: We continue to believe that the proposed cap strikes an 
appropriate balance between protecting remuneration for warrantied 
products and safeguarding against excessive remuneration paid by 
vendors to induce referrals. Furthermore, as we explained in the 
preamble to the OIG Proposed Rule, the safe harbor, as finalized, 
already is broad enough to protect certain value-based arrangements, 
such as warranties that offer a clinical outcomes guarantee, as long as 
the safe harbor's other requirements are met.
    Comment: A commenter stated that there is negligible risk that 
manufacturers and suppliers would use warranties to provide excess 
remuneration because vendors entering into warranty arrangements face 
steep exposure and will take all possible precautions to avoid future 
payments under such warranties.
    Response: We continue to believe that without limiting the amount 
of protected warranty remuneration there is a risk of vendors paying 
excessive remuneration to induce further Federal health care business. 
For example, without a cap on warranty remuneration, a vendor could pay 
for a wide range of consequential expenses resulting from the failure 
of a device including, for example, hospitalization expenses, revision 
surgery, and other downstream expenses, in addition to providing a 
replacement for the faulty device. We believe that would provide too 
great an opportunity for sellers to offer generous remuneration to 
buyers.
d. Prohibition on Exclusivity and Minimum-Purchase Requirements
    We proposed a new safeguard at proposed paragraph 1001.952(g)(6) 
that would preclude warranty arrangements from being conditioned on the 
exclusive use or minimum purchase of one or more items or services. We 
are finalizing this safeguard because we believe it provides important 
protection against patient steering that could interfere with clinical 
decision-making and against potential anticompetitive effects.
    Comment: Some commenters expressed support for the proposed 
prohibition on warranties conditioned on a buyer's exclusive use of any 
of the manufacturer's or supplier's items or services. Other commenters 
argued that these safeguards are unnecessary and possibly contravene 
the intent of the proposal. For example, a commenter noted that 
warranties constitute a means by which sellers compete against one 
another by providing assurances of performance. In addition, commenters 
noted that providers can standardize their use of any one of a number 
of similar, competitive products, and that such standardization through 
exclusivity and minimum-purchase requirements can promote competition 
and lower costs without triggering any concerns regarding patient 
access to medically necessary items.
    Response: We are finalizing the prohibition against sellers 
conditioning a warranty on a buyer's exclusive use or minimum purchase 
of any of the seller's items or services. Although exclusivity and 
minimum-purchase requirements may allow for certain efficiencies, we 
view exclusivity and minimum-purchase requirements tied to the offer of 
a warranty as potentially abusive steering practices that could result 
in, among other things, interference with clinical decision-making, 
overutilization or inappropriate utilization, or anticompetitive 
effects. Because warranty arrangements can be valuable tools for buyers 
to defray the costs associated with an item (and under the modified 
safe harbor, multiple items or items and services) that does not 
function as expected, the potential for sellers to require exclusivity 
and minimum-purchase requirements in exchange for a warranty may lock 
buyers into a particular item (and under the modified safe harbor, 
multiple items or items and services) and thereby could result in, for 
example, a buyer using a particular item in a given case that is not in 
the patient's best interest.
    Comment: A commenter asserted that exclusivity and minimum-purchase 
requirements are features that can promote competition and lower costs, 
as in the case of purchase discounts conditioned on the volume of 
products purchased. The commenter observed that a warranty might be 
conditioned on a minimum- or exclusive-purchase requirement, and that 
such requirement would not preclude a buyer from purchasing competitive 
products in violation of the requirement; the provider would simply 
lose the benefit of the warranty by doing so.
    Response: Because warranties can be valuable tools for buyers to 
defray the costs associated with an item (or items and services) that 
do not function as expected, we reiterate our concerns that 
conditioning warranties on exclusivity or minimum-purchase requirements 
increases certain fraud and abuse risks, as described above, and thus 
we are finalizing the modifications to the safe harbor with the 
prohibition on conditioning warranties on such requirements.
    Comment: A number of commenters urged OIG to omit or revise the 
prohibition against conditioning warranties on minimum-purchase or 
exclusivity requirements. In particular, commenters asserted that 
population-based warranties typically require that there be some 
minimum level of use of the product (and any related services) so

[[Page 77855]]

as to make the outcomes measure statistically meaningful. For example, 
a manufacturer might state in a warranty, consistent with clinical 
studies, that use of its device will produce the warrantied outcome a 
given percentage of the time, but that the warranty is only available 
if the device has been used on a large enough number of patients 
(typically determined through a minimum-purchase requirement) to 
produce a statistically relevant outcomes measure.
    Response: We agree that population-based warranties could require a 
certain amount of use of a product and any related services to make the 
outcomes measure(s) set forth in a warranty undertaking statistically 
meaningful. However, for the reasons set forth in this preamble, we are 
finalizing the same program/same payment requirement, which means that 
protection under the safe harbor as modified does not extend to 
warranties for items used across a patient population. Particularly 
given this limitation in the safe harbor, we do not believe 
conditioning warranties on exclusivity or minimum-purchase requirements 
is necessary for sellers to engage in beneficial warranty arrangements 
that promote the value of the items and services being warrantied.
    Comment: A commenter urged OIG to adopt a permissive approach, 
which would protect warranties conditioned upon exclusive-use 
arrangements under the safe harbor as long as manufacturers or 
suppliers: (i) Have good-faith reasons for adopting exclusive-use 
requirements; (ii) take and document reasonable precautions to avoid 
stinting on care, cherry-picking, lemon-dropping, or inappropriate 
utilization; and (iii) otherwise ensure that neither clinical decision-
making nor patient care choices are adversely impacted.
    Response: We appreciate the commenter's recommended safeguards and 
the commenter's focus on reducing the fraud and abuse risks associated 
with exclusivity requirements. However, for the reasons articulated 
above, we view certain risks as an inherent part of warranties 
conditioned on the exclusive use of any of a seller's products or 
services, and thus we are finalizing a safe harbor provision 
restricting warranties conditioned on exclusivity requirements.
    Comment: Commenters noted that sellers of items reimbursed under 
Federal health care programs are not subject to any general 
prohibitions on imposing exclusivity or minimum-purchase requirements 
as a condition of making discounts available or otherwise.
    Response: To the extent that the commenter refers to the discount 
safe harbor and the warranties safe harbor, those safe harbors were 
designed to protect remuneration paid under different circumstances, 
and therefore it is appropriate to include different safeguards in the 
safe harbors.
    Comment: A number of commenters asserted that many of the 
innovative, risk-based warranty arrangements proposed by manufacturers 
may include equipment and consumables that must be used together, 
resulting in a requirement to exclusively utilize a manufacturer's 
goods in order to obtain warranty protection. The proposed limitation 
on exclusive use could hinder these manufacturers from creating and 
proposing such warranty-based risk-sharing arrangements.
    Response: The revised warranties safe harbor, consistent with the 
description in the OIG Proposed Rule, would expand the safe harbor to 
explicitly protect warranties in which a bundle of items or a bundle of 
items and services must be used together to obtain warranty protection. 
The exclusive-use and minimum-purchase prohibitions provide meaningful 
protections against inappropriate steering practices and 
anticompetitive effects without impacting the ability of manufacturers 
and suppliers to offer bundled warranties.
    Comment: A commenter requested clarification on how OIG will 
interpret the exclusive-use limitation if, for example, a provider 
enters into an arrangement to purchase an ``exclusive'' or 
``preferred'' product independent of any potential unrelated bundled 
warranty offered by the product's manufacturer.
    Response: OIG is aware that arrangements exist in which providers 
agree to the exclusive purchase of a particular item or designate an 
item as ``preferred'' in exchange for favorable commercial terms. The 
revised safe harbor is not intended to impact those arrangements. 
Rather, the exclusive-use and minimum-purchase provisions in the 
revised safe harbor prevent a manufacturer or supplier from receiving 
safe harbor protection for a warranty that is conditioned on the 
buyer's exclusive use or minimum purchase of items or services offered 
by the manufacturer or supplier. We interpret the ``conditioned on'' 
standard to mean that a causal connection exists between receiving a 
warranty (or continuing eligibility for warranty coverage) and 
maintaining exclusivity or minimum-purchase levels. The safe harbor 
does not prohibit exclusive-use or minimum-purchase provisions that are 
conditioned upon commercial terms unrelated to the offer of a warranty.
e. Reporting Requirements
    As discussed in the OIG Proposed Rule, industry stakeholders have 
expressed concern that the safe harbor's existing reporting requirement 
could limit the ability of sellers to offer innovative warranty 
arrangements, including warranties that span multiple years. 
Stakeholders also have noted that the reporting requirement could make 
safe harbor protection unavailable for providers that lack specific 
reporting obligations under Federal health care programs or providers 
that do not file cost reports.
    We are addressing these concerns in this final rule by: (i) 
Clarifying in the preamble discussion below that the safe harbor can be 
used to protect warranty arrangements that span multiple years; (ii) 
changing references in the safe harbor from ``the price reduction'' to 
``any price reduction'' to make clear that more than one price 
reduction may occur pursuant to a warranty arrangement; and (iii) 
clarifying in this preamble that buyers are obligated to report price 
reductions in a manner compatible with the reimbursement methodology 
for the warrantied items or services, including circumstances in which 
a provider does not submit cost reports or a formal ``claim for 
payment'' unless the payor does not provide a reporting mechanism. 
Lastly, we are making a technical, non-substantive correction to 
paragraph 1001.952(g)(3) to remove a comma after ``and'' and before 
``when any price reduction becomes known.''
    Comment: A commenter noted that many items and services are 
reimbursed by Medicare Advantage plans or Medicaid managed care 
organizations, and therefore buyers have no obligations to report price 
reductions in a ``cost reporting mechanism'' or ``claim for payment,'' 
as referenced in the warranties safe harbor. The commenter asked OIG to 
clarify that a buyer should only be required to report a price 
reduction or replacement product obtained as part of a warranty if it 
has an obligation to do so under applicable requirements of the Federal 
health care program payor making payment for the warrantied item or 
service to which the price reduction relates.
    Response: In the preamble to the OIG Proposed Rule, we solicited 
comments on the burden of current reporting requirements and the need 
for more flexible reporting requirements for warranties tied to 
clinical outcomes. We emphasize that buyers, other than beneficiaries, 
are obligated under the

[[Page 77856]]

safe harbor to report price reductions in a manner compatible with the 
reimbursement methodology for the item(s) or service(s) which, as a 
commenter pointed out, may not in all circumstances be reported in a 
``cost reporting mechanism'' or a ``claim for payment.'' We affirm that 
this requirement applies to buyers even when buyers do not have an 
express obligation to report a price reduction or replacement product 
under applicable requirements of the Federal health care program payor 
making payment for the warrantied item or service to which the price 
reduction relates. In the event that a payor does not provide any 
mechanism for reporting of costs, such reporting is not required in 
order for a buyer to obtain safe harbor protection.\135\
---------------------------------------------------------------------------

    \135\ We remind parties to warranty arrangements that they must 
comply with all legal obligations associated with Medicare cost 
reporting and other applicable requirements of any Federal health 
care program payor, including those related to billing and payment 
for replaced devices offered without cost or with a credit. For 
example, we note that under the Medicare inpatient prospective 
payment system if a provider received full credit for the cost of a 
device, CMS requires that the credit be reported to the Medicare 
program and the cost of the device is subtracted from the DRG 
payment. See 42 CFR 412.89; 42 CFR 412.2(g) and Medicare Claims 
Processing Manual, CMS Pub. 100-04, Ch. 3, Sec.  100.8.
---------------------------------------------------------------------------

    Comment: In light of our preamble discussion regarding the timing 
of reporting requirements, including the protection for outcomes-based 
warranty arrangements in which buyers could receive return payments 
from manufacturers over several years, commenters requested additional 
clarification with respect to reporting requirements. In particular, 
commenters requested clarification that multiple warranty payments 
related to the same item or bundle of items and services could be 
reported at various points throughout a warranty arrangement, and that 
buyers are obligated to report such payments at the time they are 
received. A commenter suggested that OIG revise the manufacturer 
reporting requirements such that price reductions must appear either on 
an invoice or a statement, or on a series of invoices or statements. 
The commenter also suggested revising paragraph 1001.952(g)(3)(ii) such 
that the manufacturer is obligated to provide the buyer with 
documentation of the price reduction calculation in the same fiscal 
year as the purchase or the following fiscal year.
    Response: We agree with the commenters that, under the warranties 
safe harbor, buyers can report multiple warranty payments related to 
the same item or bundle of items and services at various points 
throughout a warranty arrangement. Paragraph 1001.952(g)(1) already 
requires buyers to report ``any price reduction'' obtained as part of 
the warranty. We are finalizing corresponding revisions to paragraph 
1001.952(g)(3) to change all references to ``the price reduction'' to 
``any price reduction'' to make clear that more than one price 
reduction may occur pursuant to a warranty arrangement. With respect to 
the commenter's suggestion to allow sellers to report price reductions 
on a series of invoices or statements, we believe this expansion of the 
safe harbor is unnecessary because sellers must either: (i) Report 
price reductions on the initial invoice or statement the manufacturer 
sends to the buyer; or (ii) when the amount of any price reduction is 
not known at the time of sale, report the existence of the warranty on 
the invoice or statement, and later provide the buyer with 
documentation of the calculation of any price reduction resulting from 
the warranty. Therefore, sellers must provide information regarding all 
price reductions to the buyer regardless of whether sellers report them 
on an invoice or statement or otherwise. Lastly, the modifications to 
the warranties safe harbor set forth in this final rule do not include 
a requirement for the seller to provide the buyer with documentation of 
the price reduction calculation in the same or following fiscal year of 
the buyer. We expect buyers and sellers to fulfill their reporting 
obligations under paragraphs 1001.952(g)(1) and 1001.952(g)(3) in a 
timely manner but are not otherwise prescribing a timeline for doing 
so.
    Comment: A commenter requested clarification that buyers are 
entitled to use any reasonable methodology for purposes of allocating a 
rebate that does not relate to a specific item or service across all 
bundled items and services to which the warranty rebate relates.
    Response: We understand that, in some circumstances, remuneration 
paid pursuant to a bundled warranty will be related to more than one 
item or service that fails to meet the specifications set forth in the 
warranty undertaking. The safe harbor does not set forth a specific 
methodology to allocate reporting across multiple items or a 
combination of items and services. OIG believes that in most cases a 
warranty remedy paid pursuant to a bundled warranty should be reported 
proportionately to the cost of each bundled item or service, but we 
wish to provide flexibility for buyers to adopt different but 
reasonable allocation methodologies in circumstances in which, for 
example, the failure of the bundle to meet the agreed specifications 
results disproportionately from the failure of a particular item or 
service.
    Comment: A commenter supported the proposal to expressly exclude 
beneficiaries from the reporting requirements applicable to other 
buyers.
    Response: We appreciate the commenter's support, and we are 
finalizing revisions to the warranties safe harbor to exempt 
beneficiaries from the reporting requirement for buyers.
    Comment: A commenter noted that a cost reduction under a warranty 
might be received long after the warrantied item has been purchased by 
a provider, particularly when the clinical outcome from the use of the 
item may be measured several years after the initial purchase of the 
item. Accordingly, the commenter recommended that OIG specifically 
provide for safe harbor purposes that such a rebate must be reported 
only after it is received.
    Response: We agree that the reporting requirement is not triggered 
until remuneration is received under the warranty arrangement. We also 
recognize that the failure of an item or service to meet specifications 
might not occur until a period of years after purchase.
f. Definition of ``Warranty''
    We proposed and are finalizing at paragraph 1001.952(g)(7) to 
define ``warranty'' directly and not by reference to 15 U.S.C. 2301(6). 
By defining ``warranty'' directly, we clarify that the warranties safe 
harbor is available for drugs and devices regulated under the Federal 
Food, Drug, and Cosmetic Act, whereas the definition set forth in 15 
U.S.C. 2301(6) potentially excludes FDA-regulated drugs and devices. 
The safe harbor protects not only warranties covering a ``product'' but 
warranties covering an item or bundle of items, or services in 
combination with one or more related items. Finally, the new definition 
parallels the prior definition's language requiring a written promise 
that an item, bundle of items, or bundle of items and services is 
defect-free or will meet a specified level of performance over a 
specified period of time.
    As we explained in the OIG Proposed Rule, we interpret the 
definition of ``warranty'' to apply to warranty arrangements 
conditioned on clinical outcomes guarantees, provided other safe harbor 
requirements are met.
    Comment: Commenters expressed support for the proposed revisions to 
the warranties safe harbor, including adopting a new definition of the 
term ``warranty.'' Several commenters offered proposed revisions to the 
types of remuneration articulated in proposed

[[Page 77857]]

paragraph 1001.952(g)(7)(ii). In particular, commenters urged OIG to 
confirm that a partial refund or retrospective rebate resulting in a 
price adjustment would constitute a ``refund'' or ``other remedial 
action,'' as those terms are used in paragraph 1001.952(g)(7)(ii).
    Response: As explained in the preamble to the OIG Proposed Rule, 
OIG's proposed definition is largely modeled after the definition of 
``warranty'' in the Magnuson-Moss Act, codified at 15 U.S.C. 2301(6), 
which defines ``refund'' as refunding the actual purchase price (less 
reasonable depreciation based on actual use where permitted by rules of 
the Commission). Although we have not explicitly adopted this 
definition, it provides persuasive guidance as to how we would 
interpret the term ``refund.''
    Regardless of how ``refund'' is defined, our proposed safe harbor 
contemplates that manufacturers or suppliers may ``take other remedial 
action'' if an item fails to meet the specifications set forth in the 
written arrangement. It is conceivable that a partial refund or 
retrospective rebate resulting in a price adjustment would constitute 
``other remedial action'' as long as all other conditions of the safe 
harbor were met.
    Comment: Several commenters recommended that OIG expand the list of 
permissible types of remuneration in paragraph 1001.952(g)(7)(ii) to 
allow for ``reperformance of services.''
    Response: Our definition of ``warranty'' includes an arrangement 
``to refund, repair, replace, or take other remedial action. . . .'' If 
a warranty arrangement is connected to the sale of a bundle of items 
and services, ``reperformance of services'' likely would be an ``other 
remedial action'' under the safe harbor as long as all other safe 
harbor conditions were satisfied, including that the total remuneration 
provided (in whatever form) cannot exceed the cost of the items and 
services subject to the bundled warranty arrangement.
    Comment: A commenter recommended that in addition to protecting 
warranty arrangements that provide remuneration in the event of product 
failure, the safe harbor should allow vendors to receive success 
payments in the event legitimate value-based objectives are achieved.
    Response: The warranties safe harbor is designed to protect 
warranty arrangements in which vendors offer remuneration to their 
customers in the event one or more items, or a bundle of one or more 
items and related services, fails to meet a specified level of 
performance. The safe harbor does not by its terms protect arrangements 
in which customers pay success fees to vendors contingent upon 
achieving certain outcomes. Depending on how such an arrangement is 
structured, remuneration paid by a customer to a vendor might not 
implicate the anti-kickback statute, or it might fall within a 
different safe harbor, such as the revised safe harbor for personal 
services and management contracts and outcomes-based payment 
arrangements. Any such arrangements should be reviewed and analyzed 
under the anti-kickback statute on a case-by-case basis.
    Comment: A commenter urged OIG to provide examples of the types of 
clinical outcomes guarantees that could be protected under the 
warranties safe harbor. Another commenter expressed concern regarding 
whether outcomes can properly be guaranteed by suppliers or 
manufacturers of warrantied items.
    Response: As noted above, we believe the expanded warranties safe 
harbor could be used to protect a wide range of warranty arrangements 
including, as we discussed in the preamble to the OIG Proposed Rule, 
warranty arrangements conditioned on clinical outcomes guarantees. In 
this final rule, we decline to provide specific examples of the types 
of clinical outcomes guarantees that might be protected because we do 
not wish to narrow the scope of innovative arrangements that might seek 
coverage under the safe harbor.
    Comment: A commenter asked OIG to clarify that the warranties safe 
harbor would protect an arrangement in which a warranty payment could 
vary depending on the product's performance on one or more dimensions 
specified in the warranty arrangement, as opposed to the warranty 
payment being a fixed amount.
    Response: The warranties safe harbor--both in its existing form and 
as modified by this final rule--is silent on whether a warranty 
arrangement protected under the safe harbor can have a single 
triggering condition or multiple triggering conditions in order to 
qualify for safe harbor protection. We believe, however, that a 
warranty arrangement could have multiple triggering conditions based on 
specifications set forth in the warranty undertaking. In such an 
arrangement, the seller must still comply with paragraph 1001.952(g)(4) 
in determining the maximum amount of remuneration it could offer for 
any given item, bundle of items, or bundle of items or services.
    Comment: Some commenters encouraged OIG to make clear that a 
``buyer'' as referenced in the safe harbor includes an indirect buyer 
such as a payor or pharmacy benefit manager. Another commenter asked 
OIG to coordinate with CMS to recognize that reimbursement for or 
replenishment of items and services, pursuant to a warranty 
arrangement, is excludable from price reporting under CMS's government 
pricing regulations and guidance, including determining how warranty 
arrangements involving pharmaceutical products and manufacturer-
supported adherence programs impact CMS's determination of best price.
    Response: The warranties safe harbor does not contain a definition 
of the term ``buyer,'' and the modifications to the safe harbor that we 
are finalizing do not affect the scope of individuals and entities that 
may receive protection under the safe harbor as buyers. Consistent with 
our approach elsewhere in this final rule, we decline to label certain 
individuals or entities as ``buyers'' in order to encourage innovation. 
The commenter's request regarding price reporting under CMS pricing 
regulations and guidance is outside the scope of this rulemaking.
    Comment: A commenter expressed concern that the safe harbor's 
definition of warranty is not sufficiently broad to protect warranties 
that guarantee achievement of value-based outcomes.
    Response: As modified, the safe harbor protects arrangements that 
guarantee ``a specified level of performance'' of an item, a bundle of 
items, or a bundle of items and services. We clarified in the preamble 
to the OIG Proposed Rule that the warranties safe harbor's protection 
could extend to arrangements conditioned on clinical outcomes 
guarantees, which could include warranties conditioned upon ``value-
based'' outcomes that meet the safe harbor's other requirements. We 
believe this offers buyers and sellers significant flexibility to 
structure arrangements that guarantee achievement of value-based 
objectives in the context of a warranty. The advisory opinion process 
remains available for parties seeking OIG's legal opinion on a specific 
arrangement.
12. Local Transportation (42 CFR 1001.952(bb))
    Summary of OIG Proposed Rule: We proposed to modify the existing 
safe harbor for local transportation at paragraph 1001.952(bb) to: (i) 
Expand the distance limitations applicable to residents of rural areas 
from 50 to 75 miles (including for shuttle services); and (ii) remove 
any mileage limitation for a patient transported from an inpatient 
facility from which the patient has been discharged after admission as

[[Page 77858]]

an inpatient to the patient's residence or another residence of the 
patient's choice. We indicated that we were considering and solicited 
comments on whether to eliminate the mileage limitation for patients 
discharged from certain settings and to extend the safe harbor to 
protect transportation for nonmedical purposes that may improve or 
maintain patient health. We provided preamble guidance to clarify that 
we believe nothing in the language of the safe harbor precludes 
protection for transportation offered through ride-sharing services and 
invited commenters to share any basis for disagreement. We also 
proposed a technical change to move undesignated definitions set forth 
in the note to paragraph 1001.952(bb) to a new paragraph 
1001.952(bb)(3).
    Summary of Final Rule: We are finalizing the proposed modifications 
to the safe harbor at paragraph 1001.952(bb), with modifications. With 
respect to transportation following an inpatient admission, we clarify 
that the mileage limits do not apply when the patient is discharged 
from an inpatient facility following inpatient admission or released 
from a hospital after being placed in observation status for at least 
24 hours. We retain our guidance regarding rideshare programs and do 
not extend protection under the safe harbor to transportation for non-
medical purposes. We finalize the technical reorganization.
a. Expansion of Mileage Limit for Patients Residing in Rural Areas
    Comment: Many commenters supported our proposal to increase the 
mileage limit for safe harbor protection of transportation of residents 
of rural areas to 75 miles. One such commenter explained that an 
expansion to 75 miles would meaningfully ``capture'' the communities 
and patients it serves and enable those patients who live farther away 
to access specialty services such as cancer care, neurology, 
transplant, and other specialties that are typically concentrated in 
larger hospitals located in urban areas. Another commenter stated that 
because many rural residents must travel more than 50 miles to obtain 
medically necessary services, increasing the limit to 75 miles likely 
would improve access to health care for many rural residents.
    However, not all commenters agreed. A commenter explained that 
rural areas are increasingly reporting shutdowns of local health care 
providers, which increases the distance traveled to receive necessary 
care. The commenter pointed to examples of closings of nursing homes 
resulting in patients being moved farther away. The commenter explained 
that a mileage limitation of 75 miles in rural areas would be 
insufficient because it is not uncommon for skilled nursing facilities 
and assisted living facilities to be located 150 miles or more from 
hospitals, physician's offices, outpatient facilities, and other 
clinical locations. The commenter advocated for OIG to expand the 
mileage limitation to 150 miles in rural areas; alternatively, the 
commenter suggested that OIG expand to 75 miles for all patients and 
150 miles for transports originating in a rural area as defined under 
the U.S. Census Bureau's classification guidelines.
    Response: We are finalizing the proposed expansion to 75 miles for 
residents of rural areas. In the OIG Proposed Rule, we explained that 
commenters to the OIG RFI stated that the existing local transportation 
safe harbor's 50-mile limit for rural areas was insufficient because 
many residents of rural areas needed to travel more than 50 miles to 
obtain medically necessary services. We proposed to increase the 
mileage limit for rural areas to 75 miles and solicited comments on 
whether this increase would be sufficient. We further solicited data 
and evidence about appropriate distances, as well as information about 
patients needing transportation and how longer distance transportation 
would be provided. We indicated that we would use the information to 
assist us in determining whether an increased distance limit is 
necessary and practical and whether it is likely to be subject to 
abuse.
    For the following reasons, we have determined that an increase to 
75 miles is necessary and practical, and we are finalizing the 75-mile 
limit. In combination with all of the conditions of the safe harbor, we 
conclude that the increased mileage limit is not likely to be subject 
to abuse. Commenters on this topic universally supported an expanded 
mileage limit for rural areas, and many supported our specific proposal 
of 75 miles. The final safe harbor will expand safe harbor protection 
and facilitate access to health care for residents of rural areas, 
including those seeking types of specialty care often concentrated in 
urban areas. The expanded mileage limit facilitates access to care for 
rural area patients whose travel distances have increased due to 
provider closings.
    The existing safe harbor contains a single, uniform mileage limit 
for rural areas, offering a bright line standard that is practical and 
clear to administer from a compliance perspective. Our final rule 
preserves this structure. Accordingly, we are not adopting the 
suggestion to create a longer distance standard applicable only to 
transports originating in rural areas. Nor are we adopting the 
suggestion to extend the mileage limit for rural areas to 150 miles. 
The safe harbor is intended for local transportation and this limit to 
local transportation is rooted in the legislative history in connection 
with the Beneficiary Inducements CMP. In enacting the CMP provision 
prohibiting inducements to Federal and state health care program 
beneficiaries, Congress intended that the statute not preclude the 
provision of complimentary local transportation of nominal value.\136\ 
We are concerned that 150 miles would be neither local nor 
appropriately address risks of abuse, such as inducing beneficiaries to 
travel long distances for care when they might prefer and be able to 
obtain comparable care more locally.
---------------------------------------------------------------------------

    \136\ H.R. Conf. Rep. No. 104-736 at 255. See also 79 FR 59717, 
59722-23 (Oct. 3, 2014); 81 FR 88368, 88379 (Dec. 7, 2016).
---------------------------------------------------------------------------

    We are mindful of the disruptions and burdens on patients in rural 
areas when local providers close and patients are transferred or must 
seek care at more distant locations. The news reports cited by the 
commenter describe some patients being transferred from closed nursing 
facilities between 50 and 75 miles away and others moving longer 
distances. We believe the expanded limit we are finalizing should help 
many patients facing longer travel distances. We recognize that the 
safe harbor will not protect every instance of needed transportation. 
This does not mean that programs offering transportation for rural area 
patients at greater distances are unlawful. To the contrary, such 
programs may be lawful depending on their facts and circumstances and 
would need to be evaluated on a case-by-case basis under the statute, 
including with respect to the intent of the parties. We remind 
stakeholders that the OIG advisory opinion process remains available 
for parties seeking to determine whether a particular arrangement 
complies with the law. We note that our further modification of the 
safe harbor to eliminate any distance limit for beneficiaries needing 
transportation from hospital inpatient or observation stay services to 
their residences, which can include nursing facilities, will also 
assist residents in rural areas facing longer travel distances to 
obtain health care.
    Comment: While some commenters found the increase of the limit for 
transportation of residents of rural communities to 75 miles to be 
sufficient

[[Page 77859]]

to address patient needs, many commenters advocated for OIG to expand 
the mileage limit further for certain categories of patients, such as 
those patients who live in areas without public transportation, those 
who have no health care facilities within 75 miles of their home, or 
those who lack access to specialty health care services due to the 
closures of nearby rural hospitals. For example, a transportation 
company shared OIG's desire to expand transportation access in rural 
areas and explained that 20 percent of Americans live in rural areas 
but that rural hospital closures have increased significantly in recent 
years. The commenter suggested that OIG remove the distance limit so 
that it could provide transportation for rural patients who now have to 
travel longer distances to receive care. According to the commenter, 
rural communities face limited transportation options, and reliable 
transportation could effectively close gaps in access to care.
    Commenters suggested various options that generally would tie 
protection for transportation beyond 75 miles to a patient's medical 
need. For example, a commenter recommended that we protect 
transportation that is greater than 75 miles if the eligible entity 
determines that a patient requires a medical procedure and the nearest 
provider of such procedure is more than 75 miles from the patient's 
residence. At least one commenter suggested that we impose additional 
monitoring requirements when transportation in excess of the proposed 
mileage limit is necessary.
    Another commenter suggested protection for transportation exceeding 
75 miles when the provider certifies in writing that there is no 
alternative provider available within 75 miles of the patient's home 
and that the transportation is furnished based on patient need using a 
good faith, individualized determination that the transport is 
necessary to facilitate the patient's access to medically necessary 
items or services. However, some commenters expressed concern that 
requiring a demonstration of need for transportation exceeding 75 miles 
would unnecessarily complicate the provision of transportation 
services, could lead to administrative burden, and would not further 
the objectives of the safe harbor. At least one of these commenters 
suggested that, if it does impose such a condition, OIG should 
recognize a range of need assessment tools.
    Another commenter suggested that OIG should expand the mileage 
limitation beyond 75 miles for ``frontier areas'' (which the commenter 
recommended that we define using selected levels from either commuting 
codes or frontier and remote codes), but it recommended that we include 
safeguards to prohibit bypassing locally available health care. At 
least one commenter asserted that no demonstration of financial, 
medical, or transportation need should be required for transportation 
above the current limits because the requirement for transportation to 
be for medically necessary items or services serves as sufficient 
protection.
    Response: For the reasons in the prior response, we are finalizing 
our proposal to increase the rural area mileage limit from 50 miles to 
75 miles but are not extending it farther. For the reasons that follow, 
we are not adopting the suggestions to expand safe harbor protection 
for distances beyond 75 miles in the specific circumstances suggested 
by commenters (e.g., instances where eligible entities determine or 
certify that there is a medical need, areas lacking public 
transportation or access to specialty health care services, or areas 
where rural hospitals have closed).
    We are maintaining the current safe harbor design of a single, 
uniform mileage limit for rural areas, which offers bright-line 
guidance and reduces administrative burden, including the 
administrative burden associated with the need to obtain certifications 
and/or other evidence of need determinations. We acknowledge and agree 
with commenters' concerns that imposing a patient need standard for 
exceptions to the general mileage limitations in the safe harbor could 
be administratively burdensome, and we are not adopting a patient need 
standard as a condition of the safe harbor. In the 2016 rule finalizing 
the local transportation safe harbor, we stated that while we 
understand that a set mileage limit is not a one-size-fits-all 
solution, we believe that a bright-line rule is easier for all parties 
to apply.\137\ This remains true. Specifically, the expansion of the 
mileage limitation combined with the bright-line rule should benefit 
many patients in rural and underserved areas and should be easy for 
eligible entities to apply in practice.
---------------------------------------------------------------------------

    \137\ 81 FR 88388 (Dec. 7, 2016).
---------------------------------------------------------------------------

    Furthermore, if we were to expand the mileage limit for specific 
types of patient need, we are concerned that providers could develop 
arbitrary criteria that do not reflect legitimate need and are subject 
to abuse. We are also concerned that, in many instances, exceptions 
could swallow the mileage-limitation rule, which we view as a 
fundamental safeguard and consistent with the safe harbor's intended 
focus on local transportation.\138\ On balance, including additional 
monitoring or certification conditions would not mitigate these 
concerns sufficiently to warrant the extra administrative burden.
---------------------------------------------------------------------------

    \138\ 81 FR 88387-89 (Dec. 7, 2016).
---------------------------------------------------------------------------

    In finalizing this proposal, we aim to balance the needs of rural 
patients to have access to quality health care with our concerns that 
patients could be transported for unnecessary care or be swayed to use 
a more distant provider even when they may prefer to receive items or 
services from a local provider. Transportation arrangements in rural 
areas or to address specific fact patterns such as hospital closures, 
lack of public transportation, or access to specialty health care 
services are not necessarily unlawful and would be evaluated for 
compliance with the statute on a case-by-case basis, including with 
respect to the intent of the parties. Individuals and entities that 
participate in value-based enterprises as VBE participants may look to 
the patient engagement and support safe harbor paragraph 1001.952(hh) 
as an additional or alternative avenue of protection for certain 
transportation services. Parties may also use OIG's advisory opinion 
process for specific facts and circumstances that may fall outside safe 
harbor protection.
    Comment: Some commenters requested wholesale exemption from any 
mileage limitations under the safe harbor. Several commenters 
representing Indian health care providers asked that the safe harbor 
not include any mileage limitations for transportation provided by 
Indian health care providers; in addition, some of these commenters 
advocated removing any restrictions regarding the use of Federal funds 
by Indian health care providers for the cost of transportation 
furnished to their beneficiaries. Some of these commenters recommended 
that OIG expand the safe harbor to protect free emergency 
transportation and air transportation for patients of Indian health 
care providers.
    A commenter that represents community health centers recommended 
that OIG exempt certain health centers from the mileage limits because 
Federal regulations issued by the Health Resources and Services 
Administration require certain health centers to provide transportation 
services as needed for adequate patient care.\139\
---------------------------------------------------------------------------

    \139\ 42 U.S.C. 254b(b)(1)(A)(iv).
---------------------------------------------------------------------------

    Another commenter suggested that OIG expand the safe harbor for

[[Page 77860]]

transportation for homeless individuals in a manner that aligns with 
California Health and Safety Code section 1265.2(o), which requires 
documentation that a hospital prior to discharge of a homeless patient 
has offered the homeless patient transportation to a specified 
destination if that destination is within a maximum travel time of 30 
minutes or a maximum travel distance of 30 miles of the hospital. 
Numerous commenters suggested that OIG expand the mileage limit for 
``special patient populations,'' such as patients undergoing cancer or 
behavioral health treatment or receiving dialysis services, regardless 
of whether such patients reside in a rural or urban area. According to 
these commenters, these special patient populations often need 
transportation services to care facilities over much greater distances 
than 25 or 75 miles in order to access quality care to treat their 
medical conditions. At least one such commenter recommended that OIG 
require providers to use ``reasonable measures'' (e.g., a shortage of 
appropriate medical facilities or health care professionals in a 
geographic area) that would be evaluated based on the totality of the 
circumstances for each individual.
    Response: In developing this final rule, we considered the comments 
offered by entities that provide services for communities with unique 
health care needs. The commenters raise important considerations about 
access to care for Tribal, rural, and underserved communities, an area 
of ongoing interest for OIG in our work to look at the effectiveness of 
HHS programs. Here, however, we have concerns regarding the fairness of 
eliminating the mileage limitation for populations of patients with 
specific health conditions while imposing mileage restrictions on 
patients with other health conditions. It would also be difficult to 
craft a fair and sufficiently bright-line rule allowing for exceptions 
to the mileage limitation based on ``reasonable measures'' evaluated on 
a case-by-case basis. Furthermore, any such exception would be 
difficult to administer.
    We note that lack of access to care in a particular geographic area 
could be a relevant factor in determining on a case-by-case basis 
whether a particular local transportation arrangement involves an 
improper inducement to a beneficiary under the Federal anti-kickback 
statute or Beneficiary Inducements CMP. Depending on the specific facts 
and circumstances of the arrangement, arrangements could comply with 
the statutes even if they do not fit in the safe harbor. OIG's advisory 
opinion process is better suited than the local transportation safe 
harbor to evaluate arrangements on a case-by-case basis.\140\ Moreover, 
depending on the specific facts of the arrangement, transportation 
furnished by a VBE participant to patient populations including those 
identified by the comments summarized above could be structured to 
qualify for protection under the patient engagement and support safe 
harbor paragraph 1001.952(hh) that we are finalizing in this rule.
---------------------------------------------------------------------------

    \140\ OIG, OIG Adv. Op. Nos. 00-07, 09-01, 15-13, and 16-02. 
(OIG has issued several favorable advisory opinions in this area.)
---------------------------------------------------------------------------

    In response to commenters that requested OIG remove any 
restrictions regarding the use of Federal funds for the cost of 
transportation furnished to their patients, we did not propose to 
modify the existing prohibitions on shifting the cost of protected 
transportation to any Federal health care program, other payors, or 
individuals, and we are not finalizing any such changes here. The 
existing prohibition serves important program integrity purposes, as 
described in the 2016 final rule.\141\ In addition, we recognize that 
other statutes or regulations may govern an entity's provision of 
transportation to patients and may impact the ability of an entity to 
structure an arrangement that squarely satisfies the conditions of the 
local transportation safe harbor.
---------------------------------------------------------------------------

    \141\ 81 FR 88389 (Dec. 7, 2016).
---------------------------------------------------------------------------

    Where parties are required by Federal or State law to provide 
transportation services to certain patients or to provide 
transportation services as part of a service covered by a Federal 
health care program or other Department program, those arrangements 
might not implicate the Federal anti-kickback statute. If the patient 
is entitled to receive services under their Federal health care program 
coverage, the parties should assess whether there is any remuneration 
passing to the patient; providing a covered item or service paid for by 
a Federal health care program alone would not result in an exchange of 
any remuneration under the Federal anti-kickback statute. However, 
there could be circumstances under which a provider or supplier, when 
furnishing a covered item or service, does give a Federal health care 
program beneficiary something of value, or remuneration, thereby 
implicating the Federal anti-kickback statute. For example, the Federal 
anti-kickback statute would be implicated by a provider waiving or 
reducing any required cost-sharing obligations for the covered item or 
service incurred by a Federal health care program beneficiary or 
providing ``extra'' items and services for free that are not part of 
the covered item or service. Furthermore, we remind stakeholders that 
an arrangement that does not satisfy all conditions of the local 
transportation safe harbor does not necessarily violate the Federal 
anti-kickback statute. The advisory opinion process remains available 
to stakeholders seeking prospective protection for transportation 
arrangements that do not fit within the four corners of the safe 
harbor.
    As an initial matter, we note that this safe harbor, as finalized, 
does not modify existing Federal law regarding IHS appropriations for 
transportation services furnished to its beneficiaries. While some 
commenters sought safe harbor protection for air transportation 
furnished to certain populations, we note that we exclude protection 
for free or discounted air transportation under the existing local 
transportation safe harbor and we did not propose changes to this 
provision. Although we are not adopting this suggestion, we are 
promulgating clear mileage limits to provide additional flexibilities 
to stakeholders to benefit all patients, including patients served by 
Indian health care providers and community health centers. With respect 
to the comment requesting protection for free emergency transportation, 
we did not propose changing the safe harbor's restriction on ambulance-
level transportation and are not making this change. To the extent free 
emergency transportation means waiving beneficiary cost-sharing--cost-
sharing waivers based on good faith--individualized determinations of 
the beneficiary's financial need have long been acceptable under OIG 
guidance.
    Comment: A commenter asked OIG to consider protecting 
transportation to an alternative health care provider without a mileage 
limitation in the event that one of a provider's locations must divert 
scheduled patients with urgent needs due to a disaster or similar 
emergency circumstances.
    Response: We are not adopting this recommendation to remove the 
mileage limitation for the reasons noted above with respect to other 
commenter suggestions for specific exceptions to the mileage limit 
based on various types of need. OIG is mindful of the need to protect 
patients whose availability of care is impacted by natural disasters, 
public health emergencies, and other exigent circumstances. For 
example, in response to the COVID-19 public health emergency, OIG has 
publicly answered inquiries from the health care community regarding 
the application of

[[Page 77861]]

OIG's administrative enforcement authorities under the Federal anti-
kickback statute and the Beneficiary Inducements CMP, including to 
transportation arrangements.\142\ It is important to note that the 
presence of exigent circumstances can be a relevant factor in 
determining whether the Federal anti-kickback statute would be 
implicated or violated by a particular transportation arrangement.
---------------------------------------------------------------------------

    \142\ See FAQs-Application of OIG's Administrative Enforcement 
Authorities to Arrangements Directly Connected to the Coronavirus 
Disease 2019 (COVID-19) Public Health Emergency, available at 
https://oig.hhs.gov/coronavirus/authorities-faq.asp (describing 
that, under the unique and exigent circumstances resulting from the 
COVID-19 outbreak, certain modest transportation assistance would 
present a low risk of fraud and abuse under the Federal anti-
kickback statute and the Beneficiary Inducements CMP).
---------------------------------------------------------------------------

    Comment: Numerous commenters encouraged OIG to expand the mileage 
limitation for transportation furnished to patients that reside in 
urban areas, as defined by the existing safe harbor. A commenter 
asserted that many Metropolitan Statistical Areas extend beyond 25 
miles, and some health care providers in those communities have 
developed evidenced-based clinical quality intervention strategies for 
high-risk patients that rely on free patient transportation. At least 
one commenter suggested that providing urban patients with safe, 
reliable transportation over a distance greater than 25 miles is a low-
cost, high-value way to ensure access to care, and advocated for OIG to 
expand the mileage limit for urban areas from 25 miles to at least 50 
miles. Another commenter urged OIG to add flexibility in instances when 
the nonrural patient demonstrates a financial, medical, or 
transportation need.
    Response: We did not propose to expand the mileage limits for 
protected transportation furnished to patients residing in urban areas 
and, therefore, we are not finalizing any such expansion here.
b. Elimination of Distance Limitations on Transportation of Discharged 
Patients to Their Residence
    Comment: Many commenters strongly supported OIG's proposal to 
eliminate any distance limit on transportation furnished to a patient 
who has been discharged from a facility after admission as an 
inpatient, regardless of whether the patient resides in an urban or 
rural area, if the transportation is to the patient's residence or 
another residence of the patient's choice. Numerous commenters 
recommended that OIG clarify in the final rule that a ``residence'' 
includes custodial care facilities, including but not limited to 
nursing facilities, which can serve as a patient's residence on a 
permanent basis. Another commenter asked OIG to confirm that a 
patient's residence may include a homeless shelter.
    Response: We confirm that we intend for the term ``residence'' as 
used in paragraph 1001.952(bb)(1)(iv)(B) to include custodial care 
facilities that may serve as a patient's permanent or long-term 
residence provided that the patient established the custodial care 
facility as a residence before receiving treatment by the facility from 
where the patient is being transported. In addition, we intend the term 
``residence'' to include a homeless shelter when a patient is homeless 
or established the homeless shelter as a residence prior to hospital 
admission. While not raised by commenters, we also affirm our statement 
in the OIG Proposed Rule that a residence of the patient's choice can 
include the residence of a friend or relative who is caring for the 
patient post-discharge.\143\ As long as the other requirements of this 
safe harbor are met, transportation to these locations would be 
protected. We also confirm our intention, as noted in the OIG Proposed 
Rule's preamble and raised in the comment above, that this post-
discharge analysis is not dependent on whether the patient resides in a 
rural or urban setting.\144\
---------------------------------------------------------------------------

    \143\ 84 FR 55751 (Oct. 17, 2019).
    \144\ 84 FR 55751 (Oct. 17, 2019).
---------------------------------------------------------------------------

c. Transportation to Locations Other Than a Patient's Residence or a 
Residence of the Patient's Choice
    Comment: Many commenters, including multiple associations 
representing health care providers, advocated for OIG to modify the 
safe harbor to protect transportation to any location of the patient's 
choice, including to another health care facility when there is a 
medical need for the transfer. Commenters provided various examples of 
instances when they believe hospitals, other providers, and patients 
could benefit when patients are transferred to other facilities. For 
example, some commenters explained that individuals seen in the 
emergency room may require transportation to another health care 
facility, while a trade association representing hospitals stated that 
a patient's medical needs may require being discharged from an 
inpatient facility directly to post-acute care.
    Another commenter expressed concern that, without the ability to 
provide transportation to another health care facility, skilled nursing 
facilities may be limited in their ability to transport discharged 
patients to a hospital, to a hospice, or to other long-term care 
facilities. Another commenter added that SNF patients often require 
transportation services following discharge to accommodate any mobility 
limitations.
    Response: After considering the comments, we are not extending safe 
harbor protection to transportation of patients to any location of 
their choice or another provider or facility. In developing this final 
rule, we reviewed and weighed the examples provided by commenters of 
situations when they believed it would be beneficial for a patient to 
be transported to another provider following discharge as an inpatient 
from a facility. We agree that the examples described by the commenters 
could benefit patients in many circumstances. However, we believe that 
protecting transportation between health care providers in a position 
to refer to each other is not sufficiently low risk to warrant safe 
harbor protection because of the risk that such transportation 
arrangements could be used to steer patients to health care facilities 
that may not be in the patients' best interests; for instance, the 
entity sponsoring the transportation might limit transportation 
improperly to affiliated facilities to generate system revenue and as a 
result may interfere with patient choice. Arrangements that do not fit 
in the safe harbor are not necessarily prohibited under the anti-
kickback statute. Under the final rule, patients discharged from 
inpatient facilities may be offered transportation to a nursing 
facility if it is their residence.
    In this final rule, OIG is finalizing a new safe harbor at 
paragraph 1001.952(hh) that may protect certain patient engagement 
tools and supports including transportation when the offeror of the 
transportation is a VBE participant. As long as all of the safe 
harbor's conditions are satisfied, the safe harbor at paragraph 
1001.952(hh) could protect transportation of patients from an inpatient 
hospital to another health care facility for post-acute care treatment.
    In addition, we emphasize that safe harbors are voluntary and that 
any assessment of liability under the Federal anti-kickback statute 
requires an analysis of the facts and circumstances specific to the 
arrangement, including the intent of the parties. For arrangements that 
do not meet all requirements of the safe harbor, the party could seek 
an advisory opinion.

[[Page 77862]]

d. Elimination of Distance Limitations for Patients Other Than Those 
Discharged After an Inpatient Admission
    Comment: Numerous commenters requested that OIG expand the proposed 
exemption from distance limitations beyond discharged hospital 
inpatients to include patients treated in a hospital outpatient 
department, ambulatory surgery center, or hospital emergency room, as 
well as patients held in observation status at the hospital for a 
substantial period of time but who are not admitted. For example, a 
trade association representing hospitals asserted that patients may 
travel a significant distance to obtain treatment that does not require 
an admission, and the commenter believed that transportation home for 
these patients without a limitation on distance would be appropriate. 
The commenter suggested that OIG could provide parameters for protected 
transportation so that it is not used as a workaround to the mileage 
limitations that otherwise serve as a condition of the safe harbor. To 
this point, a commenter suggested that an appropriate safeguard to 
limit potential fraud concerns would be to require a medical 
justification to receive transportation home for reasons other than an 
inpatient discharge (e.g., after a colonoscopy or after receiving 
stitches, a licensed medical professional could determine that a 
patient is unable to travel home safely).
    Response: As finalized in this rule, the mileage limitation of this 
safe harbor does not apply in two circumstances. First, we confirm our 
intention, as noted in the OIG Proposed Rule's preamble, that the 
elimination of the mileage limitation applies after admission as an 
inpatient. Second, we are persuaded by commenters that we should expand 
the safe harbor by removing the mileage limitation when a patient is 
discharged after spending 24 hours in observation status. We indicated 
in the OIG Proposed Rule that we were considering including 
transportation for patients who have been under observation status for 
a timeframe of at least 24 hours. We are including this provision in 
the final rule because we believe that transportation home following an 
extended stay in observation status at a hospital is sufficiently 
similar to transportation home following an inpatient discharge and to 
prevent any safe harbor compliance challenges resulting from a 
patient's status as an inpatient or outpatient in the hospital.
    We also solicited comments regarding transportation home for 
patients seen in the emergency department or following a procedure at 
an ambulatory surgery center. We are mindful that available 
transportation home for these patients could help address a legitimate 
need. However, we are not removing the mileage limitation for other 
patients categorized as outpatients, including patients who are seen in 
the emergency room but not under observation for at least 24 hours, or 
patients discharged from an ambulatory surgical center. It is not clear 
that we could define acceptable medical justifications or make 
distinctions about categories in this safe harbor. Moreover, creating 
an exception to the mileage limitations in the safe harbor for local 
transportation for these categories of patients would make the 
exception so expansive and overly broad so as to limit the utility of 
the mileage limitations as safeguards against potentially abusive 
arrangements. The OIG advisory opinion process remains available for 
particular transportation programs not covered by this safe harbor.
    In promulgating this safe harbor, we observed that Congress did not 
intend to preclude the provision of local transportation of nominal 
value in the context of beneficiary inducements. Although the Federal 
anti-kickback statute has no such exception for remuneration of nominal 
value, we stated that protection of complimentary local transportation 
that met certain requirements that limit the risk of fraud and abuse 
was warranted.\145\ We believe that transportation home following 
inpatient discharge or a stay in observation status at a hospital for 
at least 24 hours poses a sufficiently low risk of inducing patient 
referrals to the hospital, provided all safe harbor conditions are met.
---------------------------------------------------------------------------

    \145\ 81 FR 88379 (Dec. 7, 2016).
---------------------------------------------------------------------------

e. Local Transportation for Health-Related, Nonmedical Purpose
    Comment: Commenters generally supported extending protection under 
this safe harbor to transportation furnished for nonmedical purposes. 
For example, some commenters, including trade associations whose 
members are hospitals or nurse practitioners, encouraged OIG to protect 
transportation to obtain services that address social determinants of 
health (e.g., nutrition counseling, chronic disease counseling 
services, housing services), even if those services do not constitute 
medical care. The commenters posited that these services have a direct 
effect on a patient's health outcomes and well-being and are critical 
to achieving effective care transitions and improved outcomes, 
including reduced readmissions. One such commenter asked OIG to support 
hospitals' efforts to connect patients to nonmedical care and foster 
innovative community collaboration.
    Another commenter advocated for protection of transportation to 
access nutritious foods, suggesting that patients living in a ``food 
desert'' may have difficulties obtaining such foods, which the 
commenter asserted could potentially lead to increased health care 
costs later if the patients develop nutritional issues that require 
medical attention. A commenter also suggested that transportation to 
food stores, food banks, other non-health care social services (e.g., 
housing assistance), or agencies that offer employment or vocational 
training would be appropriate for safe harbor protection. A commenter 
asked OIG to clarify the types of non-medical purposes that OIG 
believes should not be protected by any expansion of the safe harbor.
    Some commenters suggested potential safeguards for expanded safe 
harbor protection for transportation for non-medical purposes. 
Recognizing the need to minimize the risk of fraud and abuse that may 
arise in conjunction with non-medical transportation, such as inducing 
beneficiaries to receive unnecessary health care items and services, 
these commenters suggested a variety of safeguards such as: (i) 
Imposing restrictions on an entity's ability to condition receipt of 
non-medical transportation support on continued receipt of health care 
services from a particular provider; (ii) requiring the entity to 
utilize an independent transportation vendor to arrange for 
transportation; (iii) requiring the entity to tie any transportation 
service to a specific quality improvement, social determinant of 
health, or public health initiative; (iv) requiring that the 
transportation is unlikely to interfere with, or skew, clinical 
decision-making; and (v) requiring providers to document the patient's 
need for such non-medical transportation (e.g., patient's income, 
medical condition).
    Another commenter suggested the existing conditions of the safe 
harbor, combined with an appropriately tailored scope of nonmedical 
transportation purposes (e.g., a direct connection to the coordination 
and management of care), would be a sufficient safeguard against 
abusive transportation initiatives.
    Response: We are not expanding the local transportation safe harbor 
to protect patient transportation for nonmedical purposes. In response 
to the OIG RFI, we received comments suggesting that transportation for 
nonmedical purposes may improve

[[Page 77863]]

patient health, and we solicited comments on whether the safe harbor 
could be expanded to protect transportation for these purposes without 
creating an unacceptable risk of fraud and abuse, such as inducing 
beneficiaries to receive unnecessary health care items and services. 
Some commenters suggested potential safeguards (e.g., requiring the 
entity to tie any transportation service to a specific quality 
improvement, social determinant of health, or public health 
initiative). While we do not doubt that properly structured 
transportation for non-medical needs can help patients maintain or 
improve their health, we believe that protecting transportation for 
non-medical purposes under paragraph 1001.952(hh), which limits 
protection of transportation to tools and supports furnished by VBE 
participants, rather than under the safe harbor for local 
transportation, presents the lowest risk approach to protecting 
patients and Federal health care programs from fraudulent and abusive 
transportation schemes.
    We continue to believe that the risk of beneficiaries being 
improperly induced to obtain items or services is too high for safe 
harbor protection when the transportation is for non-medical purposes. 
As we explained in the 2016 final rule establishing the local 
transportation safe harbor, a transportation program offered by a 
provider or supplier inherently poses a risk both of inducing patients 
to get items or services that they might otherwise not have obtained 
and to get services from that provider or supplier. In the case of 
transportation for medically necessary items and services, we think 
that risk is acceptable. However, we believe the risk is too high when 
the transportation is for non-health-related purposes.\146\ We noted 
that it would be difficult to determine whether non-medical 
transportation is related to the patient's health care (e.g., 
transportation to a shopping center that includes both a grocery store 
and a movie theater). We went on to say that transportation for 
nonmedical purposes very well might be more frequent than 
transportation for medical appointments, which would give larger 
providers a significant competitive advantage over smaller entities or 
individual suppliers.\147\ We explained that transportation for 
nonmedical purposes would not violate the statute if it is not for the 
purpose of inducing individuals to obtain federally reimbursable items 
and services.
---------------------------------------------------------------------------

    \146\ 81 FR 88384 (Dec. 7, 2016).
    \147\ 81 FR 88384 (Dec. 7, 2016).
---------------------------------------------------------------------------

    Notwithstanding the foregoing, we are mindful of the importance of 
addressing social determinants of health, and for this reason among 
others we are finalizing a new safe harbor at paragraph 1001.952(hh) 
that protects nonmedical transportation offered by VBE participants if 
such transportation has a direct connection to the coordination and 
management of care of the target patient population and meets the other 
conditions of the safe harbor. In promulgating paragraph 1001.952(hh), 
we recognize that transportation to address social determinants of 
health could improve patients' overall health and reduce health care 
costs. However, without the safeguards embedded within the VBE 
framework, including accountability for advancing value-based purposes, 
we are concerned that transportation for non-medical purposes could be 
used improperly to recruit patients or incentivize overutilization of 
items or services; therefore, OIG is not extending the local 
transportation safe harbor to include transportation for nonmedical 
purposes.
f. Use of Ride-Sharing Services
    Comment: Commenters supported OIG's clarification in the OIG 
Proposed Rule that transportation furnished through ride-sharing 
services could be protected by the safe harbor and that, for purposes 
of this safe harbor, there is no difference between taxis and ride-
sharing services. A commenter emphasized the importance of these 
services with respect to patients with driving restrictions, cognitive 
impairments, and mobility limitations. While some commenters did not 
believe a change to the regulatory text was needed, at least one 
commenter recommended that we amend the safe harbor to protect 
transportation via ride-sharing services explicitly; according to this 
commenter, the safe harbor is ambiguous with respect to ride-sharing 
services, which discourages some providers from entering into 
arrangements with ride-sharing services.
    A commenter recommended that OIG clarify whether a ride-share 
service can advertise a partnership with a hospital or health system to 
promote patient awareness and utilization of such services. Another 
commenter urged OIG not to make providers responsible for knowing or 
controlling the advertising practices of taxi companies, ride-sharing 
services, or other transportation providers.
    Response: We support the use of ride-sharing services or other 
patient transportation services similar to a taxi service by eligible 
entities to make local transportation available for their patients. The 
safe harbor protects certain free or discounted local transportation 
made available by an eligible entity, and we confirm that an eligible 
entity may make such transportation available through ride-sharing 
arrangements or through other means of local transportation that may 
exist in the future (e.g., self-driving cars). We do not believe an 
amendment to the regulatory text is necessary. Indeed, nothing in the 
language of the safe harbor prevents the use of ride-sharing services 
by eligible entities as long as all other conditions of the safe harbor 
are met. As we explained in the OIG Proposed Rule, although we do not 
explicitly refer to ride-sharing services within the safe harbor, we 
see no meaningful differences between these services and taxis, or 
other similar technology that serve as a taxi service should they 
become available in the future.\148\ We are not explicitly including 
specific transportation methods within the regulatory text to avoid 
being overly proscriptive and to allow eligible entities sufficient 
flexibility to outsource these services appropriately while satisfying 
every condition of the safe harbor.
---------------------------------------------------------------------------

    \148\ 84 FR 55752 (Oct. 17, 2019).
---------------------------------------------------------------------------

    We note that eligible entities that make transportation services 
available to patients by using ride-sharing or other similar 
transportation service providers must meet all requirements of the safe 
harbor and ensure such service providers also meet all requirements of 
the safe harbor to receive protection, including for example the 
prohibitions against luxury transportation and publicly marketing or 
advertising the free or discounted local transportation services.
    In the OIG Proposed Rule, we explained that a taxi company, ride-
sharing service, or other provider of transportation could advertise 
that it provides transportation to medical appointments and suggest to 
patients that they contact their medical providers to determine whether 
free or discounted transportation is available to their facilities. We 
stated, however, that it cannot advertise that it provides free or 
discounted transportation to a particular health care provider or group 
of providers because such customer-specific advertising is within the 
control of the customer (i.e., the eligible entity paying for the 
transportation) to prohibit, and therefore would be imputed to the 
customer and would disqualify transportation furnished by

[[Page 77864]]

the customer from safe harbor protection.\149\ Accordingly, we strongly 
suggest that eligible entities that furnish local transportation to 
patients and choose to rely on this safe harbor have mechanisms in 
place to ensure this condition of the safe harbor is satisfied.
---------------------------------------------------------------------------

    \149\ 84 FR 55752 (Oct. 17, 2019).
---------------------------------------------------------------------------

13. Accountable Care Organization (ACO) Beneficiary Incentive Program 
(42 CFR 1001.952(kk))
    Summary of OIG Proposed Rule: We proposed at proposed paragraph 
1001.952(kk) to codify the statutory exception to the definition of 
``remuneration'' at section 1128B(b)(3)(K) of the Act, as added under 
section 50341 of the Budget Act of 2018, for ACOs operating a CMS-
approved beneficiary incentive program under the Medicare Shared 
Savings Program, as defined under section 1899(m) of the Act. We 
proposed to clarify that an ACO may furnish incentive payments only to 
assigned beneficiaries and to interpret the statutory language in the 
Budget Act of 2018 stating, ``if the payment is made in accordance with 
the requirements of such subsection [section 1899(m) of the Act],'' to 
mean ``if the incentive payment is made in accordance with the 
requirements found in such subsection.'' We did not propose any 
additional safe harbor conditions that incentive payments made by an 
ACO to an assigned beneficiary under an ACO Beneficiary Incentive 
Program established under section 1899(m) of the Act would have to 
satisfy, and we solicited comments on the proposed lack of additional 
conditions.
    Summary of Final Rule: We are finalizing the safe harbor without 
modifications.
    Comment: Several commenters expressed support for the ACO 
Beneficiary Incentive Program safe harbor. For example, a commenter 
posited that incentivizing patients to attend primary care appointments 
may improve patient outcomes and reduce downstream medical expenses. 
Another commenter agreed with OIG's proposal not to establish 
additional safe harbor conditions to protect incentives under an ACO 
Beneficiary Incentive Program that satisfies the statutory exception 
and regulatory requirements.
    Response: We are finalizing the regulation text as proposed. We 
note that we do not interpret the statutory exception found at section 
1128B(b)(3)(K) of the Act, nor the safe harbor finalized at paragraph 
1001.952(kk), to require satisfaction of any requirements found outside 
section 1899(m) of the Act (e.g., the regulatory requirements 
established by CMS implementing the ACO Beneficiary Incentive Program 
found at 42 CFR 425.304(c)).
    Comment: A commenter supported the codification of the ACO 
Beneficiary Incentive Program exception in a safe harbor but 
recommended that OIG broaden the exception to protect any future 
beneficiary incentives covered under CMS-sponsored payment models and 
beneficiary incentive options that may be available in the future. 
According to the commenter, the ACO Beneficiary Incentive Program is 
too limited and the commenter has advised CMS that ACOs, and 
alternative payment models (APM) more broadly, should be able to 
provide beneficiary incentives to subsets of their population. Another 
commenter requested that OIG expand the safe harbor to protect ACOs 
participating in any Innovation Center demonstration, noting that 
several ACO demonstrations have risk-bearing standards that exceed 
those in the Medicare Shared Savings Program.
    Response: This safe harbor codifies a statutory safe harbor that is 
specific to ACO Beneficiary Incentive Programs; the commenters' 
suggestions are beyond the scope of the statute and our proposal. To 
the extent the commenters are requesting safe harbor protection for 
beneficiary incentives provided through existing CMS-sponsored models 
developed pursuant to section 1115A(d)(1) of the Act, any fraud and 
abuse waiver applicable to beneficiary incentives under the relevant 
model would potentially provide protection as long as the beneficiary 
incentive arrangement squarely satisfies the conditions of the 
applicable waiver. Moreover, we are finalizing a new safe harbor for 
CMS-sponsored models at paragraph 1001.952(ii) that protects certain 
CMS-sponsored model patient incentives under models for which CMS has 
determined that paragraph 1001.952(ii)(2) should apply. This new safe 
harbor is described more fully in section III.B.7 of this preamble.
    Comment: A trade association representing community pharmacists 
recommended that pharmacists be included in the definition of an ``ACO 
professional'' and that pharmacy services should constitute qualifying 
services for purposes of the ACO Beneficiary Incentive Program safe 
harbor. According to the commenter, including pharmacy services as 
qualifying services would give pharmacists more resources to provide 
medication adherence services more efficiently to further enhance care 
coordination.
    Response: The commenter's suggestion is beyond the scope of the ACO 
Beneficiary Incentive Program statutory exception found at section 
1128B(b)(3)(K) of the Act that OIG proposed to codify at paragraph 
1001.952(kk). Section 1899(h) of the Act defines an ACO professional 
for purposes of the Medicare Shared Savings Program, and section 
1899(m) of the Act sets forth the scope of qualifying services. CMS 
administers the Medicare Shared Savings Program on behalf of the 
Secretary, which includes promulgating regulations interpreting the 
statutory definition of ACO professional and the scope of qualifying 
services; for this reason, any requests to expand these terms should be 
directed to CMS.
    Comment: A commenter supported the proposed safe harbor but 
recommended that OIG consider the administrative burden associated with 
the ACO Beneficiary Incentive Program. In particular, the commenter 
noted that several requirements of the ACO Beneficiary Incentive 
Program (e.g., recordkeeping requirements) are burdensome.
    Response: The commenter's suggestion is beyond the scope of this 
rulemaking. Section 1899(m) of the Act contains certain programmatic 
reporting and documentation requirements for beneficiary incentives 
under the Medicare Shared Savings Program, and CMS has promulgated 
additional regulations implementing the ACO Beneficiary Incentive 
Program.\150\ The new safe harbor at paragraph 1001.952(kk) does not 
alter existing documentation requirements or impose any additional 
documentation requirements. Furthermore, section 50341(b) of the Budget 
Act of 2018 does not give OIG authority to waive programmatic 
documentation requirements set forth in section 1899(m) of the Act or 
in CMS regulations.
---------------------------------------------------------------------------

    \150\ 42 CFR 425.304(c)(4)(i).
---------------------------------------------------------------------------

    Comment: A commenter requested additional guidance on the specifics 
of the protected remuneration under this safe harbor.
    Response: The new safe harbor at paragraph 1001.952(kk) protects 
incentive payments made by an ACO to an assigned beneficiary under a 
beneficiary incentive program established under section 1899(m) of the 
Act if the incentive payment is made in accordance with the 
requirements found in section 1899(m) of the Act. We interpret the 
statutory language in the

[[Page 77865]]

Budget Act of 2018 stating, ``if the payment is made in accordance with 
the requirements of such subsection [section 1899(m) of the Act]'' to 
mean ``if the incentive payment is made in accordance with the 
requirements found in such subsection.''
    We read this provision broadly to incorporate all the requirements 
found in section 1899(m) of the Act as requirements of the ACO 
Beneficiary Incentive Program statutory exception to the definition of 
``remuneration'' under the Federal anti-kickback statute. In other 
words, as we stated in the preamble to the OIG Proposed Rule, we 
interpret this statutory requirement to mean that for an incentive 
payment to satisfy the ACO Beneficiary Incentive Program statutory 
exception, and the corresponding safe harbor interpreting the statutory 
exception, all of the requirements enumerated at section 1899(m) of the 
Act--related both to ACO Beneficiary Incentive Programs and incentive 
payments made pursuant to such programs--must be satisfied. We do not 
interpret the statutory exception at section 1128B(b)(3)(K) of the Act 
to require satisfaction of any requirements found outside of section 
1899(m) of the Act. For instance, CMS, which administers the Medicare 
Shared Savings Program, has promulgated programmatic regulations 
setting forth more detailed requirements for implementing an ACO 
Beneficiary Incentive Program in accordance with section 1899(m) of the 
Act. While compliance with these regulations is not a condition of 
satisfying the safe harbor, it would be prudent for ACOs to review 
these regulations to ensure that their ACO Beneficiary Incentive 
Programs meet all applicable programmatic requirements.

C. Civil Monetary Penalty Authorities: Beneficiary Inducements CMP

1. Exception for Telehealth Technologies for In-Home Dialysis (42 CFR 
1003.110)
    Summary of OIG Proposed Rule: We proposed to amend the definition 
of ``remuneration'' under the Beneficiary Inducements CMP by codifying 
the statutory exception enacted as part of the Budget Act of 2018. 
Specifically, we proposed to add an exception to the definition of 
``remuneration'' in paragraph 1003.110 at proposed paragraph 
1001.110(10) for the provision of certain telehealth technologies 
related to in-home dialysis services. The proposed exception would 
protect the provision of telehealth technologies by a provider of 
services or renal dialysis facility to an individual with end-stage 
renal disease (ESRD) who is receiving home dialysis paid for by 
Medicare Part B, provided the donation meets conditions proposed in the 
OIG Proposed Rule. We proposed a condition that would require uniform 
provision of technology. In addition, we proposed to define 
``telehealth technologies'' as multimedia communications equipment that 
includes at a minimum audio and video equipment permitting two-way, 
real-time interactive communication between the patient and distant 
site physician or practitioner used in the diagnosis, intervention, or 
ongoing care management--paid for by Medicare Part B--between a patient 
and the remote healthcare provider.
    Summary of Final Rule: We are finalizing this provision with 
several modifications at paragraph 1003.110(10) to align with the 
statutory exception in 1128A(i)(6)(J). As explained in more detail 
below, we are removing most of the additional proposed conditions and 
proposed regulatory text language that were not in the statutory 
exception. Additionally, the final rule modifies the definition of 
``telehealth technologies'' and includes physicians as a type of 
practitioner that can donate telehealth technologies to a patient. We 
are not finalizing the other proposed conditions on which we solicited 
comments.
a. General Comments
    Comment: Commenters on this topic overwhelmingly supported our 
proposed exception, in many cases as proposed. For example, a commenter 
stated that the exception would enhance access to telehealth services 
for vulnerable patients, including those who are immobile or located in 
rural areas, and would encourage patients to appropriately address 
their chronic condition. Commenters observed that telehealth 
technologies will provide an important tool for dialysis facilities and 
other providers to ease patients' adoption of home dialysis as their 
treatment modality of choice and that increased use of telehealth 
services benefit patients, including through reduced travel to and from 
physician visits. A commenter expressed that broad protection under the 
Beneficiary Inducements CMP would be consistent with policy priorities 
of Congress and the Department, as well as under the Executive Order 
entitled ``Advancing American Kidney Health.'' Another commenter noted 
the Administration's policy goal of increased rates of uptake and 
retention of in-home dialysis and urged OIG to consider the impact 
technologies have outside of an isolated clinical visit, such as 
dialysis modality education and support group access.
    Some commenters raised concerns about the need for safeguards 
against risks such as inappropriate steering, lemon-dropping, and 
cherry-picking of patients by providers and the use of free at-home 
technologies to entice patients to use a particular provider, 
especially when the technology could also be used for other purposes 
beyond the provision of telehealth services. Some commenters urged us 
to adopt the statutory exception without any additional conditions that 
could create barriers to patients accessing telehealth services, more 
administrative burden, or additional duties on staff. A commenter 
stated that the additional conditions and other potential safeguards in 
the OIG Proposed Rule preamble are unnecessary.
    Response: We have made several modifications to the final exception 
that address the commenters' general concerns. Consistent with the 
statutory exception at section 1128A(i)(6)(J) of the Act and the OIG 
Proposed Rule, these modifications finalize a broader definition of 
``telehealth technologies,'' reduce the number of conditions from the 
OIG Proposed Rule, and modify the proposed conditions to more closely 
align to the statute. The final exception incorporates the statutory 
text from section 1128A(i)(6)(J) and the two statutory conditions at 
1128A(i)(6)(J)(i) and (ii). We describe the specific rationale for each 
of these modifications in greater detail below.
    These modifications reflect our understanding as stated in the OIG 
Proposed Rule that this is a narrow exception to the CMP beneficiary 
inducement statute. Primarily, the exception is limited to a subset of 
patients receiving in-home dialysis and certain, enumerated providers 
in the statutory exception.\151\ Because the exception finalized here 
is only available to established patients who are receiving specific 
services paid for by Medicare Part B, the potential for fraud and abuse 
is reduced. Similar to our rationale related to the definition and use 
of target patient population in the patient engagement and support safe 
harbor at paragraph 1001.952(hh), we believe that remuneration 
connected to an objectively defined set of patients decreases the risk 
that valuable remuneration will be offered to patients as an inducement 
to seek care or as a reward for receiving care. For the purposes of 
this exception, Congress established the patient population as

[[Page 77866]]

those receiving in-home dialysis paid for by Medicare Part B.
---------------------------------------------------------------------------

    \151\ 84 FR 55754 (Oct. 17, 2019).
---------------------------------------------------------------------------

    Additionally, the two statutory conditions address common risks of 
fraud and abuse associated with remuneration furnished to 
beneficiaries. The first, which bars telehealth technologies from being 
offered as part of any advertisement or solicitation, protects against 
improper marketing schemes that entice beneficiaries to receive 
unnecessary services or select providers or services based on promises 
of valuable gifts rather than medical best interests. The second 
statutory condition requires that the telehealth technologies are 
provided for the purpose of furnishing telehealth services related to 
the recipient's ESRD; this condition tailors the statutory protection 
to arrangements that assist beneficiaries in managing their ESRD, 
reducing risk that the provision of telehealth technologies induce 
orders or purchases of other, unrelated items and services. These 
statutory limitations reduce the risks of fraud and abuse associated 
with providing certain beneficiaries with free telehealth technologies.
    We share commenters' concerns that offering valuable technology for 
free to patients has the potential to impact a patient's selection of a 
provider, and we agree that this exception should not be used to 
effectuate inappropriate steering, lemon-dropping, or cherry-picking of 
patients. The risk of fraud and abuse associated with selectively 
deciding which patients receive telehealth technologies is mitigated by 
conditions finalized in this rule (e.g., telehealth technologies are 
protected if provided to a beneficiary already receiving in-home 
dialysis paid for by Medicare Part B and if that patient initiated 
contact or scheduled an appointment with the donor (paragraphs (10)(i) 
and (ii) in 42 CFR 1003.110)).
    This final rule strives to foster the policy goal of: (i) Ensuring 
that beneficiaries can choose and benefit from medically appropriate 
in-home dialysis care, as determined by the beneficiary and their 
provider, physician, or renal dialysis facility; (ii) protecting 
beneficiaries against coercive marketing schemes that do not serve 
their best interests; and (iii) ensuring that providers, physicians, 
and renal dialysis facilities are seeking the protection of the 
exception use telehealth technologies for purposes related to 
beneficiaries' ESRD as contemplated in the statutory exception. We have 
endeavored to reduce administrative and staff burden wherever possible, 
consistent with these goals.
b. Definition of ``Telehealth Technologies''
    Summary of OIG Proposed Rule: Using the definition of ``interactive 
telecommunications system'' pursuant to 42 CFR 410.78(a)(3) as a 
basis,\152\ we proposed to define ``telehealth technologies'' as 
multimedia communications equipment that includes, at a minimum, audio 
and video equipment permitting two-way, real-time interactive 
communication between the patient and distant site physician or 
practitioner used in the diagnosis, intervention, or ongoing care 
management--paid for by Medicare Part B--between a patient and the 
remote healthcare provider. We proposed to exclude telephones, 
facsimile machines, and electronic mail systems from the definition. 
However, we proposed that smartphones with two-way, real-time 
interactive communication through secure video conferencing 
applications would not be considered ``telephones.'' We sought comments 
on this definition and whether ``telehealth technologies'' should 
include technologies such as software, a webcam, data plan, or 
broadband internet access that facilitates the telehealth encounter.
---------------------------------------------------------------------------

    \152\ In response to the COVID-19, HHS and CMS have exercised 
emergency authorities and regulatory flexibilities to help health 
care providers respond to the COVID-19 public health emergency. 
Specific to telehealth covered by Medicare Part B, CMS has expanded 
the types of technology that can be used to provide telehealth 
services, the types of services that can be provided via telehealth, 
certain coverage requirements related to originating and distant 
sites, and other flexibilities. Most of these flexibilities will 
remain in place until the Secretary ends the declaration of a public 
health emergency for COVID-19. See for example 85 FR 19230 (Apr. 6, 
2020), COVID-19 Emergency Declaration Blanket Waivers for Health 
Care Providers, available at https://www.cms.gov/files/document/summary-covid-19-emergency-declaration-waivers.pdf; 85 FR 27550 (May 
8, 2020), Additional Policy and Regulatory Revisions in Response to 
the COVID-19 Public Health Emergency and Delay of Certain Reporting 
Requirements for the Skilled Nursing Facility Quality Reporting 
Program, available at https://www.govinfo.gov/content/pkg/FR-2020-05-08/pdf/2020-09608.pdf.
---------------------------------------------------------------------------

    Summary of Final Rule: We are finalizing, with modifications, the 
regulatory text defining ``telehealth technologies'' in response to 
comments and in a way that is technology agnostic, as described further 
below.
    Comment: Several commenters agreed with our proposed definition of 
``telehealth technologies'' based on 42 CFR 410.78(a)(3), including our 
proposal to exclude smartphones from our interpretation of what 
consists of a ``telephone'' for the purposes of our proposed 
``telehealth technologies'' definition because it would help expand 
access to medically necessary care. A commenter suggested OIG finalize 
a technology-neutral definition of ``telehealth technologies'' and 
urged us not to detail specific technologies or services, which are 
likely to change over time to facilitate the development of more 
efficient means of delivering the same services. While a commenter 
agreed with excluding telephones, facsimile machines, and electronic 
mail systems from the definition of ``telehealth technologies'' because 
the commenter did not view them as providing the required services, 
other commenters asserted that these technologies should not be 
included. For example, a commenter explained that these technologies do 
not constitute ``telehealth technologies'' as standalone items but can 
be used to supplement a telehealth encounter.
    Several commenters were supportive of including the broader range 
of technologies considered in the OIG Proposed Rule (e.g., software and 
data plans). Commenters suggested that these technologies, which alone 
will not facilitate a telehealth encounter, may be required by some 
patients to access telehealth services. A commenter asserted that the 
exception should protect any type of technology as long as it 
contributes to accomplishing the telehealth service. The commenter also 
urged OIG to consider that software protected under the exception must 
be easily downloadable, be easy to use for patients, and meet HIPAA 
standards.
    Another commenter supported narrowly defining ``telehealth 
technologies'' as the ``interactive communications system'' necessary 
for the telehealth service. According to the commenter, a broader 
definition could inappropriately induce a beneficiary to consider in-
home dialysis because of the availability of technology benefits rather 
than the clinical appropriateness of the treatment approach. A 
commenter also suggested that if necessary we include a list of items 
ineligible for protection under this exception.
    Response: We agree with those commenters that recommended a broader 
definition that includes items and services that facilitate telehealth 
services because the goal of this exception, as explained in the OIG 
Proposed Rule, is to protect a wide range of technologies to better 
support in-home dialysis. Specifically, this final rule modifies the 
definition of ``telehealth technologies'' by removing references to 
specific types of technology, limits on the type of communication, and 
a requirement that telehealth services be paid for by Medicare Part B. 
We are revising language to clarify that the definition means 
technology used to support

[[Page 77867]]

communication between providers and patients in instances when the 
communication is distant or remote, and when the communication is for 
diagnosis, intervention, or ongoing care management. For purposes of 
the telehealth technologies exception to the definition of 
``remuneration'' authorized under section 1128A(i)(6)(J) of the Act, 
this final rule defines ``telehealth technologies'' to mean hardware, 
software, and services that support distant or remote communication 
between the patient and provider, physician, or renal dialysis facility 
for the diagnosis, intervention, or ongoing care management. We note 
that the revised definition includes all of the technologies that we 
proposed would constitute telehealth technologies and be protected if 
all conditions of the exception were met: that is, multimedia 
communications equipment, including audio and video equipment 
permitting two-way, real-time interactive communication with the 
patient.
    The revised definition also now includes technologies that we 
proposed to specifically exclude from the definition: Telephones, 
facsimile machines, and electronic mail systems. The final definition 
is technology agnostic. We emphasize that the revised definition 
retains the element that the technology supports provider and patient 
communication for diagnosis, intervention, or ongoing care management. 
Additionally, for a donation of technology to be protected it must meet 
all conditions of this exception, not just satisfy the revised 
definition of ``telehealth technologies.'' This includes the condition 
at paragraph (10)(i) in 42 CFR 1003.110 that requires the telehealth 
technology be provided for the purpose of furnishing telehealth 
services related to the recipient's end-stage renal disease. If a 
provider, physician, or facility determines that a fax machine meets 
this condition and the revised definition (and the donation meets all 
other conditions) then it would be protected by this exception.
    This modification is consistent with the statutory exception and 
our solicitation of comments in the proposed rule. In the OIG Proposed 
Rule, we proposed to define ``telehealth technologies'' to encompass 
``multimedia communications equipment'' that included at a minimum 
audio and video equipment with distant site, interactive communications 
functionality between patients and physicians or practitioners. We 
considered whether to broaden the definition to include technology such 
as software, webcams, data plans, and broadband internet access that 
facilitate a telehealth encounter and solicited specific comments on 
the treatment of telephones, facsimile machines, and electronic mail 
systems.
    We are modifying the definition to focus on the functionality of 
the technology to support telehealth rather than specific types. The 
revised definition is technology neutral to provide flexibility to 
providers, physicians, and renal dialysis facilities to determine what 
telehealth technology is needed for the purpose of furnishing 
telehealth services related to an individual's ERSD. By ``technology 
agnostic,'' we mean that the technology is not limited to specific 
technologies or services, which are likely to change over time. For 
telehealth and virtual care specifically, we believe a technology-
agnostic approach is especially important given, for example, the 
widespread and rapid changes to telehealth during the response to the 
COVID-19 public health emergency. This approach will also allow the 
exception to continue to be available to support telehealth services 
for ESRD beneficiaries as technology evolves. We recognize that the 
revised definition will allow for a wider range of technology to be 
provided to beneficiaries than the proposed regulatory text. We also 
recognize the potential for ``telehealth technologies'' as defined more 
broadly in this final rule to inappropriately induce patients to pursue 
in-home dialysis over a dialysis facility or select a particular 
provider or physician. However, we believe the risk is mitigated 
because the exception is available for a defined set of patients 
already receiving in-home dialysis, marketing is not allowed, and other 
conditions provide safeguards against fraud and abuse.
    The revised definition is supported by the statutory exception in 
section 1128A(i)(6)(J) of the Act. The statute gives the Secretary 
authority to define ``telehealth technologies'' and protects 
technologies provided for the purpose of furnishing telehealth services 
related to the individual's ESRD. The statute did not limit the 
telehealth technology or technology services under the exception to any 
related Medicare definitions. In contrast, section 1128A(i)(6)(J) of 
the Act states that a provider of services or a renal dialysis facility 
are defined as those terms are used in title XVIII (Medicare). 
``Telehealth technologies'' in section 1128A(i)(6)(J) and the term 
``telehealth services'' in 1128A(i)(6)(J)(ii) do not include a 
reference to specific statutory or regulatory definitions. Therefore, 
the statute provides the Secretary additional flexibility to interpret 
these terms differently than any related Medicare definitions. We 
similarly interpret the term ``telehealth services'' differently than 
the scope of telehealth services paid for by Medicare Part B. For a 
more detailed discussion of the term ``telehealth services'' used in 
paragraph (10)(ii) in 42 CFR 1003.110, see section III.C.1.e below.
    Based on the statutory exception and flexibility afforded by the 
statutory exception and the response to our solicitation on the 
appropriate scope of technology covered by this exception, we are 
modifying the definition in the regulatory text of ``telehealth 
technologies'' to focus on core functionality to support telehealth 
services and be technology agnostic. As several commenters noted, 
telehealth technologies are ineffective without the ability to connect 
any device facilitating telehealth services, and the purpose of this 
exception would not be advanced without those capabilities. We agree 
and have expanded the definition of telehealth technologies to include 
services that support distant or remote communication between the 
patient, provider, or renal dialysis facility for diagnosis, 
intervention, or ongoing care management. For example, the finalized 
definition would include internet service or data plans.
    We emphasize that although this definition would encompass various 
technologies, to receive protection under the exception arrangements 
for providing telehealth technologies to beneficiaries must squarely 
satisfy the other conditions in the exception, including that the 
technologies are provided for the purpose of furnishing telehealth 
services related to the recipient's ESRD.
    In this preamble we offer examples of technology we view as within 
the scope of the final definition of ``telehealth technologies.'' We 
are not providing an exhaustive list in regulatory text or preamble to 
avoid inadvertently limiting telehealth technologies that donors 
determine are best suited to facilitate telehealth services to 
beneficiaries with ESRD and to allow for the evolution of technology. 
We are not including a condition related to ease of use for telehealth 
technologies furnished to patients, which we believe is a consideration 
for the patient and the clinician and is not needed as a fraud and 
abuse safeguard. Parties would need to comply with any other applicable 
government regulations that address ease of use or functioning of 
telehealth technology. Similarly, HIPAA and other Federal and State 
privacy and security laws apply notwithstanding this exception; 
therefore, we do not believe

[[Page 77868]]

an additional condition within this exception is necessary.
    Comment: Several commenters asserted that limiting ``telehealth 
technologies'' to two-way, real-time interactive communications 
equipment is overly narrow and could bar protection of many beneficial 
technologies that pose no greater risk than technologies included in 
the proposed definition. As an example, some commenters suggested that 
equipment used to monitor and report data to physicians and dialysis 
facilities (e.g., Bluetooth-enabled stethoscopes and thermometers) 
would not qualify under the proposed definition but could provide 
valuable clinical benefits. A commenter suggested that OIG follow the 
example provided in the current Kidney Care Choices Model operated by 
the Innovation Center that allows the use of asynchronous store-and-
forward technologies and the forwarding of health history to a 
clinician for review outside of a real-time interaction. Several 
commenters recommended including real-time (synchronous) and store-and-
forward (asynchronous) audio and video platforms. A commenter stated 
that an audio-only platform may be appropriate to assess whether the 
patient's condition necessitates an office visit.
    Response: We agree with commenters who suggest revising the 
definition to include broader forms of technology, including 
technologies that enable asynchronous communications between the 
patient and a distant site physician or practitioner. We have revised 
the definition of ``telehealth technologies'' to cover a more expansive 
range of technology than the proposed definition. This modification to 
the definition would cover technology based on its function, rather 
than specific types of technology. This would include equipment that 
could be used to monitor and report data to physicians and dialysis 
facilities (e.g., Bluetooth-enabled stethoscopes and thermometers) 
where appropriate, provided such technologies satisfy the other 
conditions of the exception. We believe the donor of any protected 
telehealth technologies--who per the terms of the exception must be 
currently providing the in-home dialysis, telehealth services, or other 
ESRD care to the patient--is in the best position to determine whether 
real-time or asynchronous information is appropriate and whether such 
technologies serve the purpose of furnishing telehealth services 
related to the recipient's ESRD. We do not believe the distinction 
between two-way, real-time technology and asynchronous technology 
materially changes the fraud and abuse analysis associated with 
providing patients valuable technology. Relatedly, we agree that some 
audio-only technology may be appropriate to assess whether the 
patient's condition necessitates an office visit and could contribute 
substantially to the provision of telehealth services to a patient.
    As explained above, the definition of ``telehealth technologies'' 
set forth in this final rule is technology agnostic and is not limited, 
for example, to technologies used for two-way, real-time interactive 
communication. We believe this final definition will extend protection 
to many of the specific technologies identified by commenters as long 
as other conditions of the exception are met.
    Comment: A commenter encouraged OIG to define the minimum set of 
capabilities required for a telehealth physician visit to include at 
least real-time bidirectional video interaction with audio. The 
commenter recommended the definition for ``telehealth technologies'' 
include tools such as peripheral devices or applications that the 
physician deems necessary to complete a proper assessment of the 
patient during a telehealth service, including remote monitoring and 
asynchronous messaging.
    Another commenter recommended OIG adopt the full definition of 
``interactive telehealth system'' at 42 CFR 410.78 in lieu of the 
proposed ``telehealth technologies'' definition but expand the 
definition to protect the use of asynchronous technologies in certain 
geographic areas (e.g., areas that are medically underserved). The same 
commenter also recommended including peripheral or supporting 
technology in the definition, which could support the use of remote 
patient monitoring.
    Response: As described above, we have modified the definition of 
``telehealth technologies'' to clarify the scope of technologies with 
telehealth capabilities protected by this exception. With respect to 
real-time bidirectional video interaction with audio, we view such 
technology as within the scope of the proposed definition as well as 
the definition finalized here. We also agree with the commenter that 
the definition should include tools such as peripheral devices or 
applications that the physician deems necessary to complete a proper 
assessment of the patient during a telehealth service. The definition 
of ``telehealth technologies'' encompasses the peripheral or supporting 
technologies for remote patient monitoring noted by the commenter. 
Asynchronous technologies would also meet the definition of telehealth 
technologies and could be protected if all conditions of the exception 
are met. For example, many types of remote patient monitoring 
technology are asynchronous and used to support remote communication 
between a patient and their physician for diagnosis, intervention, and 
ongoing care management. We did not propose and are not adopting any 
geographic limitation. Such restrictions are not necessary due to the 
other safeguards in the safe harbor, and further narrowing the limited 
statutory exception is not consistent with the statutory text (e.g., 
section 1128A(i)(6)(J) of the Act is not connected to telehealth 
services paid for by Medicare Part B, which are historically subject to 
geographic limitations).
    We note that policies regarding what constitutes a physician 
telehealth service are outside the scope of this rulemaking because it 
is limited to requirements for an exception to the Beneficiary 
Inducements CMP.
    Comment: Another commenter recommended aligning the exception with 
the list of services payable under the Medicare Physician Fee Schedule 
when furnished via telehealth by expanding the definition of 
``telehealth technologies'' to include communications-based 
technologies in addition to telehealth technologies.
    Response: We believe the commenter is referring to the telehealth 
technologies used to furnish ``communications technology-based 
services'' such as virtual check-in and remote assessment services that 
are separately billable under Medicare Part B. As discussed above, we 
have revised the definition of ``telehealth technologies,'' and it 
would include technologies that facilitate communications for these 
services including, by way of example, virtual check-in services. This 
exception protects a wide range of telehealth technologies that are 
provided for the purposes of furnishing remote or distant services 
through various modalities, including telehealth services, virtual 
check-in services, e-visits, monthly remote care management, and 
monthly remote patient monitoring.
    Consistent with this approach, as explained more fully above, we 
have modified the telehealth technologies definition so that it is not 
dependent on Medicare Part B payment for telehealth services. 
Relatedly, as explained more fully below, we are also modifying 
paragraph 10(iii) under the definition of ``remuneration'' in 42 CFR 
1003.110 so that protection of telehealth

[[Page 77869]]

technologies is not conditioned on their being provided for the purpose 
of furnishing ``telehealth services'' paid for by Medicare Part B.
c. Furnished by Specified Individuals and Entities Currently Providing 
Care to the Patient
    Summary of OIG Proposed Rule: Section 1128A(i)(6)(J) of the Act 
limits the exception to technologies provided ``by a provider of 
services or a renal dialysis facility (as such terms are defined for 
purposes of title XVIII) to an individual with end-stage renal disease 
who is receiving home dialysis for which payment is being made under 
part B of such title . . . .'' We proposed to implement this statutory 
provision in two ways. First, we proposed to use the precise statutory 
text in the introductory text in paragraph (10) under the definition of 
``remuneration'' in 42 CFR 1003.110. Second, we proposed a condition at 
paragraph (10)(i) that interprets the statutory language so that the 
exception would be available only to the provider of services or the 
renal dialysis facility that is currently providing in-home dialysis, 
telehealth services, or other ESRD care to the patient. We explained 
that the intent of this condition was to ensure that the exception only 
protected the provision of telehealth technologies to patients with 
whom the provider or renal dialysis facility had a prior clinical 
relationship. A beneficiary has a prior clinical relationship with the 
donor if the patient is receiving home dialysis, telehealth services, 
or other ESRD care from the donor. We also specifically solicited 
comment on this interpretation recognizing that this limitation may 
pose challenges.
    We also sought comment on but did not propose specific regulatory 
text for whether we should interpret the statutory exception to apply 
not only to the ``provider of services or the renal dialysis facility 
(as those terms are defined in title XVIII of the Act)'' but also 
``suppliers,'' as defined in title XVIII of the Act, so that the 
exception would be consistent with the broader goals to expand patient 
access to in-home dialysis care furnished by their physician in section 
50302(b) of the Budget Act of 2018.
    Summary of Final Rule: We are finalizing, with modifications, the 
proposed condition at paragraph (10)(i) that interprets the statutory 
language so that the exception would be available only to the provider 
of services or the renal dialysis facility that is currently providing 
in-home dialysis, telehealth services, or other ESRD care to the 
patient. The final rule limits the exception to telehealth technologies 
furnished by a provider of services, physicians, or a renal dialysis 
facility currently providing in-home dialysis, telehealth services, or 
other ESRD care to the patients or has been selected or contacted by 
the patient to schedule an appointment or provide services.
    Comment: Several commenters supported both of our proposals 
implementing section 1128A(i)(6)(J) of the Act, including the 
interpretation that the provision of telehealth technologies is limited 
to patients with whom the donors have a prior clinical relationship. 
Several commenters shared OIG's concern that expanding the exception to 
protect the provision of telehealth technologies to new patients or to 
patients who are not currently receiving ESRD services or care from the 
individual or provider of services or the facility may result in 
inappropriate steering.
    However, another commenter expressed concern that this 
interpretation would be operationally difficult to implement and could 
reduce the benefits of the otherwise permissible telehealth 
technologies. According to the commenter, once patients have selected a 
provider, they should not have to wait for telehealth services 
furnished through protected arrangements until they are already 
receiving in-home dialysis. The commenter asserted that delaying 
telehealth technologies in this context may disrupt normal care 
delivery methods.
    Response: Consistent with section 1128A(i)(6)(J) of the Act and our 
proposed interpretation, limiting the exception to telehealth 
technologies furnished by a provider of services, physicians, or a 
renal dialysis facility currently providing in-home dialysis, 
telehealth services, or other ESRD care to the patients is consistent 
with the statutory language and an appropriate safeguard against 
inappropriate steering and patient recruitment. As such, we are 
finalizing the introductory language of paragraph (10) under the 
definition of remuneration in 42 CFR 1003.110 as proposed.
    We also are finalizing the condition at paragraph (10)(i) under the 
definition for ``remuneration'' in 42 CFR 1003.110 with modifications. 
Specifically, we have modified this condition by adding the following 
clause: ``or has been selected or contacted by the individual to 
schedule an appointment or provide services.''
    We agree with the commenter who suggested that once a patient has 
selected a provider, physician, or facility, the patient should be 
eligible to receive telehealth technologies. The purpose of the 
proposed condition was to limit the risk of the technologies being used 
as a recruiting tool or to facilitate the provision of unnecessary 
services. However, because protected telehealth technologies may not be 
offered as part of any advertisement or solicitation, we believe that 
making telehealth technologies available to patients who contact the 
provider, physician, or facility on their own initiative is 
sufficiently low risk to warrant protection by this exception. Thus a 
provider, physician, or facility may offer or furnish telehealth 
technologies to a patient with ESRD who is receiving home dialysis paid 
for by Medicare Part B after the patient selects and initiates contact 
with a provider, facility, or physician to schedule an appointment or 
other services.\153\ This approach is consistent with our intent in the 
OIG Proposed Rule to prevent arrangements from being protected by the 
exception where the donor does not have a preexisting clinical 
relationship with the patient and to reduce the risk of inappropriate 
patient recruitment or marketing schemes.
---------------------------------------------------------------------------

    \153\ If a patient is unable to call a provider or physician 
himself or herself, or has otherwise given consent for a person 
(e.g., a family member, a case manager, or a provider or supplier 
when the patient is attending an appointment or receiving services) 
to schedule appointments or upcoming services for him or her, then a 
request for an appointment or upcoming services made on behalf of 
the patient is sufficient to meet the patient-initiated contact 
requirement.
---------------------------------------------------------------------------

    We view a patient reaching out to schedule an appointment or other 
services and asking whether assistance in facilitating telehealth 
services might be available as low risk in light of the other 
conditions in the exception, such as the limitation on advertisement 
and solicitation discussed further below. Patient-initiated contact is 
also distinguishable from a provider, facility, or physician initiating 
contact with a new patient (or to the patient's case manager) and 
soliciting the patient to elect in-home dialysis or to switch 
providers, coupled with an offer of telehealth technologies. The former 
would be protected (if all other conditions of the exception are met) 
and the latter would not.
    Comment: Several commenters opposed extending the exception to 
apply to suppliers as defined in title XVIII of the Act because it 
could result in telehealth technologies being offered to patients 
without any provider reviewing whether the technology is an appropriate 
offering for the particular patient's clinical condition and, more 
generally, increases the risk for

[[Page 77870]]

inappropriate use or offering of technologies. A commenter also 
asserted that expanding protected donors to include protection for 
suppliers is not consistent with congressional intent. A commenter 
asserted that protection under the exception should be limited only to 
nephrologists and dialysis providers who are directly responsible for 
the provision of care to home dialysis patients.
    Response: This final exception, consistent with our solicitation in 
the OIG Proposed Rule, protects telehealth technologies provided by 
physicians as defined in title XVIII of the Act who are providing in-
home dialysis, telehealth services, or other ESRD care to the 
recipient. This modification will be included in the introductory 
language of paragraph (10) and in paragraph (10)(i) under the 
definition to remuneration in 42 CFR 1003.110. As explained in the OIG 
Proposed Rule and further below, this modification is consistent with 
section 50302 of the Budget Act of 2018. In particular, physicians--
notably but not exclusively nephrologists--are central to the provision 
of telehealth services related to ESRD care that would be furnished 
using the telehealth technologies, as described in the statute. For 
example, without the inclusion of physicians, telehealth technologies 
furnished by a patient's nephrologist could not receive protection 
under this exception.
    As part of the Creating High-Quality Results and Outcomes Necessary 
to Improve Chronic Care Act of 2018,\154\ section 50302 of the Budget 
Act of 2018 amends section 1881(b)(3) of the Social Security Act to 
permit an individual with ESRD receiving home dialysis to elect to 
receive their monthly ESRD-related clinical assessments via telehealth, 
if certain other conditions are met. CMS implemented these statutory 
changes through amendments to 42 CFR 410.78 and 414.65.\155\ Under 
those CMS rules, the newly covered monthly ESRD-related clinical 
assessments furnished via telehealth would be provided by a physician 
at the distant site who is licensed under State law to furnish the 
covered monthly ESRD-related clinical assessments.\156\ It is 
consistent with the OIG Proposed Rule and section 50302 of the Budget 
Act of 2018 that this exception protect the provision of telehealth 
technologies offered by physicians (e.g., nephrologists) furnishing 
monthly ESRD-related clinical assessments via telehealth for patients 
receiving home dialysis. Under the new CMS rules, the physicians 
performing these clinical assessments are well positioned to understand 
what telehealth technologies should be provided to the ESRD patient for 
the purpose of furnishing telehealth services.
---------------------------------------------------------------------------

    \154\ S. 870, 115th Congress (Sept. 26, 2017).
    \155\ 83 FR 59495 (Nov. 23, 2018).
    \156\ 42 CFR 410.78(b) specifies in part that ``Medicare Part B 
pays for covered telehealth services included on the telehealth list 
when furnished by an interactive telecommunications system if the 
following conditions (are met, such as) . . . [t]he physician or 
practitioner at the distant site must be licensed to furnish the 
service under State law. The physician or practitioner at the 
distant site who is licensed under State law to furnish a covered 
telehealth service described in this section may bill, and receive 
payment for, the service when it is delivered via a 
telecommunications system.''
---------------------------------------------------------------------------

    We agree with commenters that expanding the exception to a broad 
range of practitioner types by using ``suppliers'' poses risk and, upon 
further review, we see no support in the statute for doing so. Section 
1128J(i)(6)(J) of the Act conditions protection on the connection 
between the provider of services or renal dialysis facility and caring 
for an individual with ESRD. The definition of ``suppliers'' in title 
XVIII includes a physician or other practitioner, a facility, or other 
entity (other than a provider of services) that furnishes items or 
services under this title. That definition covers numerous practitioner 
and entity types, many of which are not providing ESRD services. We are 
concerned that including these practitioners and entities would not 
further the ESRD-related purposes of the exception, were not 
contemplated by Congress, and could pose risk that these parties would 
offer telehealth technologies to steer beneficiaries to select them as 
a supplier or to their products and services. In light of that risk and 
consistent with the section 1128J(i)(6)(J) of the Act, we are 
finalizing the exception by including ``physicians'' but not 
``suppliers'' (as that term is defined in title XVIII).
    Section 1861(r) of the Act defines the term ``physician.'' That 
definition includes a limited set of practitioners including doctors of 
medicine or osteopathy, doctors of dental surgery, doctors of podiatric 
medicine, doctors of optometry, and chiropractors. Under this final 
exception, a physician must meet this definition in 1861(r) of the Act 
and, consistent with paragraph 10(i) in 42 CFR 1003.110, be providing 
in-home dialysis, telehealth services, or other ESRD care to the 
patient. Consequently, it is unlikely that all practitioner types under 
1861(r) would be eligible for protection for providing telehealth 
technologies under this exception. For example, it is unlikely that 
dental surgeons, doctors of podiatric medicine, or chiropractors would 
be providing telehealth services to ERSD patients.
d. Prohibition on Advertisement or Solicitation
    Summary of OIG Proposed Rule: We proposed to incorporate the 
statutory requirement in section 1128A(i)(6)(J)(i) of the Act that the 
telehealth technologies are not offered as part of any advertisement or 
solicitation. We proposed to interpret the terms ``advertisement'' and 
``solicitation'' consistent with their common usage in the health care 
industry.
    Summary of Final Rule: We are finalizing this condition as 
proposed.
    Comment: A commenter expressed support for the proposal precluding 
the protection of telehealth technologies offered as part of an 
advertisement or solicitation.
    Response: We are including this protection in the final rule, 
consistent with the statute. As stated in the OIG Proposed Rule, we 
interpret the terms ``advertising'' and ``solicitation'' consistent 
with prior rulemakings. We emphasize that whether a particular means of 
communication constitutes an advertisement or solicitation will depend 
on the facts and circumstances.\157\
---------------------------------------------------------------------------

    \157\ 81 FR 88373 (Dec. 7, 2016).
---------------------------------------------------------------------------

    Additionally, consistent with our interpretation in the OIG 
Proposed Rule, we note that it is important for patients to receive 
information about their health care options, and that not all 
information provided to beneficiaries is advertising or solicitation. 
Stakeholders should interpret the terms ``advertisement'' and 
``solicitation'' consistent with their common usage in the health care 
industry.
e. Provided for the Purpose of Furnishing Telehealth Services Related 
to an Individual's End Stage Renal Disease
    Summary of OIG Proposed Rule: We proposed to interpret the 
condition at section 1128A(i)(6)(J)(ii) of the Act that the telehealth 
technologies are provided ``for the purpose of furnishing telehealth 
services related to the individual's [ESRD]'' to mean that the 
technologies: (i) Contribute substantially to the provision of 
telehealth services related to the individual's ESRD; (ii) are not of 
excessive value; and (iii) are not duplicative of technology that the 
beneficiary already owns if that technology is adequate for telehealth 
purposes. We proposed to interpret ``telehealth services related to the 
individual's ESRD'' to mean only those telehealth services paid for by 
Medicare

[[Page 77871]]

Part B. We stated that we would consider technology to be of excessive 
value if the retail value of the technology were substantially more 
than required for the telehealth purpose.
    We sought comment on but did not propose regulatory text on the 
following issues: (i) Whether we should require that the person 
furnishing the telehealth technologies make a good faith determination 
that the individual to whom the technology is furnished does not 
already have the necessary technology and that such technology is 
necessary for the telehealth services provided; (ii) whether we should 
adopt a more restrictive exception that would protect technologies that 
provide the beneficiary with no more than a de minimis benefit for any 
purpose other than furnishing telehealth services related to the 
individual's ESRD; (iii) whether we should adopt a different standard 
that would protect telehealth technologies only when furnished 
predominantly for the purpose of furnishing telehealth services related 
to the individual's ESRD; and (iv) whether the exception should require 
the provider or facility to retain ownership of any hardware and make 
reasonable efforts to retrieve the hardware once a beneficiary no 
longer needs it for the permitted telehealth purposes.
    Summary of Final Rule: We finalizing this condition, with 
modification, to use the statutory language in section 
1128J(i)(6)(J)(ii) of the Act. We are finalizing this condition 
consistent with the statutory exception to read: The telehealth 
technologies are provided for the purpose of furnishing telehealth 
services related to the individual's end-stage renal disease.
    Comment: Several commenters supported our interpretation of section 
1128A(i)(6)(J)(ii) of the Act as proposed. Commenters appreciated what 
they believed to be meaningful guardrails to ensure that the provision 
of telehealth technology does not serve as an inducement to select a 
particular provider and shared our concerns regarding the potential for 
providers to offer such remuneration to steer patients with whom they 
do not have a prior clinical relationship to themselves.
    Some commenters argued that our proposed interpretation of ``for 
the purpose of furnishing telehealth services related to the 
individual's [ESRD]'' was more restrictive than the statutory language 
required. For example, a commenter supported removing the word 
``substantially'' from the phrase ``contributes substantially to the 
provision of telehealth services,'' observing it adds a restriction 
that does not appear expressly in the statute.
    A commenter noted that certain telehealth technologies may have 
some benefit to a patient beyond facilitating telehealth services 
related to the individual's ESRD, but most uses can be limited from a 
technical standpoint. For those services for which it would not be 
feasible to limit use, such as data services, the commenter believed 
that such services could be provided based on a patient's clinical 
need, geographic need, or both, and removed when the patient no longer 
has a clinical or geographic need for the services (e.g., the patient 
is no longer treated in the home).
    Response: We are not finalizing our proposed language. Instead, we 
are modifying this condition to use the statutory language in section 
1128J(i)(6)(J)(ii) of the Act. We agree with commenters that the 
proposed condition added additional requirements not included in the 
statute. To the extent that the exception needed additional safeguards, 
the Secretary has the authority to implement those under section 
1128J(i)(6)(iii) of the Act. Therefore, we are finalizing this 
condition consistent with the statutory exception to read: The 
telehealth technologies are provided for the purpose of furnishing 
telehealth services related to the individual's end-stage renal 
disease.
    As explained in the OIG Proposed Rule, we have concerns about the 
provision of valuable technology improperly inducing a beneficiary to 
choose a particular provider, physician, or facility. The limited 
nature of the exception and the conditions finalized in this rule 
provide reasonable and necessary safeguards against fraud and abuse. 
For example, the conditions at paragraphs 10(i) and (ii) work together 
to prevent protection under the exception if the provider, physician, 
or renal dialysis facility is marketing or using the potential 
provision of technology to induce and obtain new patients.
    Based on the statutory language and matching condition finalized 
here, we believe a wide range of technologies could be protected. 
However, we emphasize that a determination regarding whether the 
provision of telehealth technologies meets the condition at paragraph 
10(ii) in the definition of ``remuneration'' at 42 CFR 1003.110 
requires a case-by-case assessment of the functionality of the 
technologies to be provided and telehealth services being furnished to 
the ESRD patient.
    We are not including a condition as suggested by the commenter that 
would require a donor to technically limit the telehealth technologies 
provided. Under this condition and the definition of ``telehealth 
technologies'' as finalized, technologies that are multifunctional and 
have purposes in addition to furnishing telehealth services related to 
the individual's ESRD are not precluded and may be protected. For 
example, this condition could protect a tablet that a patient would use 
to access telehealth services for their ESRD care, even though the 
tablet has other purposes or functionalities (e.g., ability to download 
any mobile application) as long as such provision meets all conditions 
of the exception.
    Comment: Several commenters opposed OIG's considered interpretation 
of this statutory condition--``the telehealth technologies are provided 
for the purpose of furnishing telehealth services related to the 
individual's [ESRD]''--that would restrict telehealth technologies to 
those that do not provide the beneficiary with more than a de minimis 
benefit outside of the telehealth services related to the individual's 
ESRD. Commenters suggested that such a condition would limit access to 
needed technology, add unnecessary burden and uncertainty, or impede 
the objective of expanding in-home dialysis patients' use of telehealth 
services. A commenter recognized that allowing devices with non-health 
care functions could be considered an inducement but highlighted that 
patients who receive such devices also must accept the obligations and 
responsibilities of home dialysis, which the commenter believes serves 
as an appropriate safeguard.
    Another commenter expressed concerns that the de minimis benefit 
standard might create complications for patients with multiple health 
needs that could be fulfilled by the same device, and the commenter 
asserted that it would not be a good use of resources for a patient to 
be prescribed two separate digital health tools when one would meet all 
of the patient's clinical needs.
    Response: We agree with commenters and are not finalizing a de 
minimis benefit standard in this exception.
    Comment: Several commenters supported prohibiting providers from 
giving patients telehealth technologies for home dialysis that are of 
excessive value or duplicative of technology that the beneficiary 
already owns. A commenter found these guardrails particularly important 
given the limited number of vendors currently offering home dialysis 
equipment and supplies. The commenter asserted that the limited 
competition in the home dialysis market would make acquisition costs of 
telehealth technologies particularly

[[Page 77872]]

significant for small and independent providers who lack market share 
advantages used in negotiations with vendors. Another commenter 
requested further clarification on what donations would be considered 
of ``excessive value.''
    Response: For the reasons noted above, we are finalizing paragraph 
(10)(iii) in 42 CFR 1003.110 to mirror the statutory language at 
section 1128J(i)(6)(J)(ii) of the Act, without a requirement that the 
telehealth technologies not be of excessive value. Additionally, we are 
not finalizing a condition elsewhere that requires the telehealth 
technologies not be of excessive value. The limited nature of the 
exception and the other conditions provide appropriate safeguards.
    The value of the telehealth technologies provided to a patient may 
be a fact or circumstance used to assess whether the provision of such 
technology meets the finalized condition at paragraph 10(iii) in the 
definition of ``remuneration'' at 42 CFR 1001.130. In other words, 
depending on the facts and circumstances, technology of excessive value 
could indicate that the technology is not being provided for the 
purpose of furnishing telehealth services related to the individual's 
ESRD. Excessively valuable technology beyond what is reasonable for 
furnishing telehealth services related to ESRD could also indicate that 
the technology is part of a prohibited advertisement or solicitation 
under paragraph (10)(ii).
    As stated in the OIG Proposed Rule, providing telehealth technology 
with substantial independent value might serve to inappropriately 
induce the beneficiary. In the context of this exception, that risk 
materializes because excessive value of the telehealth technology may 
make the purpose of the donation suspect and call into question whether 
it is related to furnishing telehealth services. For example, if a $50 
per month data plan would facilitate the connection needed for the 
patient to access telehealth services, the provision of a $100 per 
month data plan might raise concerns that the data plan is being 
offered for a purpose other than access to telehealth services. 
Similarly, if the donor knows that the patient already has a data or 
internet service plan that would facilitate the furnishing of 
telehealth services and furnishes such a plan anyway, a question could 
arise about the purpose of the remuneration to the patient.
    Comment: A commenter stated that if telehealth technologies are 
provided for the purpose of furnishing telehealth services related to 
the individual's end-stage renal disease, and if the donated telehealth 
technologies meet the other elements of the exception, no dollar value 
limit should be necessary because the purpose cannot be to induce 
beneficiaries to select particular providers. Two other commenters 
recommended including a condition requiring the recipient's payment of 
at least 15 percent of the offeror's cost for the in-kind remuneration. 
Another commenter recommended a $500 annual cap to ensure the 
technology did not act as an inducement for referrals.
    Response: We did not propose a contribution requirement or an 
annual monetary cap. We believe the combination of safeguards we are 
finalizing implement the statutory conditions in section 1128A(i)(6)(J) 
of the Act and safeguard against risks of fraud and abuse.
    Comment: Related to the proposed requirement that the telehealth 
technologies be necessary and nonduplicative of technology the patient 
already has, a commenter stated that a patient's existing personal use 
technology may have some of the necessary capabilities but also may 
lack all components necessary to be reliable and fully functional for 
accessing telehealth services. The commenter further asserted it would 
not be efficient or practical to require that the provider furnish 
additional necessary components to the patient's existing technology--
and any associated installation and support services--to make it fully 
capable of accessing telehealth services. For example, the commenter 
referenced a patient who has a personal computer without video 
capabilities. The commenter surmised that it is more logical and cost-
effective to provide a ready-to-use integrated device focused solely on 
their ESRD clinical assessments and related ESRD care support to the 
patient instead of trying to retrofit the computer, which could involve 
identifying and installing missing components and providing 
technological support for this personal-use equipment. The commenter 
recommended that if the patient's personal technology does not have all 
the necessary components for telehealth, provision of fully integrated 
telehealth technology should be protected under the exception.
    Response: We are not finalizing a requirement that the telehealth 
technologies not be duplicative of technology that the beneficiary 
already owns in paragraph 10(iii) in the definition of ``remuneration'' 
at 42 CFR 1001.130. This condition is being finalized consistent with 
the statutory condition at section 1128J(i)(6)(J)(ii) of the Act. 
Additionally, we are not finalizing a condition elsewhere that requires 
the telehealth technologies not be duplicative of technology that the 
beneficiary already owns. The limited nature of the exception and the 
other conditions provide appropriate safeguards.
    Assessing whether telehealth technologies would be duplicative of 
technology that the beneficiary already has may be a fact or 
circumstance used to determine whether the provision of such technology 
meets the finalized condition at paragraph 10(iii) in the definition of 
``remuneration'' at 42 CFR 1001.130. For example, if a patient has 
existing telehealth technology and is already able to receive 
telehealth services, providing the patient with additional telehealth 
technology may not have the purpose of furnishing telehealth services. 
A true determination would have to be based on the specific facts and 
circumstances of the additional provision of telehealth technologies, 
including the telehealth services provided to the patient and the 
patient's condition.
    We highlight that if a patient's existing technology does not have 
all the necessary components or capabilities to support the telehealth 
services, then those facts are favorable in determining that the 
provision of telehealth technology to that patient meets the condition 
at paragraph (10)(iii). With respect to the decision between 
``retrofitting'' a patient's existing technology or providing fully 
integrated telehealth technology, meeting this exception is not 
specifically conditioned on whether the technology is fully integrated 
or retrofitted. In making a determination about the technology to 
provide and potential protection under this exception, providers, 
physicians, and renal dialysis facility will have to assess the 
particular facts and circumstances for that patient and the potential 
technology. To be clear, we do not intend for this exception to result 
in providers, physicians, and renal dialysis facilities that provide 
telehealth technologies attempting to retrofit a patient's existing 
technology. To the extent that technology already owned or used by a 
patient with ESRD would not be adequate for the telehealth services, 
that fact weighs favorably in determining that providing new telehealth 
technology meets the condition at 10(iii) under the definition of 
``remuneration'' in 42 CFR 1003.110.
    Comment: Many commenters objected to the proposed additional 
requirement that the party furnishing the technology make a good faith 
determination that the

[[Page 77873]]

individual to whom the technology is furnished does not already have 
the necessary telehealth technology. Some commenters stated that the 
primary proposal--that the technology is not of excessive value and is 
not duplicative of technology that the beneficiary already owns if that 
technology is adequate for the telehealth purposes--provides adequate 
protection against technologies being used as inducements for 
duplicative or unnecessary telehealth services. Other commenters 
supported the proposed ``good faith determination'' requirement. 
Another commenter asked us to clarify what a ``good faith'' effort to 
determine that the patient does not have the necessary technology 
means, because the commenter is concerned that this provision could 
lead to increased physician burden. A commenter stated that requiring 
facilities or providers to make a good faith determination regarding 
whether the recipient already has access to telehealth technologies 
places a potentially ongoing burden to investigate a home dialysis 
patient's personal life to ensure that they do or do not possess such 
technology. The commenter asked whether a facility or provider must 
consistently audit patient technology access to ensure that the loaned 
or donated technology does not become duplicative over time. The 
commenter suggested that patients should be able to opt out of 
telehealth technologies furnished by a provider or facility, even if 
specified in their plan of care, because they already have access to 
such technology. In this way, the responsibility falls to the patient 
to report access to technology, not on the facility or provider to 
ensure that the patient does or does not possess such a device. Some 
commenters supported the proposed additional ``good faith 
determination'' requirement.
    Response: We are not including a condition in this final exception 
that requires a good faith determination that the individual to whom 
the technology is furnished does not already have the necessary 
telehealth technology. Consistent with the discussion related to the 
condition on duplicative technology, we note that assessing whether 
providing telehealth technologies would be duplicative of technology 
that the beneficiary already has may be a fact or circumstance used to 
determine if the provision of such technology meets the finalized 
condition at paragraph 10(iii) in the definition of remuneration at 42 
CFR 1003.110.
    In response to the commenters' questions regarding what constitutes 
a good faith effort, we want to clarify that this exception does not 
condition protection on investigating the patient's personal life or 
auditing the technology that a patient may already have available. When 
determining whether the provision of telehealth technology meets this 
condition, specific facts and circumstances about the patient will need 
to be considered. This would include the patient's health condition, 
telehealth services provided to the patient, and how the telehealth 
technologies support furnishing telehealth services relating to the 
patient's condition. Most of the information about the patient is 
likely gathered as part of the clinical and monthly assessments that 
patients receiving in-home dialysis receive or is gathered through the 
normal course of patient and provider interaction about the patient's 
condition and treatment.
    That said, nothing in this exception prevents physicians, 
providers, and facilities from asking patients about their existing 
technology needs and capabilities; nothing requires patients to answer 
such inquiries. We would expect that conversations about patients' 
existing technology would inform donors' decision-making with respect 
to furnishing telehealth technologies consistent with this exception. 
We do not prescribe how providers, physicians, and facilities make the 
determination whether providing telehealth technologies meets the 
condition that the technology be for the purpose of furnishing 
telehealth services related to the patient's ESRD.
    As modified, we do not believe this final exception will increase 
provider, physician, or renal dialysis facility burden, nor expose 
patients to unwarranted intrusions. Conditions of this exception 
implement the statutory exception in section 1128A(i)(6)(J) of the Act. 
The statutory exception gives providers, physicians, and renal dialysis 
facilities the flexibility to provide telehealth technologies for the 
purpose of furnishing telehealth services related to patients' ESRD. 
This may help increase options for ESRD patients to manage their care 
by making telehealth more widely available. We also note that use of 
this exception is voluntary.
    Comment: A commenter recommended that as a condition for 
protection, the telehealth technology provided to the patient should be 
necessary for the provision of the telehealth services and, where 
possible, restricted to the functions that facilitate the provision of 
care (e.g., a tablet that can only be used for telehealth services), 
and ensure a secure, safe, and satisfactory user experience. However, 
the commenter explained that some telehealth technologies may be 
duplicative or overlap with technology the patient may already have 
access to and that the condition may result in an overly burdensome 
patient intake process, to include an accounting of all of the 
patient's technology (e.g., items in a patient's possession as well as 
the operating systems and compatibility with the telehealth offering). 
The commenter suggested that instead of protecting only nonduplicative 
telehealth technologies, OIG limit protected telehealth technologies to 
what is reasonably necessary for the furnishing of telehealth services 
and require that providers, suppliers, and facilities provide the 
patient with disclosure language that the telehealth equipment is 
provided for their ESRD-related treatment and care, and that it is the 
responsibility of the patient to use the device for these specific 
purposes only.
    Response: We did not propose a condition that the telehealth 
technology be necessary for the provision of telehealth services and 
are not finalizing such a condition. As explained above, we are also 
not finalizing a condition that requires a good faith determination 
that the individual to whom the technology is furnished does not 
already have the necessary telehealth technology. We emphasize 
telehealth technology is not protected unless the technology is 
provided for the purpose of furnishing telehealth services related to 
the individual's end-stage renal disease.
    We are not finalizing the condition that would require the person 
who furnishes the telehealth technologies to take reasonable steps to 
limit the use of the telehealth technologies by the individual to the 
telehealth services described on the Medicare telehealth list. We agree 
with the commenter that there may be practical and operational 
challenges with such a requirement. Additionally, the combinations of 
safeguards finalized in this rule appropriately protect against 
potential fraud and abuse and this condition, which we considered in 
the OIG Proposed Rule, is not necessary.
    Comment: A commenter expressed support for our proposal to 
interpret ``telehealth services related to the individual's [ESRD]'' to 
mean telehealth services paid for by Medicare Part B because the 
proposal ensures that all Part B telehealth services are treated 
consistently by defaulting to the statutory definition for telehealth 
services. Another commenter suggested that we clarify that, in order to 
qualify for protection under the exception, the telehealth technologies 
must be used for

[[Page 77874]]

the Part B clinical assessment and also may be used for additional 
clinical support and patient monitoring directly related to the ongoing 
ESRD care.
    Many other commenters urged us not to adopt this interpretation, 
asserting that it was too narrow. Commenters noted that patients with 
ESRD could benefit from telehealth services that might not be covered 
by Part B--including patient education, dietary counseling, and 
monitoring vital signs--that may assist with managing comorbidities 
(which may or may not be related to the patient's ESRD) and preventing 
further progression of kidney disease. A commenter stated that while 
the care provided via telehealth technologies should be primarily 
related to the management of ESRD, dialysis providers are well-suited 
to treat the ``whole person'' with the assistance of telehealth 
technologies. The commenter sought to provide telehealth technologies 
that might support virtual ESRD management (e.g., nurse assessment, 
social worker support, dietician care), as well as telehealth 
technologies that may address ESRD-related issues and comorbidities 
possibly included in value-based care models (e.g., fistula evaluation 
and specialty visits for comorbidity management). Commenters also 
asserted that protecting a broader range of telehealth services would 
further the Department's goal of encouraging care coordination and 
Congress' intent in enabling in-home dialysis. Some commenters asserted 
that the statute does not require limiting the telehealth services to 
those paid for by Medicare Part B. A commenter also noted that payment 
for ESRD services under Medicare Part B is through a bundled payment 
and it is therefore impossible to have the technology tied to any 
particular reimbursed service.
    Response: We are not finalizing our proposed interpretation of 
``telehealth services related to the individual's [ESRD]'' to mean 
telehealth services paid for by Medicare Part B. We did not propose 
regulatory text to implement this interpretation, and therefore, are 
not making corollary modifications to the regulatory text. We explain 
in more detail below that we broadly interpret the term ``telehealth 
services'' to apply a wide range of services that are provided with 
telehealth technologies. However, we are not adopting a specific 
definition of ``telehealth services'' for this exception. We provide 
additional explanation about our interpretation of the term 
``telehealth services'' below.
    We agree with commenters that section 1128A(i)(J)(6) of the Act 
does not limit telehealth services to those paid for by Medicare Part 
B. The definition of ``telehealth technologies'' in section 
1128A(i)(6)(J) and the term ``telehealth services'' in 
1128A(i)(6)(J)(ii) are not limited to related definitions in Medicare. 
The statute provided the Secretary flexibility to interpret these terms 
differently than the Medicare definitions in Title XVIII of the Act.
    Consistent with the statutory exception and for the purpose of this 
exception, we are not limiting the term ``telehealth services'' to 
those that would be paid for by Medicare Part B. We recognize that this 
means providers, physicians, and renal dialysis facilities will have 
flexibility to determine whether telehealth technologies are provided 
for the purpose of furnishing telehealth services related to the 
individual's ERSD. The limited nature of the exception and the other 
safeguards appropriately limit the risk of fraud and abuse. For 
example, one risk of inappropriate beneficiary inducements is that they 
will lead to a practitioner providing medically unnecessary services to 
the patient. The limited nature of this exception mitigates that risk 
(e.g., this exception is limited to Medicare Part B beneficiaries 
receiving in-home dialysis). It is unlikely that a beneficiary could be 
induced to receive medically unnecessary in-home dialysis to receive 
free telehealth technologies. In-home dialysis is invasive treatment 
and requires significant up-front training.
    Additionally, under the same sections the beneficiary must be 
receiving in-home dialysis paid for by Medicare Part B. That mitigates 
and provides additional protection against providers, physicians, and 
renal dialysis facilities that seek to use telehealth technologies to 
induce and bill for medically unnecessary telehealth services related 
to the patient's ESRD condition. If the provider is seeking to bill 
Medicare for telehealth services that use telehealth technologies 
protected by this exception, those services must meet all Medicare 
requirements, including medical necessity. This exception does not 
affect Medicare requirements for ESRD services or telehealth services. 
Furthermore, billing for medically unnecessary telehealth services is 
not protected by this exception and such conduct would implicate 
criminal and civil health care fraud statutes. Therefore, this 
exception does not need to link the term ``telehealth services'' to 
those paid for by Part B as an additional safeguard for the purposes of 
this exception. To the contrary, we agree with commenters that limiting 
telehealth services to services currently paid for by Medicare Part B 
would unnecessarily limit the utility of the exception to support 
patients' ESRD care and use of home dialysis. To the extent that the 
telehealth services are not billable to Medicare, there is reduced risk 
that free telehealth technology is being offered as an inducement for 
billable services.
    We are not finalizing a definition of ``telehealth services'' 
specific for this exception. Instead, we are providing an 
interpretation of the term in the preamble of this rule. The exception 
protects the provision of a broad range of telehealth technologies, as 
we explained above in the discussion of that definition. If we were to 
limit the term to telehealth services paid for by Medicare Part B, then 
the types of technology would be limited to those identified in section 
1834(m) of the Act and 42 CFR 410.78 (i.e., audio and video equipment 
permitting two-way, real-time interactive communication). Similarly, if 
we were to define ``telehealth services,'' we might inadvertently limit 
the scope of the telehealth technologies definition that is intended to 
be broad.
    As stated previously, we intend for this exception to apply to all 
types of telehealth technology that are provided for the purposes of 
furnishing distant or remote services through various modalities. At a 
minimum, such services include the following types covered by Medicare: 
Telehealth services, virtual check-in services, e-visits, remote care 
management, and remote patient monitoring. To receive protection, 
telehealth technologies do not need to be provided for the purpose of 
furnishing a payable Medicare service related to the individual's end-
stage renal disease.
    To provide additional examples, this exception would protect 
telehealth technology provided for the purpose of furnishing the 
following types of telehealth services raised by commenters as long as 
the arrangement meets all conditions of the exception: Virtual ESRD 
management (e.g., nurse assessment, social worker support, dietician 
care), patient education, dietary counseling, and monitoring vital 
signs. Other services not listed here may also be considered telehealth 
services for the purposes of this exception based on the facts and 
circumstances of the care being provided. Accepted clinical and care 
practices for use of telehealth, physician judgment, and patient and 
caregiver needs and preferences with respect to modalities would be 
relevant considerations in assessing the telehealth services under this 
specific condition. This exception provides significant flexibility to 
providers,

[[Page 77875]]

physicians, and renal dialysis facilities to assess how telehealth 
technologies can be provided to support a wide range of telehealth 
services related to an individual's ESRD.
    Again, this exception does not change the coverage or payment 
requirements related to the provision of these services or submitting 
claims for reimbursement. Even though this exception may protect a 
physician, provider, or renal dialysis facility from CMP liability for 
providing a patient telehealth technology for the purpose of furnishing 
telehealth services, that does not mean the physician, provider, 
facility, or any other individual or entity can bill for those 
services.
    The other limitation in this condition is that the telehealth 
technologies be provided for the purposes of furnishing telehealth 
services related to the individual's ESRD. In response to commenters 
who recommended that this include telehealth services that address 
ESRD-related issues and comorbidities, we agree that this language is 
not specifically limited to ESRD. We recognize that patients with ESRD 
are likely receiving care for comorbidities that affect their ESRD. It 
would be difficult to define in this Beneficiary Inducement CMP 
exception criteria that a provider, physician, or renal dialysis 
facility could apply to assess whether a telehealth service is or is 
not related to an individual's ESRD. We believe the appropriate 
approach is to give health care providers flexibility to make this 
determination reasonably based on the specific facts and circumstances 
of the patient's condition and telehealth services furnished to care 
for such condition. Although not required, we believe it would be a 
best practice for the donor to document contemporaneously how the 
telehealth services relate to the individual's ESRD care, such as to 
management of care, monitoring of health, or treatment, potentially 
including reference to appropriate clinical or other relevant health or 
patient-reported indicators.
    Furthermore, we note that several other exceptions and safe harbors 
may apply to certain items and services for which commenters sought 
protection under this exception, depending on the facts and 
circumstances, such as the patient engagement and support safe harbor 
finalized in this rule at 42 CFR 1001.952(hh) and the exception to the 
definition of ``remuneration'' under the Beneficiary Inducements CMP 
for certain remuneration that poses a low risk of harm and promotes 
access to care, 42 CFR 1003.110.
f. Ownership and Retrieval of Technology
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we 
considered and sought comment on a condition that would require the 
provider or facility to retain ownership of any hardware and make 
reasonable efforts to retrieve the hardware once the beneficiary no 
longer needs it for the permitted telehealth purposes.
    Summary of Final Rule: After a consideration of relevant comments, 
we are not finalizing this condition.
    Comment: Many commenters on this topic expressed support for the 
overall concept of requiring the provider or facility to retain 
ownership and make reasonable efforts to retrieve the hardware once the 
beneficiary no longer needs it. Some commenters did not support a 
requirement that the provider or facility retain ownership. Some of 
these commenters noted that the concept of ownership in this context 
may be rendered moot because the useful life of the device may expire 
during the period of use by the patient. Some commenters also 
questioned the utility of requiring retrieval of items that are no 
longer state-of-the-art or otherwise have minimal value. Many 
commenters also expressed concern regarding the administrative burden 
associated with tracking and monitoring compliance with a retrieval 
requirement.
    Many commenters on this topic described potential scenarios in 
which technology may be provided to a patient who then ceases to need 
it (e.g., the patient receives a transplant). In these circumstances, 
commenters were generally supportive of requiring the provider or 
facility to retrieve the technology. Several commenters supported 
requiring ``reasonable efforts'' to retrieve the hardware in 
circumstances when it will not harm the patient, with exceptions for 
circumstances when retrieval is impractical, the hardware has greatly 
reduced utility or value, or the patient has died. A commenter also 
asserted that if the hardware is provided in such a way that the use is 
limited to telehealth services, it will not provide substantial 
independent value to the beneficiary, and thus the failure to retrieve 
after reasonable recovery efforts does not create meaningful inducement 
risks.
    Response: We are not finalizing a requirement that a provider, 
physician, or facility retain ownership of the technology. We also are 
not finalizing a retrieval requirement. We note that the condition that 
the telehealth technologies be provided to an individual with ESRD and 
who is receiving home dialysis for which payment is being made under 
Medicare Part B would necessitate termination of technology services 
(e.g., recurring monthly data plan fees or applications that require 
ongoing subscription fees) if the individual is no longer receiving 
home dialysis payable by Medicare Part B. Likewise, technology services 
would need to be terminated if the patient is no longer using them for 
ESRD-related telehealth services. Further, the exception does not 
protect sham donations of technology given to individuals to keep 
indefinitely.
g. Prohibition on Cost-Shifting
    Summary of OIG Proposed Rule: We proposed to require as a condition 
of protection under the exception that the provider of services or a 
renal dialysis facility not separately bill Federal health care 
programs, other payors, or individuals for the telehealth technologies, 
claim the costs of the telehealth technologies as a bad debt for 
payment purposes, or otherwise shift the burden of the costs of the 
telehealth technologies to a Federal health care program, other payors, 
or individuals.
    Summary of Final Rule: We are not finalizing this condition.
    Comment: Commenters expressed support for the proposed prohibition 
on cost-shifting. No commenters expressed opposition.
    Response: Upon consideration of the combination of safe harbor 
conditions implemented by this final rule, we are not finalizing the 
proposed cost-shifting prohibition. We have concluded that the 
combination of final conditions and the limited-nature of this 
statutory exception will adequately protect against fraud and abuse 
risks, and an additional safeguard related to cost-shifting is not 
necessary.
    We proposed the cost-shifting condition to protect against the 
telehealth technologies resulting in inappropriately increased costs to 
Federal health care programs, other payors, and patients. However, we 
do not want to exclude arrangements from this exception that involve 
furnishing telehealth or other service to the ESRD patient receiving 
in-home dialysis and that are also billable to Medicare. We recognize 
that those services, as long as applicable Medicare rules are met, may 
appropriately result in Medicare paying for costs of certain telehealth 
technologies or an appropriate increase in certain Medicare costs.
    We did not intend to suggest any limit on appropriate billing of 
Federal health care programs or other payors for

[[Page 77876]]

medically necessary items and services furnished in connection with 
telehealth technologies provided to ERSD patients receiving in-home 
dialysis. If a provider furnishes items or services that are covered as 
part of a Federal health care program, the provision of those items or 
services alone would not implicate the Federal anti-kickback statute at 
all. However, there could be circumstances under which a provider, when 
furnishing covered items or services, does give a Federal health care 
program beneficiary something of value, or remuneration, thereby 
implicating the Federal anti-kickback statute. For example, the Federal 
anti-kickback statute would be implicated by a provider waiving or 
reducing any required cost-sharing obligations for the covered items 
and services incurred by a Federal health care program beneficiary or 
providing ``extra'' items and services--that is, that are not part of 
the covered item or service--for free. Furthermore, nothing in this 
rule exempts parties from responsibility for compliance with all 
applicable coverage and billing rules.
    Additionally, this final exception covers a wider range of 
telehealth technologies used to support the furnishing of telehealth 
services than types of technology used to provide Medicare Part B 
covered ``telehealth services.'' There may be other Medicare covered 
services that would cover the costs of telehealth technologies, as 
defined in this exception, as part of a service provided to a 
beneficiary receiving in-home dialysis. For example, the remote patient 
monitoring services described by the chronic care remote physiologic 
monitoring family of codes are covered by Medicare Part B but are not 
``telehealth services'' within the meaning of the Medicare statute. 
However, remote patient monitoring technologies would meet the 
definition of ``telehealth technologies'' in this final exception.
h. Other Potential Safeguards
i. Consistent Provision of Telehealth Technologies
    Summary of OIG Proposed Rule: The OIG Proposed Rule considered 
several other potential conditions for this exception, including 
prohibiting providers and renal dialysis facilities from discriminating 
in the offering of telehealth technologies. We solicited comments on 
this potential safeguard and whether it would limit the ability of 
providers and facilities to offer technologies due to the potential 
cost of furnishing the technology to all qualifying patients rather 
than a small subset. We also solicited comments on why offering 
technology to a smaller subset of qualifying patients might be 
appropriate and not increase the risk of fraud and abuse.
    Summary of Final Rule: We are not finalizing this condition.
    Comment: A few commenters supported some form of a 
nondiscrimination standard as appropriate. On the other hand, several 
commenters raised concerns regarding a possible condition to the 
exception requiring that a provider or facility provide the same 
telehealth technologies to any Medicare Part B patient receiving in-
home dialysis, or to otherwise consistently offer telehealth 
technologies to all patients, including that the uniform provision of 
telehealth technologies would be cost-prohibitive for many providers 
and facilities and could result in their decision not to offer any 
telehealth technologies. Several commenters encouraged us to adopt more 
flexible standards that would allow the provider or facility to 
exercise discretion in offering telehealth technologies to ensure that 
the patients to whom they offer the technologies are most likely to 
benefit from them.
    At least one of these commenters suggested that providers and 
facilities be permitted to provide telehealth technologies 
differentially to patients based on clinical risk assessments, clinical 
appropriateness determinations from the patient's physician, or other 
clinical or means-based criteria, with another commenter noting that it 
is common for providers and payors to focus interventions on higher 
risk or higher cost patients. A dialysis provider specified that they 
would like the exception to protect the deployment of certain 
technologies, such as remote monitoring or wearable devices, to 
specific patient populations that may have higher assessed clinical 
risk, such as patients that have experienced a recent hospitalization 
event.
    Other commenters supported the approach of requiring providers or 
facilities to consistently offer telehealth technologies to all 
patients satisfying specified, uniform criteria, and a commenter 
requested that we make clear that a provider or facility would have 
flexibility to establish criteria under which only a subset of patients 
would be offered telehealth technologies. A commenter noted that 
legitimate criteria may include for example patient mobility, access to 
transportation options, financial status, and health condition. A 
commenter suggested that we identify and carve out criteria that would 
not be appropriate, such as the patient's payor or provider.
    A dialysis provider encouraged OIG to ensure flexibility to provide 
and customize certain telehealth technology offerings to patients based 
on for example means-based or rural location needs, and to allow for 
changes resulting in the development of new technology. The commenter 
noted that the availability and cost of data plans and devices with 
wireless cellular service may vary from location to location, and thus 
a requirement to furnish the same telehealth technologies to all 
patients may not be feasible.
    Response: We appreciate the comments that explain why providing the 
same telehealth technologies to any Medicare Part B eligible patient 
receiving in-home dialysis may be impractical or impossible, and we are 
not finalizing that condition. We also are not finalizing a condition 
that would require providers, physicians, and facilities to 
consistently offer telehealth technologies to all patients satisfying 
specified, uniform criteria. As stated in section III.C.1.a above, this 
is a narrow statutory exception to the Beneficiary Inducement CMP. 
Because the exception finalized here is only available to established 
patients who are receiving specific services paid for by Medicare Part 
B, the potential for fraud and abuse is reduced.
    We recognize that patient need for technology may vary based on 
location, availability of transportation, financial status, diagnosis 
and treatment plan, or other legitimate and appropriate factors. We 
believe the donor is in the best position to identify whether provision 
of the technology is appropriate only to a subset of patients receiving 
in-home dialysis paid for by Medicare Part B. We are providing 
additional flexibilities to donors to determine which beneficiaries 
receive telehealth technologies by not finalizing this condition. The 
risk of fraud and abuse associated with selectively deciding which 
patients receive telehealth technologies is mitigated by other 
conditions finalized in this rule (e.g., telehealth technologies are 
protected only if provided to beneficiary already receiving in-home 
dialysis). Additionally, providers, physicians, and facilities must 
still meet Medicare requirements for services provided to the 
beneficiary; they cannot bill for medically unnecessary services. 
Schemes to submit false claims would implicate other criminal and civil 
fraud statutes and would not be protected by this exception to the 
Beneficiary Inducement CMP.
    Comment: Several commenters encouraged us to adopt a standard that 
allows for providing technology on an as-needed basis, recognizing that 
some

[[Page 77877]]

patients may choose not to have telehealth services and some patients 
may prefer to use their own technology. Other commenters encouraged us 
to ensure patients retain the right to choose whether to participate in 
telehealth services or utilize telehealth technology.
    Response: The design of the final rule allows providers to take 
into account patient choice and preferences. We are not finalizing a 
condition that would have required physicians, providers, and 
facilities to provide telehealth technologies in accordance with 
specified criteria applied uniformly. We agree with commenters that 
patient choice is paramount, and the decision to select a home dialysis 
modality or telehealth services related to the patient's ESRD rests 
with the patient. Patients are under no obligation to dialyze in the 
home or to receive telehealth services, notwithstanding the 
availability of telehealth technologies. We emphasize that protected 
telehealth technologies cannot be offered as part of an advertisement 
or solicitation, nor should offers of free telehealth technology be 
made for the purpose of persuading patients to make clinical decisions 
about treatment modalities. In such cases, the telehealth technologies 
are not being provided for the purpose of furnishing telehealth 
services as required by the statute and this exception.
ii. Notice to Patients
    Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated 
that we were considering adding a condition that would require 
providers or facilities to provide a written explanation of the reason 
for the technology and any potential ``hidden'' costs associated with 
the telehealth services to any patient who elects to receive telehealth 
technology. We considered this condition in response to concerns raised 
in comments submitted in response to the OIG RFI \158\ that patients 
may be confused by the technology or the reason they are receiving a 
piece of technology and may be unaware of costs associated with 
telehealth services. We sought comment on these perceived risks to 
patients, whether to include a written notice requirement in the final 
rule and, if so, what that notice should state.
---------------------------------------------------------------------------

    \158\ 83 FR 43607 (Aug. 27, 2018).
---------------------------------------------------------------------------

    Summary of Final Rule: For the reasons stated below, we are not 
finalizing this requirement.
    Comment: Most commenters on this topic supported the principle of 
providing information to patients, but commenters disagreed as to 
whether we should adopt a formal notice requirement as a standard for 
meeting the exception. Some commenters asserted that there was no need 
for a formal notice requirement as a condition of the exception because 
this type of communication should be a part of the normal physician-
patient relationship. Others stated that conveying this type of 
information is the current standard of medical practice for home 
dialysis patients. Other commenters supported having a formal notice 
requirement as a condition of the exception, emphasizing the need to 
ensure patients have a clear and transparent understanding of the care 
they are receiving and the costs of such care. A commenter requested 
that OIG provide a sample of any required notice.
    Response: We agree that patients need to have a clear understanding 
of the care they are receiving and the costs of such care. However, we 
also agree with commenters that this information should be conveyed 
through the physician-patient relationship or in the normal facility-
patient communications for patients dialyzing at home. We are not 
finalizing any notice requirement as part of the exception. Parties are 
free to provide written notice explaining the reason for the technology 
and any potential costs associated with the telehealth services if they 
so choose.
iii. Patient Freedom of Choice
    Summary of OIG Proposed Rule: The OIG Proposed Rule considered a 
condition to the telehealth technologies exception designed to preserve 
patient freedom of choice among health care providers and the manner in 
which a patient receives dialysis services (i.e., in-home or in a 
facility). Specifically, we considered adding a condition to the 
exception that would require offerors of telehealth technologies to 
advise patients when they receive such technology that they retain the 
freedom to choose any provider or supplier of dialysis services and 
receive dialysis in any appropriate setting.
    Summary of Final Rule: As explained below, we are not finalizing 
this requirement.
    Comment: Several commenters, while supportive of patient autonomy 
and ensuring that patients are aware of the right to choose 
practitioners, providers, suppliers, and dialysis modalities, disagreed 
with additional documentation requirements related to informing 
patients of these rights for a number of reasons. For example, one 
commenter suggested that patients may not wish to receive this 
information. The commenter advocated instead for broader protections 
for freedom of choice, such as a prohibition on restricting referrals. 
Other commenters highlighted the administrative burden of additional 
documentation. Commenters stated that notice already is part of the 
provider and patient relationship, noting that for certain facilities 
any additional documentation requirement would be duplicative of the 
notice requirements found in the ESRD Conditions for Coverage (CFCs). A 
commenter requested a carve-out for facilities that meet the 
requirement under the CFCs. A commenter asserted that it would not add 
sufficient value that outweighs the burden of providing a written 
explanation of the reason for the technology and any potential 
``hidden'' costs associated with the telehealth services to any patient 
who elects to receive telehealth technology.
    Other commenters supported the proposed requirement and asserted 
that patients should be informed that they have the choice whether to 
use technologies and that their choice will not in any way influence 
the care to which they are entitled. Another commenter suggested that 
this should be standard information given to patients receiving ESRD-
related care, regardless of the treatment modality they use. The 
commenter shared a concern raised that some patients may be persuaded 
to opt for telehealth services due to generous telehealth technologies 
and services being offered rather than clinical appropriateness, and 
believes this step could prevent any such inappropriate care from 
occurring. One commenter proposed to further clarify that the patient 
notice or patient consent for use of telehealth technologies include 
that the patient is not required to utilize or accept the provision of 
such technologies.
    Response: We are not finalizing this condition because we believe 
in part that existing laws are better suited to protecting patient 
freedom of choice and the patient's best interest than a statutory-
based exception to the Beneficiary Inducement CMP, including those 
discussed by the commenters. Furthermore, discussion of clinical 
appropriateness of in-home dialysis and telehealth services related to 
a patient's ESRD is inherent in the physician-patient relationship or 
facility-patient relationship, which serves first-and-foremost to 
protect the patient's best interest and preserve patient choice. The 
condition finalized at paragraph (10)(i) in 1003.110 limits the offer 
or furnishing of telehealth technologies to a patient that initiates 
contact with the provider, facility, or physician to schedule an 
appointment or other

[[Page 77878]]

service also supports patient autonomy, and marketing is not allowed by 
the condition at paragraph (10)(ii) in 1003.110. These conditions will 
help preserve a patient's choice to select any provider, physician, or 
facility without inappropriate influence from such entities.
    Comment: A commenter supported informing recipients of their 
freedom to choose any provider or supplier of dialysis services but 
requested clarification regarding whether telehealth technologies 
furnished to certain in-home dialysis patients would also be covered 
under the exception to the definition of ``remuneration'' for items or 
services that promote access to care and pose a low risk of harm to 
Federal health care programs at 1128A(i)(6)(F) of the Act.
    Response: As stated above, we believe existing laws are better 
suited to protecting patient freedom of choice and nothing in this rule 
limits patient's freedom of choice. As we stated in the OIG Proposed 
Rule, the provision of telehealth technologies might qualify for 
protection under other existing exceptions or safe harbors. Whether a 
particular arrangement for the provision of telehealth technologies 
meets the requirements of, for example, the exception for arrangements 
that promote access to care and poses low risk of harm at 
1128A(i)(6)(F) of the Act (and the corresponding regulatory exception 
at 42 CFR 1003.110) is a fact-specific analysis beyond the scope of 
this rulemaking. We note that parties are also free to request an OIG 
advisory opinion.
iv. Materials and Records Requirement
    Summary of OIG Proposed Rule: We did not propose a condition 
related to the development or retention of materials and records or 
another documentation requirement but solicited comments on the fraud 
and abuse risks presented by not including such a condition in this 
exception.
    Summary of Final Rule: We are not finalizing a materials and 
records retention requirement.
    Comment: Commenters agreed with our approach to omit a materials 
and records or other documentation requirement. A commenter noted that 
this approach reduces unnecessary administrative burden. Another 
commenter pointed to other documentation requirements required by law, 
highlighting that these obviate the need for a documentation 
requirement in this exception.
    Response: We agree that omitting a documentation requirement for 
this exception may reduce administrative burden for donors of 
telehealth technologies. We believe that in the case of telehealth 
technologies provided to individuals with ESRD under this exception, 
the absence of a documentation requirement does not materially impact 
the attendant fraud and abuse risks. We note, however, that while this 
exception is voluntary, parties that rely on it have the burden of 
demonstrating that all the conditions are met. Maintaining 
documentation that the provision of telehealth technologies satisfies 
the exception's conditions may be prudent for compliance purposes.
a. Other Offerors
    Comment: Several commenters stated that free and charitable clinics 
and charitable pharmacies, especially in rural areas, rely on the use 
of telehealth technologies to provide access to specialty care to 
uninsured and medically underserved patients. The commenters posited 
that eliminating barriers to allow free and charitable clinics and 
charitable pharmacies to furnish telehealth technologies to patients 
without implicating the physician self-referral law or the Federal 
anti-kickback statute would enhance their ability to serve the target 
population of uninsured and medically underserved. The commenters 
suggest that expanded access to telehealth technologies would enhance 
health equity and care coordination, specifically for those who are 
uninsured and in rural areas. Another commenter was supportive of the 
exception and suggested expansion to allow for the provision of 
telehealth technologies by behavioral health providers.
    Response: We appreciate the commenters' suggestion that telehealth 
technologies may benefit a broader range of patients. Charitable 
clinics or charitable pharmacies that meet the conditions in paragraphs 
(10)(i) and (ii) (e.g., a provider, physician, or renal dialysis 
facility that is currently providing the in-home dialysis, telehealth 
services, or other end-stage renal disease care to the patient or has 
been selected or contacted by the individual to schedule an appointment 
or provide services) may be eligible to protect the provision of 
telehealth technologies under this exception. Such a determination must 
be based on the facts and circumstance of the specific clinic or 
pharmacy, and whether the provision of the telehealth technology meets 
all conditions of the exception.
    We note that several other exceptions and safe harbors may apply to 
the provision of telehealth technologies to patients, depending on the 
facts and circumstances, such as the patient engagement and support 
safe harbor, finalized in this rule at 42 CFR 1001.952(hh), and the 
exception to the definition of ``remuneration'' under the Beneficiary 
Inducements CMP for certain remuneration that poses a low risk of harm 
and promotes access to care, found at 42 CFR 1003.110.
j. Recipient
    Comment: A commenter stated that it is critical to ensure that the 
provision without charge of these same technologies to nephrologists 
and other treating physicians of home dialysis patients is permissible 
under anti-kickback statute. The commenter highlighted that every 
dialysis patient is required to have an attending nephrologist, and the 
nephrologist is the only individual who is part of the required care 
team who is not otherwise employed by the dialysis provider. 
Accordingly, the commenter urged us to clarify that the dialysis 
provider can also provide members of the care team who are not employed 
by the dialysis provider with the technology and software necessary to 
accommodate telehealth for dialysis patients.
    Response: We appreciate the commenter's concerns, but the 
commenter's recommendations are outside the scope of the statutory 
exception we codify here, which is an exception to the definition of 
``remuneration'' under the Beneficiary Inducements CMP. Specifically, 
the regulatory exception we finalize here implements the corresponding 
statutory exception in section 50302 of the Budget Act of 2018, which 
protects the provision of telehealth technologies ``to an individual 
with end-stage renal disease. . . .'' This exception does not protect 
remuneration between a dialysis provider and other members of a 
patient's care team. As the commenter notes, remuneration among and 
between providers and practitioners may implicate the Federal anti-
kickback statute. Parties seeking to protect such arrangements may seek 
protection under a safe harbor, such as the care coordination 
arrangements safe harbor finalized in this rule at 1001.952(ee). 
Parties are also free to request an advisory opinion pursuant to 42 CFR 
1008 et seq. related to the facts and circumstances described in this 
comment.
    Comment: A commenter requested clarity regarding situations in 
which technologies provided to beneficiaries could also result in 
potential indirect benefits to other providers who may be in a referral 
source relationship with the donor of the telehealth technologies,

[[Page 77879]]

including in the context of an integrated care delivery system.
    Response: We appreciate the commenter's concern. The Federal anti-
kickback statute is a criminal statute that serves as an important 
sanction against fraud when parties intentionally offer or pay 
kickbacks to influence referrals. Any indirect benefit to a provider 
who may be a referral source for a donor would need to be analyzed 
under the Federal anti-kickback statute which, as explained above, is 
outside the scope of the statutory exception to the Beneficiary 
Inducements CMP that we codify here. As a matter of law, arrangements 
that fit in an exception to the Beneficiary Inducements CMP are not 
automatically protected from liability under the Federal anti-kickback 
statute. Parties seeking to protect remuneration implicating the 
Federal anti-kickback statute should assess arrangements to determine 
if the arrangement qualifies for protection under a safe harbor.

IV. Provisions of the Final Regulation

    This final rule incorporates the regulations and amendments we 
proposed in the OIG Proposed Rule, but with changes to the regulatory 
text. In this final rule, we modify existing as well as add new safe 
harbors pursuant to our authority under section 14 of the Medicare and 
Medicaid Patient and Program Protection Act of 1987 by specifying 
certain payment practices that will not be subject to prosecution under 
the Federal anti-kickback statute. We also codify into our regulations 
a statutory safe harbor for patient incentives offered by ACOs to 
assigned beneficiaries under ACO Beneficiary Incentive Programs and a 
statutory exception to the definition of ``remuneration'' in 42 CFR 
1003.110 for certain telehealth technologies furnished to in-home 
dialysis patients.
    The following is a list of the safe harbors and the exception that 
we are finalizing: Modifications to the existing safe harbor for 
personal services and management contracts at 42 CFR 1001.952(d); 
modifications to the existing safe harbor for warranties at 42 CFR 
1001.952(g); modifications to the existing safe harbor for electronic 
health records items and services at 42 CFR 1001.952(y); modifications 
to the existing safe harbor for local transportation at 42 CFR 
1001.952(bb); a new safe harbor for care coordination arrangements to 
improve quality, health outcomes, and efficiency at 42 CFR 
1001.952(ee); a new safe harbor for value-based arrangements with 
substantial downside financial risk at 42 CFR 1001.952(ff); a new safe 
harbor for value-based arrangements with full financial risk at 42 CFR 
1001.952(gg); a new safe harbor for arrangements for patient engagement 
and support to improve quality, health outcomes, and efficiency at 42 
CFR 1001.952(hh); a new safe harbor for CMS-sponsored model 
arrangements and CMS-sponsored model patient incentives at 42 CFR 
1001.952(ii); a new safe harbor for cybersecurity technology and 
related services at 42 CFR 1001.952(jj); a new safe harbor for 
accountable care organization (ACO) beneficiary incentive program at 42 
CFR 1001.952(kk); and an exception for telehealth technologies for in-
home dialysis at 42 CFR 1003.110.

V. Regulatory Impact Statement

    As set forth below, we have examined the impact of this final rule 
as required by Executive Order 12866, the Regulatory Flexibility Act 
(RFA) of 1980, the Unfunded Mandates Reform Act of 1995, Executive 
Order 13132, and Executive Order 13771. In section A, we provide an 
overview of our analysis of the impact of this final rule. We also 
provide additional supporting analysis in section F.
    Summary of OIG Proposed Rule: We determined that the aggregate 
economic impact of the proposals would be minimal and would have no 
effect on the economy or on Federal or State expenditures. We also 
determined that the proposals would not significantly affect small 
providers. Further, we determined that the rule was neither regulatory 
nor deregulatory under Executive Order 13771.
    Summary of Final Rule: We are finalizing the determinations set 
forth in the OIG Proposed Rule except for the determination under 
Executive Order 13771. Here we explain that this final rule is a 
deregulatory action under Executive Order 13771. In addition, we 
provide additional explanation about our determinations here.

A. Overview of Analysis

    By making available the new protections established in this final 
rule, we expect health care industry stakeholders will realize 
increased flexibility and legal certainty when entering into value-
based, care coordination, and other arrangements that have the 
potential to reduce Federal health care program expenditures and 
improve the quality of care without sacrificing program integrity. 
However, we are unable to quantify--with certainty--the overall 
aggregate impact or effect on small providers related to changes in 
industry behavior that we can reasonably expect following the effective 
date of this final rule. Even so, we believe that our final policies 
are reasonably likely to permit, if not encourage, behavior that will 
reduce waste in the U.S. health care system, including Medicare and 
other Federal health programs, and that these changes will result in 
lower costs for both patients and payors, and generate other benefits, 
such as improved quality of patient care and lower compliance costs for 
providers and suppliers. Below we describe: (1) The need for new and 
modified safe harbors and exceptions; (2) an overview of the estimated 
impact of the final rule; (3) anticipated outcomes of the final rule; 
(4) expanded protections under the final rule and examples of 
anticipated arrangements; (5) anticipated beneficial impact of value-
based, care coordination, and patient engagement and support 
arrangements; (6) anticipated beneficial impact of the new safe harbor 
for cybersecurity technology and services; and (7) anticipated costs.
1. Need for New and Modified Safe Harbors and Exceptions
    The Federal anti-kickback statute provides for criminal penalties 
for whoever knowingly and willfully offers, pays, solicits, or receives 
remuneration to induce or reward, among other things, the referral of 
business reimbursable under any of the Federal health care programs, 
including Medicare and Medicaid. Health care providers and others may 
voluntarily seek to comply with safe harbors so that they have the 
assurance that their business practices will not be subject to any 
Federal anti-kickback enforcement action. Compliance with an applicable 
safe harbor insulates an individual or entity from liability under the 
Federal anti-kickback statute. Parties may use any applicable safe 
harbor into which they can squarely fit.\159\ However, failure to fit 
in a safe harbor does not mean that an arrangement violates the law.
---------------------------------------------------------------------------

    \159\ Existing safe harbors that may apply to some care 
coordination and value-based arrangements include the employee safe 
harbor (42 CFR 1001.952(i)), the personal services and management 
contracts safe harbor (42 CFR 1001.952(d)), the various managed care 
safe harbors (e.g., 42 CFR 1001.952(t)), and the local 
transportation safe harbor (42 CFR 1001.952(bb)). However, 
stakeholders have informed us that many arrangements they would like 
to enter into cannot fit in the existing safe harbors as currently 
structured.
---------------------------------------------------------------------------

    The Beneficiary Inducements CMP provides for the imposition of 
civil monetary penalties against any person who offers or transfers 
remuneration to a Medicare or State health care program (including 
Medicaid) beneficiary that

[[Page 77880]]

the benefactor knows or should know is likely to influence the 
beneficiary's selection of a particular provider, practitioner, or 
supplier of any item or service for which payment may be made, in whole 
or in part, by Medicare or a State health care program (including 
Medicaid). Compliance with an applicable exception to the definition of 
``remuneration'' under the Beneficiary Inducements CMP or compliance 
with an exception or safe harbor to the Federal anti-kickback statute 
protects such practice from liability under the Beneficiary Inducements 
CMP.
    In many cases, emerging coordinated care and value-based delivery 
and payment arrangements, which encourage functional integration and 
coordination between and among providers and other industry 
stakeholders, often using financial incentives, may not fit easily or 
at all under current safe harbors to the Federal anti-kickback statute, 
exceptions to the Beneficiary Inducements CMP, or both. Many value-
based and care coordination arrangements also rely on improving patient 
engagement in care through tools or supports (e.g., free or reduced-
cost technology, free local transportation services), potentially 
implicating both the Federal anti-kickback statute and the Beneficiary 
Inducements CMP. Such tools or supports may not fit easily (or at all) 
under existing safe harbors to the Federal anti-kickback statute or 
exceptions to the definition of ``remuneration'' under the Beneficiary 
Inducements CMP.
    Public stakeholders have asserted--through comments to both the OIG 
RFI and OIG Proposed Rule, as well as other public forums--that this 
lack of clear legal protection has a chilling effect on the development 
of effective care coordination arrangements, value-based arrangements, 
and arrangements engaging or supporting patients. As a consequence, 
this final rule provides greater certainty and protection for care 
coordination arrangements, value-based arrangements, patient engagement 
tools and supports, and other beneficial arrangements from potential 
liability under the Federal anti-kickback statute and Beneficiary 
Inducements CMP (as applicable), if the arrangements are properly 
structured to satisfy an applicable safe harbor's or exception's 
conditions (as applicable).
2. Overview of Estimated Impact of the Final Rule
    There is not enough available information to estimate this final 
rule's effect on the economy, Federal or State expenditures, or small 
providers. In other words, we are not able to provide quantitative 
estimates of savings to or expenditures for the Federal health care 
programs, providers, and others that will result from this final rule. 
More specifically, we lack a basis for determining the scope and 
magnitude of financial arrangements for which parties may seek safe 
harbor protection.
    We lack a basis for making any quantitative estimates for the 
following reasons. First, we cannot estimate how many providers and 
other industry stakeholders will enter in value-based and care 
coordination arrangements or other arrangements protected by these 
final safe harbors and exception. This is in part because using and 
complying with the safe harbors and exception to the definition of 
``remuneration'' under the Beneficiary Inducements CMP finalized here 
are voluntary. Indeed, providing remuneration in the context of a care 
coordination arrangement and engaging Federal health care program 
beneficiaries through the provision of tools and supports are voluntary 
as well. Stated otherwise, parties are not required either to enter 
into financial relationships that implicate the Federal anti-kickback 
statute and Beneficiary Inducements CMP, or to structure any financial 
relationships that implicate these statutes to satisfy a safe harbor or 
exception, as applicable. Failure to satisfy a safe harbor or 
exception, as applicable, does not mean that an arrangement is illegal 
under the Federal anti-kickback statute or Beneficiary Inducements CMP. 
Parties are free to conduct financial arrangements that do not fit 
within the protections set forth in these final regulations provided 
that they otherwise comply with the law. Further, while parties often 
use safe harbors and exceptions as tools to structure compliant 
arrangements, parties may also wait to assert compliance with a safe 
harbor as a defense should the Government bring an enforcement action. 
For this reason, it is further difficult to estimate usage of these 
regulations.
    Second, while we can provide examples--as noted below--of 
arrangements we believe health care industry stakeholders may enter 
into under the protection of these final safe harbors and exception, we 
cannot predict the form of all of the arrangements, nor which industry 
stakeholders will enter into what form of arrangements. More 
specifically, based on comments submitted by stakeholders, our 
understanding of currently existing value-based and care coordination 
arrangements, and our assumption that there will be continued 
innovation, we expect significant heterogeneity in value-based and care 
coordination arrangements that seek protection under these safe harbors 
and exception. Applying a ``conceptual framework'' developed by RAND 
Corporation in an assessment of value-based programs illuminates how 
the attributes of value-based care and care coordination arrangements 
could vary across the industry, making any basis for quantitative 
estimates regarding the impact of the regulatory flexibilities set 
forth in this final rule highly speculative.\160\
---------------------------------------------------------------------------

    \160\ Cheryl L. Damberg et al., RAND Corp., Measuring Success in 
Health Care Value-Based Purchasing Programs (2014), available at 
https://www.rand.org/content/dam/rand/pubs/research_reports/RR300/RR306/RAND_RR306.pdf.
---------------------------------------------------------------------------

    In particular, the RAND conceptual framework highlights how various 
aspects of the arrangements for which parties may seek safe harbor and 
exception protection could differ, including: (1) Overarching program 
design features with respect to the value-based arrangement (e.g., 
measures, incentive structure, targets for incentives, and quality 
improvement support and resources); (2) the characteristics of the 
providers and the settings in which they practice, including whether or 
not the providers are employees, as well as the characteristics of 
other parties to the arrangement; and (3) external factors (e.g., other 
payment policies, other quality initiatives, consumer behavior, market 
characteristics, and regulatory changes) that can enable or hinder any 
response to the incentive. In addition, we expect wide variation in the 
patient populations served and their particular needs with respect to 
care coordination and tools and supports. To provide an example related 
to external factors, whether a provider might need to use the patient 
engagement and support safe harbor (paragraph 1001.952(hh)) may depend 
on whether the beneficiary's Federal health care program covered the 
desired tool and support. An arrangement for the provision of digital 
technology that is a covered item or service, when provided in 
accordance with coverage and payment rules, does not likely require 
safe harbor protection and additional regulatory flexibility in this 
final rule. On the other hand, an arrangement for the provision of 
noncovered tools and supports for free to a Federal health care program 
beneficiary likely implicates the Federal anti-kickback statute and may 
implicate the Beneficiary Inducements CMP, may need safe harbor 
protection, and would

[[Page 77881]]

benefit from such flexibility. Variation in coverage and payment rules 
and changes in such rules over time impact the analysis of the 
application of the statutes to arrangements and whether parties would 
seek to use the final regulations.
    In sum, any estimation of behavioral change--and any resulting 
increases or decreases in costs to Federal or State health care 
programs, providers and other stakeholders, or patients--would be 
highly speculative and too uncertain to be appropriately quantifiable. 
While we cannot gauge with certainty savings or costs that may result 
from this final rule, the rule reflects our effort to remove barriers 
impeding wider adoption of beneficial care coordination and value-based 
arrangements identified by stakeholders, while prohibiting arrangements 
that would improperly increase utilization, promote anti-competitive 
behavior, or result in fraud or abuse. Below we elaborate on the 
intended and anticipated beneficial outcomes related to the final rule 
as well as some potential costs.
3. Anticipated Outcomes of the Final Rule
    We can reasonably predict, however, that the final rule likely will 
result in changes to stakeholder behavior. The rule may increase 
providers' or others' participation in beneficial value-based, care 
coordination, patient engagement and support, and other arrangements to 
the extent that providers or others have been concerned that such 
arrangements would otherwise implicate the Federal anti-kickback 
statute and Beneficiary Inducements CMP. In this regard, and with 
respect to the intended outcomes and benefits related to this final 
rule, we anticipate that the policies in this final rule may: (1) 
Remove barriers to robust participation in beneficial value-based 
health care delivery and payment systems, including those administered 
by CMS and non-Federal payors; (2) facilitate arrangements for 
beneficial patient care coordination among affiliated and unaffiliated 
health care providers, practitioners, suppliers, and others; (3) remove 
barriers to providing tools and supports to patients to better engage 
them in their care and improve health outcomes; (4) provide certainty 
for participants in the Medicare Shared Savings Program and Innovation 
Center models; (5) facilitate the continued adoption and use of 
electronic health records by making permanent the safe harbor for the 
donation of such items and services; and (6) promote more robust 
cybersecurity throughout the health care system. Some of the benefits 
that we anticipate will arise from these intended outcomes are: (1) 
Improved care coordination for patients, including Federal health care 
program beneficiaries; (2) improved quality of care and outcomes for 
patients, including Federal health care program beneficiaries; (3) 
potential reduction in compliance costs to individuals and entities to 
which the Federal anti-kickback statute's and Beneficiary Inducements 
CMP's prohibitions apply; (4) reduction in administrative complexity 
and related waste from continued progress toward interoperability of 
data and electronic health records; (5) protection against the 
corruption of or access to health records and other information 
essential to the safe and effective delivery of health care; and (6) 
reduction in impacts of cybersecurity attacks, including the improper 
disclosure of protected health information (PHI), and reduction in 
costs associated with cybersecurity attacks, including ransom payments, 
costs to patients whose PHI is improperly disclosed, and costs to 
providers, suppliers, and others to reestablish cybersecurity.
    With respect to the final rule's impact on parties currently 
participating in the Medicare Shared Savings Program and Innovation 
Center models, we have determined that this Final Rule would not 
significantly alter the conditions upon which such providers and 
suppliers operate. Such parties currently must comply with the fraud 
and abuse statutes and receive fraud and abuse waivers as needed for 
CMS to operate the Medicare Shared Savings Program and test models, as 
authorized by statute. Finalizing safe harbors protecting value-based 
arrangements, care coordination, and certain patient engagement tools 
and supports would not significantly alter these conditions. This is 
particularly true in light of the new final safe harbor for CMS-
sponsored models, which is designed to streamline the current fraud and 
abuse waiver process and make model participation more uniform with 
respect to compliance with fraud and abuse laws.
4. Expanded Protections Under Final Rule and Examples of Anticipated 
Arrangements
    As explained in greater detail in the preamble above, this final 
rule expands safe harbor protection under the Federal anti-kickback 
statute to protect the following types of arrangements that, in most 
cases, would not fit squarely or with certainty in existing safe 
harbors:
     Certain remuneration exchanged between or among eligible 
participants in a value-based arrangement that fosters better 
coordinated and managed patient care.
     Certain tools and supports furnished to patients to 
improve quality, health outcomes, and efficiency.
     Certain remuneration provided in connection with a CMS-
sponsored model.
     Certain donations of cybersecurity technology and 
services.
     Certain donations of electronic health records items and 
services.
     Certain outcomes-based payments and remuneration in 
connection with part-time personal services and management contracts 
arrangements.
     Certain remuneration in connection with bundled warranties 
for one or more items and related services.
     Certain free or discounted local transportation given to 
Federal health care program beneficiaries.
    In addition, this final rule extends protection under the 
Beneficiary Inducements CMP to protect certain ``telehealth 
technologies'' furnished to certain in-home dialysis patients.
    Based on the Department's experience with the Medicare Shared 
Savings Program and Innovation Center models, information provided by 
commenters on the OIG RFI and the OIG Proposed Rule, and information 
shared publicly by providers, suppliers, practitioners, health plans, 
and others, following the issuance of this final rule we reasonably 
expect parties may seek protection under the final safe harbors and 
exception such as the following:
     A hospital--in recognition that new reimbursement models 
may extend hospital accountability for a patient's health beyond 
inpatient or outpatient care--may wish to provide recently discharged 
patients with free health coaching, technology that facilitates remote 
monitoring, a non-reimbursable home visit, or nutritional supplements 
to promote the best health outcomes after discharge.
     A hospital, recognizing that clinical collaboration and 
care coordination may improve patient transitions from one care 
delivery point to the next, may wish to provide care coordinators that 
furnish individually tailored case management services for patients 
requiring post-acute care.
     A medical device manufacturer may wish to offer a 
physician practice or hospital a data analysis service to track 
clinical practices, clinical outcomes, and patient impact as they 
relate to hospital- or health-care-acquired pressure injuries.
     A hospital may wish to provide support and to reward 
institutional post-acute providers for achieving outcome measures that 
effectively and

[[Page 77882]]

efficiently coordinate care across care settings and reduce hospital 
readmissions. Such measures would be aligned with a patient's 
successful recovery and return to living in the community.
     A physician may wish to offer--for free-- a prescription 
pickup service to retrieve filled prescriptions from the pharmacy and 
get them to the patient to expedite the patient's adherence to the 
physician's ordered treatment.
     A primary care physician, dialysis facility, or other 
provider could furnish a smart tablet that is capable of two-way, real-
time interactive communication between the patient and his or her 
physician. In turn, the Federal health care program beneficiary's 
access to a smart tablet could facilitate communication through 
telehealth and the provision of in-home dialysis services.
5. Anticipated Beneficial Impact of Value-Based, Care Coordination, and 
Patient Engagement and Support Arrangements
    As explained further below, to the extent that providers and others 
elect to use these safe harbors and exception to the definition of 
``remuneration'' under the Beneficiary Inducements CMP to protect care 
coordination, value-based, and other arrangements, there could be 
significant beneficial impacts should the intended effect of the 
regulatory flexibilities afforded by this final rule--promoting the 
adoption of beneficial value-based arrangements and improved care 
coordination--come to fruition.
    As noted above, we are unable to quantify with certainty any impact 
related to the changes in industry behavior that we can reasonably 
expect following the effective date of this final rule. Despite the 
inability to quantify impact, we believe that the value-based 
arrangements, care coordination arrangements, and patient engagement 
and support arrangements protected by this final rule ultimately will 
reduce waste in the U.S. health care system.
    In particular, a recent review of literature from January 2012 to 
May 2019 focusing on unnecessary spending, or waste, in the U.S. health 
care system (the 2019 study) indicates that waste related to the 
failure of care coordination alone results in annual costs of $27 
billion to $78 billion.\161\ Much of the research on waste and 
improvement reviewed in the 2019 study was conducted in Medicare 
populations. The 2019 study noted empirical evidence that 
interventions, such as aligning payment models with value or supporting 
delivery reform to enhance care coordination, safety, and value, can 
produce meaningful savings and reduce waste by as much as half. The 
2019 study also identified waste from administrative complexity 
(resulting from fragmentation in the health care system) as the 
greatest contributor to waste in the U.S. health care system at an 
estimated $266 billion annually, and highlighted the opportunity to 
reduce waste in this category from enhanced payor collaboration with 
health care providers and clinicians in the form of value-based payment 
models. According to the 2019 study, as value-based care continues to 
evolve, there is reason to believe that such interventions can be 
coordinated and scaled to produce better care at lower cost for all 
U.S. residents. Moreover, in value-based and care coordination 
arrangements, improvements could reduce waste related to overtreatment 
and low-value care, a separate category of waste in the U.S. health 
care system.
---------------------------------------------------------------------------

    \161\ William H. Shrank et al., Waste in the US Health Care 
System, Estimated Costs and Potential for Savings, 322 JAMA 1501 
(2019), available at https://jamanetwork.com/journals/jama/fullarticle/2752664.
---------------------------------------------------------------------------

    OIG studies regarding the Medicare Shared Savings Program and 
participating ACOs have found beneficial impacts through improved 
quality of care and reduced spending. A June 2019 evaluation found that 
Medicare Shared Savings Program ACOs have developed a number of 
strategies that the ACOs found successful in reducing Medicare spending 
and improving quality of care.\162\ These strategies include, among 
others, engaging beneficiaries to improve their own health, reducing 
avoidable hospitalizations and improving hospital care through better 
care coordination, and using technology for information sharing. For 
example, one ACO in the study used tablets to issue medication 
reminders and digital scales to transmit information directly to care 
coordinators to help manage the health of beneficiaries with end-stage 
congestive heart failure. The ACO reported that hospitalizations for 
this group declined, on average, from four times a year to one time. 
The evaluation observes that the successful strategies can apply not 
only to ACOs but also to other providers committed to transforming the 
health care system toward value.
---------------------------------------------------------------------------

    \162\ OIG, ACOs' Strategies for Transitioning to Value-Based 
Care: Lessons From the Medicare Shared Savings Program (OEI-02-15-
00451), July 19, 2019. Available at https://oig.hhs.gov/oei/reports/oei-02-15-00451.asp.
---------------------------------------------------------------------------

    An August 2017 OIG report analyzed spending and quality data from 
the first 3 years of the Medicare Shared Savings Program to determine 
the extent to which ACOs reduced Medicare spending and improved 
quality.\163\ During the period studied, most of the 428 participating 
ACOs (serving 9.7 million beneficiaries) reduced Medicare spending 
compared to their benchmarks, achieving a net spending reduction of 
nearly $1 billion. At the same time, ACOs generally improved their 
performance on most of the individual quality measures. ACOs also 
outperformed fee-for-service providers on most of the quality measures. 
A small subset of ACOs showed substantial reductions in Medicare 
spending while providing high-quality care. These high-performing ACOs 
reduced spending by an average of $673 per beneficiary for key Medicare 
services during the review period. This included significant spending 
reductions for high[hyphen]cost services such as inpatient hospital 
care and skilled nursing facility care. These ACOs also maintained high 
use of primary care services, which can lower utilization and costs for 
other care, and reduced the use of costly services such as emergency 
department visits. In contrast, other Medicare Shared Savings Program 
ACOs and the national average for fee-for-service providers showed an 
increase in per beneficiary spending for key Medicare services.
---------------------------------------------------------------------------

    \163\ OIG, Medicare Shared Savings Program Accountable Care 
Organizations Have Shown Potential for Reducing Spending and 
Improving Quality (OEI-02-15-00450), Aug. 28, 2017. Available at 
https://oig.hhs.gov/oei/reports/oei-02-15-00450.asp.
---------------------------------------------------------------------------

    In addition, we are aware that certain other innovative value-based 
and care coordination arrangements exist that have resulted in cost 
savings for third-party payors, quality of care improvements, or 
both.\164\ While we cannot extrapolate these results to the possible 
impact of this final rule, we

[[Page 77883]]

believe the reported success of some of these programs suggests the 
promising nature of value-based care and improved care coordination. In 
describing the results below, we do not mean to suggest that this rule 
prescribes or endorses the interventions inherent to these results. 
Further, we emphasize that this final rule simply removes certain 
regulatory barriers to implementing value-based and care coordination 
arrangements that may be similar to those described below.
---------------------------------------------------------------------------

    \164\ See e.g., Brian W. Powers et al., Impact of Complex Care 
Management on Spending and Utilization for High-Need, High-Cost 
Medicaid Patients, 26 Am. J. Managed Care e57 (2020), available at 
https://doi.org/10.37765/ajmc.2020.42402 (finding, in a study of a 
complex care management program implemented in Tennessee for high-
need, high-cost Medicaid patients, that the program reduced total 
medical expenditures by 37 percent and inpatient utilization by 59 
percent); Shreya Kangovi et al., Evidence-Based Community Health 
Worker Program Addresses Unmet Social Needs and Generates Positive 
Return on Investment, 39 Health Aff. 207 (2020), available at 
https://www.healthaffairs.org/doi/full/10.1377/hlthaff.2019.00981 
(finding that every dollar invested in the Individualized Management 
for Patient-Centered Targets (IMPaCT) intervention, which is ``a 
standardized community health worker intervention that addresses 
socioeconomic and behavioral barriers to health in low-income 
populations,'' yielded a return of $2.47 within a single fiscal year 
from the perspective of a Medicaid payer).
---------------------------------------------------------------------------

    For example, a case study targeted at determining the specific 
factors that reduce Medicare payments and lead to hospital savings in 
bundled payment models for lower extremity joint replacement surgeries 
(which provide a lump sum payment to be shared among providers for an 
episode of care instead of payment for every service performed) in one 
Texas health system found that, between July 2008 and June 2015, the 
system's five hospitals were able to reduce total Medicare spending per 
episode of care by $5,577, or 20.8 percent, in cases without 
complications, and by $5,321, or 13.8 percent, in cases with 
complications.\165\ The hospitals also recognized $6.1 million in 
internal cost savings, along with slight decreases in emergency room 
visits and readmission rates, and a decrease in cases with a prolonged 
length-of-stay admission. Over half of the internal cost savings were 
attributable to reduced implant costs.\166\ We note that the product 
standardization incentive programs that contribute to such internal 
cost savings involve compensation arrangements between hospitals and 
physicians which, depending on their structure, may not satisfy the 
requirements of any current safe harbors to the Federal anti-kickback 
statute, but to which the new and modified safe harbors may apply. 
Relatedly, in 2018, a large health plan announced that it was expanding 
a bundled payment program for spinal surgeries and hip/knee 
replacements to new markets, after finding savings of $18,000 per 
procedure,\167\ and a health network reported over $10 million in 
savings in 2017 with more anticipated savings in 2018.\168\
---------------------------------------------------------------------------

    \165\ Amol S. Navathe, et al., Cost of Joint Replacement Using 
Bundled Payment Models, 177(2) JAMA Internal Med. 214-222 (Feb. 
2017), available at https://jamanetwork.com/journals/jamainternalmedicine/article-abstract/2594805.
    \166\ Vera Gruessner, 3 Ways Bundled Payment Models Brought 
Hospital Cost Savings, Health Payer Intelligence (Jan. 16, 2017), 
https://healthpayerintelligence.com/news/3-ways-bundled-payment-models-brought-hospital-cost-savings.
    \167\ David Muhlestein et al., Recent Progress In The Value 
Journey: Growth Of ACOs And Value-Based Payment Models In 2018, 
Health Affairs Blog (Aug. 14, 2018), https://www.healthaffairs.org/do/10.1377/hblog20180810.481968/full/.
    \168\ Shane Wolverton, Providers partner with payers for bundled 
payments, Becker's Payer Issues (May 10, 2018) https://www.beckershospitalreview.com/payer-issues/providers-partner-with-payers-for-bundled-payments.html.
---------------------------------------------------------------------------

    As another example of the potential for cost savings associated 
with value-based arrangements, a recent survey of more than 100 
commercial payors showed that, in 2018, ``pure FFS'' payment--where 
each medical service is billed and paid for separately--accounts for 
only 37.2 percent of reimbursement and is expected to drop to 26 
percent by 2021.\169\ According to the payors surveyed, payors that 
adopted value-based health care delivery and payment models reduced 
health care costs by an average of 5.6 percent, improved provider 
collaboration, and created more impactful member engagement.
---------------------------------------------------------------------------

    \169\ Thomas Beaton, Value-Based Payment Adoption Drives 5.6% 
Reduction in Care Costs, Health Payer Intelligence (June 18, 2018), 
https://healthpayerintelligence.com/news/value-based-payment-adoption-drives-5.6-reduction-in-care-costs.
---------------------------------------------------------------------------

    Further, there are studies that suggest that improved care 
coordination may decrease costs and enhance health outcomes. One 
randomized, controlled trial evaluated the cost[hyphen]effectiveness of 
a home[hyphen]based care coordination program that targeted older 
adults with problems self[hyphen]managing their chronic illnesses.\170\ 
Study participants in the test group received care coordination 
services from a nurse and a pill organizer. The results of this study 
showed that, for those beneficiaries who participated in the study for 
more than 3 months, total Medicare costs were $491 lower per month than 
in the control group. Another study conducted by the Centers for 
Disease Control and Prevention demonstrated that certain interventions, 
such as team-based or coordinated care, increase patient medication 
adherence rates.\171\ Specifically, in a 2015 study, patients assigned 
to team-based care--including pharmacist-led medication reconciliation 
and tailoring, pharmacist-led patient education, collaborative care 
between pharmacist and primary care provider or cardiologist, and two 
types of voice messaging--were significantly more adherent with their 
medication regimen 12 months after hospital discharge (89 percent) 
compared with patients not receiving team-based care (74 percent).
---------------------------------------------------------------------------

    \170\ Karen Dorman Marek et al., Cost analysis of a home-based 
nurse care coordination program, 62 J. Am. Geriatrics Soc'y 2369 
(2014).
    \171\ Andrea B. Neiman et al., CDC Grand Rounds: Improving 
Medication Adherence for Chronic Disease Management--Innovations and 
Opportunities, 66 Morbidity & Mortality Wkly. Rep. 1248 (2017), 
available at https://www.cdc.gov/mmwr/volumes/66/wr/mm6645a2.htm.
---------------------------------------------------------------------------

    In addition, there are reported examples of value-based health care 
delivery and payment programs developed and implemented by commercial 
health plans that report success. For example, one health plan recently 
reported that it saved $1 billion through avoided costs in 3 years of 
its recent primary care pay-for-value program that offers primary care 
practices rewards for their performance on quality, cost, and 
utilization measures, while also improving outcomes for the plan's 
members.\172\ According to this plan, members treated by a primary care 
provider in the program had 11 percent fewer emergency room visits in 
2017 than members treated by a primary care physician not in the 
program. The plan also stated that members with a primary care 
physician in the program experienced 16 percent fewer inpatient 
admissions in 2017 compared to members seeing a primary care physician 
not in the program, potentially saving the plan $224 million in 
inpatient care costs.\173\
---------------------------------------------------------------------------

    \172\ Press Release, Highmark, Inc., Highmark saves more than $1 
billion in avoided cost with True Performance program (Oct. 5, 
2020), available at https://www.highmark.com/newsroom/press-releases.html#!release/highmark-saves-more-than-1-billion-in-avoided-cost-with-true-performance-program.
    \173\ Press Release, Highmark, Inc., Highmark's True Performance 
Program Avoided Health Care Costs by More Than $260 Million in 2017 
(June 26, 2018), available at https://www.highmark.com/newsroom/press-releases.html#!release/highmarks-true-performance-program-avoided-health-care-costs-by-more-than-260-million-in-2017.
---------------------------------------------------------------------------

    A collaboration between a physician-led ACO and a health plan in 
North Carolina similarly reportedly reduced costs while improving 
quality of care.\174\ Specifically, an analysis conducted by the plan 
concluded that the 47 primary care practices that participated in the 
collaboration: (1) Reduced the total cost of care by 4.7 percent for 
commercial patients; (2) reduced the total cost of care by 6.1 percent 
for Medicare Advantage patients; and (3) improved their Medicare star 
ratings, on average, from 3 to 4.5 stars. Another analysis by a 
different health plan determined that primary care physicians paid 
under global capitation improved certain patient outcomes related to 
preventive care and chronic conditions, such as

[[Page 77884]]

higher screening rates for colorectal and breast cancer, higher rates 
of medication review, and higher controlled blood sugar levels.\175\
---------------------------------------------------------------------------

    \174\ Press Release, Blue Cross and Blue Shield of North 
Carolina, Primary Care ACOs from Blue Cross NC and Aledade Show 
Significant Savings and Quality Improvements (July 20, 2020), 
available at https://mediacenter.bcbsnc.com/news/primary-care-acos-from-blue-cross-nc-and-aledade-show-significant-savings-and-quality-improvements.
    \175\ UnitedHealth Group, Physicians Provide Higher Quality Care 
Under Set Monthly Payments Instead of Being Paid Per Service, 
UnitedHealth Group Study Shows (Aug. 11, 2020), available at https://www.unitedhealthgroup.com/newsroom/2020/uhg-study-shows-higher-quality-care-under-set-monthly-payments-403552.html.
---------------------------------------------------------------------------

6. Anticipated Beneficial Impact of New Safe Harbor for Cybersecurity 
Technology and Services
    The health care sector is among the most targeted industries for 
cyberattacks and is also under-resourced to prevent such attacks and 
data breaches. As a result, the cost of cybersecurity attacks and 
breaches within the health care industry is significant. A study 
estimated that data breaches may have cost U.S hospitals $6.2 billion 
between 2015 and 2016.\176\ Additionally, other estimates indicate that 
a health care organization that is breached faces $8 million dollars in 
costs on average as a result of the breach, or $400 per patient record 
involved.\177\ The impact of cyberattacks extends beyond increased and 
unnecessary recovery and ransom costs. It may limit patient access to a 
provider or directly affect patient care. For example, a September 2020 
cyberattack on a large health care system in the United States 
reportedly affected nearly 400 facilities, causing hospitals to divert 
ambulances during the initial stages of the attack. In addition, staff 
reported that some lab test results were delayed. The system responded 
by suspending user access to its information technology applications 
related to operations across the United States, requiring the use of 
backup processes, including paper medical record charting and labeling 
medications by hand, for nearly 3 weeks.\178\
---------------------------------------------------------------------------

    \176\ Ponemon Institute, Sixth Annual Benchmark Study on Privacy 
& Security of Healthcare Data (May 2016), available at https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf.
    \177\ Health Sector Cybersecurity Coordination Center, A Cost 
Analysis of Healthcare Sector Data Breaches (Apr. 4, 2019), 
available at https://www.hhs.gov/sites/default/files/cost-analysis-of-healthcare-sector-data-breaches.pdf.
    \178\ Jeff Lagasse, Universal Health Services hit with 
cyberattack that shuts down IT systems, Healthcare Finance (Sept. 
29, 2020), https://www.healthcarefinancenews.com/news/universal-health-services-hit-cyberattack-shuts-down-it-systems-1; Jessica 
Davis, UPDATE: UHS Health System Confirms All US Sites Affected by 
Ransomware Attack, Health IT Security (Oct. 5, 2020) https://healthitsecurity.com/news/uhs-health-system-confirms-all-us-sites-affected-by-ransomware-attack; Jessica Davis, 3 Weeks After 
Ransomware Attack, All 400 UHS Systems Back Online, Health IT 
Security (Oct. 13, 2020), https://healthitsecurity.com/news/3-weeks-after-ransomware-attack-all-400-uhs-systems-back-online; and Press 
Release, Universal Health Services (Oct. 29. 2020), https://www.uhsinc.com/statement-from-universal-health-services/.
---------------------------------------------------------------------------

    According to the Health Sector Cybersecurity Coordination Center 
(HC3), health care organizations should consider implementing strong 
risk management practices to help prevent data breaches and minimize 
any disruptions or loss if a breach occurs.\179\ HC3 highlights that 
adequate prevention and preparation for data breaches will protect 
patients, minimize direct and indirect costs, and allow for more 
efficient operations of a health care organization.\180\ Separately, 
the HCIC Task Force's June 2017 report, among other things, highlighted 
its review of many concerns related to potential constraints imposed by 
the physician self-referral law and the Federal anti-kickback statute. 
The report encouraged Congress to evaluate an amendment to these laws 
specifically for cybersecurity software that would allow health care 
organizations the ability to assist physicians in the acquisition of 
this technology, through either donation or subsidy.\181\ The HCIC Task 
Force noted that the existing regulatory exception to the physician 
self-referral law (42 CFR 411.357(w)) and the safe harbor to the 
Federal anti-kickback statute (42 CFR 1001.952(y)) applicable to 
certain donations of EHR items and services could serve as an ideal 
template for an analogous cybersecurity provision.\182\
---------------------------------------------------------------------------

    \179\ Health Sector Cybersecurity Coordination Center, A Cost 
Analysis of Healthcare Sector Data Breaches (Apr. 4, 2019), https://www.hhs.gov/sites/default/files/cost-analysis-of-healthcare-sector-data-breaches.pdf.
    \180\ Id.
    \181\ HCIC Task Force Report, https://www.phe.gov/Preparedness/
planning/CyberTF/Documents/report2017.pdf.
    \182\ Id.
---------------------------------------------------------------------------

    Further substantiating the need for increased flexibility related 
to the donation of cybersecurity technology and services, in 2018, the 
American Medical Association surveyed over 1,300 physicians in a 
cybersecurity-related survey. Approximately 83 percent of the 
participants reported having experienced some sort of cybersecurity 
attack.\183\ The study also highlighted that 50 percent of the surveyed 
physicians wished they could receive donations of security-related 
hardware and software from other providers, and recommended that OIG 
develop a safe harbor to permit it.
---------------------------------------------------------------------------

    \183\ American Medical Association, Tackling Cyber Threats in 
Healthcare, https://www.ama-assn.org/sites/ama-assn.org/files/corp/media-browser/public/government/advocacy/medical-cybersecurity-findings.pdf and https://www.ama-assn.org/sites/ama-assn.org/files/corp/media-browser/public/government/advocacy/infographic-medical-cybersecurity.pdf.
---------------------------------------------------------------------------

    As described in section III.B.8 of this final rule, we received 
overwhelming support from across the health care industry in response 
to our proposal to establish the new safe harbor for cybersecurity 
items and services, and we anticipate significant expansion of 
cybersecurity efforts through donations following the effective date of 
this final rule, similar to the expanded adoption of EHR items and 
services reported by stakeholders following the establishment of the 
EHR safe harbor in 2006. Support for the new cybersecurity safe harbor 
came from many well-resourced organizations that are potential future 
donors of cybersecurity technology, such as health plans and large 
health systems, as well as from likely recipients of donations and 
trade groups representing practitioners.
    Because of the cost of cybersecurity attacks to organizations that 
wish to donate or receive cybersecurity technology and services, and 
the general support among donors and recipients for the new 
cybersecurity exception, we anticipate significant investment in 
improvements to the cybersecurity hygiene of the health care industry. 
An organization's cybersecurity posture is only as strong as its 
weakest link, including weaknesses of downstream providers, suppliers, 
and practitioners that wish to receive donations; thus, donors are 
incented to protect themselves by donating cybersecurity technology and 
services that improves their cybersecurity.
    There are a variety of factors integral to determining the impact 
of this final safe harbor's effect on the cybersecurity hygiene of the 
health care industry that remain too speculative to make a quantitative 
estimate of the impact of this final rule. We cannot predict with 
sufficient certainty various elements that will determine the impact of 
this safe harbor. For example, we cannot predict: (1) How many health 
care industry stakeholders will donate cybersecurity technology or 
services for which parties may seek safe harbor protection; (2) the 
specific combinations of items and services that will be donated or how 
such donations will improve the cybersecurity hygiene of recipients, 
donors, and the health care industry as a whole; and (3) external 
factors (e.g., other policies promoting cybersecurity within the health 
care industry, how cyber criminals will proliferate and develop new 
strategies, how cyberattack recovery costs and ransom costs will 
change) that can enable or hinder improved cybersecurity hygiene and 
potentially

[[Page 77885]]

result in increased or decreased costs associated with cyberattacks. 
Despite this, we expect that the flexibility to donate cybersecurity 
technology and services will benefit the ecosystem as a whole, improve 
cybersecurity across the industry, and reduce costs associated with 
cyberattacks (by improving prevention and detection of cybersecurity 
weaknesses and reducing successful cyberattacks, and consequently, 
ransom fees and recovery costs). However, we cannot predict the 
specific impacts of the flexibility afforded by the cybersecurity 
technology and services safe harbor on the costs or benefits to Federal 
health care programs, beneficiaries, or the health care industry as a 
whole.
7. Anticipated Costs
    We also acknowledge that there could be some costs associated with 
this final rule. For example, providers and other stakeholders 
voluntarily complying with the safe harbors and exception finalized 
here may incur legal and administrative costs to appropriately 
structure an arrangement to satisfy an applicable safe harbor or 
exception. In addition, it is possible providers and others may misuse 
the protection afforded by the safe harbors and exception which could 
result in increased costs to Federal health care programs or 
beneficiaries. It also is possible that providers and other 
stakeholders will appropriately use the safe harbors, but a care 
coordination or value-based arrangement developed in good faith might 
not result in savings to the Federal health care programs or 
beneficiaries or improvements in quality of care.
    Designing safe harbors with sufficient safeguards against potential 
abuses and harms by those who might misuse the safe harbors is not 
without challenges. In this final rule, we have tried to strike the 
right balance between flexibility for beneficial innovation and 
safeguards to protect patients and Federal health care programs. 
However, we cannot quantify whether we have struck the appropriate 
balance; in particular, we cannot quantify whether achievement of the 
intended outcomes (e.g., improved coordination of patient care, 
improved quality of patient care, reduced costs to payers) will 
outweigh any potential costs.

B. Executive Order 12866

    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and if regulations are 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects; distributive impacts; and equity). A regulatory impact 
analysis must be prepared for major rules with economically significant 
effects (i.e., $100 million or more in any given year). This final rule 
codifies a new exception to the definition of ``remuneration'' under 
the Beneficiary Inducements CMP and implements new or revised anti-
kickback statute safe harbors. As explained more fully above, we 
believe the changes in the final rule to the safe harbors and the new 
exception to the Beneficiary Inducements CMP will provide flexibility 
for providers and others to enter into certain beneficial arrangements. 
In doing so, this final rule imposes no requirements on any party. 
Providers and others will be allowed to voluntarily seek to comply with 
these provisions so that they have assurance that participating in 
certain arrangements will not subject them to liability under the 
Federal anti-kickback statute and the Beneficiary Inducements CMP. 
These safe harbors and exception facilitate providers' and others' 
ability to provide important health care and related services to 
communities in need. We estimated that this rule would be 
``economically significant'' as measured by the $100 million threshold, 
and hence also a major rule under the Congressional Review Act. 
Accordingly, we prepared an RIA that presented our estimates of the 
costs and benefits of this rulemaking. Thus, this rule has been 
reviewed by the Office of Management and Budget.

C. Regulatory Flexibility Act

    The RFA and the Small Business Regulatory Enforcement and Fairness 
Act of 1996, which amended the RFA, require agencies to analyze options 
for regulatory relief of small businesses. For purposes of the RFA, 
small entities include small businesses, nonprofit organizations, and 
Government agencies. Most providers are considered small entities by 
having revenues of $7 million to $35.5 million or less in any one year. 
For purposes of the RFA, most physicians and suppliers are considered 
small entities.
    Comment: We received comments from two associations representing 
small and rural providers or Indian health care providers regarding the 
level of administrative burden and potential costs associated with 
implementing the requirements in certain proposed safe harbors (e.g., 
requiring a writing signed by the parties under certain proposed safe 
harbors and requiring a financial contribution by a recipient of 
remuneration under the care coordination arrangements safe harbor and 
EHR safe harbor), particularly for small and rural providers and Indian 
health care providers. For example, a commenter suggested that if OIG 
reduced administrative burden on physicians under its final rule, it 
would allow physicians to focus on the patient-physician relationship 
and the patient's welfare. In addition, a commenter representing Indian 
health care providers expressed concern that its stakeholders would 
need to make changes to current practices and operations in response to 
this rulemaking in order to comply with the Federal anti-kickback 
statute and to avoid severe criminal, civil, and administrative 
penalties. The commenter also raised concerns regarding potential 
administrative burden that may occur if Indian health care providers 
revise or amend existing agreements with the Health Resources and 
Services Administration to participate in arrangements protected under 
new safe harbors. The commenter also asked OIG to exempt Indian health 
programs from certain proposed safe harbor contribution requirements.
    Response: We reiterate that this final rule does not impose any 
obligations on any entity, including Indian health care providers, nor 
does this final rule require any entity to make changes to current 
practices and operations to comply with the Federal anti-kickback 
statute or Beneficiary Inducements CMP. This final rule provides 
additional flexibilities for providers and others to enter into care 
coordination arrangements with potentially reduced legal risk. As 
explained above, structuring financial arrangements to satisfy a safe 
harbor or exception is voluntary; indeed, even entering into such 
financial arrangements is voluntary. We believe the changes to the safe 
harbors and the addition of a new exception to the definition of 
``remuneration'' under the Beneficiary Inducements CMP provide industry 
stakeholders with additional flexibility if they desire to enter into 
certain beneficial arrangements.
    We understand the commenter's concern regarding potential costs 
associated with contribution requirements included within certain safe 
harbors that we are finalizing. However, after careful consideration, 
we continue to believe that the contribution requirement is an 
important safeguard against fraud and abuse in light of the specific 
risks of inappropriate generation of referrals presented by donations 
of EHR items and services that could be protected by the EHR safe 
harbor(paragraph 1001.952(y)) and care

[[Page 77886]]

coordination arrangements safe harbor (paragraph 1001.952(ee)). As we 
explain in our discussion of these safe harbors in sections III.B.3.g 
and III.B.9.e above, when recipients of valuable remuneration have some 
responsibility to contribute to the cost of the items or services, they 
are more likely to make economically prudent decisions and accept only 
what they need or will use. The final rule reflects our efforts to 
balance additional flexibility for beneficial arrangements that have 
potential to reduce costs and improve care with safeguards to protect 
against potential abuses, including inappropriate increases in costs to 
Federal health care programs and beneficiaries.
    We recognize that small or rural entities or Indian health care 
providers may incur costs to avail themselves of the safe harbor and 
exception protections under the final rule. However, we expect the 
costs to be no greater than parties currently incur to comply with the 
Federal anti-kickback statute and the Beneficiary Inducements CMP. We 
do not expect this final rule to have a significant impact on a 
substantial number of small entities or Indian health care providers 
because the rules are completely voluntary (i.e., providers are not 
required to comply with the conditions of any safe harbor in order to 
avoid violating the Federal anti-kickback statute). Furthermore, we 
believe the net impact on small businesses that choose to take 
advantage of the new flexibilities will be low because we anticipate 
that the potential burden associated with certain provisions may be 
mitigated by other provisions offering greater flexibility to 
providers.
    We estimate the changes to the exception to the Beneficiary 
Inducements CMP and the Federal anti-kickback statute safe harbors will 
impose no incremental burden on covered entities. We are providing 
covered entities with the option to adjust their business practices to 
better serve patients without adversely affecting their profitability. 
As a result, we have concluded that this final rule likely will not 
have a significant impact on a substantial number of small providers 
and that a regulatory flexibility analysis is not required for this 
rulemaking. In addition, section 1102(b) of the Act requires that we 
prepare a regulatory impact analysis if a rule under titles XVIII or 
XIX or section B of title XI of the Act may have a significant impact 
on the operations of a substantial number of small rural hospitals. For 
the reasons stated above, we do not believe that any provisions or 
changes finalized here will have a significant impact on the operations 
of rural hospitals. Thus, an analysis under section 1102(b) of the Act 
is not required for this rulemaking.

D. Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4, also requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditures in any 
one year by State Governments, Tribal Governments, or local 
governments, in the aggregate, or by the private sector, of $100 
million, adjusted for inflation. We believe that no significant costs 
will be associated with this final rule that would impose any mandates 
on State Governments, Tribal Governments, local governments, or the 
private sector that would result in an expenditure of $154 million 
(after adjustment for inflation) in any given year.

D. Executive Order 13132

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirements for costs on State and local governments, preempts 
State law, or otherwise has Federalism implications. In reviewing this 
rule under the threshold criteria of Executive Order 13132, we have 
determined that this final rule will not significantly affect the 
rights, roles, and responsibilities of State or local governments.

E. Executive Order 13771

    Executive Order 13771 (January 30, 2017) requires that the costs 
associated with significant new regulations ``to the extent permitted 
by law, be offset by the elimination of existing costs associated with 
at least two prior regulations.'' This final rule has been designated a 
significant regulatory action as defined by Executive Order 12866 but 
imposes no more than de minimis costs and is a deregulatory action 
under Executive Order 13771. This designation has been informed by 
public comments.

F. Statement of Need

    The Department has identified the broad reach of the Federal anti-
kickback statute and Beneficiary Inducements CMP as potentially 
inhibiting beneficial arrangements that would advance the ability of 
providers, suppliers, and others to transition more effectively and 
efficiently to value-based care and to better coordinate care among 
providers, suppliers, and others in both the Federal health care 
programs and commercial sectors. Industry stakeholders have informed us 
that, because the consequences of potential noncompliance with the 
Federal anti-kickback statute and Beneficiary Inducements CMP could be 
significant, providers, suppliers, and others may be discouraged from 
entering into innovative arrangements that could improve quality 
outcomes, produce health system efficiencies, and lower health care 
costs (or slow their rate of growth). To the extent providers are 
discouraged from entering into these innovative arrangements, patient 
care may not be provided as efficiently as possible. In addition, the 
potential consequences of noncompliance with these statutes may impede 
the ability of providers, suppliers, and others, including small 
providers and suppliers or those serving rural or medically underserved 
populations, to raise capital to invest in the transition to value-
based care or to obtain infrastructure necessary to coordinate patient 
care, including technology. This unnecessarily slows the transition 
toward more efficient patient care. This final rule attempts to address 
these concerns by removing unnecessary impediments to the 
transformation of the health care system into one that better pays for 
and delivers value.
    To remove regulatory barriers to care coordination and support 
value-based arrangements, we faced the challenge of designing safe 
harbor protections for emerging health care arrangements, the optimal 
form, design, and efficacy of which remain unknown or unproven. These 
arrangements will be driven by the determinations and experiences of a 
wide range of providers, suppliers, and others as they innovate in 
delivering value-based care. This challenge is further complicated by 
the substantial variation in care coordination and value-based 
arrangements contemplated by the health care industry and others 
(meaning that one-size-fits-all safe harbor designs may not be 
optimal), variation among patient populations and provider 
characteristics, emerging health technologies and data capabilities, 
the still-developing science of quality and performance measurement, 
and our desire not to have a chilling effect on beneficial innovations.
    As described above, it is difficult to gauge the effects of this 
regulatory action in a rapidly evolving and diverse health care 
ecosystem of substantial innovation, experimentation, and deployment of 
technology and digital data. For example, as explained above, while a 
recent article projected potential savings of $29.6 billion to $38.2 
billion across the U.S. health care system for

[[Page 77887]]

reducing waste from failure of care coordination,\184\ it is difficult, 
if not impossible to gauge reductions in wasteful health care spending 
and improved health outcomes as a result of new arrangements made 
possible by this final rule. It is also difficult, if not impossible, 
to quantify savings or losses that could occur as a result of new 
fraudulent or abusive conduct that could increase costs or lead to poor 
outcomes as a result of new arrangements. In some cases, innovations 
may enhance program integrity and protect against fraud and abuse, 
reducing costs and increasing benefits. There is a compelling concern 
that uncertainty and regulatory barriers under current regulations 
could prevent the best and most efficacious innovations from emerging 
and being tested in the marketplace. Our goal in finalizing safe 
harbors is to protect arrangements that foster beneficial arrangements 
and facilitate value, while also protecting programs and beneficiaries 
against harms cause by fraud and abuse.
---------------------------------------------------------------------------

    \184\ William H. Shrank et al., Waste in the US Health Care 
System, Estimated Costs and Potential for Savings, 322 JAMA 1501 
(2019), available at https://jamanetwork.com/journals/jama/article-abstract/2752664.
---------------------------------------------------------------------------

VI. Paperwork Reduction Act

    The provisions of this final rule will not impose any new 
information collection and recordkeeping requirements. Consequently, it 
need not be reviewed by the Office of Management and Budget under the 
authority of the Paperwork Reduction Act of 1995.

List of Subjects

42 CFR Part 1001

    Administrative practice and procedure, Fraud, Grant programs--
health, Health facilities, Health professions, Maternal and child 
health, Medicaid, Medicare, Social Security.

42 CFR Part 1003

    Fraud, Grant programs--health, Health facilities, Health 
professions, Medicaid, Reporting, and recordkeeping.

    For the reasons set forth in the preamble, the Office of Inspector 
General, Department of Health and Human Services, amends 42 CFR parts 
1001 and 1003 as follows:

PART 1001--PROGRAM INTEGRITY--MEDICARE AND STATE HEATH PROGRAMS

0
1. The authority citation for part 1001 continues to read as follows:

    Authority:  42 U.S.C. 1302, 1320a-7, 1320a-7a, 1320a-7b, 1320a-
7d, 1395u(j), 1395u(k), 1395w-104(e)(6), 1395y(d), 1395y(e), 
1395cc(b)(2)(D), (E) and (F), and 1395hh; and sec. 2455, Pub. L. 
103-355, 108 Stat. 3327 (31 U.S.C. 6101 note).

0
2. Section 1001.952 is amended by:
0
a. Revising paragraphs (d), (g) introductory text, (g)(1), (3), and 
(4);
0
b. Adding paragraphs (g)(5) and (g)(6) before the undesignated text at 
the end of paragraph (g);
0
c. Designating the undesignated text at the end of paragraph (g) as 
paragraph (g)(7) and revising newly redesignated (g)(7);
0
d. Revising paragraph (y) introductory text, paragraph (y)(1), the 
second sentence of paragraph (y)(2);
0
e. Removing and reserving paragraphs (y)(3) and (7);
0
f. Revising paragraph (y)(11);
0
g. Removing and reserving paragraph (y)(13);
0
h. Redesignating the note to paragraph (y) as paragraph (y)(14) and 
revising newly redesignated (y)(14);
0
i. Revising paragraphs (bb)(1)(iv)(B) and (bb)(2)(iii);
0
j. Redesignating the note to paragraph (bb) as paragraph (bb)(3) and 
revising newly redesignated (bb)(3);
0
k. Adding and reserving paragraphs (cc) and (dd); and
0
l. Adding paragraphs (ee) through (kk).
    The revisions and additions read as follows:


Sec.  1001.952  Exceptions.

* * * * *
    (d) Personal services and management contracts and outcomes-based 
payment arrangements. (1) As used in section 1128B of the Act, 
``remuneration'' does not include any payment made by a principal to an 
agent as compensation for the services of the agent, as long as all of 
the following standards are met:
    (i) The agency agreement is set out in writing and signed by the 
parties.
    (ii) The agency agreement covers all of the services the agent 
provides to the principal for the term of the agreement and specifies 
the services to be provided by the agent.
    (iii) The term of the agreement is not less than 1 year.
    (iv) The methodology for determining the compensation paid to the 
agent over the term of the agreement is set in advance, is consistent 
with fair market value in arm's-length transactions, and is not 
determined in a manner that takes into account the volume or value of 
any referrals or business otherwise generated between the parties for 
which payment may be made in whole or in part under Medicare, Medicaid, 
or other Federal health care programs.
    (v) The services performed under the agreement do not involve the 
counseling or promotion of a business arrangement or other activity 
that violates any State or Federal law.
    (vi) The aggregate services contracted for do not exceed those 
which are reasonably necessary to accomplish the commercially 
reasonable business purpose of the services.
    (2) As used in section 1128B of the Act, ``remuneration'' does not 
include any outcomes-based payment as long as all of the standards in 
paragraphs (d)(2)(i) through (viii) of this section are met:
    (i) To receive an outcomes-based payment, the agent achieves one or 
more legitimate outcome measures that:
    (A) Are selected based on clinical evidence or credible medical 
support; and
    (B) Have benchmarks that are used to quantify:
    (1) Improvements in, or the maintenance of improvements in, the 
quality of patient care;
    (2) A material reduction in costs to or growth in expenditures of 
payors while maintaining or improving quality of care for patients; or
    (3) Both.
    (ii) The methodology for determining the aggregate compensation 
(including any outcomes-based payments) paid between or among the 
parties over the term of the agreement is: Set in advance; commercially 
reasonable; consistent with fair market value; and not determined in a 
manner that directly takes into account the volume or value of any 
referrals or business otherwise generated between the parties for which 
payment may be made in whole or in part by a Federal health care 
program.
    (iii) The agreement between the parties is set out in writing and 
signed by the parties in advance of, or contemporaneous with, the 
commencement of the terms of the outcomes-based payment arrangement. 
The writing states at a minimum: A general description of the services 
to be performed by the parties for the term of the agreement; the 
outcome measure(s) the agent must achieve to receive an outcomes-based 
payment; the clinical evidence or credible medical support relied upon 
by the parties to select the outcome measure(s); and the schedule for 
the parties to regularly monitor and assess the outcome measure(s).
    (iv) The agreement neither limits any party's ability to make 
decisions in their patients' best interest nor induces any party to 
reduce or limit medically necessary items or services.

[[Page 77888]]

    (v) The term of the agreement is not less than 1 year.
    (vi) The services performed under the agreement do not involve the 
counseling or promotion of a business arrangement or other activity 
that violates any State or Federal law.
    (vii) For each outcome measure under the agreement, the parties:
    (A) Regularly monitor and assess the agent's performance, including 
the impact of the outcomes-based payment arrangement on patient quality 
of care; and
    (B) Periodically assess, and as necessary revise, benchmarks and 
remuneration under the arrangement to ensure that the remuneration is 
consistent with fair market value in an arm's length transaction as 
required by paragraph (d)(2)(ii) of this section during the term of the 
agreement.
    (viii) The principal has policies and procedures to promptly 
address and correct identified material performance failures or 
material deficiencies in quality of care resulting from the outcomes-
based payment arrangement.
    (3) For purposes of this paragraph (d):
    (i) An agent of a principal is any person other than a bona fide 
employee of the principal who has an agreement to perform services for 
or on behalf of the principal.
    (ii) Outcomes-based payments are limited to payments between or 
among a principal and an agent that:
    (A) Reward the agent for successfully achieving an outcome measure 
described in paragraph (d)(2)(i) of this section; or
    (B) Recoup from or reduce payment to an agent for failure to 
achieve an outcome measure described in paragraph (d)(2)(i) of this 
section.
    (iii) Outcomes-based payments exclude any payments:
    (A) Made directly or indirectly by the following entities:
    (1) A pharmaceutical manufacturer, distributor, or wholesaler;
    (2) A pharmacy benefit manager;
    (3) A laboratory company;
    (4) A pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs;
    (5) A manufacturer of a device or medical supply as defined in 
paragraph (ee)(14)(iv) of this section;
    (6) A medical device distributor or wholesaler that is not 
otherwise a manufacturer of a device or medical supply, as defined in 
paragraph (ee)(14)(iv) of this section; or
    (7) An entity or individual that sells or rents durable medical 
equipment, prosthetics, orthotics, or supplies covered by a Federal 
health care program (other than a pharmacy or a physician, provider, or 
other entity that primarily furnishes services); or
    (B) Related solely to the achievement of internal cost savings for 
the principal; or
    (C) Based solely on patient satisfaction or patient convenience 
measures.
* * * * *
    (g) Warranties. As used in section 1128B of the Act, 
``remuneration'' does not include any payment or exchange of anything 
of value under a warranty provided by a manufacturer or supplier of one 
or more items and services (provided the warranty covers at least one 
item) to the buyer (such as a health care provider or beneficiary) of 
the items and services, as long as the buyer complies with all of the 
following standards in paragraphs (g)(1) and (2) of this section and 
the manufacturer or supplier complies with all of the following 
standards in paragraphs (g)(3) through (6) of this section:
    (1) The buyer (unless the buyer is a Federal health care program 
beneficiary) must fully and accurately report any price reduction of an 
item or service (including a free item or service) that was obtained as 
part of the warranty in the applicable cost reporting mechanism or 
claim for payment filed with the Department or a State agency.
* * * * *
    (3) The manufacturer or supplier must comply with either of the 
following standards:
    (i) The manufacturer or supplier must fully and accurately report 
any price reduction of an item or service (including free items and 
services) that the buyer obtained as part of the warranty on the 
invoice or statement submitted to the buyer and inform the buyer of its 
obligations under paragraphs (g)(1) and (2) of this section.
    (ii) When the amount of any price reduction is not known at the 
time of sale, the manufacturer or supplier must fully and accurately 
report the existence of a warranty on the invoice or statement, inform 
the buyer of its obligations under paragraphs (g)(1) and (g)(2) of this 
section, and when any price reduction becomes known, provide the buyer 
with documentation of the calculation of the price reduction resulting 
from the warranty.
    (4) The manufacturer or supplier must not pay any remuneration to 
any individual (other than a beneficiary) or entity for any medical, 
surgical, or hospital expense incurred by a beneficiary other than for 
the cost of the items and services subject to the warranty.
    (5) If a manufacturer or supplier offers a warranty for more than 
one item or one or more items and related services, the federally 
reimbursable items and services subject to the warranty must be 
reimbursed by the same Federal health care program and in the same 
Federal health care program payment.
    (6) The manufacturer or supplier must not condition a warranty on a 
buyer's exclusive use of, or a minimum purchase of, any of the 
manufacturer's or supplier's items or services.
    (7) For purposes of this paragraph (g), the term warranty means:
    (i) Any written affirmation of fact or written promise made in 
connection with the sale of an item or bundle of items, or services in 
combination with one or more related items, by a manufacturer or 
supplier to a buyer, which affirmation of fact or written promise 
relates to the nature of the quality of workmanship and affirms or 
promises that such quality or workmanship is defect free or will meet a 
specified level of performance over a specified period of time;
    (ii) Any undertaking in writing in connection with the sale by a 
manufacturer or supplier of an item or bundle of items, or services in 
combination with one or more related items, to refund, repair, replace, 
or take other remedial action with respect to such item or bundle of 
items in the event that such item or bundle of items, or services in 
combination with one or more related items, fails to meet the 
specifications set forth in the undertaking which written affirmation, 
promise, or undertaking becomes part of the basis of the bargain 
between a seller and a buyer for purposes other than resell of such 
item or bundle of items; or
    (iii) A manufacturer's or supplier's agreement to replace another 
manufacturer's or supplier's defective item or bundle of items (which 
is covered by an agreement made in accordance with this paragraph (g)), 
on terms equal to the agreement that it replaces.
* * * * *
    (y) Electronic health records items and services. As used in 
section 1128B of the Act, ``remuneration'' does not include nonmonetary 
remuneration (consisting of items and services in the form of software 
or information technology and training services, including 
cybersecurity software and services) necessary and used predominantly 
to create, maintain, transmit, receive, or protect electronic health 
records, if all of the conditions in paragraphs (y)(1) through (13) of 
this section are met:
    (1) The items and services are provided to an individual or entity

[[Page 77889]]

engaged in the delivery of health care by:
    (i) An individual or entity, other than a laboratory company, that:
    (A) Provides services covered by a Federal health care program and 
submits claims or requests for payment, either directly or through 
reassignment, to the Federal health care program; or
    (B) Is comprised of the types of individuals or entities in 
paragraph (y)(1)(i)(A) of this section; or
    (ii) A health plan.
    (2) * * * For purposes of this paragraph (y)(2) of this section, 
software is deemed to be interoperable if, on the date it is provided 
to the recipient, it is certified by a certifying body authorized by 
the National Coordinator for Health Information Technology to 
certification criteria identified in the then-applicable version of 45 
CFR part 170.
* * * * *
    (11) The recipient pays 15 percent of the donor's cost for the 
items and services. The following conditions apply to such 
contribution:
    (i) If the donation is the initial donation of EHR items and 
services, or the replacement of part or all of an existing system of 
EHR items and services, the recipient must pay 15 percent of the 
donor's cost before receiving the items and services. The contribution 
for updates to previously donated EHR items and services need not be 
paid in advance of receiving the update; and
    (ii) The donor (or any affiliated individual or entity) does not 
finance the recipient's payment or loan funds to be used by the 
recipient to pay for the items and services.
* * * * *
    (14) For purposes of this paragraph (y), the following definitions 
apply:
    (i) Cybersecurity means the process of protecting information by 
preventing, detecting, and responding to cyberattacks.
    (ii) Health plan shall have the meaning set forth at Sec.  
1001.952(l)(2).
    (iii) Interoperable shall mean able to:
    (A) Securely exchange data with and use data from other health 
information technology; and
    (B) Allow for complete access, exchange, and use of all 
electronically accessible health information for authorized use under 
applicable State or Federal law.
    (iv) Electronic health record shall mean a repository of consumer 
health status information in computer processable form used for 
clinical diagnosis and treatment for a broad array of clinical 
conditions.
* * * * *
    (bb) * * *
    (1) * * *
    (iv) * * *
    (B) Within 25 miles of the health care provider or supplier to or 
from which the patient would be transported, or within 75 miles if the 
patient resides in a rural area, as defined in this paragraph (bb) 
except that, if the patient is discharged from an inpatient facility 
following inpatient admission or released from a hospital after being 
placed in observation status for at least 24 hours and transported to 
the patient's residence, or another residence of the patient's choice, 
the mileage limits in this paragraph (bb)(1)(iv)(B) shall not apply; 
and
* * * * *
    (2) * * *
    (iii) The eligible entity makes the shuttle service available only 
within the eligible entity's local area, meaning there are no more than 
25 miles from any stop on the route to any stop at a location where 
health care items or services are provided, except that if a stop on 
the route is in a rural area, the distance may be up to 75 miles 
between that stop and any providers or suppliers on the route;
* * * * *
    (3) For purposes of this paragraph (bb), the following definitions 
apply:
    (i) An eligible entity is any individual or entity, except for 
individuals or entities (or family members or others acting on their 
behalf) that primarily supply health care items.
    (ii) An established patient is a person who has selected and 
initiated contact to schedule an appointment with a provider or 
supplier, or who previously has attended an appointment with the 
provider or supplier.
    (iii) A shuttle service is a vehicle that runs on a set route, on a 
set schedule.
    (iv) A rural area is an area that is not an urban area, as defined 
in paragraph (bb)(3)(v) of this section.
    (v) An urban area is:
    (A) A Metropolitan Statistical Area (MSA) or New England County 
Metropolitan Area (NECMA), as defined by the Executive Office of 
Management and Budget; or
    (B) The following New England counties, which are deemed to be 
parts of urban areas under section 601(g) of the Social Security 
Amendments of 1983 (Pub. L. 98-21, 42 U.S.C. 1395ww (note)): Litchfield 
County, Connecticut; York County, Maine; Sagadahoc County, Maine; 
Merrimack County, New Hampshire; and Newport County, Rhode Island.
    (cc)-(dd) [Reserved]
    (ee) Care coordination arrangements to improve quality, health 
outcomes, and efficiency. As used in section 1128B of the Act, 
``remuneration'' does not include the exchange of anything of value 
between a VBE and VBE participant or between VBE participants pursuant 
to a value-based arrangement if all of the standards in paragraphs 
(ee)(1) through (13) of this section are met:
    (1) The remuneration exchanged:
    (i) Is in-kind;
    (ii) Is used predominantly to engage in value-based activities that 
are directly connected to the coordination and management of care for 
the target patient population and does not result in more than 
incidental benefits to persons outside of the target patient 
population; and
    (iii) Is not exchanged or used:
    (A) More than incidentally for the recipient's billing or financial 
management services; or
    (B) For the purpose of marketing items or services furnished by the 
VBE or a VBE participant to patients or for patient recruitment 
activities.
    (2) The value-based arrangement is commercially reasonable, 
considering both the arrangement itself and all value-based 
arrangements within the VBE.
    (3) The terms of the value-based arrangement are set forth in 
writing and signed by the parties in advance of, or contemporaneous 
with, the commencement of the value-based arrangement and any material 
change to the value-based arrangement. The writing states at a minimum:
    (i) The value-based purpose(s) of the value-based activities 
provided for in the value-based arrangement;
    (ii) The value-based activities to be undertaken by the parties to 
the value-based arrangement;
    (iii) The term of the value-based arrangement;
    (iv) The target patient population;
    (v) A description of the remuneration;
    (vi) Either the offeror's cost for the remuneration and the 
reasonable accounting methodology used by the offeror to determine its 
cost, or the fair market value of the remuneration;
    (vii) The percentage and amount contributed by the recipient;
    (viii) If applicable, the frequency of the recipient's contribution 
payments for ongoing costs; and
    (ix) The outcome or process measure(s) against which the recipient 
will be measured.
    (4) The parties to the value-based arrangement establish one or 
more legitimate outcome or process measures that:
    (i) The parties reasonably anticipate will advance the coordination 
and

[[Page 77890]]

management of care for the target patient population based on clinical 
evidence or credible medical or health sciences support;
    (ii) Include one or more benchmarks that are related to improving 
or maintaining improvements in the coordination and management of care 
for the target patient population;
    (iii) Are monitored, periodically assessed, and prospectively 
revised as necessary to ensure that the measure and its benchmark 
continue to advance the coordination and management of care of the 
target patient population;
    (iv) Relate to the remuneration exchanged under the value-based 
arrangement; and
    (v) Are not based solely on patient satisfaction or patient 
convenience.
    (5) The offeror of the remuneration does not take into account the 
volume or value of, or condition the remuneration on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (6) The recipient pays at least 15 percent of the offeror's cost 
for the remuneration, using any reasonable accounting methodology, or 
the fair market value of the in-kind remuneration. If it is a one-time 
cost, the recipient makes such contribution in advance of receiving the 
in-kind remuneration. If it is an ongoing cost, the recipient makes 
such contribution at reasonable, regular intervals.
    (7) The value-based arrangement does not:
    (i) Limit the VBE participant's ability to make decisions in the 
best interests of its patients;
    (ii) Direct or restrict referrals to a particular provider, 
practitioner, or supplier if:
    (A) A patient expresses a preference for a different practitioner, 
provider, or supplier;
    (B) The patient's payor determines the provider, practitioner, or 
supplier; or
    (C) Such direction or restriction is contrary to applicable law 
under titles XVIII and XIX of the Act; or
    (iii) Induce parties to furnish medically unnecessary items or 
services, or reduce or limit medically necessary items or services 
furnished to any patient.
    (8) The exchange of remuneration by a limited technology 
participant and another VBE participant or the VBE must not be 
conditioned on any recipient's exclusive use or minimum purchase of any 
item or service manufactured, distributed, or sold by the limited 
technology participant.
    (9) The VBE, a VBE participant in the value-based arrangement 
acting on the VBE's behalf, or the VBE's accountable body or 
responsible person reasonably monitors and assesses the following and 
reports the monitoring and assessment of the following to the VBE's 
accountable body or responsible person, as applicable, no less 
frequently than annually or at least once during the term of the value-
based arrangement for arrangements with terms of less than 1 year:
    (i) The coordination and management of care for the target patient 
population in the value-based arrangement;
    (ii) Any deficiencies in the delivery of quality care under the 
value-based arrangement; and
    (iii) Progress toward achieving the legitimate outcome or process 
measure(s) in the value-based arrangement.
    (10) If the VBE's accountable body or responsible person 
determines, based on the monitoring and assessment conducted pursuant 
to paragraph (ee)(9) of this section, that the value-based arrangement 
has resulted in material deficiencies in quality of care or is unlikely 
to further the coordination and management of care for the target 
patient population, the parties must within 60 days either:
    (i) Terminate the arrangement; or
    (ii) Develop and implement a corrective action plan designed to 
remedy the deficiencies within 120 days, and if the corrective action 
plan fails to remedy the deficiencies within 120 days, terminate the 
value-based arrangement.
    (11) The offeror does not and should not know that the remuneration 
is likely to be diverted, resold, or used by the recipient for an 
unlawful purpose.
    (12) For a period of at least 6 years, the VBE or VBE participant 
makes available to the Secretary, upon request, all materials and 
records sufficient to establish compliance with the conditions of this 
paragraph (ee).
    (13) The remuneration is not exchanged by:
    (i) A pharmaceutical manufacturer, distributor, or wholesaler;
    (ii) A pharmacy benefit manager;
    (iii) A laboratory company;
    (iv) A pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs;
    (v) Except to the extent the entity is a limited technology 
participant, a manufacturer of a device or medical supply;
    (vi) Except to the extent the entity or individual is a limited 
technology participant, an entity or individual that sells or rents 
durable medical equipment, prosthetics, orthotics, or supplies covered 
by a Federal health care program (other than a pharmacy or a physician, 
provider, or other entity that primarily furnishes services); or
    (vii) A medical device distributor or wholesaler that is not 
otherwise a manufacturer of a device or medical supplies.
    (14) For purposes of this paragraph (ee), the following definitions 
apply:
    (i) Coordination and management of care (or coordinating and 
managing care) means the deliberate organization of patient care 
activities and sharing of information between two or more VBE 
participants, one or more VBE participants and the VBE, or one or more 
VBE participants and patients, that is designed to achieve safer, more 
effective, or more efficient care to improve the health outcomes of the 
target patient population.
    (ii) Digital health technology means hardware, software, or 
services that electronically capture, transmit, aggregate, or analyze 
data and that are used for the purpose of coordinating and managing 
care; such term includes any internet or other connectivity service 
that is necessary and used to enable the operation of the item or 
service for that purpose.
    (iii) Limited technology participant means a VBE participant that 
exchanges digital health technology with another VBE participant or a 
VBE and that is:
    (A) A manufacturer of a device or medical supply, but not including 
a manufacturer of a device or medical supply that was obligated under 
42 CFR 403.906 to report one or more ownership or investment interests 
held by a physician or an immediate family member during the preceding 
calendar year, or that reasonably anticipates that it will be obligated 
to report one or more ownership or investment interests held by a 
physician or an immediate family member during the present calendar 
year (for purposes of this paragraph, the terms ``ownership or 
investment interest,'' ``physician,'' and ``immediate family member'' 
have the same meaning as set forth in 42 CFR 403.902); or
    (B) An entity or individual that sells or rents durable medical 
equipment, prosthetics, orthotics, or supplies covered by a Federal 
health care program (other than a pharmacy or a physician, provider, or 
other entity that primarily furnishes services).
    (iv) Manufacturer of a device or medical supply means an entity 
that meets the definition of applicable manufacturer in 42 CFR 403.902 
because it is engaged in the production, preparation, propagation, 
compounding, or conversion of a device or medical supply that meets the 
definition of covered drug, device, biological, or

[[Page 77891]]

medical supply in 42 CFR 403.902, but not including entities under 
common ownership with such entity.
    (v) Target patient population means an identified patient 
population selected by the VBE or its VBE participants using legitimate 
and verifiable criteria that:
    (A) Are set out in writing in advance of the commencement of the 
value-based arrangement; and
    (B) Further the value-based enterprise's value-based purpose(s).
    (vi) Value-based activity. (A) Means any of the following 
activities, provided that the activity is reasonably designed to 
achieve at least one value-based purpose of the value-based enterprise:
    (1) The provision of an item or service;
    (2) The taking of an action; or
    (3) The refraining from taking an action; and
    (B) Does not include the making of a referral.
    (vii) Value-based arrangement means an arrangement for the 
provision of at least one value-based activity for a target patient 
population to which the only parties are:
    (A) The value-based enterprise and one or more of its VBE 
participants; or
    (B) VBE participants in the same value-based enterprise.
    (viii) Value-based enterprise or VBE means two or more VBE 
participants:
    (A) Collaborating to achieve at least one value-based purpose;
    (B) Each of which is a party to a value-based arrangement with the 
other or at least one other VBE participant in the value-based 
enterprise;
    (C) That have an accountable body or person responsible for 
financial and operational oversight of the value-based enterprise; and
    (D) That have a governing document that describes the value-based 
enterprise and how the VBE participants intend to achieve its value-
based purpose(s).
    (ix) Value-based enterprise participant or VBE participant means an 
individual or entity that engages in at least one value-based activity 
as part of a value-based enterprise, other than a patient acting in 
their capacity as a patient.
    (x) Value-based purpose means:
    (A) Coordinating and managing the care of a target patient 
population;
    (B) Improving the quality of care for a target patient population;
    (C) Appropriately reducing the costs to or growth in expenditures 
of payors without reducing the quality of care for a target patient 
population; or
    (D) Transitioning from health care delivery and payment mechanisms 
based on the volume of items and services provided to mechanisms based 
on the quality of care and control of costs of care for a target 
patient population.
    (ff) Value-based arrangements with substantial downside financial 
risk. As used in section 1128B of the Act, ``remuneration'' does not 
include the exchange of payments or anything of value between a VBE and 
a VBE participant pursuant to a value-based arrangement if all of the 
following standards in paragraphs (ff)(1) through (8) of this section 
are met:
    (1) The remuneration is not exchanged by:
    (i) A pharmaceutical manufacturer, distributor, or wholesaler;
    (ii) A pharmacy benefit manager;
    (iii) A laboratory company;
    (iv) A pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs;
    (v) A manufacturer of a device or medical supply;
    (vi) An entity or individual that sells or rents durable medical 
equipment, prosthetics, orthotics, or supplies covered by a Federal 
health care program (other than a pharmacy or a physician, provider, or 
other entity that primarily furnishes services); or
    (vii) A medical device distributor or wholesaler that is not 
otherwise a manufacturer of a device or medical supplies.
    (2) The VBE (directly or through a VBE participant, other than a 
payor, acting on the VBE's behalf) has assumed through a written 
contract or a value-based arrangement (or has entered into a written 
contract or a value-based arrangement to assume in the next 6 months) 
substantial downside financial risk from a payor for a period of at 
least 1 year.
    (3) The VBE participant (unless the VBE participant is the payor 
from which the VBE is assuming risk) is at risk for a meaningful share 
of the VBE's substantial downside financial risk for providing or 
arranging for the provision of items and services for the target 
patient population.
    (4) The remuneration provided by, or shared among, the VBE and VBE 
participant:
    (i) Is directly connected to one or more of the VBE's value-based 
purposes, at least one of which must be a value-based purpose defined 
in Sec.  1001.952(ee)(14)(x)(A), (B), or (C);
    (ii) Unless exchanged pursuant to risk methodologies defined in 
paragraph (ff)(9)(i) or (ii) of this section, is used predominantly to 
engage in value-based activities that are directly connected to the 
items and services for which the VBE has assumed (or has entered into a 
written contract or value-based arrangement to assume in the next 6 
months) substantial downside financial risk;
    (iii) Does not include the offer or receipt of an ownership or 
investment interest in an entity or any distributions related to such 
ownership or investment interest; and
    (iv) Is not exchanged or used for the purpose of marketing items or 
services furnished by the VBE or a VBE participant to patients or for 
patient recruitment activities.
    (5) The value-based arrangement is set forth in writing, is signed 
by the parties in advance of, or contemporaneous with, the commencement 
of the value-based arrangement and any material change to the value-
based arrangement, and specifies all material terms including:
    (i) Terms evidencing that the VBE is at substantial downside 
financial risk or will assume such risk in the next 6 months for the 
target patient population;
    (ii) A description of the manner in which the VBE participant 
(unless the VBE participant is the payor from which the VBE is assuming 
risk) has a meaningful share of the VBE's substantial downside 
financial risk; and
    (iii) The value-based activities, the target patient population, 
and the type of remuneration exchanged.
    (6) The VBE or VBE participant offering the remuneration does not 
take into account the volume or value of, or condition the remuneration 
on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (7) The value-based arrangement does not:
    (i) Limit the VBE participant's ability to make decisions in the 
best interests of its patients;
    (ii) Direct or restrict referrals to a particular provider, 
practitioner, or supplier if:
    (A) A patient expresses a preference for a different practitioner, 
provider, or supplier;
    (B) The patient's payor determines the provider, practitioner, or 
supplier; or
    (C) Such direction or restriction is contrary to applicable law 
under titles XVIII and XIX of the Act; or
    (iii) Induce parties to reduce or limit medically necessary items 
or services furnished to any patient.
    (8) For a period of at least 6 years, the VBE or VBE participant 
makes available to the Secretary, upon request, all materials and 
records sufficient to establish compliance with the conditions of this 
paragraph (ff).
    (9) For purposes of this paragraph (ff), the following definitions 
apply:

[[Page 77892]]

    (i) Substantial downside financial risk means:
    (A) Financial risk equal to at least 30 percent of any loss, where 
losses and savings are calculated by comparing current expenditures for 
all items and services that are covered by the applicable payor and 
furnished to the target patient population to a bona fide benchmark 
designed to approximate the expected total cost of such care;
    (B) Financial risk equal to at least 20 percent of any loss, where:
    (1) Losses and savings are calculated by comparing current 
expenditures for all items and services furnished to the target patient 
population pursuant to a defined clinical episode of care that are 
covered by the applicable payor to a bona fide benchmark designed to 
approximate the expected total cost of such care for the defined 
clinical episode of care; and
    (2) The parties design the clinical episode of care to cover items 
and services collectively furnished in more than one care setting; or
    (C) The VBE receives from the payor a prospective, per-patient 
payment that is:
    (1) Designed to produce material savings; and
    (2) Paid on a monthly, quarterly, or annual basis for a predefined 
set of items and services furnished to the target patient population, 
designed to approximate the expected total cost of expenditures for the 
predefined set of items and services.
    (ii) Meaningful share means the VBE participant:
    (A) Assumes two-sided risk for at least 5 percent of the losses and 
savings, as applicable, realized by the VBE pursuant to its assumption 
of substantial downside financial risk; or
    (B) Receives from the VBE a prospective, per-patient payment on a 
monthly, quarterly, or annual basis for a predefined set of items and 
services furnished to the target patient population, designed to 
approximate the expected total cost of expenditures for the predefined 
set of items and services, and does not claim payment in any form from 
the payor for the predefined items and services.
    (iii) Manufacturer of a device or medical supply, target patient 
population, value-based activity, value-based arrangement, value-based 
enterprise, value-based purpose, and VBE participant shall have the 
meaning set forth in paragraph (ee) of this section.
    (gg) Value-based arrangements with full financial risk. As used in 
section 1128B of the Act, ``remuneration'' does not include the 
exchange of payments or anything of value between the VBE and a VBE 
participant pursuant to a value-based arrangement if all of the 
standards in paragraphs (gg)(1) through (9) of this section are met:
    (1) The remuneration is not exchanged by:
    (i) A pharmaceutical manufacturer, distributor, or wholesaler;
    (ii) A pharmacy benefit manager;
    (iii) A laboratory company;
    (iv) A pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs;
    (v) A manufacturer of a device or medical supply;
    (vi) An entity or individual that sells or rents durable medical 
equipment, prosthetics, orthotics, or supplies covered by a Federal 
health care program (other than a pharmacy or a physician, provider, or 
other entity that primarily furnishes services); or
    (vii) A medical device distributor or wholesaler that is not 
otherwise a manufacturer of a device or medical supplies.
    (2) The VBE (directly or through a VBE participant, other than a 
payor, acting on behalf of the VBE) has assumed through a written 
contract or a value-based arrangement (or has entered into a written 
contract or a value-based arrangement to assume in the next 1 year) 
full financial risk from a payor.
    (3) The value-based arrangement is set forth in writing, is signed 
by the parties, and specifies all material terms, including the value-
based activities and the term.
    (4) The VBE participant (unless the VBE participant is a payor) 
does not claim payment in any form from the payor for items or services 
covered under the contract or value-based arrangement between the VBE 
and the payor described in paragraph (2).
    (5) The remuneration provided by, or shared among, the VBE and VBE 
participant:
    (i) Is directly connected to one or more of the VBE's value-based 
purposes;
    (ii) Does not include the offer or receipt of an ownership or 
investment interest in an entity or any distributions related to such 
ownership or investment interest; and
    (iii) Is not exchanged or used for the purpose of marketing items 
or services furnished by the VBE or a VBE participant to patients or 
for patient recruitment activities.
    (6) The value-based arrangement does not induce parties to reduce 
or limit medically necessary items or services furnished to any 
patient.
    (7) The VBE or VBE participant offering the remuneration does not 
take into account the volume or value of, or condition the remuneration 
on:
    (i) Referrals of patients who are not part of the target patient 
population; or
    (ii) Business not covered under the value-based arrangement.
    (8) The VBE provides or arranges for a quality assurance program 
for services furnished to the target patient population that:
    (i) Protects against underutilization; and
    (ii) Assesses the quality of care furnished to the target patient 
population.
    (9) For a period of at least 6 years, the VBE or VBE participant 
makes available to the Secretary, upon request, all materials and 
records sufficient to establish compliance with the conditions of this 
paragraph (gg).
    (10) For purposes of this paragraph (gg), the following definitions 
apply:
    (i) Full financial risk means the VBE is financially responsible on 
a prospective basis for the cost of all items and services covered by 
the applicable payor for each patient in the target patient population 
for a term of at least 1 year.
    (ii) Prospective basis means that the VBE has assumed financial 
responsibility for the cost of all items and services covered by the 
applicable payor prior to the provision of items and services to 
patients in the target patient population.
    (iii) Items and services means health care items, devices, 
supplies, and services.
    (iv) Manufacturer of a device or medical supply, target patient 
population, value-based activity, value-based arrangement, value-based 
enterprise, value-based purpose, and VBE participant shall have the 
meaning set forth in paragraph (ee) of this section.
    (hh) Arrangements for patient engagement and support to improve 
quality, health outcomes, and efficiency. As used in section 1128B of 
the Act, ``remuneration'' does not include a patient engagement tool or 
support furnished by a VBE participant to a patient in the target 
patient population of a value-based arrangement to which the VBE 
participant is a party if all of the conditions in paragraphs (hh)(1) 
through (9) of this section are met:
    (1) The VBE participant is not:
    (i) A pharmaceutical manufacturer, distributor, or wholesaler;
    (ii) A pharmacy benefit manager;
    (iii) A laboratory company;
    (iv) A pharmacy that primarily compounds drugs or primarily 
dispenses compounded drugs;
    (v) A manufacturer of a device or medical supply, unless the 
patient engagement tool or support is digital health technology;

[[Page 77893]]

    (vi) An entity or individual that sells or rents durable medical 
equipment, prosthetics, orthotics, or supplies covered by a Federal 
health care program (other than a pharmacy, a manufacturer of a device 
or medical supply, or a physician, provider, or other entity that 
primarily furnishes services);
    (vii) A medical device distributor or wholesaler that is not 
otherwise a manufacturer of a device or medical supply; or
    (viii) A manufacturer of a device or medical supply that was 
obligated under 42 CFR 403.906 to report one or more ownership or 
investment interests held by a physician or an immediate family member 
during the preceding calendar year, or that reasonably anticipates that 
it will be obligated to report one or more ownership or investment 
interests held by a physician or an immediate family member during the 
present calendar year, even if the patient engagement tool or support 
is digital health technology (for purposes of this paragraph, the terms 
``ownership or investment interest,'' ``physician,'' and ``immediate 
family member'' have the same meaning as set forth in 42 CFR 403.902).
    (2) The patient engagement tool or support is furnished directly to 
the patient (or the patient's caregiver, family member, or other 
individual acting on the patient's behalf) by a VBE participant that is 
a party to the value-based arrangement or its eligible agent.
    (3) The patient engagement tool or support:
    (i) Is an in-kind item, good, or service;
    (ii) That has a direct connection to the coordination and 
management of care of the target patient population;
    (iii) Does not include any cash or cash equivalent;
    (iv) Does not result in medically unnecessary or inappropriate 
items or services reimbursed in whole or in part by a Federal health 
care program;
    (v) Is recommended by the patient's licensed health care 
professional; and
    (vi) Advances one or more of the following goals:
    (A) Adherence to a treatment regimen determined by the patient's 
licensed health care professional.
    (B) Adherence to a drug regimen determined by the patient's 
licensed health care professional.
    (C) Adherence to a followup care plan established by the patient's 
licensed health care professional.
    (D) Prevention or management of a disease or condition as directed 
by the patient's licensed health care professional.
    (E) Ensure patient safety.
    (4) The patient engagement tool or support is not funded or 
contributed by:
    (i) A VBE participant that is not a party to the applicable value-
based arrangement; or
    (ii) An entity listed in paragraph (hh)(1) of this section.
    (5) The aggregate retail value of patient engagement tools and 
supports furnished to a patient by a VBE participant on an annual basis 
does not exceed $500. The monetary cap set forth in this paragraph 
(hh)(5) is adjusted each calendar year to the nearest whole dollar by 
the increase in the Consumer Price Index--Urban All Items (CPI-U) for 
the 12-month period ending the preceding September 30. OIG will publish 
guidance after September 30 of each year reflecting the increase in the 
CPI-U for the 12-month period ending September 30 and the new monetary 
cap applicable for the following calendar year.
    (6) The VBE participant or any eligible agent does not exchange or 
use the patient engagement tools or supports to market other 
reimbursable items or services or for patient recruitment purposes.
    (7) For a period of at least 6 years, the VBE participant makes 
available to the Secretary, upon request, all materials and records 
sufficient to establish that the patient engagement tool or support was 
distributed in a manner that meets the conditions of this paragraph 
(hh).
    (8) The availability of a tool or support is not determined in a 
manner that takes into account the type of insurance coverage of the 
patient.
    (9) For purposes of this paragraph (hh), the following definitions 
apply:
    (i) Eligible agent means any person or entity that is not 
identified in paragraphs (hh)(1)(i) through (viii) of this section as 
ineligible to furnish protected tools and supports under this 
paragraph.
    (ii) Coordination and management of care, target patient 
population, value-based arrangement, VBE, VBE participant, manufacturer 
of a device or medical supply, and digital health technology shall have 
the meaning set forth in paragraph (ee) of this section.
    (ii) CMS-sponsored model arrangements and CMS-sponsored model 
patient incentives.
    (1) As used in section 1128B of the Act, ``remuneration'' does not 
include an exchange of anything of value between or among CMS-sponsored 
model parties under a CMS-sponsored model arrangement for which CMS has 
determined that this safe harbor is available if all of the following 
conditions are met:
    (i) The CMS-sponsored model parties reasonably determine that the 
CMS-sponsored model arrangement will advance one or more goals of the 
CMS-sponsored model;
    (ii) The exchange of value does not induce CMS-sponsored model 
parties or other providers or suppliers to furnish medically 
unnecessary items or services, or reduce or limit medically necessary 
items or services furnished to any patient;
    (iii) The CMS-sponsored model parties do not offer, pay, solicit, 
or receive remuneration in return for, or to induce or reward, any 
Federal health care program referrals or other Federal health care 
program business generated outside of the CMS-sponsored model;
    (iv) The CMS-sponsored model parties in advance of or 
contemporaneous with the commencement of the CMS-sponsored model 
arrangement set forth the terms of the CMS-sponsored model arrangement 
in a signed writing. The writing must specify at a minimum the 
activities to be undertaken by the CMS-sponsored model parties and the 
nature of the remuneration to be exchanged under the CMS-sponsored 
model arrangement;
    (v) The parties to the CMS-sponsored model arrangement make 
available to the Secretary, upon request, all materials and records 
sufficient to establish whether the remuneration was exchanged in a 
manner that meets the conditions of this safe harbor; and
    (vi) The CMS-sponsored model parties satisfy such programmatic 
requirements as may be imposed by CMS in connection with the use of 
this safe harbor.
    (2) As used in section 1128B of the Act, ``remuneration'' does not 
include a CMS-sponsored model patient incentive for which CMS has 
determined that this safe harbor is available if all of the following 
conditions are met:
    (i) The CMS-sponsored model participant reasonably determines that 
the CMS-sponsored model patient incentive will advance one or more 
goals of the CMS-sponsored model;
    (ii) The CMS-sponsored model patient incentive has a direct 
connection to the patient's health care unless the participation 
documentation expressly specifies a different standard;
    (iii) The CMS-sponsored model patient incentive is furnished by a 
CMS-sponsored model participant (or by an agent of the CMS-sponsored 
model participant under the CMS-sponsored model participant's direction 
and control), unless otherwise specified by the participation 
documentation;
    (iv) The CMS-sponsored model participant makes available to the

[[Page 77894]]

Secretary, upon request, all materials and records sufficient to 
establish whether the CMS-sponsored model patient incentive was 
distributed in a manner that meets the conditions of this safe harbor; 
and
    (v) The CMS-sponsored model patient incentive is furnished 
consistent with the CMS-sponsored model and satisfies such programmatic 
requirements as may be imposed by CMS in connection with the use of 
this safe harbor.
    (3) For purposes of this paragraph (ii), the following definitions 
apply:
    (i) CMS-sponsored model means:
    (A) A model being tested under section 1115A(b) of the Act or a 
model expanded under section 1115A(c) of the Act; or
    (B) The Medicare shared savings program under section 1899 of the 
Act.
    (ii) CMS-sponsored model arrangement means a financial arrangement 
between or among CMS-sponsored model parties to engage in activities 
under the CMS-sponsored model that is consistent with, and is not a 
type of arrangement prohibited by, the participation documentation.
    (iii) CMS-sponsored model participant means an individual or entity 
that is subject to and is operating under participation documentation 
with CMS to participate in a CMS-sponsored model.
    (iv) CMS-sponsored model party means:
    (A) A CMS-sponsored model participant; or
    (B) Another individual or entity whom the participation 
documentation specifies may enter into a CMS-sponsored model 
arrangement.
    (v) CMS-sponsored model patient incentive means remuneration not of 
a type prohibited by the participation documentation that is furnished 
to a patient under the terms of a CMS-sponsored model.
    (vi) Participation documentation means the participation agreement, 
legal instrument setting forth the terms and conditions of a grant or 
cooperative agreement, regulations, or model-specific addendum to an 
existing contract with CMS that specifies the terms of a CMS-sponsored 
model.
    (4) For purposes of remuneration that satisfies this paragraph 
(ii), the safe harbor protects:
    (i) For a CMS-sponsored model governed by participation 
documentation other than the legal instrument setting forth the terms 
and conditions of a grant or a cooperative agreement, the exchange of 
remuneration between CMS-sponsored model parties that occurs on or 
after the first day on which services under the CMS-sponsored model 
begin and no later than 6 months after the final payment determination 
made by CMS under the model;
    (ii) For a CMS-sponsored model governed by the legal instrument 
setting forth the terms and conditions of a grant or cooperative 
agreement, the exchange of remuneration between CMS-sponsored model 
parties that occurs on or after the first day of the period of 
performance (as defined at 45 CFR 75.2) or such other date specified in 
the participation documentation and no later than 6 months after 
closeout occurs pursuant to 45 CFR 75.381; and
    (iii) For a CMS-sponsored model patient incentive, an incentive 
given on or after the first day on which patient care services may be 
furnished under the CMS-sponsored model as specified by CMS in the 
participation documentation and no later than the last day on which 
patient care services may be furnished under the CMS-sponsored model, 
unless a different timeframe is established in the participation 
documentation. A patient may retain any incentives furnished in 
compliance with paragraph (ii)(2) of this section.
    (jj) Cybersecurity technology and related services. As used in 
section 1128B of the Act, ``remuneration'' does not include nonmonetary 
remuneration (consisting of cybersecurity technology and services) that 
is necessary and used predominantly to implement, maintain, or 
reestablish effective cybersecurity if all of the conditions in 
paragraphs (jj)(1) through (4) of this section are met.
    (1) The donor does not:
    (i) Directly take into account the volume or value of referrals or 
other business generated between the parties when determining the 
eligibility of a potential recipient for the technology or services, or 
the amount or nature of the technology or services to be donated; or
    (ii) Condition the donation of technology or services, or the 
amount or nature of the technology or services to be donated, on future 
referrals.
    (2) Neither the recipient nor the recipient's practice (or any 
affiliated individual or entity) makes the receipt of technology or 
services, or the amount or nature of the technology or services, a 
condition of doing business with the donor.
    (3) A general description of the technology and services being 
provided and the amount of the recipient's contribution, if any, are 
set forth in writing and signed by the parties.
    (4) The donor does not shift the costs of the technology or 
services to any Federal health care program.
    (5) For purposes of this paragraph (jj) the following definitions 
apply:
    (i) Cybersecurity means the process of protecting information by 
preventing, detecting, and responding to cyberattacks.
    (ii) Technology means any software or other types of information 
technology.
    (kk) ACO Beneficiary Incentive Program. As used in section 1128B of 
the Act, ``remuneration'' does not include an incentive payment made by 
an ACO to an assigned beneficiary under a beneficiary incentive program 
established under section 1899(m) of the Act, as amended by Congress 
from time to time, if the incentive payment is made in accordance with 
the requirements found in such subsection.

PART 1003--CIVIL MONEY PENALTIES, ASSESSMENTS AND EXCLUSIONS

0
3. The authority citation for part 1003 continues to read as follows:

    Authority:  42 U.S.C. 262a, 1302, 1320-7, 1320a-7a, 1320b-10, 
1395u(j), 1395u(k), 1395cc(j), 1395w-141(i)(3), 1395dd(d)(1), 
1395mm, 1395nn(g), 1395ss(d), 1396b(m), 11131(c), and 11137(b)(2).

0
4. Section 1003.110 is amended--
0
a. In the definition of ``Remuneration'' by adding paragraph (10); and
0
b. By adding in alphabetical order a definition for ``Telehealth 
technologies.''
    The additions read as follows:


Sec.  1003.110  Definitions.

* * * * *
    Remuneration * * *
* * * * *
    (10) The provision of telehealth technologies by a provider of 
services, physician, or a renal dialysis facility (as such terms are 
defined for purposes of title XVIII of the Act) to an individual with 
end-stage renal disease who is receiving home dialysis for which 
payment is being made under part B of such title, if:
    (i) The telehealth technologies are furnished to the individual by 
the provider of services, physician, or the renal dialysis facility 
that is currently providing the in-home dialysis, telehealth services, 
or other end-stage renal disease care to the individual, or has been 
selected or contacted by the individual to schedule an appointment or 
provide services;
    (ii) The telehealth technologies are not offered as part of any 
advertisement or solicitation; and
    (iii) The telehealth technologies are provided for the purpose of 
furnishing telehealth services related to the individual's end-stage 
renal disease.
* * * * *

[[Page 77895]]

    Telehealth technologies, for purposes of paragraph (10) of the 
definition of the term ``remuneration'' as set forth in this section, 
means hardware, software, and services that support distant or remote 
communication between the patient and provider, physician, or renal 
dialysis facility for diagnosis, intervention, or ongoing care 
management.
* * * * *

Christi A. Grimm,
Principal Deputy, Inspector General.
Alex M. Azar II,
Secretary.
[FR Doc. 2020-26072 Filed 11-20-20; 4:30 pm]
 BILLING CODE 4152-01-P