Shortly before year-end, CMS and the OIG issued final rules that extend and modify the ability of healthcare entities to subsidize or donate electronic health records (EHR) under both the Stark Law1 and the Anti-Kickback Statute (AKS).2 The changes made by each final rule are “almost identical,” as the agencies attempted to ensure as much consistency as possible between the self-referral law exception and the safe harbor changes. The sunset extensions took effect December 31, 2013 and extend the Stark exception and Anti-Kickback safe harbor until December 31, 2021.3 The other provisions take effect on March 27, 2014.

Due to concerns about laboratory donations being potentially abusive, the final rules exclude laboratory companies (both clinical and anatomic pathology laboratories) from the types of entities that may donate items and services under the Stark exception and remove those laboratories from the scope of donors protected under the AKS safe harbor. The final rules also change EHR software requirements, removing the requirement that donated software have electronic prescribing capability and modifying the provision under which software is deemed interoperable. The “deeming provision,” which governs software interoperability, now tracks the anticipated regulatory cycle of the Office of the National Coordinator for Health Information Technology (ONC). Donated or subsidized software may be deemed interoperable if, on the date it is provided to the recipient, it has been certified by a certifying body authorized by ONC to then-current EHR certification criteria.4

The OIG and CMS aim to encourage the exchange of data and to prevent data and referral “lock-in” that could result from EHR donations. Lock-in can result when interoperability is not practicable—for example, when vendors who have donated EHR charge high fees to providers who do not use the same donated software, so that those providers cannot afford to connect to the donated EHR items and services. Or, more markedly, some software is designed to limit the accessibility of data received from an EHR system that is different than the donated software. Such software might prevent data from a non-donated EHR system from populating automatically in a patient’s EHR. To prevent data lock-in, the final rules clarify the condition that prohibits a donor from taking any action to limit or restrict the use, compatibility, or interoperability of the donated items or services. The agencies used a non-exhaustive list (“applications, products, or services”) to make clear that the prohibition applies to any donor action that limits the use of donated software with any other health information technology.

The Stark exception and AKS safe harbor for EHR were created in 2006 to encourage the widespread adoption of digital health records.5 They allow certain healthcare entities, including hospitals, to give physicians computers, software, and related devices that meet certification standards, requiring that physicians cover only 15 percent of the costs.6 This push toward technology does not come without pitfalls, however; the security and integrity of EHR will be a “key focus area” for the OIG until at least 2018.7

Any healthcare entity planning to rely on the Stark exception or AKS safe harbor on or after the effective dates should carefully structure any EHR donations or subsidies to meet the revised rules.

The two rules can be found:

For more information about the content of this alert, please contact one of the authors listed above or any of our Healthcare attorneys.

1 78 F.R. 78751 (Dec. 27, 2013), modifying 42 C.F.R. 411.357(w).
2 78 F.R. 79202 (Dec. 27, 2013), modifying 42 C.F.R. 1001.952(y).
3 Expiration dates found at 42 C.F.R. §§ 411.357(w)(13) and 1001.952(y)(13). Despite urging from numerous commenters to make the safe harbor and exception permanent, the OIG and CMS declined to do so.
4 Certification criteria are found in 45 C.F.R. Part 170.
5 71 F.R. 45140 (Aug. 8, 2006) (Final Rule for Stark exception); 71 F.R. 45110 (Aug. 8, 2006) (Final Rule for AKS safe harbor).
6 42 C.F.R. 1001.952(y)(11).
7 OIG Strategic Plan 2014–2018, available at;
OIG Management Issue 9: Integrity and Security of Health Information Systems and Data, available at