New Stark Law Exception and Safe Harbor Protection for Cybersecurity Technology

United States:


This commentary is part of a series of nine commentaries on the recently finalized Stark Law exceptions and Anti-Kickback Statute safe harbors designed to remove regulatory barriers to the coordination of care.

In summary

The situation: The introduction of new technologies has been a hallmark of the healthcare industry in the 21st century. While these technologies have improved both industry efficiency and patient outcomes, the growing reliance on technology is making the industry increasingly vulnerable to cyberattacks. Unfortunately, the cybersecurity technology and services needed to counter that threat can be prohibitively expensive for many healthcare providers and other entities.

The action: In concurrently published final rules with practically identical requirements, the Office of Inspector General of the Department of Health and Human Services (“OIG”) and the Centers for Medicare & Medicaid Services (“CMS”) have codified a new Anti-Kickback Statute (“AKS”) safe harbor and a new Stark Law exception that allow stakeholders to donate cybersecurity technology and services to entities with which they interact. The intent is to help donors and recipients combat cybersecurity threats, so that sensitive patient information is protected from accidental disclosure, health records are protected from corruption, and the quality of care is preserved.

Looking ahead: Now that the final rules have been published, stakeholders should consider how sharing cybersecurity technology and services with other entities can help reduce the risk of cyberattacks. When structuring donations of cybersecurity technology or services, stakeholders should carefully review the final rules to ensure compliance with all applicable requirements.

The safe harbor for cybersecurity technology and related services (§ 1001.952(jj)) and the exception (§ 411.357(bb))

In October 2019, OIG and CMS published two proposed rules containing highly anticipated updates to the longstanding AKS and Stark Law provisions (“Proposed Rules”). Among many other reforms, the proposed rules introduced an AKS safe harbor and a parallel Stark Law exception that would protect certain non-monetary remuneration in the form of donations of cybersecurity technology and services. Given the increasing frequency of cybersecurity attacks on the healthcare industry, the proposed rules encouraged arrangements that would protect patients, and the healthcare system as a whole, from such attacks.

In November 2020, OIG and CMS issued their respective final rules codifying the AKS safe harbor and the Stark Law exception for donations of cybersecurity technology and services (“Final Rules”). Although the OIG and CMS rules are worded slightly differently, they contain the same substantive requirements for protecting these arrangements. While the safe harbor and exception were largely finalized as proposed, the final rules make some adjustments:

  1. Definition of “cybersecurity technology”: As noted above, the final rules protect donations of “cybersecurity technology and services.” The proposed rules defined that technology to include software or other types of information technology, but not hardware. The final rules no longer exclude hardware from the types of technology that may be donated. In response to public comments, the final rules were changed so that donated hardware falls within the safe harbor / exception as long as the hardware is “necessary and used predominantly” for effective cybersecurity and all other required conditions are met.
  2. Alternative proposal regarding cybersecurity hardware: Because the definition of “technology” in the proposed rules did not include hardware, the agencies sought comments on an alternative proposal that would have allowed hardware to be donated when it was “reasonably necessary based on a risk assessment of the donor and recipient.” Since the revised definition of “technology” in the final rules now permits hardware donations, this alternative is no longer needed.
  3. Protected donors: While the proposed rules did not limit the types of individuals and entities eligible for safe harbor and exception protection, the agencies indicated that they would consider adding restrictions if deemed necessary. The agencies ultimately did not include any additional restrictions in the final rules: the safe harbor and exception protect all donors without restriction as long as the other conditions of the final rules are met.
  4. Protected recipients: Similarly, the proposed rules protected donations of cybersecurity technology and services to individuals or entities without limitation, even where the recipient is a patient. The agencies said they could consider additional safeguards if needed. Commenters suggested safeguards ranging from financial limits on donations to restrictions on “multifunctional” software or devices, but the agencies ultimately rejected these suggestions. The final rules do not limit the types of entities or individuals that may receive donations of cybersecurity technology and services.
  5. Recipient contribution: The agencies received numerous comments on the proposed rules regarding whether recipients should be required to contribute to the cost of donated cybersecurity technology or services. The proposed rules required no recipient contribution, whereas under the Electronic Health Record (“EHR”) safe harbor and exception (42 CFR §§ 1001.952(y) and 411.357(w)) recipients must pay 15% of the donor's cost for the EHR items and services provided. In response to the comments received, the agencies ultimately concluded that (i) given the wide variety of cybersecurity technology and services that may be donated, requiring a minimum recipient contribution is often impractical; (ii) the cybersecurity safe harbor / exception includes other conditions that guard against abuse and potential anti-competitive behavior; and (iii) donors remain free to require recipients to contribute to the cost of the technology or services provided.


These long-awaited final rules protecting donations of cybersecurity technology and services give stakeholders an opportunity to build a resilient cybersecurity network regardless of an individual entity's ability to invest independently in such technology. While the agencies designed the final safe harbor and exception broadly to give stakeholders flexibility, stakeholders should carefully review the final rules when structuring donations of cybersecurity technology or services to ensure compliance with all applicable requirements.

Three important takeaways:

  1. OIG and CMS have finalized a new AKS safe harbor and Stark Law exception that protect certain donations of cybersecurity technology and related services.
  2. With the new exception and safe harbor, OIG and CMS aim to enable the development of a robust cybersecurity network that protects personally identifiable health information and other sensitive health data, including at small providers with limited resources. To achieve these goals, OIG and CMS have finalized broad definitions that permit the donation of cybersecurity software and hardware, provided certain conditions are met.
  3. Stakeholders should carefully review the final rules to determine how to ensure compliance with all applicable requirements when structuring donations.

Originally published January 2021

The content of this article is intended to provide general guidance on the subject matter. Specialist advice should be sought about your specific circumstances.
