Skip to Main Content
February 01, 2021

Health Law Daily

CMS Completes Sprint to Modernize Stark Law—Part II

  • February 01, 2021
  • Joan Polacheck , McDermott Will & Emery LLP
  • Charles Buck , McDermott Will & Emery LLP
  • Troy Barsky , Crowell & Moring LLP
  • Roma Sharma , Crowell & Moring LLP

The Centers for Medicare & Medicaid Services (CMS) published its much-anticipated final Stark rule in the December 2, 2020 Federal Register (Final Rule),1 finalizing the most extensive changes to the Stark Law regulations since the final Stark Law II rulemaking in the 2000s. The Final Rule is effective January 19, 2021, but it is possible that it could be stayed by the incoming Biden administration, along with other rules finalized by the Trump administration at the end of 2020.2

This article is Part II of a three-part series that covers some of the major regulatory changes in the Final Rule.3 Part II focuses on CMS’ new value-based exceptions including a number of new and interrelated definitions.

The Final Rule provides relief for parties to value-based arrangements not currently protected by the fraud and abuse waivers for CMS-sponsored value-based programs and models. The Final Rule makes significant strides in fulfilling CMS’ goal to encourage value-based arrangements while still protecting the Medicare program from fraud and abuse. Further, it is encouraging to see that in the Final Rule, CMS chose to strengthen these value-based exceptions rather than make them less useful to the health care industry. While CMS has gone a long way to providing regulatory clarity and a pathway for value-based arrangements, the complimentary Department of Health and Human Services Office of Inspector General (OIG) modifications to the Anti-Kickback Statute (AKS) and the Beneficiary Inducement Civil Monetary Penalty regulations do not go nearly as far.4 OIG created a similar set of value-based safe harbors under its authority, but by adding a number of additional safeguards that are not present in the Stark Final Rule and by excluding a number of key health care entities from safe harbor protection, the flexibility of CMS’ value-based exceptions is potentially limited.

Value-Based Exceptions

CMS created three regulatory value-based exceptions combined into one new subsection of the Stark Law compensation exceptions at 42 C.F.R. § 411.357(aa). CMS also protected indirect value-based arrangements under a new exception for indirect compensation arrangements with physicians that permits the value-based exceptions to apply to certain indirect arrangements. These exceptions were created in response to industry concerns that common and beneficial arrangements, such as gainsharing, pay-for-quality arrangements, and clinically integrated networks, triggered Stark Law scrutiny, but were not protected by existing exceptions. Under the new value-based exceptions, the number of regulatory requirements and safeguards increases as the level of financial risk accepted by the parties to the arrangements decreases. The value-based exceptions only protect compensation arrangements, including both in-kind and monetary remuneration. Ownership arrangements are not protected under these new exceptions.5

A key difference between the new exceptions and other commonly used compensation exceptions is that CMS eliminated the typical safeguards of requiring compensation to be set at fair market value and prohibiting payment based on the volume and value of referrals. CMS replaced these safeguards with requirements for bearing financial risk and meeting additional contracting terms.

CMS noted that these three new value-based exceptions will protect all financial arrangements that are currently protected by fraud and abuse waivers that apply to the Medicare Shared Savings Program (MSSP) and other Center for Medicare and Medicaid Innovation (CMMI) models. While that may be true, as discussed in more detail below, many of the fraud and abuse waivers are still broader in scope and easier to comply with than these new exceptions and create a clearer path to fraud and abuse compliance. Thankfully, CMS and OIG are not revoking any existing fraud and abuse waivers, so that waiver-compliant relationships will not need to be reconfigured or unwound. But unfortunately, for new CMMI models, it appears likely that participants will need to comply with these new exceptions rather than rely upon similar fraud and abuse waivers to those that have been included with past models.6 This may lead current participants in these models, who enjoy fraud and abuse protection under existing waivers, to find that they cannot engage in the same arrangements as they transition to new payment models.


All three value-based exceptions focus on a core entity called a “value-based enterprise” or “VBE.” The VBE is made up of two or more participants, called “VBE Participants.” The VBE Participants need to collaborate to achieve at least one value-based purpose. Each VBE Participant must be a party to a value-based arrangement with at least one other VBE Participant. The VBE needs to have an accountable body or person that is responsible for the financial and operational oversight of the VBE. Finally, the VBE must have a governing document that describes the VBE and how the VBE Participants intend to achieve their value-based purpose.

CMS defines a VBE Participant as a person or entity that engages in one value-based activity as part of a VBE. Many different entities can be a VBE Participant including hospitals, physician groups, and individual physicians. CMS recognizes that within the definition of VBE Participant, it uses the word “entity” to describe VBE Participants. It makes clear that the word “entity” within the VBE Participant definition is distinct from the narrower Stark Law defined term “Entity.”7 CMS recognizes the potential for confusion in using the same word in two different ways within the same regulation, but the agency is trying to align CMS’ definitions with the definitions adopted by OIG in its value-based safe harbors. CMS may ultimately decide to make further revisions in future rulemaking.

In the Proposed Rule, CMS asked commenters whether any entities should be excluded from the definition of VBE Participant. For example, CMS considered following OIG’s lead by excluding laboratories; pharmaceutical manufacturers; durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) manufacturers, distributors, and suppliers; pharmacy benefit managers; wholesalers; and distributors from the definition of VBE Participant due to program integrity concerns. CMS specially called out laboratories and DMEPOS suppliers as entities that do not appear to directly connect with patients and therefore have less justification to enter into value-based arrangements. Unlike OIG, CMS ultimately was persuaded that these provider types play a valuable role in value-based care and therefore did not exclude any providers from the definition of VBE Participant in the Final Rule. However, because OIG narrowed its definition of VBE Participants, the impact of CMS’ decision on this issue is somewhat diminished.

The VBE definition is broad enough to include different permutations of value-based arrangements and the umbrella organizations within which some value-based arrangements operate. For example, the VBE definition covers entities like accountable care organizations (ACOs) or clinically integrated networks, where a group of providers collaborate together to coordinate care. It also applies to contract-based value-based arrangements between two parties, with no separate VBE entity, such as a bundled payment arrangement between a hospital and a physician group practice. This universal definition gives parties flexibility to enter into different types of arrangements without the government prescribing the form and structure of those arrangements.

To qualify as a value-based arrangement, the arrangement must be reasonably designed to achieve at least one value-based purpose. A value-based purpose is defined as one of four goals related to a target patient population:8 (1) coordinating and managing the care of a target patient population; (2) improving the quality of care for a target patient population; (3) appropriately reducing the costs to, or growth in expenditures of payors without reducing the quality of care for a target patient population; and (4) transitioning from health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care for a target patient population.

VBEs must carefully consider each compensation arrangement that could implicate the Stark Law, and if they plan to use these value-based exceptions, they must determine how they will be working towards one of these value-based purposes. In preamble discussion, CMS provided some specific examples of what would not satisfy the value-based purpose test. For example, if the value-based purpose of a VBE is to improve quality while reducing costs, and the VBE is providing patient care services but not monitoring utilization, CMS said that it would not appear that the activity was designed to meet that purpose.9 It is also interesting to note reducing costs for payors is a value-based purpose, but reducing costs for other entities (e.g., hospitals and other facilities) is not a value-based purpose. CMS has clear ideas of what value-based activities meet the value-based purpose test. Yet, because of the limited examples in the Final Rule, there is an element of uncertainty in what activities do and do not meet the value-based purpose test. Hopefully, CMS will interpret the value-based purpose test broadly and provide greater clarity on this point in the future.

The three exceptions protect value-based arrangements between a VBE and a VBE Participant or between VBE Participants in the same VBE, but in all cases, all parties to the value-based arrangement must be VBE Participants in the same VBE. For example, a value-based arrangement can be between an ACO and participating group practices, or it can be between different group practices that are within the same ACO. The exceptions do not cover value-based arrangements between a VBE or VBE Participants and parties outside of the VBE, although in most cases it would seem this could be addressed by bringing all parties into contractual privity.

CMS defines a value-based activity as the provision of an item or service, taking an action, or refraining from an action. And the value-based activity needs to be designed to achieve at least one value-based purpose. In other words, each VBE Participant who wants Stark Law protection for remuneration received under these exceptions will need to meaningfully work towards achieving one of the VBE’s goals—no free-riders will be tolerated, as each participant will need to fulfill their responsibilities to achieve the goals of the enterprise.

In the Proposed Rule, CMS proposed that the definition of “value-based activity” explicitly exclude “the making of a referral.”10 Commenters expressed concern with this limitation stating that in many cases, value-based care constitutes establishing a plan of care, which is a “referral” as defined at 42 C.F.R. § 411.351. By excluding referrals from the definition of value-based activity, CMS would have significantly limited the application of the new value-based exceptions. In response, CMS did not include this referral exclusion in the Final Rule. Instead, CMS revised the definition of “referral” under the Stark Law to clarify that a “referral” is not “an item or service,” which means that exceptions like the fair market value exception may not protect payments for referrals.11 While this clarification codifies CMS’ long-standing policy that the Stark Law prohibits remuneration in exchange for referrals, it does not appear to impact the definition of value-based activity because the value-based exceptions protect any value-based activity, not simply the provision of items or services like some other Stark Law exceptions. Therefore, even if the value-based activity generates referrals, it may still enjoy protection under the value-based activity definition.

Each VBE needs to have a governing body or an individual that is responsible for financial and operational oversight of the VBE. This requirement is consistent with existing fraud and abuse waivers that require managing board responsibility and oversight for a value-based entity participating in the MSSP or a CMMI model. Yet, here CMS provides more flexibility, recognizing that some contractual arrangements will not have a separate legal entity nor have a governing board that is created for the VBE. As an alternative to a governing board, VBEs can identify (for example, in the applicable contract) an individual who will have oversight responsibility without the need to create an unnecessary layer of governance.

Finally, the VBE will need to create a document that describes the VBE and how the participants intend to achieve its value-based purpose. All three of the value-based exceptions require the VBE to create and keep records of all compensation methodologies used for at least six years.

Three Exceptions for “Arrangements that facilitate value-based health care delivery and payment”

Full Financial Risk

The first value-based arrangement exception offers protection for remuneration between VBE Participants or between a VBE Participant and the VBE (if a distinct entity) within a VBE that is at full financial risk during the entire duration of the value-based arrangement. “Full financial risk” means the VBE is financially responsible on a prospective basis for the cost of all patient care items and services covered by the applicable payor for each patient in the target patient population for a specified period of time. For example, if a clinically integrated network agrees to manage the delivery of care to a payor’s enrollees for a set capitated amount of money, that would satisfy the “full financial risk” requirement. Being at full financial risk for only a portion of patient care does not satisfy this requirement. We note that, in our experience, this type of true full financial risk, with no carve out for specific items or services is rare and presents other regulatory challenges (e.g., state regulation of insurance).

Assuming, for the moment, that the VBE can satisfy this challenging requirement, the VBE Participants can enter into value-based arrangements with each other without significant restrictions. There is no requirement that the physicians who are VBE Participants take on any downside financial risk themselves. Instead, the financial risk must be taken by the VBE. They will need to determine how the arrangement will meet the value-based purpose or purposes of the VBE, but there are no additional restrictions such as a fair market value or volume and value of referrals limitations.

Value-Based Arrangements with Meaningful Downside Risk to the Physician

The main difference between the full financial risk exception and the meaningful downside risk exception is the level of risk that the physician needs to take. Under the meaningful downside risk exception, the physician needs to be at meaningful downside risk for failure to achieve a value-based purpose of the VBE during the entire duration of the value-based arrangement. Meaningful downside financial risk means that a physician is responsible “to repay or forgo no less than 10 percent of the total value of the remuneration the physician receives under the value-based arrangement.”12

CMS simplified this exception in the Final Rule. CMS originally proposed that the physician would be responsible for at least 25% of the value of the remuneration that the physician received, or that the physician be “financially responsible to the entity on a prospective basis for the cost of all or a defined set of patient care items and services covered by the applicable payor for each patient in the target patient population for a specific period of time.”13 Not only did CMS lower the financial risk level from 25% to 10%, but it also eliminated language requiring that the financial risk be with an “entity” and on a prospective basis. The elimination of the “entity” reference in the meaningful downside risk definition was helpful and focused on the financial risk taken by the physician, rather than focusing on what entity the physician engaged with to assume financial risk.14 Further, the elimination of the discussion of risk on a prospective basis clarified confusing language that was contained in the Proposed Rule. This simplification now makes both the full risk and the meaningful downside risk exceptions distinct. The full risk exception applies to risk that is accepted by the VBE, while the meaningful downside risk exception applies to risk accepted by the physician.

As CMS promised, this second exception has additional regulatory requirements commensurate with the lower level of financial risk. Specifically, under this exception, the description of the nature and extent of the downside risk must be set forth in writing, and “the methodology used to determine the amount of remuneration [must be] set in advance of the undertaking of the value-based activity for which the remuneration is paid.” In contrast, the full financial risk exception does not have the writing and set in advance requirements. Yet, in both the full financial risk and meaningful downside risk exceptions, there is a requirement that records must be made and retained for six years documenting the methodology for determining, and the actual amount of, remuneration paid. So, while CMS did not create a specific set in advance and writing requirement, parties that take advantage of the full risk exception must nonetheless create a written record of the value-based arrangement.

Value-Based Arrangements

The third value-based arrangement exception, suitable for co-management, provision of care management tools, and other no-risk arrangements, does not require physician or VBE financial risk but introduces regulatory requirements that must be satisfied. For example, CMS not only requires that these arrangements be put in writing, but also that they be “signed by the parties.”15 Further, CMS was quite prescriptive regarding what must be included in the writing, such as: a description of the value-based activities; an explanation of how the value-based activities will further the value-based purpose of the enterprise; the target patient population; the type or nature of the remuneration; the methodology to determine the remuneration; and the outcomes measures against which the recipient of the remuneration is assessed, if any. Further if any performance or quality measure is used, it must be objective and measurable, and any change in methodology must be prospective. This last requirement is notable in that CMS is not mandating that there be any measurable performance or quality measures, but only that if one is used that it be in writing, objective, and measurable.

In the Final Rule, CMS included a monitoring requirement that must be completed at least annually to determine if the value-based activity actually occurred, and if it has occurred, whether the value-based activity is expected to further the value-based purpose of the VBE. Additionally, if there are any outcomes measures used, a VBE must assess whether there is progress in the attainment of the outcomes-based measure. If the VBE or any VBE Participant determines that the arrangement is not expected to further the value-based purpose, the arrangement must be terminated. CMS gives the parties a wind-down period of 30 days to terminate the arrangement or 90 days to modify the arrangement to terminate the ineffective value-based activity. These monitoring requirements make clear that while a value-based activity does not necessarily need to be successful to enjoy Stark Law protection, CMS expects that if the parties do not believe that the activity will meet a value-based purpose, it must wind down the arrangement. In other words, the parties cannot expect that Stark Law protection remains intact forever.

Indirect Value Based Arrangements

CMS recognized that value-based arrangements will often create indirect compensation arrangements between a physician and another VBE Participant that is a designated health services (DHS) entity. Therefore, CMS finalized its proposal to make 42 C.F.R. § 411.357(aa) applicable to indirect financial arrangements where the relationship closest to the physician is a value-based arrangement.16 This, along with the revisions to the definition of an “indirect compensation arrangement”17 is a welcome addition, providing more flexibility for physician compensation in connection with value-based arrangements that would not otherwise be protected under existing exceptions.

Impact of AKS Safe Harbors

The three Stark Law value-based exceptions cannot be reviewed in a vacuum. For many value-based arrangements, parties will need to comply with both the Stark Law and the AKS. While the two risk-based exceptions are similar to their AKS counterparts, the no risk value-based exception and safe harbor have some important differences. While it is often the case that meeting a Stark Law exception also means that there is little AKS risk, an arrangement that meets a Stark Law value-based arrangement exception still must also be analyzed for AKS purposes. For a number of reasons, arrangements that meet a Stark Law exception might not meet an AKS safe harbor. Of course, for AKS purposes, meeting a safe harbor is not required to comply with the AKS, although the safe harbors provide a useful framework for analysis.

There are at least four important distinctions between CMS’ and OIG’s final rules. First, under the value-based arrangement exception, CMS will allow for monetary and in-kind remuneration to be protected. In contrast, OIG will only protect in-kind remuneration under its safe harbor that protects care coordination arrangements to improve quality, health outcomes, and efficiency.18 While OIG has created other potential safe harbors for monetary value-based arrangements, it does not appear that the new safe harbors align with the CMS value-based exception.19

Next, under the value-based arrangement AKS safe harbor, OIG requires that the recipient of the in-kind remuneration contribute at least 15% of the value of the item or service. The value-based Stark Law exception has no contribution requirement. Therefore, if a referral source receives in-kind remuneration and does not contribute to the cost, the compensation arrangement should include safeguards or other evidence that the remuneration does not induce referrals of federal health care program patients.

OIG requires that arrangements seeking protection under its no-risk value-based safe harbor be designed to coordinate the care and management of a patient population.20 CMS ultimately declined to adopt that standard in its Final Rule definition of value-based arrangement.21 Therefore, if a value-based arrangement does not coordinate care and manage a patient population, the compensation arrangement should include safeguards or other evidence that the remuneration does not induce referrals of federal health care program patients.

Finally, as noted above, CMS declined to add the “referrals” restriction in the definition of value-based activities. In responding to comments, CMS understood that sometimes making a referral is in fact a value-based activity. Yet, OIG declined to align its definition of value-based activity, precluding referrals from being considered value-based activities. The problem with the disparity in the Stark Law value-based exceptions and OIG’s value-based safe harbors is that value-based arrangements will by their very nature involve compensation that is contingent on retaining patients within the VBE and, when protocols warrant, referring patients for certain items or services.22


1 85 Fed. Reg. 77492 (Dec. 2, 2020).

2 As of publication, the authors are not aware of any position taken by the Biden administration to revoke or delay the effective date of this regulation. While the White House Chief of Staff issued a regulatory freeze memorandum on January 20, 2021, the terms of the memorandum do not apply to this regulation that was finalized on January 19, 2021. See We note that the U.S. Government Accountability Office found that HHS did not comply with the 60-day notice requirement under the Congressional Review Act (CRA). See Therefore, Congress could invoke the CRA to revoke this regulation. Yet, the authors are not aware of any effort by Congress to take this step and revoke the regulation.

4 85 Fed. Reg. 77684 (Dec. 2, 2020).

5 See 85 Fed. Reg. at 77498.

6 See id. at 77508

7 42 C.F.R. § 411.351.

8 A target patient population is defined as “an identified patient population selected by a VBE or its VBE participants based on legitimate and verifiable criteria that—(1) are set out in writing in advance of the commencement of the value-based arrangement; and (2) further the value-based enterprise’s value-based purpose(s).” 42 C.F.R. § 411.351.

9 See 85 Fed. Reg. at 77497.

10 84 Fed. Reg. 55766, 55773 (Oct. 17, 2019).

11 See 85 Fed. Reg. 77492, 77501 and 42 C.F.R. § 411.351.

12 42 C.F.R. § 411.357(aa)(2)(ix).

13 42 C.F.R. § 411.357(aa).

14 In the preamble discussion, CMS still contends that the physician must be at meaningful downside risk with an “entity” even though the regulatory text has eliminated that language. See 85 Fed. Reg. at 77516. Yet, what CMS likely meant is that a physician must be at risk with the VBE or a VBE Participant, rather than an applicable payor. Regardless of CMS’ intent, the Final Rule regulatory text is improved from the Proposed Rule.

15 We note that under the Final Rule, CMS provided additional leeway for providers to satisfy the writing and signature requirements. Therefore, this requirement is not as onerous as it once was. See 85 Fed. Reg. 77492, 77597.

16 See 42 C.F.R. § 411.354(c)(4)(iii).

18 42 C.F.R. § 1001.952(ee).

19 See 42 C.F.R. § 1001.952(d) for the revision to the personal services and management contracts and outcomes-based payment arrangements safe-harbor.

20 85 Fed. Reg. at 77684; 42 C.F.R. § 1001.952(ee).

21 See 85 Fed. Reg. at 77498.

22 OIG explained in preamble discussion that simply requiring a referral or making a referral is not itself a value-based activity. And there is nothing in the safe harbors that prevents the existence of preferred provider networks. OIG also stated that the reason for this disparity is that the definition of referrals under the Stark Law and the AKS are different. See 85 Fed. Reg. 77684, 77703-05. Yet, even with this preamble discussion, the regulatory text between the two rules is at odds.

Joan Polacheck is Senior Counsel at McDermott Will & Emery LLP and advises clients on health care compliance and regulatory issues, including fraud and abuse, Stark Law, Anti-Kickback Law, and Medicare reimbursement issues. She represents a broad range of health care industry clients, including hospitals, physician groups, DME suppliers, IDTFs, and drug and device companies.

Charles (Charlie) R. Buck is a Partner at McDermott Will & Emery LLP and advises health care enterprises on complex transactions and regulatory compliance. He represents a wide range of clients, including proprietary and tax-exempt hospital systems, academic medical centers and faculty practice groups, accountable care organizations, and health maintenance organizations and other health insurers.

Troy Barsky is a Partner in Crowell & Moring’s Washington, DC office where he focuses on health care fraud and abuse, Medicare and Medicaid law and policy, and value-based care. He also defends clients seeking resolution of government health care program overpayment issues or fraud and abuse matters through self-disclosures and negotiated settlements with the United States. Troy has extensive prior government experience, serving at HHS for 11 years, most recently as the Director of the Division of Technical Payment Policy at CMS where he oversaw Stark Law policy.

Roma Sharma is a Counsel in Crowell & Moring’s Washington, DC office and a member of the firm’s Health Care Group. Roma’s practice entails counseling and representing health care providers, managed care organizations, distributors, pharmacies, laboratories, and other health care entities in various regulatory, transactional, and litigation matters. Roma primarily works with health care clients seeking to comply with federal and state laws and regulations, including those related to fraud and abuse (e.g., the Stark Law, the Anti-Kickback Statute, the False Claims Act–and state corollaries), telemedicine, licensing, reimbursement, the practice of medicine, and federal and state demonstration programs.