The shift toward value-based care has prompted a significant overhaul in how health tech companies can legally collaborate with providers and payors. And while it has been a long time coming, we're finally seeing real shifts in the way our clients engage with their provider customers and patients.
Back in 2020, HHS issued three new-at-the-time value-based safe harbors under the Anti-Kickback Statute (AKS), designed to give compliant ventures greater freedom to innovate without the legal landmines that usually come with financial relationships in healthcare. Although stakeholders were generally optimistic about the impact of the new safe harbors, at the time, it was challenging to figure out how to leverage them in a way that truly added value for patients.
Perhaps the biggest challenge to implementing these safe harbors lies in one or more parties taking on increased financial risk while also managing increased operational and administrative burdens. Today, though, some have found a way to make it work.
What are the "value-based safe harbors"?
There are four primary "value-based safe harbors" available to digital health companies:
- Care Coordination Arrangements Safe Harbor
- Substantial Downside Financial Risk (SDFR) Safe Harbor
- Full Financial Risk (FFR) Safe Harbor
- Outcomes-Based Payment Arrangements Safe Harbor
But first, you can't rely on 1-3 (VBE Safe Harbors) unless you've established a compliant Value-Based Enterprise (VBE).
What is a VBE, and Why Do You Need One?
At its core, a VBE is a legal construct that allows two or more participants to coordinate care and share risks, benefits, and/or outcomes when certain criteria are met.
To establish a VBE, you need:
- 2 or more VBE participants (e.g., a digital health company and provider group);
- At least one value-based purpose (e.g., improving care coordination);
- At least one target patient population (e.g., patients discharged from a hospital within the past 30 days with a primary diagnosis of congestive heart failure);
- An accountability mechanism to monitor progress and adjust as needed; and
- A governing document that formalizes the arrangement.
Keep in mind:
- You do not need a separate legal entity for the VBE. Participants' existing legal entities with one shared governing document (such as a Charter) among them will suffice.
- All of the safe harbors discussed in this article protect compliant arrangements between entities. They do not protect by offering free or discounted items of value to patients.
- In general, pharma companies, PBMs, labs, compounding pharmacies, medical device and supply manufacturers and distributors, and DME suppliers are ineligible for protection under the VBE Safe Harbors.
With your VBE established, you've unlocked flexibilities in your business model that your non-VBE competitors may not be able to take advantage of.
1. Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency
This is the most flexible of the three VBE safe harbors, as it does not require any participant to assume financial risk. Use this safe harbor to unlock the ability to share free or discounted in-kind items or services between participants.
When to use it
- Tech companies offering shared care plans or centralized communications across providers
- Partnerships focused on improved outcomes like lowering patients' A1C
- Arrangements that do not involve downside financial risk
Key Requirements
- Execute a written agreement between two or more VBE participants
- Contributions must be directly connected to the value-based purpose
- Must not induce medically unnecessary or low-value care
- Must include monitoring, documentation, and accountability mechanisms
- Any participant receiving free or discounted items or services must contribute at least 15% of (i) the offeror's cost, or (ii) the fair market value of the item or service received.
Common Pitfalls
Misunderstanding the "limited technology participant" restriction
A tech company that only furnishes digital tools and does not directly provide patient care can participate in a VBE, but cannot be the only type of entity involved in the value-based arrangement. At least one other Participant that is not a limited technology participant must be meaningfully involved in the arrangement for the safe harbor to apply.
Additionally, if an arrangement involves a limited technology participant, that Participant cannot require other participants to exclusively use its product or commit to a minimum purchase or use threshold
Confusing referral relationships with care coordination
The safe harbor protects in-kind contributions tied to care coordination, not cash or services exchanged in connection with referrals. Care coordination means organizing patient care and sharing information between participants to deliver safer, more effective, and/or more efficient care that improves health outcomes for the target population, not simply referring patients to another provider in exchange for cash, items, or services.
Participants should mutually contribute information, insights, and resources, and simply masking referrals with "services" won't cut it. Be sure to carefully distinguish referrals from the flow of remuneration.
2. Substantial Downside Financial Risk (SDFR) Arrangements
This safe harbor allows more freedom with respect to potential "remuneration"—but only if the VBE involves a meaningful level of financial risk.
When to Use It
- Digital health tools (e.g., predictive analytics platforms) that help provider groups assuming risk under an MA plan identify and address care gaps to reduce unnecessary ER visits
- Tech-enabled care managers helping ACOs manage a specific population
What is "substantial downside financial risk"?
The SDFR safe harbor requires that the VBE, directly or through a participant (other than a payor), assume substantial downside financial risk from a payor for at least one year. In this context, Substantial Enterprise Risk can be any of the following ("Substantial Enterprise Risk" ):
- Sharing at least 30% of losses under a shared savings/losses contract. Think CMS's MSSP ACO ENHANCED track, for example.
- Covering at least 20% of losses in a bundled payment structure covering a specific episode of care involving multiple care settings. Think Total Joint Replacement is co-managed between a hospital and a rehab facility.
- Responsibility for 100% of spending that exceeds a prospective payment received monthly, quarterly, or annually to manage a specific, limited set of services. Think CMS's ACO REACH Professional track capitation payments.
What level of risk are individual participants required to assume?
Each VBE participant must be responsible for a meaningful share of the enterprise risk, where "meaningful share" equates to:
- ≥5% of any savings and losses realized by the VBE pursuant to the enterprise risk; or
- A monthly, quarterly, or annual capitated payment to the Participant for a predefined set of items and services, where the Participant does not claim any payment from the payor for those items and services.
Key Requirements
- The VBE must assume Substantial Enterprise Risk
- Each Participant relying upon the SDFR Safe Harbor must assume a meaningful share of the enterprise risk assumed by the VBE
- Remuneration exchanged must not involve ownership, investment interest, or related distributions between participants
- Execute a written agreement between the VBE and each Participant that defines the Enterprise Risk and each Participant's meaningful share and other key terms of the arrangement
Common Pitfalls
Misunderstanding the risk requirements
Shared savings arrangements that do not involve downside risk do not suffice as Enterprise Risk. Both the VBE and each Participant must assume downside risk. Additionally, simply sharing downside risk between participants will not suffice – the VBE must assume risk Enterprise Risk directly from a payor.
3. Full Financial Risk (FFR) Arrangements
This is the most permissive—but also most demanding—VBE safe harbor. It applies only when a VBE assumes full financial risk for the cost of all covered services furnished to members of a patient population.
When to Use It
- Tools that help full-risk entities manage global costs across their entire population (e.g., a care navigation tool that helps a primary care group assume the total cost of care under a Medicare Advantage contract surface low-cost/high-quality specialists)
What is "full financial risk"?
The FFR safe harbor requires that the VBE, directly or through a participant (other than a payor), assume full financial risk from a payor. In this context, "full financial risk" means the VBE is financially responsible on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year ("Full Enterprise Risk").
What level of risk are individual participants required to assume?
The FFR safe harbor, unlike the SDFR safe harbor, does not explicitly require individual participants to assume a certain portion of the overall risk assumed by the VBE.
Key Requirements
- The VBE must assume Full Enterprise Risk
- Individual participants cannot submit claims to payors for any items or services furnished to members of the target patient population
- The VBE must implement a quality assurance program to protect against underutilization and monitor the quality of care delivered
Common Pitfalls
Overestimating your entity's ability actually to assume full risk
As OIG acknowledged when establishing the FFR safe harbor, "there may be substantial up-front investments that can strain any physician practice's limited resources but can be particularly challenging for small, rural, or underserved practices with smaller patient pools to spread risk." Before taking on Full Enterprise Risk, VBE participants may consider a Care Coordination or SDFR arrangement as an entry point.
4. Outcomes-Based Payment Arrangements (OBPA Safe Harbor)
While not part of the formal "value-based enterprise" safe harbors, OIG also revised the preexisting management contracts and services safe harbor to allow outcomes-based payments without the need for a formal VBE. The added language relaxed restrictions that previously required fixed-in-advance service fees to allow healthcare companies to structure service fees and incentive payments tied to measurable, data-driven clinical or cost outcomes.
When to Use It
- Digital health companies or tech-enabled service providers supporting clinical outcomes, cost reduction, or improved quality metrics
- You don't meet the definition of a VBE (e.g., you're a solo vendor contracting with a fee-for-service provider or health system directly)
Key Requirements
- Written agreement with defined outcomes, metrics, and benchmarks
- Metrics must be evidence-based, measurable, and verifiable
- Outcomes-based compensation must (i) be contingent upon achievement of permissible outcomes or (ii) involve recoupment or reduced payments if the accountable party fails to achieve one or more established outcome measures
- Must include a methodology for measuring outcomes that is objective, validated, and set in advance
- Parties must monitor and document performance and ensure that outcome measures are not distorted
Common Pitfalls
Establishing improper metrics
The OBPA safe harbor does not protect payments based solely on internal cost savings, patient satisfaction, or patient convenience. Payments must instead be tied to evidence-based clinical outcomes, such as reduced A1C levels among patients living with diabetes or improved medication adherence.
Final Thoughts: Strategic Use of Safe Harbors in Digital Health
Digital health companies can and should leverage these safe harbors—but not blindly. Choose the right pathway based on how much financial risk your partner is assuming (if any), what services you're providing, and your role in patient care.
And remember: Safe harbor compliance is not automatic. You must affirmatively meet every element of the applicable safe harbor.