AI + Health Tech
November 17, 2025

Value-Based Safe Harbors: Strategic Opportunities for Digital Health Companies

Kaitlyn O’Connor

The shift toward value-based care has prompted a significant overhaul in how health tech companies can legally collaborate with providers and payors. And while it has been a long time coming, we're finally seeing real shifts in the way our clients engage with their provider customers and patients.

Back in 2020, HHS issued three new-at-the-time value-based safe harbors under the Anti-Kickback Statute (AKS), designed to give compliant ventures greater freedom to innovate without the legal landmines that usually come with financial relationships in healthcare. Although stakeholders were generally optimistic about the impact of the new safe harbors, at the time, it was challenging to figure out how to leverage them in a way that truly added value for patients. Shockingly, the regulatory language didn't really seem to reflect how healthcare was actually delivered.

But maybe the regulators were visionaries? Because 5 years later, value-based payor contracts are actually gaining traction, digital health companies are compiling, organizing, and interpreting years of data, AI is simplifying workflows at reduced costs, and investors are demanding partnerships to drive growth -- and VBEs are finally starting to make sense.

Plus, with CMS’s new ACCESS Model reshaping how Medicare rewards tech-enabled chronic care, the strategic value of compliant value-based structures continues to increase. More on this below.

What are the "value-based safe harbors"?

There are four safe harbors under AKS that I would classify as "value-based safe harbors" available to digital health companies:

  1. Care Coordination Arrangements Safe Harbor
  2. Substantial Downside Financial Risk (SDFR) Safe Harbor
  3. Full Financial Risk (FFR) Safe Harbor
  4. Outcomes-Based Payment Arrangements Safe Harbor

To understand 1-3 (VBE Safe Harbors), you first have to get to know the AKS version of a "Value-Based Enterprise (VBE)".

What is a VBE, and Why Do You Need One?

At its core, a VBE is a legal construct that allows two or more participants to coordinate care and share risks, benefits, and/or outcomes when certain criteria are met.

To establish a VBE, you need:
  • 2 or more VBE participants (e.g., a digital health company and provider group);
  • At least one value-based purpose (e.g., improving care coordination);
  • At least one target patient population (e.g., patients discharged from a hospital within the past 30 days with a primary diagnosis of congestive heart failure);
  • An accountability mechanism to monitor progress and adjust as needed; and
  • A governing document that formalizes the arrangement.
Keep in mind:
  • You do not need a separate legal entity to act as a VBE. Participants' existing legal entities with one shared governing document (such as a Charter) among them will suffice.
  • All of the safe harbors discussed in this article protect compliant arrangements between entities. They do not protect offering free or discounted items of value to patients.
  • In general, pharma companies, PBMs, labs, compounding pharmacies, medical device/supply manufacturers and distributors, and DME suppliers are ineligible for protection under the VBE Safe Harbors.

With your VBE established, you've unlocked flexibilities in your business model that your non-VBE competitors may not be able to take advantage of.

1. Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency

This is the most flexible of the three VBE safe harbors, as it does not require the VBE or any participant to assume financial risk from a payor. This safe harbor allows digital health companies, providers, and others to share patients AND resources with one another in care coordination models.

When to use it
  • Tech companies offering shared care plans or centralized communications across providers
  • Partnerships focused on improved outcomes like lowering patients' A1C
  • Arrangements that do not involve risk-based payor contracts
Key Requirements
  • Shared resources must be "in-kind" items or services shared between participants, not provided to patients
  • Execute a written agreement between two or more VBE participants
  • Contributions must be directly connected to one or more value-based purposes of the VBE
  • Must not induce medically unnecessary or low-value care
  • Must include outcomes and compliance monitoring, documentation, and accountability mechanisms
  • Any participant receiving free or discounted items or services must contribute at least 15% of (i) the offeror's cost, or (ii) the fair market value of the item or service received.
Common Pitfalls
Misunderstanding the "limited technology participant" restriction

A tech company that only furnishes digital tools and does not directly provide patient care can participate in a VBE, but cannot be the only type of entity involved in the value-based arrangement. At least one other participant that is not a limited technology participant must be meaningfully involved in the arrangement for the safe harbor to apply.

Additionally, if an arrangement involves a limited technology participant, that participant cannot require other participants to exclusively use its product or commit to a minimum purchase or use threshold.

Confusing referral relationships with care coordination

The safe harbor protects in-kind contributions tied to care coordination. Care coordination means organizing patient care and sharing information between participants to deliver safer, more effective, and/or more efficient care that improves health outcomes for the target population, not simply referring patients to another provider in exchange for cash, items, or services.

Participants should mutually contribute information, insights, and resources, and simply masking referrals as "services" won't cut it. Be sure to carefully distinguish referrals from remuneration to identify what is actually permitted.

2. Substantial Downside Financial Risk (SDFR) Arrangements

This safe harbor allows more freedom with respect to potential "remuneration"—but only if the VBE involves a meaningful level of financial risk.

When to Use It
  • Digital health tools (e.g., predictive analytics platforms) that help provider groups assuming risk under an MA plan identify and address care gaps to reduce unnecessary ER visits
  • Tech-enabled care managers helping ACOs manage a specific population
What is "substantial downside financial risk"?

The SDFR safe harbor requires that the VBE, directly or through a participant (other than a payor), assumes substantial downside financial risk from a payor for at least one year ("Enterprise Risk"). In this context, "substantial downside financial risk" can be any of the following:

  • Sharing at least 30% of losses under a shared savings/losses contract. Think CMS's MSSP ACO ENHANCED track, for example.
  • Covering at least 20% of losses in a bundled payment structure covering a specific episode of care involving multiple care settings. Think of a Total Joint Replacement that is co-managed between a hospital and a rehab facility.
  • Responsibility for 100% of spending that exceeds a prospective payment received monthly, quarterly, or annually to manage a specific, limited set of services. Think CMS's ACO REACH Professional track capitation payments.
What level of risk are individual participants required to assume?

Each VBE participant must be responsible for a meaningful share of the Enterprise Risk, where "meaningful share" equates to:

  • ≥5% of any savings and losses realized by the VBE pursuant to the Enterprise Risk; or
  • A monthly, quarterly, or annual capitated payment to the relevant participant for a predefined set of items and services, where the participant does not claim any payment from the payor for those items and services.
Key Requirements
  • The VBE, directly or through a participant, must assume the Enterprise Risk
  • Each participant relying upon the SDFR Safe Harbor must assume a meaningful share of the Enterprise Risk assumed by the VBE
  • Remuneration exchanged between participants must not involve ownership, investment interest, or related distributions
  • A written agreement between the VBE and each participant that defines the Enterprise Risk and each participant's meaningful share (and other key terms)
Common Pitfalls
Misunderstanding the risk requirements

Shared savings arrangements that do not involve downside risk do not suffice as Enterprise Risk. Both the VBE and each participant must assume the requisite downside risk. Additionally, simply sharing downside risk between participants without Enterprise Risk will not suffice – the VBE must assume Enterprise Risk directly from a payor.

3. Full Financial Risk (FFR) Arrangements

This is the most permissive—and most demanding—VBE safe harbor. It applies only when a VBE assumes full financial risk for the cost of all covered services furnished to members of a patient population.

When to Use It
  • Tools that help full-risk entities manage global costs across their entire population (e.g., a care navigation tool that helps a primary care group assuming the total cost of care under a Medicare Advantage contract surface low-cost/high-quality specialists)
What is "full financial risk"?

The FFR safe harbor requires that the VBE, directly or through a participant (other than a payor), assumes full financial risk from a payor. In this context, "full financial risk" means the VBE is financially responsible on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year ("Full Enterprise Risk").

What level of risk are individual participants required to assume?

The FFR safe harbor, unlike the SDFR safe harbor, does not explicitly require individual participants to assume a certain portion of the overall risk assumed by the VBE.

Key Requirements
  • The VBE must assume Full Enterprise Risk
  • Individual participants cannot submit claims to payors for any items or services furnished to members of the target patient population
  • The VBE must implement a quality assurance program to protect against underutilization and monitor the quality of care delivered
Common Pitfalls
Overestimating your entity's ability to actually assume full risk

As OIG acknowledged when establishing the FFR safe harbor, "there may be substantial up-front investments that can strain any physician practice's limited resources but can be particularly challenging for small, rural, or underserved practices with smaller patient pools to spread risk." Since individual participants cannot submit claims for services rendered to members of the target patient population, the VBE's governing body should ensure that the arrangement will not impose financial harm on individual participants.

4. Outcomes-Based Payment Arrangements (OBPA Safe Harbor)

While not part of the formal "value-based enterprise" safe harbors, the OBPA safe harbor added language to the commonly used Personal Services and Management Contracts safe harbor (42 C.F.R. § 1001.952(d)) that allows parties to add value-based elements to traditional fee-for-service arrangements without the need for a formal VBE. The added language relaxed restrictions that previously required fixed-in-advance service fees to allow healthcare companies to instead structure more flexible service fees based on measurable, data-driven clinical or cost outcomes.

When to Use It
  • Digital health companies or tech-enabled service providers supporting clinical outcomes, cost reduction, or improved quality metrics for fee-for-service providers
Key Requirements
  • Written agreement with defined outcomes metrics
  • Metrics must be evidence-based, measurable, and verifiable
  • Outcomes-based compensation must (i) be contingent upon achievement of permissible outcomes or (ii) involve recoupment or reduced payments if the accountable party fails to achieve one or more established outcome measures
  • Arrangements must include a methodology for measuring performance against the metrics that is objective, validated, and set in advance
  • Parties must monitor and document performance on an ongoing basis
Common Pitfalls
Establishing improper metrics

The OBPA safe harbor does not protect payments based solely on internal cost savings, patient satisfaction, or patient convenience. Payments must instead be tied to evidence-based clinical outcomes, such as reduced A1C levels among patients living with diabetes, improved medication adherence, or reduced cost of care to the system (i.e., Medicare).

Where the ACCESS Model Meets the Value-Based Safe Harbors

The Advancing Chronic Care with Effective, Scalable Solutions ("ACCESS") Model effectively expands the playing field for digital health companies that have been waiting for a more functional bridge between innovation and reimbursement. CMS explicitly acknowledged that "Original Medicare has historically lacked a payment option to adequately support novel technology-supported care" because "fee-for-service methodologies pay for a defined set of activities that do not typically align with the way technology-supported care is delivered." And CMS intends for the ACCESS Model to begin to solve that problem.

Quick facts about the ACCESS Model
  • The Model focuses on 4 clinical tracks categorized by condition type: early cardio-kidney-metabolic (CKM), CKM, musculoskeletal (MSK), and behavioral health conditions
  • Participants must be enrolled in Medicare Part B
  • Patients will be able to sign up with ACCESS participants directly via a directory maintained by CMS
  • Participants will receive Outcomes-Aligned Payments ("OAP") described as "recurring payment for managing a patient’s qualifying condition, with payment tied to achieving measurable health outcomes"
How the value-based safe harbors are relevant to the CMS ACCESS Model

ACCESS will require participants to offer integrated, technology-supported care across clinician consultations, lifestyle and behavioral support (nutrition, exercise, smoking cessation), therapy and counseling, patient education and care coordination, medication management, and ordering and interpreting diagnostic tests and imaging. And if you're in the remote monitoring space, you might be interested to know that CMS explicitly acknowledges that ACCESS participants will be incentivized to use or monitor medical devices, including software devices that are subject to FDA enforcement discretion.

But CMS will only pay incentives to providers and suppliers directly enrolled in Medicare Part B. This is where the value-based safe harbors come in.

The safe harbors are more than simply compliance guardrails. ACCESS and similar payment models turn them into commercial alignment tools.

  • Care Coordination Arrangements can support ACCESS participants by enabling tech-enabled referrals, shared clinical dashboards, automated risk-stratification, and closed-loop communication workflows, all of which reinforce ACCESS’s requirement for proactive, team-based chronic care management.
  • It is not clear whether the model will involve downside financial risk for participants, but if it does (or if participants also participate in a separate payment model that does) the Substantial Downside Risk and Full Financial Risk safe harbors can structure deeper partnerships, where revenue scales with sustained improvement in functional outcomes.
  • And of course, the Outcomes-Based Payment Arrangement dovetails perfectly with the ACCESS Model, allowing digital health companies to more closely align their own incentives with the OAPs available to their customers participating in the ACCESS Model.

Final Thoughts: Strategic Use of Safe Harbors in Digital Health

Digital health companies can and should leverage these safe harbors—but not blindly. Choose the right pathway based on how much financial risk your partner is assuming (if any), what services you're providing, and your role in patient care.

Keep in mind that, while these safe harbors have been in effect for several years at this point, it has taken just as long for many stakeholders to begin to leverage them. There are very few published enforcement examples or OIG Advisory Opinions to help us understand approved fact patterns, which means stakeholders may need to lower their risk tolerance and/or consider requesting input from OIG prior to implementation.

And finally, remember that you must affirmatively meet every element of the applicable safe harbor. Understanding the details is an essential component of continued compliance and, in turn, safe harbor protection.