The recent settlement of a False Claims Act lawsuit against electronic health records software vendor eClinicalWorks should serve as a wake-up call to both health IT vendors, and the healthcare providers who are the end-users of these technologies, according to many healthcare IT industry leaders.
On May 31, the U.S. Department of Justice announced a settlement that holds eClinicalWorks, and the company’s founders and executives—Chief Executive Officer Girish Navani, Chief Medical Officer Rajesh Dharampuriya, M.D., and Chief Operating Officer Mahesh Navani—liable for payment of $155 million to resolve a False Claims Act lawsuit. The company allegedly violated federal law by misrepresenting the capabilities of its software and for allegedly paying kickbacks to certain customers in exchange for promoting its product, according to the Justice Department.
The complaint alleges eClinicalWorks falsely attested to its certifying body that it met certification requirements under the Meaningful Use program, and in turn caused its healthcare provider customers to make false claims for incentive payments under the Meaningful Use program. The U.S. Department of Health and Human Services (HHS) established the Meaningful Use program, pursuant to the HITECH Act, and it provides incentive payments to healthcare providers who demonstrate meaningful use of certified EHR technology.
It is important to note that the Westborough, Mass.-based EHR vendor has not admitted any fault or wrongdoing and its software remains fully certified under the Meaningful Use program.
In response to a media request for an interview about the settlement, an eClinicalWorks spokesperson sent a letter that was sent to the company’s customers. In that letter, eClinicalWorks stated that it would, in addition to paying $155 million, bolster its compliance program. “The inquiry leading to the settlement primarily centered on technical aspects of the Meaningful Use program and allegations that eClinicalWorks software had technical non-conformities related to some of the criteria, all of which have since been addressed,” eClinicalWorks’ CEO Girish Navani stated in the letter.
Regarding the allegations that its customer referral program violated the federal Anti-Kickback statute, Navani wrote in the letter, “While referral programs like this are common in the industry, and while HHS-OIG (Department of Health and Human Services Office of the Inspector General) has provided no guidance regarding them, the government took the position that the payments were improper. We disagreed but have nevertheless discontinued the program.”
Jeffrey Smith, vice president of public policy at the Washington, D.C.-based American Medical Informatics Association (AMIA), says, on the surface, the settlement is about the federal government holding an electronic health records vendor accountable for allegedly failing to meet federal standards designed to ensure patient safety and quality patient care. “When you peel back the layers of the onion a little bit, what you find is that this case sheds light on genuine deficiencies in the current health IT certification program, and it details the many ways that risks to patient safety can arise when software is not developed properly or when it’s not implemented or used properly,” he says.
“This case really highlights how benign glitches can have far-reaching impacts to patient safety. I imagine every single CIO out there understands this notion very well, because while we all suffer through computer glitches and little hiccups on smartphones—in healthcare, a glitch can be the difference between life and death,” Smith says. “I think if you are a CIO trying to figure out what is that you want to do as a result of this, you should probably go and have a conversation with your vendor to make sure that they understand the implications of this $155 million settlement. And, I anticipate that the $155 million that the government is getting is only the beginning.”
Drilling Down into the Case
The Justice Department’s settlement with eClinicalWorks resolves allegations in a lawsuit filed in the District of Vermont by Brendan Delaney, a software technician formerly employed by the New York City Division of Health Care Access and Improvement. The lawsuit was filed under the qui tam, or whistleblower, provisions of the False Claims Act, which permit private individuals to sue on behalf of the government for false claims and to share in any recovery. As a result of the resolution, Delaney will receive approximately $30 million.
According to a press release issued by a law firm representing Delaney, Phillips & Cohen, Delaney was, at the time, a New York City government employee implementing the eClinicalWorks EHR system at Rikers Island for prisoner healthcare when he first became aware of numerous software problems that he alleged put patients at risk.
In its complaint-in-intervention, the Justice Department accused the vendor of "gaming" the certification test, by, for example, modifying its software by “hardcoding” only the drug codes required for testing. “In other words, rather than programming the capability to retrieve any drug code from a complete database, ECW simply typed the 16 codes necessary for certification testing directly into its software. ECW’s software also did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks,” the Justice Department stated in a press release about the settlement.
eClinicalWorks’ Navani responded to these allegations in the letter to the company’s customers. He wrote, “One of the technical non-conformities alleged by the government involved the use of RxNorm codes in electronic prescriptions. From 2014 to August 2016, electronic prescriptions sent by eClinicalWorks users included NDC codes rather than RxNorm codes. During this time period, more than 500 million prescriptions were successfully transmitted and filled, and most major pharmacies did not support RxNorm codes. The failure to include RxNorm codes in electronic prescriptions was completely inadvertent on the part of eClinicalWorks, as our software used RxNorm codes in other parts of the system, such as in C-CDAs. We gained nothing by not including the codes, which are available for free from the National Library of Medicine. We resolved this issue as soon as we learned of it.”
Navani also wrote that, historically, technical non-conformities with the MU Program were addressed through an administrative rather than a legal process, and specifically pointed to ONC's Certified Health IT Product List website for a list of EHR vendors with non-conformities. “eClinicalWorks chose to settle this matter to avoid the uncertainty of a prolonged legal dispute which could have been disruptive to our customers, our employees and our company,” he stated.
Considering the implications of the fraud allegations, Bob Ramsey, an attorney who focuses on healthcare as a shareholder/partner at the Pittsburgh, Pa.-based law firm Buchanan, Ingersoll & Rooney, says the case should serve as a wake-up call to health IT vendors about the importance of being compliant with certification requirements. “It really underscores that all parties, vendors, suppliers, or anyone that is touching the healthcare system, needs to be careful. Are other vendors doing the same kind of thing? I don’t think so, but I don’t know so, and if they are, they better be careful, a $155 million settlement should get their attention,” he says. Ramsey added that the Justice Department was clearly sending a message by holding the company’s founding officers and executives liable as well. “The government is doing that on purpose, sending a message to the industry to say, ‘It’s not just corporate accountability here, it’s individuals, and we will go after individuals.’”
Health IT vendors should review their systems and their procedures for identifying and correcting software design and quality issues that call into question EHR software’s conformity to applicable EHR certification criteria or that could pose patient safety or clinician usability risks, many health IT leaders say. “Compliance programs and compliance officers are absolutely critical,” Ramsey says. “Healthcare providers have had compliance programs for years, and the EHR vendors probably should adopt a similar approach.”
As part of the settlement, eClinicalWorks also agreed to a five-year Corporate Integrity Agreement (CIA) with strict reporting obligations and compliance oversight. “For five years, this company is going to be closely scrutinized by the government. And those corporate integrity agreements are very carefully drafted by the government and are very difficult to comply with; it means really dotting the i’s and crossing the t’s. It’s an important message from the government to the industry which is, ‘EHRs can have an impact on patient safety and patient health and on outcomes and we’re not going to tolerate fraud, because people’s lives are potentially at risk here.’”
Farzad Mostashari, M.D., former National Coordinator for Health IT, and now CEO of health IT company Aledade, shared his thoughts on Twitter the day the news broke: “Let me be plain-spoken. eClinicalWorks is not the only EHR vendor who flouted certification/misled customers. Other vendors better clean up.
Let me be plain-spoken.— Farzad Mostashari (@Farzad_MD) May 31, 2017
eClinicalWorks is not the only EHR vendor who flouted certification /misled customers
Other vendors better clean up pic.twitter.com/vF1NduHYe8
AMIA’s Smith also is not as optimistic as Ramsey that the allegations against eClinicalWorks represent a “one-off” case. “One of the things that has come to light is that the certification program itself is highly reliant on the honor system,” he says, “I think we will learn more over the coming weeks and months about just how pervasive this kind of activity may well be. I would like to think that eClinicalWorks is the only organization out there that has gamed the certification program the way that they did, but I doubt it. I find it hard to believe that eClinicalWorks would be the only such developer that used the honor system to their benefit, at least early on.”
Is More Federal Oversight Needed?
There are many safety advocates who contend that the current oversight structure isn’t strong enough. The allegations raised in the lawsuit against eClinicalWorks, and the idea that EHR vendors could, potentially, “game” the certification tests poses a genuine concern for the health IT community, Smith says. “That’s a real question that needs to be asked, ‘How do we stop it from happening?’”
Ramsey anticipates that the HHS will review the certification process. “This may be evidence that the certification program did have some faults in it. I think the government may start scrutinizing the certifiers.”
Smith says, “I do think there are potential avenues to mitigate these kinds of actions and potentially the enhanced oversight rule that ONC finalized late last year would be one avenue through which we could identify these issues earlier on when they are happening, as opposed to several years after the fact, which was the case here.”
Last October, ONC issued a final rule that updates the ONC Health IT Certification Program and sets up a regulatory framework for ONC to directly review certified health IT products and take necessary action in circumstances involving potential risks to public health and safety. The “Enhanced Oversight and Accountability” final rule focuses on three key areas—direct review, enhanced oversight and greater transparency and accountability.
In a written comment, Mostashari said, “This settlement proves that, for interoperability and safety, the country needs ONC to be accountable for the integrity of EHR certification. This is a clear case for why Congress should, at the least, maintain ONC’s funding to meet this accountability and protect patients.” Mostashari’s comment about funding relates to the Trump Administration’s proposed 2018 budget, which includes cutting $22 million from ONC’s budget.
However, some in the health IT industry have voiced concerns about increasing ONC’s regulatory oversight, saying it could slow innovation and adversely affect patient safety by impeding access to health IT products. When ONC announced its Enhanced Oversight and Accountability final rule in October, Health IT Now Coalition executive director Robert Horne issued a statement stating that ONC “is clearly overstepping its statutory authority by moving forward with direct review of uncertified functionalities and products, in addition to certified products.”
"Our chief concern is the potential for negative consequences from the ONC final rule. Simply put, the Office of the National Coordinator for Health IT was not created by Congress to be a regulator like the Food and Drug Administration (FDA),” Horne said in his statement.
Beyond federal oversight, EHR vendors will likely be under increased scrutiny from end-users, who will feel emboldened to speak up about problems with EHR software.
The second part of this article, which will post online Friday, will focus on how the eClinicalWorks lawsuit settlement sheds light on interoperability issues and the potential impact on the EHR vendor market.