eClinicalWorks Case Shines Spotlight on Data IntegrityWill Case Also Increase Scrutiny of Healthcare Providers?
Electronic health records software vendor eClinical Works has agreed to a $155 million lawsuit settlement that puts a spotlight on data integrity issues, a critical component of security.
See Also: HIPAA Audits: A Revised Game Plan
The Department of Justice announced that the Westborough, Massachusetts-based vendor has agreed to pay the financial settlement as well as enter into a five-year corporate integrity agreement with the Department of Health and Human Services' Office of Inspector General.
The lawsuit alleged the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements. That includes accurately recording user actions - such as orders for diagnostic tests - that were conducted in the course of a patient's treatment and also satisfying requirements for data portability.
Those issues raise potential patient safety concerns, some experts say.
The settlement resolves allegations in a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit individuals to sue on behalf of the government for false claims and to share in any recovery. The act also allows the government to intervene and take over the action, as it did in this case.
"This was not a criminal case and ECW was not prosecuted or found guilty," an HHS OIG spokesman tells Information Security Media Group. "It is a civil settlement in which ECW did not admit liability to violating the False Claims Act, including allegations of tainted claims from kickbacks. However, ECW agreed to settle this civil case by paying the settlement amount."
Corporate Integrity Agreement
The corporate integrity agreement signed by eClinicalWorks is innovative, the spokesman says, because "it's the first to address the quality of EHR software."
Under the agreement, eClinicalWorks will retain an independent software quality oversight organization to assess the company's software quality control systems and provide written semi-annual reports to OIG, the DOJ says.
The vendor also must provide "prompt notice to its customers of any safety-related issues and maintain on its customer portal a comprehensive list of such issues and any steps users should take to mitigate potential patient safety risks."
The agreement also requires eClinicalWorks to allow customers to obtain free updated versions of their software and to give customers the option to have the company transfer their data to another EHR vendor without penalties or service charges. eClinicalWorks must also retain an Independent Review Organization to review the vendor's arrangements with healthcare providers to ensure compliance with the Anti-Kickback Statute.
"OIG believes these provisions will reduce patient safety risks associated with the use of ECW's software because customers will have easier access to software updates, will be able to switch easily to other EHR vendors, and will be not be prevented from openly communicating with each other about ECW software problems and issues," the HHS OIG spokesman says.
Allegations of 'False Claims'
Under the HITECH Act, HHS offers incentive payments to healthcare providers that adopt certified EHR technology and meet certain requirements relating to their "meaningful use" of the technology.
The case against eClinicalWorks alleges that the vendor falsely obtained certification for its EHR software "when it concealed from its certifying entity that its software did not comply with the requirements for certification," federal prosecutors allege.
Among the allegations against eClinicalWorks is that its software "did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks."
In addition, prosecutors say the vendor's software failed to satisfy "data portability requirements" intended to permit healthcare providers to transfer patient data from the eClinicalWorks EHR to other vendors' software.
Federal prosecutors allege eClinicalWorks also took other shortcuts.
For example, in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by "hardcoding" only the drug codes required for testing. "In other words, rather than programming the capability to retrieve any drug code from a complete database, ECW simply typed the 16 codes necessary for certification testing directly into its software," prosecutors say.
"As a result of these and other deficiencies in its software, ECW caused the submission of false claims for federal incentive payments based on the use of ECW's software," alleges the case complaint filed in a federal court in Vermont.
The government's case against eClinicalWork is an example of alleged healthcare-related fraud, says privacy and security attorney Stephen Wu of Silicon Valley Law Group.
"Depending on the enforcement priorities of the [Trump] administration, it wouldn't surprise me if we see more of these kinds of cases involving misrepresentation that costs the government money," he says. To date, more than $30 billion has been paid out by HHS to healthcare organizations attesting to meaningful use of certified EHRs.
Kate Borten, founder of privacy and security consulting firm The Marblehead Group, says the alleged problems related to eClinicalWorks audit log recording and other deficiencies are worrisome.
"Our main concern is always patient safety," she says. "And if PHI integrity is in question - and integrity is one of the three components of information security - this should raise major patient care concerns in those practices using this product," she says. "I would recommend that practices promptly implement interim processes to double check their data before treating and prescribing."
The eClinicalWorks case is a "complex situation," says John Halamka, CIO of Beth Israel Deaconess Health System in Boston.
"eClinicalWorks is an important member of the Massachusetts healthcare IT community," he says. "At one time [Beth Israel Deaconess] had 225 doctors running ECW and at this point we have 135 doctors using it. The marketplace for electronic health record software evolves rapidly, and ensuring vendors comply with regulatory requirements builds customer confidence in the industry."
More Scrutiny to Come?
The case potentially raises questions about whether eClinicalWorks' healthcare provider customers that received HITECH financial rewards by attesting to "meaningfully using" the vendor's certified EHR software are also now subject to scrutiny by HHS OIG.
"The settlement between the OIG and eClinicalWorks does not appear to change the status of the certification of the EHR products as eligible certified electronic health record technology," says attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"The standards and process for certification of EHR technology are under the purview of the Office of the National Coordinator. The Centers for Medicare and Medicaid Services sets the standards and enforces the compliance with the meaningful use and EHR program requirements. It will be up to CMS to determine what direction they will take concerning payments made to eligible providers and hospitals," he says. "The more immediate challenge is that organizations currently using these products will need to take a hard look at how they approach meeting the program requirements for this current year."
In the meantime, healthcare organizations that attested to meaningful use using eClinicalWorks will be waiting to see the next steps CMS takes, Holtzman says. "It is not entirely clear if CMS will seek to recover meaningful use payments from eligible professionals and hospitals that attested using certified EHR technology produced by eClinicalWorks. "
Federal officials will need to closely review whether organizations had an obligation to identify and mitigate the issues that prevented the activities or measures required to meet the meaningful requirements, he says. "Or, could the organizations have placed reasonable reliance on the fact that ONC approved certification organizations had given their stamp of approval for these systems as meeting the requirements? These will be some of the issues that will need to be sorted out by CMS."
HHS did not immediately respond to an ISMG inquiry regarding whether regulators will potentially consider scrutinizing and retrieving meaningful use financial incentives paid to any eClinicalWorks customers.
HHS OIG also did not immediately respond to an ISMG inquiry about whether the allegation about eClinicalWorks software failing to satisfy "data portability requirements" could potentially constitute an example of "information blocking."
Under the 21st Century Cures Act signed into law last year, HHS OIG can impose civil monetary penalties against healthcare organizations and vendors that participate in intentional and inappropriate information blocking - preventing or materially discouraging access, exchange or use of electronic health information as permitted by law.
However, Holtzman says it's unlikely that OIG will take additional civil action against eClinicalWorks. "The terms of these settlements usually resolve all outstanding claims," he points out. "OIG will have the opportunity to address the issue of information blocking through the corrective action in the corporate integrity agreement eClinicalWorks entered into as part of the settlement with the government."
eClinicalWorks did not immediately respond to an ISMG request for comment.