Why Was Electronic Health Records Vendor Fined $145 Million?Prosecutors Cite Drug Company Kickbacks, HITECH Act Violations
Federal prosecutors say Practice Fusion - now a unit of Allscripts - will pay $145 million to settle civil and criminal investigations related to its electronic health records system. The case includes a kickback scheme involving opioids as well as false claims regarding compliance with HITECH Act certification requirements.
See Also: A Toolkit for CISOs
The U.S. Department of Justice said that as part of the criminal resolution, "Practice Fusion admits that it solicited and received kickbacks from a major opioid company in exchange for utilizing its EHR software to influence physician prescribing of opioid pain medications."
Court documents allege that Practice Fusion "extracted unlawful kickbacks from pharmaceutical companies in exchange for implementing clinical decision support alerts in its EHR software designed to increase prescriptions for their drug products," including opioids.
Practice Fusion agreed to pay over $26 million in criminal fines and forfeiture, the Justice Department says.
In addition, as part of separate civil settlements, Practice Fusion has agreed to pay a total of $118.6 million to the federal government and states to resolve allegations that it accepted kickbacks from the opioid company and other pharmaceutical companies and also caused its users to submit false claims for federal incentive payments by misrepresenting the capabilities of its EHR software.
Last August, Allscripts foreshadowed Practice Fusion's settlement with the Justice Department in a statement and during an earnings call with financial analysts. Allscripts at the time said it was taking a $145 million settlement expense in the quarter ended June 30, 2019. Allscripts acquired Practice Fusion in February 2018 for $100 million (see: Allscripts Faces $145 Million Settlement with DOJ).
"We are pleased to complete the settlement of these legacy matters, which as disclosed last August involve conduct predating Allscripts' acquisition of Practice Fusion," said Brian Farley, Allscripts executive vice president said in a statement provided to Information Security Media Group.
"As a company, we are committed to maintaining the highest levels of professionalism and integrity, and since learning of this matter we have further strengthened Practice Fusion's compliance program," Farley said.
Pharmaceutical Company Kickbacks
In court documents, federal prosecutors say that Practice Fusion, in exchange for "sponsorship" payments from pharmaceutical companies, allowed the drug companies to influence the development and implementation of the clinician decision support alerts in ways aimed at increasing sales of the companies' products.
"The CDS alerts that Practice Fusion agreed to implement did not always reflect accepted medical standards. In discussions with pharmaceutical companies, Practice Fusion touted the anticipated financial benefit to the pharmaceutical companies from increased sales of pharmaceutical products that would result from the CDS alerts," the Justice Department states.
Between 2014 and 2019, healthcare providers using Practice Fusion's EHR software wrote numerous prescriptions after receiving CDS alerts that pharmaceutical companies participated in designing, prosecutors say.
"Practice Fusion's conduct is abhorrent," said Christina Nolan, U.S. attorney for the District of Vermont. "During the height of the opioid crisis, the company took a million-dollar kickback to allow an opioid company to inject itself in the sacred doctor-patient relationship so that it could peddle even more of its highly addictive and dangerous opioids."
The Justice Department did not identify any of the pharmaceutical companies involved in the case.
HITECH Act Allegations
Practice Fusion's civil settlement also resolves allegations relating to the HITECH Act's financial incentive program for the "meaningful use" of certified EHRs.
Prosecutors allege that Practice Fusion falsely obtained HITECH certification for several versions of its EHR software by concealing that the software did not comply with all of the applicable requirements for certification.
To be certified under the 2014 Edition certification criteria from the Department of Health and Human Services' Office of the National Coordinator for Health IT, or ONC, EHR software was required to allow users to electronically create a set of standardized export summaries for all patients, prosecutors note.
When Practice Fusion sought certification of this 2014 Edition criteria, it "falsely represented to the certifying body that its software met this data portability requirement, when several versions of its software did not," the Justice Department says.
Practice Fusion's software also failed to incorporate standardized vocabularies as required for certification, according to prosecutors.
By allegedly fraudulently obtaining certification for its products, "Practice Fusion knowingly caused eligible healthcare providers who used certain versions of its 2014 Edition EHR software to falsely attest to compliance with HHS requirements necessary to receive incentive payments from Medicare during the reporting periods for 2014 through 2016 and from Medicaid during the reporting periods for 2014 through 2017," the Justice Department says.
"As new technologies continue to develop and evolve, so too do new and innovative fraud schemes," says Shimon Richmond, assistant inspector general for investigations at HHS.
'Deferred Prosecution Agreement'
The criminal charges against Practice Fusion include two felony counts for violating the Anti-Kickback Statute and for conspiring with its opioid company client to violate the anti-kickback statute.
"This case is the first ever criminal action against an EHR vendor, and the unique deferred prosecution agreement imposes stringent requirements on Practice Fusion to ensure acceptance of responsibility and transparency as to its underlying conduct, and to invest heavily in compliance overhauls and an independent oversight organization," the Justice Department says.
The portion of the settlement that pertains to the kickback allegations "is in lieu of a guilty plea to charges that Practice Fusion engaged in criminal conduct," notes privacy attorney David Holtzman of the security consulting firm CynergisTek.
"What is notable here is that DOJ is agreeing to suspend prosecution of the criminal case as part of a broader settlement that involves payment of penalties by Allscripts and agreement by DOJ to drop the criminal charges so long as the company does not engage in future criminal conduct," he points out.
In light of the findings that Practice Fusion failed to meet HITECH certification standards, healthcare entities should ramp up their scrutiny of all EHR vendors' claims regarding functionality that meets regulatory requirements, Holtzman contends.
"I do not see much appetite on the part of the Department of Justice, HHS or CMS [Centers for Medicare and Medicaid Services] to closely examine or provide marketplace surveillance that EHRs are actually capable of meeting the requirements for certified EHR technology," he says.
The ONC has significantly scaled back its internal programs to monitor EHR vendor compliance, Holtman says. "Nor are the certification bodies hired by ONC to review and certify technology in the marketplace incentivized to police the quality or safety of the EHR technology they come across," he adds.
"Healthcare organizations should take steps to independently verify that the certified EHR technology that are made a part of the enterprise information systems perform the operations required by the ONC standards and produce data that meets the Promoting Interoperability Program measures and objectives set by CMS. They also should expand the scope of the risk analysis to include assessment of the accuracy and integrity of the data produced by certified EHR technology to ensure that patient safety is not jeopardized."