June 01, 2019 Healthcare

EHR Enforcement: Providers in the Crosshairs?

Benjamin H. Wallfisch, Norton Rose Fulbright, Austin, TX and Washington, DC

In April, the ABA Health eSource published an article about recent federal enforcement actions against Electronic Health Records (EHR) vendors, highlighting recent high-profile False Claims Act (FCA) settlements involving software companies, including Greenway Health and eClinicalWorks.[1] The investigations stem from alleged violations related to the so-called “meaningful use” EHR incentive program, in which the Department of Health and Human Services (HHS) offers incentives to hospitals and physicians for the adoption and “meaningful use” of certified EHR technology. The theory underlying the recent FCA cases against EHR software vendors is that those companies sold EHR technology to providers that did not meet the stated criteria for the meaningful use program, and therefore the providers were paid incentives that they had not earned.  Under this theory, EHR vendors did not themselves submit false claims, but caused providers to file false claims for meaningful use incentives.  

Although much of the recent enforcement focus has been on EHR vendors, April’s eSource article noted that healthcare providers remain at risk if the EHR technology they use does not meet the requirements of the meaningful use incentive program.  In fact, in recent years whistleblowers have filed a handful of FCA cases targeting providers’ receipt of EHR incentive payments.  Those cases have had mixed success, but a case unsealed in March of this year serves as a reminder that providers may still be in the crosshairs.

I.  Meaningful Use Basics

The meaningful use program was first enacted in 2009 as part of the HITECH Act,[2] and it sets forth incentives under the Medicare and Medicaid programs for hospitals and physicians that can demonstrate the “meaningful use of certified EHR technology.”[3] The HITECH Act also established the Office of the National Coordinator for Health Information Technology (ONC) to oversee the program.[4]  The program has evolved and expanded since it was first implemented in 2011, and eligibility requirements and technical requirements for providers have become increasingly complex.  As of October 2018, more than 1.5 million healthcare providers have received a total of almost $38 billion in incentive payments through the meaningful use program and its successors.[5]

In its early incarnation, the program provided incentive payments under Medicare and Medicaid for providers (including hospitals and individual physicians or physician practices) that demonstrated the ability to meet certain criteria set forth in the regulations.  In “Stage 1” of the program providers needed to demonstrate compliance with a number of “core” objectives, as well as a minimum number of “menu” objectives from a list of possible options offered by the Centers for Medicare & Medicaid Services (CMS).  The objectives set a threshold number of patient records that needed to contain certain clinical information entered as “structured data” — such as the requirement that more than 50 percent of all unique patients admitted to a hospital’s emergency department needed to have demographic data recorded in the EHR as structured data.[6]

The requirements to receive meaningful use incentives have changed over time, through Stages 1, 2, and 3 of the meaningful use program.  In addition, on April 16, 2015, Congress enacted the Medicare Access and Children’s Health Insurance Program Reauthorization Act (MACRA),[7] which, among other changes, established payment reforms that consolidated several programs into a Merit-based Incentive Payment System (MIPS) and made changes to the meaningful use program, which is now part of CMS’s Promoting Interoperability Program.

A key feature of meaningful use incentives and their progeny, from their inception and continuing to the present, is the two sets of representations made to the government that form the basis of the FCA legal theories advanced by the government and whistleblowers:

First, software vendors must undergo a certification process before ONC and its contractors to demonstrate that the software meets functional requirements established by ONC.  The Greenway Health and eClinicalWorks cases were based, in large part, on the theory that those companies gave false statements as part of the certification process, which allegedly gave ONC the impression that their software met technical and functional criteria when in fact the software did not. 

Second, providers are required to submit annual attestations that they used certified EHR technology during the applicable reporting time period and that they satisfied the required objectives and measures set forth for each Stage of the program, as well as other requirements.[8]  Those attestation statements are at the center of FCA cases brought against providers.

II. Compliance and Enforcement

From the outset of the program, HHS’ Office of Inspector General (OIG) has expressed interest in policing meaningful use incentive payments, publishing in its fiscal year (FY) 2010 work plan that it would begin to review payment data, including an assessment of CMS’s actions to remedy any erroneous Medicare or Medicaid incentive payments.[9]  Ultimately, OIG published a report in 2017, concluding that CMS had paid approximately $729 million to physicians who did not qualify for meaningful use incentives between 2011 and 2014, an amount equal to approximately 12 percent of total spending on EHR physician incentives during that time period.[10]  (The report only reviewed incentive payments to physicians; it did not evaluate hospital incentive payments.)  The report was highly critical of CMS’s oversight of the program: “CMS’s minimal oversight of self-attestations left the EHR program vulnerable to abuse and misuse of federal funds.”[11]

Moreover, the report made several recommendations to CMS, including that it (1) determine which physicians did not meet meaningful use measures and attempt to recover improper incentive payments from them, and (2) review a random sample of providers’ documentation supporting attestations to identify additional inappropriate incentive payments made after the audit period.  CMS only “partially agreed” with these recommendations; CMS noted that it will continue to use targeted risk-based audits, including random sampling, to strengthen the program’s integrity, but CMS did not fully commit to following OIG’s recommended approach.[12]  CMS’s response apparently captured the attention of lawmakers, and in June 2017 Senators Chuck Grassley (R-IA) and Orrin Hatch (R-UT) wrote to CMS, inquiring about the agency’s reaction to the report and urging CMS to take “all reasonable steps” to recover taxpayer funds that were improperly spent.[13]  At present, OIG is conducting an audit of meaningful use incentive payments to hospitals from 2011 through 2016, during which time CMS paid Medicare EHR incentive payments totaling $14.6 billion to hospitals.[14]  That report is expected to be issued in FY 2019. 

III.  Past Enforcement Actions Involving Providers

Although providers have been earning meaningful use incentive payments since 2011, enforcement activities have been slow to mature, and the record of success in whistleblower cases that allege meaningful use violations has been mixed at best.  Here are highlights of the more significant provider enforcement actions.

A. Shelby Regional Medical Center

In one of the earliest enforcement actions, federal prosecutors charged an individual hospital executive with making criminal false statements relating to meaningful use attestations.  In February 2014, the former Chief Financial Officer (CFO) for Texas-based Shelby Regional Medical Center was charged with making false statements to CMS for falsely attesting that the hospital met meaningful use requirements for program year 2012.  The indictment[15] alleged that these false attestations violated the federal criminal false statements law, which makes it a criminal offense to make “any materially false, fictitious, or fraudulent statement or representation” to the federal government[16] or to “make[] or use[] any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry.”[17]  The former CFO, Joe White, oversaw implementation of an EHR platform at the hospital.

Under Stage 1, hospitals were required to meet 14 “core” objectives, at least five additional objectives chosen from a menu set, and 15 clinical quality measures.[18]  The indictment alleged that White, on behalf of the hospital, falsely attested that the hospital met all of these requirements for 2011 and 2012.  According to the Department of Justice (DOJ), the hospital generally used paper records during program year 2012, but White “directed its software vendor and hospital employees to manually input data from paper records into the [EHR] software, often times months after the patient was discharged and after the end of the fiscal year.”[19]

The indictment also alleged that White submitted the 2012 EHR attestation with the user ID of another hospital employee, without the other employee’s knowledge or authorization.  According to the indictment, the other employee refused to submit the attestation herself “because she did not believe the facility met the criteria for attestation.”  Shelby received meaningful use incentive payments of more than $1.1 million for 2011 and more than $785,000 for 2012.[20]  Ultimately, White pleaded guilty and was sentenced to 23 months in federal prison and ordered to pay nearly $4.5 million in restitution to CMS.  Shelby Regional Medical Center is no longer operating.[21]

B. 21st Century Oncology Settlement

In December 2017 the DOJ announced a $26 million settlement with 21st Century Oncology, a Florida-based business that owns and operates various subsidiaries across the country that provide integrated cancer care, including radiation oncology, medical oncology, and urology.[22]  In this case 21st Century Oncology actually approached the government with a voluntary self-disclosure, reporting that it had submitted false attestations to CMS regarding physicians’ use of EHR software.  In particular, the company self-disclosed that “its employees falsified data regarding the company’s use of EHR software, fabricated software utilization reports, and superimposed EHR vendor logos onto the reports to make them look legitimate.”[23]  The large settlement amount in this case was not driven entirely by EHR-related violations — the company simultaneously settled a qui tam suit brought by a former executive that alleged violations of the Stark Law.[24]  Because the meaningful use conduct arose in the context of a self-disclosure, there is little publicly available information about the case beyond the DOJ’s press release. 

C.  Recent FCA Dismissals

In other cases, courts have dismissed FCA complaints advancing creative, but ultimately unsuccessful, meaningful use theories.  For example, in April 2014 a whistleblower brought an FCA action against Ohio-based Kettering Health Network (KHN) alleging false meaningful use attestations.[25]  In order to receive incentive payments during meaningful use Stages 1 and 2, hospitals had to attest to a measure requiring the provider to protect electronic health information.  This included various requirements, such as conducting a security risk analysis, as well as complying with various HIPAA standards.[26]  The relator claimed that KHN falsely attested to this measure because: (1) several KHN employees impermissibly accessed the relator’s EHR in violation of HIPAA and its security and privacy regulations, and (2) KHN failed to run regular reports regarding data breaches.  In January 2015, a district court granted KHN’s motion to dismiss for failure to state a claim, concluding that an individual instance of a data breach is not an automatic violation of the general duty to protect patient data required by the meaningful use program.  The Sixth Circuit unanimously affirmed the dismissal in March 2016.[27]  In its opinion, the Sixth Circuit emphasized that a breach of patient data, by itself, does not constitute a violation of the HITECH Act or render the hospital’s attestations false.  Rather, HITECH regulations require hospitals to “[c]onduct or review a security risk analysis,” “implement security updates as necessary,” and “correct identified security deficiencies,” and CMS has explicitly recognized that providers may not be able to “fully mitigate all risks.”[28]  The Court even adopted a statement from KHN’s own brief: “[t]he regulations . . . do not impose a strict liability standard that requires hospitals to prevent all privacy breaches.”[29]  The Sixth Circuit also concluded that the relator failed to allege a specific claim for payment, as required under the FCA.[30]  Although the relator alleged generally that KHN “falsely certified to the United States Government that it had complied with the HITECH Act to collect ‘Meaningful Use’ monies” and that KHN received government funds “as a result” of its allegedly false attestations, the relator was unable to allege specific claims (or attestations) made to the government that amount to false claims.[31]

In September 2016 two relators brought an FCA action against 62 Indiana hospitals alleging false attestation of meaningful use requirements from 2011 to 2013.[32]  Meaningful use Stage 1 core measure 11 required hospitals to record the number of times a patient requested his/her EHR and the number of times the hospital provided the EHR within three business days, requiring hospitals to meet this standard at least 50 percent of the time.[33]  In this matter, the relators claimed that the hospitals falsified records to meet measure 11 but nevertheless attested that they met all requirements to receive EHR incentive payments.  

The case was brought not by an insider, but by two attorneys who had experienced “frustrations and delays” in seeking medical records from hospitals as part of their work as personal injury and medical malpractice attorneys.[34]  Based on this experience, they began to suspect that hospitals were not meeting the three-business-day standard at least half of the time.  The relators submitted actual records requests to only a small number of these hospitals — the remaining 66 defendant hospitals were part of what the relators dubbed the “Statistically Correlated Defendants” on the assumption that they had perpetrated “the exact same fraudulent reporting.”[35]  The complaint alleges that all defendant hospitals falsely attested that they complied with measure 11 when they did not. 

In late 2017 both the federal government and the State of Indiana declined to intervene, and the state went a step further and filed a motion to dismiss.[36]  In its motion, the state argued that it would “bear a substantial burden in monitoring the case, presenting its position on the interpretation of state laws, and participating in the discovery in this case – a case, which has little, if any merit.”[37]  The state’s motion then laid out a point-by-point takedown of the relators’ theory, concluding, harshly: “The problem with the Relators’ theory is that it is wrong.”[38]

In particular, the state’s brief cited the 2010 preamble to the EHR Incentive Program Final Rule, in which CMS made clear that the types of third party records requested by the attorneys/relators in this case should not be included in the core measure 11 calculation.[39]  In other words, the relators’ experience with requesting patient records did not reconcile with the hospital-reported data because hospitals were not required to report data based on the relators’ requests.  The relators did not oppose the state’s motion,[40] and within weeks they voluntarily dismissed the case before any of the defendants had filed responsive pleadings.[41]

IV.   Community Health Systems Qui Tam

In the most recent example of a provider targeted for its meaningful use incentives, Tennessee-based hospital chain Community Health Systems (CHS) was named in a qui tam suit filed last year and unsealed in March 2019.  The DOJ has been investigating this case — originally filed under seal in January 2018 by two whistleblowers — since at least July 2018, when CHS announced that it was responding to “a civil investigative demand relating to the Company’s adoption of electronic health records technology and the meaningful use program.”[42]  Although the DOJ ultimately declined to intervene in the case, the unsealed complaint reveals the types of arguments and legal theories that whistleblowers and government officials could use in future enforcement actions.

The case was brought by two former CHS employees who had roles in implementation and management of EHR systems for CHS hospitals.  From their positions, they allege an up-close view of the hospital system’s efforts to comply with the meaningful use incentives while using EHR software developed and sold by Medhost, Inc., a Tennessee-based health information technology company.  According to the complaint, the software developed and sold by Medhost contains “pervasive flaws” that prevent it from working properly and meeting meaningful use certification standards.[43]  The complaint also alleges that a separate EHR system — PULSE EHR — which was used by a hospital chain acquired by CHS in 2014, similarly failed to meet the certification standards. 

Critical to its legal theory, the complaint asserts that CHS knew the software did not meet the certification requirements for the meaningful use program but nevertheless made false attestations to the government in order to obtain incentive payments.  Those attestations, according to the complaint, allowed the CHS hospitals to receive a total of $544 million in meaningful use incentive payments.

A. Alleged Software Flaws and Implementation Errors

At the core of the relators’ allegations is that CHS and its hospitals knew of alleged software defects and that the software did not meet meaningful use criteria, but nevertheless continued to sign attestations to CMS.  In the 57-page complaint, the relators detail numerous specific types of functional problems with the software, including:

  • Poorly integrated functionality that in some cases forced providers to print clinical information when patients were transitioned from one care setting to another, rather than transferring that information electronically;

  • Requiring nurses to enter the same information into the EHR multiple times, multiplying the risk of a data entry error;

  • Failing to recognize non-formulary drugs, requiring entry of drug information as free text, which has less utility in an EHR system;

  • Failing to issue a warning when medication has been duplicated for a patient;

  • Failure to trigger delivery of medication at the correct time; and

  • Inability to reliably perform drug-drug, drug-allergy, and duplicate therapy checks.

In one example described at length in the complaint, the Medhost software allegedly was unable to calculate weight-based dosing accurately, exposing patients to potential dosing errors.  In particular, the complaint alleged that the Medhost software made inaccurate drip-rate calculations for IV drugs, in one case creating a drip-rate nearly seven times too high.[44]  In another case, a “send dose now” feature designed to create medication orders for immediate delivery purportedly did not work properly and would instead schedule a dose for three hours into the future.[45]

B.  The Provider’s Knowledge of Software Issues and Response

The complaint alleges that not only did the software fail in important respects, but CHS was put on notice of the problems from several corners, most notably physician leadership.  CHS allegedly received complaints from physicians that the EHR software “created an unsafe practice,” “safety issues,” and “scary results.”[46]  Another employee warned that the system could map physician orders incorrectly to hospital formularies, causing doctors to inadvertently place orders for incorrect medications and medication dosages, which had “a very high potential for causing a catastrophic event.”[47]

In response to these and other issues and complaints, the relators allege that CHS, instead of pursuing actual fixes, implemented a series of “workarounds” designed to preserve the hospitals’ meaningful use incentive payments but without correcting the underlying software functionality issues.  The complaint also alleges that CHS did not warn physicians about problems with EHR functionality that could impact patients.  Meanwhile, CHS purportedly attempted to speed adoption of the EHR at as many hospitals as possible in order to maximize incentive payments.  As of press time, it is unclear whether the relators intend to go forward with the case.  Relators have 90 days from the date of unsealing to serve the defendants.[48]

V.  Potential Issues and Challenges for Providers

A.  Complexity

EHR technology is increasingly complex in its functionality, and implementation of a new EHR system presents many complex technical challenges.  Furthermore, the meaningful use incentive itself is built upon an elaborate and evolving set of standards, each of which has detailed performance specifications set forth in the regulations.  Understanding the intersection of the meaningful use requirements and the technical functionality of EHR software can be challenging for compliance and legal personnel who lack a technical background.  Providers should consider implementing a process for internal validation and documentation of compliance in order to substantiate attestation statements made to CMS.

B.  Role of Technical Staff

Relators in the CHS case, unlike in other recent meaningful use cases involving providers, purport to have been personally involved in the EHR implementation process.  The complaint is silent on whether the relators raised any concerns or complaints internally before filing their qui tam suit.  As part of a compliance program, providers may need to take steps to ensure that technical staff who are responsible for the implementation of their EHR systems have effective avenues to raise any questions or concerns through the provider’s “hotline” process, including the ability to raise issues anonymously.  Providers’ technical staff may not be as prominent a focus of typical compliance programs, which tend to focus on staff involved in direct patient care or billing, where most compliance issues arise.

C.  Duty to inspect or investigate?

Although the CHS complaint is lean on specific details of how the hospitals dealt with potential software use concerns, the tenor of the allegations is that CHS was so focused on earning meaningful use incentive payments that it rushed into place improvised solutions to create the appearance of compliance rather than implementing real fixes.  Because providers continue to benefit from the incentives under meaningful use programs, they will need to ensure that their EHR systems are functional, that they are being used properly, and that they are prepared to investigate alleged concerns about non-compliance with the evolving federal standards.

VI.  Conclusion

It remains to be seen whether investigations of providers for meaningful use fraud and abuse will dominate the next enforcement frontier.  As the value of meaningful use incentives earned by providers continues to grow, providers may become targets if insiders believe the providers have taken shortcuts or implemented workarounds in their EHR systems.  In addition, it is possible that investigations of EHR vendors could expand to target the providers who are attesting compliance and receiving the immediate benefit of the incentive programs.

[1] Scott R. Grubman, Department of Justice Continues Enforcement Against Electronic Health Record Vendors, ABA Health eSource, April 2, 2019, available at

[2] The EHR incentive provisions of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) were enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, 123 STAT. 115, 467-494 (Feb. 17, 2009).

[3] 42 U.S.C. § 1395w-4(o) (physicians); 42 U.S.C. § 1395ww(n) (hospitals).

[4] 123 STAT. 230-234.

[5] Promoting Interoperability (PI) Program: Combined Medicare and Medicaid Payments by State, January 2011 to October 2018, available at

[6] 42 C.F.R. § 495.20(f)(6).

[7] Pub. L. No. 114-10.

[8] 42 C.F.R. § 495.40(a) & (b).

[9] OIG Work Plan, FY 2010, available at

[10] “Medicare Paid Hundreds of Millions in Electronic Health Record Incentive Payments that Did Not Comply with Federal Requirements,” Department of Health and Human Services, Office of Inspector General (June 2017), available at

[11] Id. at 7.

[12] Id. at 20.

[13] Letter from Senators Charles Grassley and Orrin Hatch to CMS Administrator Seema Verma, July 12, 2017, available at

[14] OIG Active Work Plan Items: Nationwide Medicare Electronic Health Record Incentive Payments to Hospitals, available at

[15] Indictment, Jan. 22, 2014, in United States v. White, No. 6:14-CR-00005 MHS/JDL (E.D. Tex.), available at

[16] 18 U.S.C. § 1001(a)(2).

[17] Id. at § 1001(a)(3).

[18] 42 C.F.R. § 495.20(f)(g).

[19] “Former Hospital CFO Charged with Health Care Fraud,” Department of Justice Press Release, Feb. 6, 2014, available at

[20] Indictment, at 7-8.

[21] “Former Shelby County Hospital CFO Sentenced in EHR Incentive Case,” Department of Justice Press Release, June 17, 2015, available at

[22] “21st Century Oncology to Pay $26 Million to Settle False Claims Act Allegations,” Department of Justice Press Release, Dec. 12, 2017, available at

[23] Id.

[24] United States ex rel. Moore v. 21st Century Oncology, LLC, No. 2:16-cv-99 (M.D. Fl.).  The federal physician self-referral statute, commonly known as the Stark Law, prohibits any entity from billing Medicare for services referred by a physician who has a financial relationship with the billing entity.  42 U.S.C. § 1395nn.

[25] United States ex rel. Sheldon v. Kettering Health Network, No. 1:14–CV–345 (S.D.Ohio).

[26] Stage 1 and Stage 2 require providers to comply with HIPAA security and privacy standards, including the requirement to “implement policies and procedures to prevent, detect, contain, and correct security violations,” 45 C.F.R. § 164.308(a)(1), “[i]mplement a mechanism to encrypt and decrypt electronic protected health information,” Id. at § 164.312(a)(2)(iv), and implement “an equivalent alternative measure” if such an encryption mechanism is not “reasonable and appropriate.”  Id. at § 164.306(d)(3).

[27] United States ex rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016).

[28] Id. at 409 (quoting 42 C.F.R. §§ 495.6(d)(15)(ii), (f)(14)(ii) & CMS, Security Risk Analysis Tipsheet: Protecting Patients' Health Information 5 (Revised Dec. 2013)).

[29] Sheldon, 816 F.3d at 410.

[30] Id. at 411 (“In this Circuit, there is [a] clear and unequivocal requirement that a relator allege specific false claims when pleading a violation of the FCA.” (citation and internal quotation marks omitted)).

[31] Id. at 412.

[32] Complaint, United States ex rel. Misch v. Memorial Hospital of South Bend, Inc., et al., No. 3:16-CV-00587-JD-MGG (N.D. Ind.) (Mar. 2, 2017).

[33] 42 C.F.R. § 495.20(f)(11).

[34] Misch, Complaint ¶ 89.

[35] Id. at ¶ 114.

[36] Dkt. 154, December 29, 2017.

[37] Id. at 1-2.

[38] Id. at 17.

[39] Id. at 17-18 (citing Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, 75 Fed. Reg. 44,314, 44,353-44,354 (July 28, 2010)).

[40] Dkt. 166.

[41] Dkt. 169, 170, and 171.

[42] Community Health Systems, Inc., Form 10-Q for the quarterly period ended June 30, 2018 (July 23, 2018), at 78.

[43] Complaint ¶ 6, United States ex rel. Lewis v. Community Health Systems, Inc., et al. (S.D. Fla.). (February 1, 2018).

[44] Id. ¶¶ 79-83.

[45] Id. ¶¶ 87-90.

[46] Id. ¶¶ 72, 75, 85.

[47] Id. ¶¶ 12, 130.

[48] Fed. R. Civ. P. 4(m). 

Benjamin Wallfisch

Benjamin Wallfisch handles investigations and litigation for clients in the healthcare industry.  He is based in Norton Rose Fulbright’s Austin and Washington offices.