The rapid deployment of advanced technology and availability of massive capital investment created opportunities for major improvement in healthcare effectiveness and efficiency, but also introduced risks of unintended consequences, the worst being patient harm and fraudulent behavior. Since 2017, the healthcare industry has been rocked by news of large financial settlements between EHR vendors and the federal government to resolve litigation alleging fraud and subsequent patient safety problems.
This article dives into the topic of EHR regulation and how settlement agreements have allowed the legal representatives of the U.S. government to compel actions that Congress and the regulatory agencies have failed to do. It provides a background to the topic, including a history of EHRs and their regulation. The article then presents the cases of four EHR vendors who have been sued in federal court for False Claims Act (FCA) violations and other unlawful activities. The article describes the novel government approach to EHR oversight, including examining the legal foundation and showing how the litigation-related methods differ starkly from existing regulatory framework. It then presents recommendations for more effective EHR regulation.
History of the Electronic Health Record
An EHR is a system of “electronically maintained information about an individual’s lifetime health status and health care, stored such that it can serve…multiple legitimate users.”5 The following functions are essential for a basic EHR: health information and data, results management, order entry and management, decision support, electronic communication, and connectivity.6 The EHR can also perform important support functions, such as patient management and administrative process automation.7 Advanced functionality includes interoperability and the exchange of information.8
EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users.9 While both paper and electronic records include key patient data, such as history, medications, allergies, and laboratory test results, EHRs include software features that automate and streamline provider workflow and provide evidence-based tools to help providers make decisions about a patient’s care.10 EHR systems can reduce medical errors and improve patient safety, especially through built-in decision support features.11
President George W. Bush set out a vision for nationwide adoption in his 2004 State of the Union Address. “By computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care.”12 His administration developed a plan to ensure that the technology covered most Americans within 10 years.13 Despite ambitious goals, a study published in 2009 in the New England Journal of Medicine reported that only four percent of physician practices and 1.5 percent of hospitals had adopted a fully functional EHR system.14
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA),15 aimed to address the financial and technological barriers that providers said prevented EHR adoption.16 Most importantly, the HITECH Act authorized the Centers for Medicare & Medicaid Services (CMS) to award financial incentives to health providers through Medicare and Medicaid payments in a program called the “Meaningful Use Program” or “EHR Incentive Program.”17 To date, the program has allocated at least $38 billion in incentive payments.18 The financial incentives did result in significant growth in the meaningful use of EHRs across physicians’ offices and hospitals. Nearly 500,000 physicians received incentive payments19 and 82 percent of office-based physicians had some level of EHR support by 2014.20 By 2019, 96 percent of hospitals had adopted EHRs.21 The program continues under the new title of “Promoting Interoperability Program,” which CMS adopted in April 2018.22
Risks of EHR Use
Evidence has highlighted substantial and often unexpected risks resulting from the use of EHRs.23 Products with poor information display and navigation can impede rather than facilitate providers’ work.24 Poor usability was highlighted as a major factor in user dissatisfaction.25 Clinicians reported increasing incidence of burnout as a result of EHR implementations, with one study finding that system complexity resulted in physicians spending two hours of computer work for every hour spent face-to-face with patients.26 Stress and burnout were often cited as unintended negative consequences of EHR adoption.27
Undoubtedly the more concerning risk of EHRs is the potential for patient harm. A year-long investigation by Fortune and Kaiser Health News “found that alarming reports of patient deaths, serious injuries, and near misses—thousands of them—tied to software glitches, user errors, or other flaws have piled up, largely unseen, in various government-funded and private repositories.”28 Poor EHR usability, for instance, can have a greater negative impact than user dissatisfaction. These computer systems can “have functional errors, be unreliable, user-unfriendly, ill-functioning, or the environment may not be properly prepared to accommodate [them] within the clinical working processes.”29 Software failures have led to radiation overdosing, inaccurate calculations of Down syndrome risk, and the incomplete barcoding of blood.30 Technology that was inadequately fault tolerant to human errors caused the wrong identification of patients, resulting in providing wrong treatment and erroneously removing patients from cancer screening programs, leading to preventable deaths.31 A recent study of pediatric medication errors found that 36 percent of patient safety reports identified EHR usability as a contributing factor, with nearly 19 percent of those potentially resulting in patient harm.32
Regulating Electronic Health Records
Patient safety risks related to EHR adoption and use have prompted calls for more effective EHR oversight and regulation.33 EHR systems are not subject to the careful regulatory oversight that the Food and Drug Administration (FDA) administers for life-critical medical devices.34 A 2008 law review article, published before the widespread adoption promoted by the HITECH Act, asserted that since individual patients’ lives and public health would increasingly depend on EHRs, these systems should be regulated much like other goods and services that impact public welfare.35
As the Obama administration was developing plans for the infusion of money to promote EHR adoption through the Meaningful Use Program, experts from the American Medical Informatics Association (AMIA) and other key health IT leaders met in Washington, D.C. to discuss implications for the health industry.36 Supportive of the goal of transitioning from paper to electronic records, the group remained concerned about the possible consequences of deploying the new technology so quickly.37 More importantly, they recognized the potential patient safety issue of even a tiny error or omission in the system and concluded that safety should be a top priority as the government allocated billions of dollars for these systems.38 The experts recommended regulatory changes that would include the creation of a national databank to track reports of deaths, injuries, and near misses linked to EHR issues.39
In 2011, the Institute of Medicine echoed concerns about patient safety, expressing that the lack of a central repository for reporting error-prone software, patient injuries, and deaths, combined with nondisclosure and confidentiality clauses in vendor contracts, “pose unacceptable risks to safety.”40 It strongly recommended that the federal government mandate that vendors report deaths, serious injuries, and unsafe conditions to a centralized, government-designated entity and that deidentified reports should be made available to the public.41 A concurrent law review article concluded that “manufacturers and users should be required to report all adverse events that are attributable, or possibly attributable, to EHR systems.”42
More recently, as effective regulation remains elusive, Raj Ratwani, Ph.D., lead author of the pediatric medication error study43 and director of the National Center on Human Factors in Healthcare, has become an outspoken champion for more effective regulation and transparency of EHRs.44 Through his research, he has documented new patterns of medical errors tied to EHRs that he believes are both perilous and preventable, concluding that “[t]he fact that we’re not able to broadcast that nationally and solve these issues immediately, and that another patient somewhere else may be harmed by the very same issue—that just can’t happen.”45
The following section presents the history of past and current attempts at federal regulation of EHR products and the industry.
Certification Commission for Health Information Technology
The first wave of EHR oversight came in the form of voluntary, industry-led self-governance. After President Bush’s call in 2004 for widespread adoption of EHRs, his administration appointed David Brailer, M.D. as the first “Health IT Czar.” Brailer called upon the private sector to create an independent, nonprofit group to test and certify EHR systems.46 Thus was born the Certification Commission for Healthcare Information Technology (CCHIT), established by three major health information organizations: the American Health Information Management Association, the Healthcare Information and Management Systems Society, and the National Alliance for Health Information Technology.47 By the end of 2005, CCHIT created a detailed set of criteria to certify EHR products, approved by a 21-member board of commissioners.48 EHR functionality, measured by over 300 criteria, was one element of certification.49 In its heyday from 2005 to 2010, CCHIT was considered the benchmark for EHR certification.50
Although CCHIT was the first successful voluntary evaluation process for EHRs, it did have a number of critics who cited several key issues: its close industry ties, adequacy of its measures and rigor in their measurement, and uncertain practical outcomes. One of the most vocal concerns was the closeness of CCHIT to the vendors it was certifying.51 Likewise, the composition of the CCHIT board of trustees and board of commissioners spurred concerns about conflicts of interest, since executives from several major EHR vendors served on these boards, including sitting as commissioners charged with formulating the very certification criteria to be used.52 With the adoption of a new certification regimen introduced by the HITECH Act, CCHIT formally ceased operations in 2014.53
HITECH Act and the “Meaningful Use Program”
As noted above, the HITECH Act of 2009 promoted the widescale implementation of EHRs across the United States by providing nearly $38 billion of federal incentive funding through the Meaningful Use Program. Incentive payments were made through Medicare and Medicaid programs to “eligible hospitals” and “eligible professionals,” who demonstrated they were “meaningful users” of “certified EHR technology.”54 The HITECH Act formally defined the term:
(1) CERTIFIED EHR TECHNOLOGY.—The term ‘certified EHR technology’ means a qualified electronic health record that is certified pursuant to section 3001(c)(5) as meeting standards adopted under section 3004 that are applicable to the type of record involved (as determined by the Secretary, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals).55
The HITECH Act charged the Department of Health and Human Services (HHS) with the responsibility to develop certification standards through two legislatively mandated committees: the HIT Policy Committee and the HIT Standards Committee.56 The Office of the National Coordinator for Health Information Technology (ONC), the successor to the Health IT Czar position, coordinated the standards development and certification process.57 ONC did not perform conformance testing or issue certifications itself, but rather collaborated with non-governmental organizations that it evaluated, approved, and authorized to perform these functions on its behalf.58
Officially, the certification program is “voluntary” for EHR vendors.59 The government, however, used its considerable power of healthcare financing to encourage adoption. The HITECH Act required eligible hospitals and eligible professionals to use “certified” systems as a participation criterion for incentive payments.60 Provider participation in the Meaningful Use Program demonstrated the force of market pressures for adoption: The current list of active certified health IT products and vendors, tested against the latest (2015 Edition Cures Update) standards, includes 611 distinct products from 436 vendors.61
The certification program had a number of flaws and gaps. A major concern, echoing the earlier complaint against CCHIT, was that the committees formulating EHR standards were mostly led by EHR vendor representatives.62 Other issues included (1) the standards were voluntary and too limited in scope related to an EHR’s technical complexity; (2) they did not address the core issue of interoperability; (3) certification was delegated entirely to the health IT industry; (4) certification bodies had too much discretion in certification and enforcement; and (5) standard enforcement was promulgated through financing systems (Medicare and Medicaid) rather than the regulation of a potentially harmful technology affecting the public.63
Regulating EHRs as Medical Devices
One refrain that recurred in articles on EHR regulation was the option to classify the software as a medical device and put it under the regulatory oversight of the FDA, an agency under HHS. Legal authority for FDA regulation comes from the Food, Drug, and Cosmetic (FD&C) Act, originally passed in 1938, to oversee the safety of those named classes of products.64 In 1976, Congress amended the FD&C Act to include oversight of medical devices, requiring manufacturers to register with the FDA and follow quality control procedures.65 The FD&C Act defines a medical device as:
[A]n instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.66
The law classified devices by their use in supporting or sustaining human life and risk of injury, establishing different requirements based on these classifications.67
There was much debate over whether EHRs qualify under the FD&C Act’s definition of “medical devices.”68 Historically, the agency avoided exercising control over these systems. In 1989, the FDA issued draft guidance that concluded it lacked regulatory authority over computer products intended for storage, retrieval, and dissemination of medical information.69 Furthermore, the Draft Software Policy, as it came to be known, denied authority over products that were “intended to involve competent human intervention before any impact on human health occurs.”70 It suggested that the risk to patient safety was lessened by the judgment and actions of the user, a clinical professional. The document unofficially established the FDA’s “noninterference policy” toward EHR regulation for over 15 years.71 The FDA officially withdrew it in 2005.72
In 2008, the FDA proposed a rule to expand regulation of medical device data systems (MDDSs), defined as “a device that electronically stores, transfers, displays, or reformats patient medical data.”73 While the Proposed Rule suggested it would not cover EHRs, the language was broad enough to elicit significant pushback from the health IT industry. The FDA never proceeded with the proposal. Soon thereafter, during hearings on the implementation of the HITECH Act, ONC’s National Coordinator David Blumenthal testified that in HHS’s view, EHRs did not qualify as medical devices.74
The 21st Century Cures Act
After a decade of widespread EHR deployment across hospitals and physician offices, regulating EHRs remained an important, yet incomplete, goal. Legal scholars, industry experts, medical professionals, and EHR users continued to call for more meaningful regulation to protect the public and healthcare providers who were investing in these systems.75 The topics garnering the most focus were improved interoperability and information access, EHR error reporting, and tighter control as medical devices. These issues ultimately were addressed in the 21st Century Cures Act of 2016 (Cures Act)76 and codified in HHS’s Final Rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.77
The Cures Act included two major sections enforcing exchange of and access to electronic patient data, under the headings of “Interoperability” and “Information Blocking.” The law defined interoperability as health IT that enables the secure exchange of information to allow complete access and use of all electronically accessible health information for authorized use.78 Information blocking is a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.79 To meet the requirements of the law, ONC enhanced its certification program requirements, as described in the Final Rule published in May 2020, and accordingly released the “2015 Edition Cures Update” measures.80
The Cures Act also established an EHR Reporting Program to provide publicly available, comparative information on certified health IT systems.81 The law directed ONC to seek stakeholder input on the mandated categories of security, usability and user-centered design, interoperability, conformance to certification testing, and other categories as appropriate.82 To carry out the provisions of the Cures Act, ONC contracted with the Urban Institute to develop and implement the reporting program.83 By late 2020, the program remained in development.84
The Cures Act did not call specifically for mandatory reporting of EHR errors or patient harm events, though advocates hoped that under its Transparent Reporting provision, a new requirement would emerge during the rulemaking and public comment phase.85 In the Final Rule, HHS summarized comments to its proposed rule calling for more action by ONC to ease and encourage reporting of health IT-related patient safety. The Final Rule fell short of FDA-like public reporting but did codify into law “unqualified protection” for any person or entity “[c]ommunicating information about adverse events, hazards, and other unsafe conditions to government agencies, health care accreditation organizations, and patient safety organizations.”86
Weighing in on the long debate on EHRs as medical devices, Congress chose not to take this tighter regulatory step. The Cures Act included a section entitled “Clarifying Medical Software Regulation,” which was regarded as a response to confusion created by the dormant 2008 FDA Proposed Rule to regulate health IT.87 The law narrowed FDA’s jurisdiction over medical software by amending the FD&C Act to remove categories of software from the definition of medical device, stating:
The term device…shall not include a software function that is intended … (C) to serve as electronic patient records, … so long as (i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such individuals.88
EHR Fraud Investigations, Settlements, and Corporate Integrity Agreements
Eight years after the passage of the HITECH Act, EHR use was commonplace across the United States.89 Yet while the objective was to reduce medical errors exacerbated by illegible paper records and mine rich medical datasets to drive down healthcare costs and improve disease treatment, EHR vendors reaped the rewards of the infusion of new government money.90 Some of them, however, allegedly gamed the system to their benefit.91 Over the last three years, the Department of Justice (DOJ) entered FCA settlement agreements totaling over $350 million with EHR vendors. Announcing the first major settlement in 2017, John O’Brien, senior counsel with the HHS Office of Inspector General (OIG), stated plainly, “We’re entering an entirely new area of health care fraud.”92 The following section summarizes the major EHR fraud investigations and their resolution, as applicable.
The journey to the largest FCA settlement in the federal District of Vermont93 began with the filing of a medical malpractice lawsuit against Stowe Family Practice. Because the clinic is a Federally Qualified Health Center, the suit was brought against the United States and defended by the U.S. Attorney’s Office in Burlington.94 Annette Monachelli, wife of the plaintiff, sought care for severe headaches in late 2012 and within two months had died of a brain aneurysm.95 The physician had ordered a CT scan of the patient’s head, but the order was not delivered.96
The assistant U.S. attorney began investigating the clinic’s EHR, created by eClinicalWorks (eCW), headquartered in Westborough, Massachusetts.97 He soon uncovered a number of complaints suggesting “the company’s technology didn’t work quite like it said it did.”98 The most critical evidence surfaced in a dormant whistleblower claim filed in 2011 by Brendan Delaney, a former British police officer.99 Delaney worked at the time for New York City to help the implementation of an eCW EHR system at Rikers Island jail and found numerous software malfunctions.100 He left the project and joined an EHR consulting company and continued to see errors in other implementations; he took meticulous notes and saved screenshots over a two-year period.101
Ultimately, the U.S. government intervened in the qui tam lawsuit, using the legal claim that eCW had violated the FCA through alleged misrepresentations under the Meaningful Use Program.102 In its complaint-in-intervention, the government contended that eCW falsely obtained certification for its EHR software when it concealed that it did not comply with all requirements for certification.103 For example, it modified the software to appear to process drug codes rather than programming the actual functionality.104 As a result of the deficiencies in its software, eCW also caused the submission of false claims for Meaningful Use payments based on the use of eCW’s software.105 eCW paid $155 million to settle the lawsuit.
As part of the overall resolution to the case, eCW also entered into a “first-of-its-kind”106 Corporate Integrity Agreement (CIA) with the OIG, which outlined 13 specific obligations that eCW must meet during its five-year term.107 Specific to the allegations of faulty software code and certification violations, eCW must retain an independent Software Quality Oversight Organization (SQOO) approved by the OIG to monitor its software quality control systems and report semi-annually to the OIG.108 The CIA compelled eCW to report transparently “on its customer portal, in a clear and conspicuous manner, a current and comprehensive list of all Patient Safety Issues” and to include the nature of the issue, how eCW was addressing the issue, and actions that users should take to mitigate risks before the issue was remediated.109 It also stipulated that eCW cannot restrict customers from reporting and discussing EHR software problems in any forum.110 These reporting measures extended further than any regulatory obligation in force in the EHR industry at the time.
A year after the agreement, issues appeared to continue. eCW customers complained that faulty software remained a problem and that the vendor had not complied with the terms of the CIA.111 One physician user stated plainly:
They are required to do root cause analysis, fix underlying problems, report to the Office of the Inspector General. None of that is happening in our experience. . . . There’s no way they’re complying. Our own government settled with eCW over software issues that didn’t get fixed and the government got $125 million out of this — but what about the users? What about us? The rest of us are out in the cold.112
The government fined eCW $132,500 in July 2018 for failure to comply with its obligation under the CIA to report patient safety issues in a timely manner.113 The software company explained that the penalty related to software issues that did not lead to serious harm or death but were not reported within the prescribed timeframe, and to its failure to report those issues to the SQOO as well.114
On February 6, 2019, the DOJ announced that a second EHR vendor entered into a settlement agreement.115 Greenway Health, LLC, a Tampa, Florida-based EHR developer, agreed to pay $57.25 million116 to settle allegations that the company misrepresented its Prime Suite software’s capabilities, leading customers to submit false claims to the federal government under the Meaningful Use Program.117 It is notable that, unlike the eCW lawsuit, the Greenway case was not initiated by a qui tam relator, but pursued by DOJ directly.118 An assistant U.S. attorney plainly stated, “This resolution demonstrates our continued commitment to pursue EHR vendors who misrepresent the capabilities of their products, and our determination to promote public health while holding accountable those who seek to abuse the government’s trust.”119
The DOJ asserted that Greenway falsely obtained certification for its Prime Suite product when it concealed from its certifying entity that the software did not fully comply with the requirements for certification.120 The product did not fully incorporate the standardized clinical terminology necessary for the exchange of patient information and accuracy of electronic prescriptions.121 Greenway also deceived the certification agent by coding its test-run software to produce false results that made it appear that Prime Suite could use the requisite clinical vocabulary.122 Additionally, the software overcalculated a meaningful use measure resulting in false attestations by users, but Greenway intentionally did not correct the known code error, allowing users to continue receiving unearned incentive payments.123 The investigation uncovered a significant amount of internal emails, highlighted in the government’s complaint, that referenced fraudulent activities. In one message, an employee called the plan for passing the test as “not truely [sic] honest lol.”124
Under the terms of the deal, Greenway also entered into a five-year CIA with the OIG, with requirements similar to those imposed on eCW.125 “What were novel requirements in 2017 appear to have become the standard when OIG imposes CIA obligations on EHR vendors in connection with these types of cases.”126 Reflecting the focus on the patient safety concerns relating to EHR fraud, the CIA required Greenway to provide prompt notice to its customers of any patient safety-related issues and maintain on its customer portal a comprehensive list of such issues and any steps users should take to mitigate potential patient safety risks.127
Practice Fusion, a California-based EHR vendor used by 30,000 medical practices,128 became the third EHR vendor in three years alleged to defraud the federal government by falsifying the software’s ability to meet ONC certification criteria. Founded in 2005, it was acquired in 2018 by Allscripts, Inc., a competitor EHR vendor headquartered in Illinois, at a “fire sale” price of $100 million.129 Allscripts had originally offered $250 million to acquire the company, but about a year before the purchase, the fact that the DOJ had started an investigation into how Practice Fusion received its software certification became known.130
On January 27, 2020, the DOJ announced that Practice Fusion would pay $145 million to resolve civil and criminal investigations relating to its EHR software.131 In what was becoming a common refrain, the government’s civil complaint included claims that Practice Fusion knowingly represented that its software met certification program requirements for patient information sharing when it did not.132 After receiving certification, the vendor disabled the non-functional feature, though eligible professionals continued to attest for Meaningful Use incentive payments from 2014 to 2017 for use of the software.133
The admission of criminal liability and payment of fines therefor was a unique feature of the Practice Fusion settlement. The vendor admitted that it solicited and received nearly $1 million in illegal kickbacks from a “major opioid company” to create a clinical decision support alert to promote increased prescribing of extended release opioids.134 A key factor in the government’s case was the involvement of the drug company’s marketing department in the design of the alert.135
Practice Fusion entered into a Deferred Prosecution Agreement (DPA) with the government to resolve all civil and criminal complaints.136 Rather than executing a separate CIA with the OIG, the DOJ attached a Letter Agreement as Exhibit G to the DPA which included specific “Health IT Functionality and Compliance Terms.”137 Under the terms, Practice Fusion agreed to fix and re-certify its software and to post on its customer portal a comprehensive “bug list” relating to certification capabilities and patient safety.138 Similar to the CIAs for eCW and Greenway, the DPA also required Practice Fusion to identify and publicly report any issues impacting patient safety.139
On August 27, 2020, a fourth EHR vendor settled a lawsuit alleging false claims of EHR compliance under the certification program. Konica Minolta Healthcare Americas Inc., based in Wayne, New Jersey, agreed to pay $500,000 to resolve the allegations against its former subsidiary, Viztek LLC.140 Like the eCW case, the civil action against Viztek started as a whistleblower action under the FCA, initially filed in 2017 by Leighsa Wilson, a former employee of the company and project manager for its EHR project.141 The complaint alleged that the company founder pressured employees to achieve certification by any means while he was negotiating the sale of the privately held company to Konica Minolta.142 Certification testing succeeded only because the software was manually adjusted to make it appear capable of performing the required functions.143 The settlement agreement simply required the payment of $500,000; the company was defunct and Viztek EHR software was no longer on the market.
Novel Government Intervention in EHRs
Following the notoriety of the eCW case in 2017, industry leaders and watchers began wondering about the broader implications for EHR vendors and EHR regulation in general.144 At the time, the health IT industry took note of the size and scope of the settlement and speculated that it may not be a singular incident.145 Jeffrey Smith, vice president of public policy at AMIA, said, “I think we will learn more over the coming weeks and months about just how pervasive this kind of activity may well be.”146
What ultimately emerged from these four EHR fraud cases was a picture of an underlying problem with certification and a broader issue with EHR regulation. AMIA vice president Smith cautioned, “When you peel back the layers of the onion a little bit, what you find is that this case sheds light on genuine deficiencies in the current certification program, and it details the many ways that risks to patient safety can arise when software is not developed properly or when it’s not implemented or used properly.”147 Meaningful use certification was “essentially an open-book test” in which ONC provided vendors “the questions in advance,” such as the names of the 16 drugs the system would have to prescribe electronically.148
This section analyzes the government’s civil and criminal actions to uncover and address EHR problems and their patient safety implications. It starts with a review of the legal framework of false claims, federal health program exclusion, CIAs, and DPAs. The DOJ and the OIG have employed these tools in an approach to promote compliance and public safety. The second part assesses the gaps in the EHR regulatory framework that were addressed, not through comprehensive reform of regulation, but instead through the piecemeal litigation against individual alleged wrongdoers.
False Claims Act
The FCA was enacted during the Civil War to prevent and resolve rampant fraud on the government perpetrated by army contractors.149 The FCA imposes civil liability on any person who (1) knowingly presents, or causes to be presented, to an officer, employee, or agent of the United States a false or fraudulent claim for payment or approval; and (2) knowingly makes, uses, or causes to be made or used a false record or statement material to a false or fraudulent claim.150 The FCA defines a "claim" to include "any request or demand, whether under a contract or otherwise, for money or property and whether or not the United States has title to the money or property that (i) is presented to an officer, employee, or agent of the United States; or (ii) is made to a contractor, grantee, or other recipient, if the money or property is to be spent or used on the Government's behalf or to advance a Government program or interest …."151 The FCA does not require proof of specific intent to defraud.152 Any person who violates the law is liable for a mandatory civil penalty for each such claim, plus three times the damages sustained by the government.153
The government's primary civil tool for addressing healthcare fraud is the FCA.154 The healthcare industry relies extensively on government funds to reimburse it for services rendered, so every time a provider submits a claim for reimbursement to Medicare or Medicaid, it risks violating provisions of the FCA.155 Each bill constitutes a separate claim under the FCA, so the penalties could easily become very severe.156 Of the $3.1 billion recovered through FCA in fiscal year 2019, $2.6 billion came from cases involving HHS.157
Federal Healthcare Program Exclusion Authority
Section 1128 of the Social Security Act establishes a formal regimen for mandatory and permissive exclusion of individuals and entities from participation in Medicare and Medicaid.158 Congress first enacted the exclusion provision in 1977 as part of the Medicare-Medicaid Anti-Fraud and Abuse Amendments159 and mandated the exclusion of physicians and other practitioners convicted of program-related crimes.160
An exclusion by the OIG prohibits any payment from a federally sponsored healthcare program for any items or services furnished, ordered, or prescribed by the excluded individual or entity.161 The law also prohibits any contracting with an excluded entity to furnish services in connection with a federal healthcare program or beneficiary,162 such as an EHR vendor selling to a hospital or physician practice if the provider received Medicare or Medicaid reimbursement. The broad payment prohibition applies not just to the excluded entity directly, but also indirectly to anyone who contracts with the excluded entity, effectively preventing the excluded entity from operating in the healthcare industry.163 The exclusion is enforceable regardless of who submitted healthcare claims to the government and applies to all administrative and management services furnished by the excluded person.164 In a list of examples that would violate an exclusion if provided by an excluded party, the OIG included “[i]tems … sold by an excluded manufacturer … used in the care or treatment of beneficiaries and reimbursed, directly or indirectly, by a Federal health care program.”165 Therefore, an excluded EHR vendor effectively could not sell products or services in the healthcare marketplace.
Section 1128 outlines both mandatory and permissive exclusions.166 A mandatory exclusion results from certain enumerated felonies, such as a criminal conviction for healthcare fraud.167 Less serious offenses, including reckless submission of false claims for Medicare reimbursement, trigger the OIG’s permissive exclusion authority.168 Permissive exclusions are those that the OIG has discretion to pursue but is not compelled to impose.169 The OIG makes a determination based on the risks of allowing the individual or entity to continue to participate in federal healthcare programs.170 Specific to fraud and false claims, Section 1128(b)(7) provides that “the Secretary may exclude … from participation in any Federal health care program … any individual or entity that has been convicted … of a criminal offense consisting of a misdemeanor relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct.”171
Exclusion from participation in federally funded healthcare programs is “without question, OIG’s nuclear option.”172 The OIG has been clear that exclusion of an individual or entity means that no organization receiving federal dollars can pay for any items or services furnished by an excluded entity.173 Accordingly, FCA actions relating to healthcare fraud often end in settlements, since the exclusion penalty is truly “devastating.”174
OIG Corporate Integrity Agreements
The OIG negotiates CIAs with healthcare providers and other entities as a component of settlements arising under a variety of civil false claims statutes.175 Most frequently, the OIG agrees as part of an FCA settlement agreement not to seek permissive exclusion in exchange for an organization’s willingness to enter into a CIA to resolve certain matters and to set the provider or company “on the right path to compliance.”176 The typical term is five years.177
The OIG evaluates healthcare fraud cases on a continuum of future risk to the federal healthcare programs and administrative response.178 Based on the information it gathers in an FCA investigation, OIG guidance calls for assessing the trustworthiness of the settling parties to decide whether an exclusion is appropriate or to take other action.179 The government often concludes that exclusion is not necessary if the entity agrees to appropriate integrity obligations.180 CIAs strongly enhance the OIG’s ongoing and in-depth oversight of the settling party.181
The OIG routinely imposes CIAs in healthcare fraud settlements.182 Because healthcare is a heavily regulated industry that relies substantially on government funds, HHS’s power over it is enormous.183 “Given this imbalance of power, health care providers have little choice but to agree to CIAs containing even the most onerous of terms in their settlement of suits.”184 The burdens can be significant, even unfavorable to an entity, but they are developed through settlement negotiations and outside of review by a court of law.185 Facing the risk of heavy fines for FCA violations and/or the threat of federal healthcare program exclusion, an organization has little bargaining power to change unfavorable terms.186 The conclusion in a seminal law review article on the topic was stark:
The imposition of Corporate Integrity Agreements, a sanction originally available as a penalty in criminal prosecutions, is problematic when utilized as a penalty in civil actions. Such agreements subject corporations to expanded liability and onerous terms that may not be in the best interests of the company’s shareholders, the industry, or the public.187
DOJ Deferred Prosecution Agreement
In a criminal case, attorneys in the DOJ have the option to enter non-prosecution agreements and DPAs, as outlined in the Justice Manual, Title 9, 9-28.000 Principles of Federal Prosecution of Business Organizations.188 DPAs can restore the integrity of a company's operations and preserve the financial viability of a corporation that has engaged in criminal conduct, while retaining the government's ability to prosecute a recalcitrant corporation that materially breaches the agreement.189 Generally, criminal settlement agreements for corporations include four main elements: an admission of facts, an agreement of cooperation, a specified duration for the agreement, and an agreement to monetary and non-monetary sanctions.190
Like CIAs, DPAs are not overseen by a court of law, since they are not filed in a court.191 Scholars have raised concerns about prosecutorial discretion, with authority that “turn[s] the prosecutor into judge and jury.”192 On the other hand, their use has the potential benefit of pursuing corporate reforms under strict oversight in lieu of criminal prosecution and the risk of putting them out of business.193
Litigation as a Piecemeal Way to Regulation
In the recent string of EHR fraud cases, the government appeared to employ all of the legal tools to achieve its goals: allegations of FCA violation, risk of federal healthcare program exclusion, and execution of CIAs or DPAs. As a basis for legal action, the complaints filed by the United States against the four EHR vendors all alleged violations of the FCA, including both for their own false statements to achieve certification and for causing eligible hospitals and/or eligible professionals to present false claims for Meaningful Use Program incentive payments. The complaints all sought the maximum amount of the United States’ damages, trebled as required by law, and all appropriate civil penalties. In the case of Practice Fusion, the additional allegation of criminal kickback payments heightened the stakes. Thus, the government set the strong legal foundation for the settlement processes.
Through the use of CIAs with eCW and Greenway and the DPA with Practice Fusion,194 the government introduced regulatory-like authority and active engagement in EHR software development and patient safety reporting that was fundamentally different—and more aggressive—than the voluntary certification program. The remainder of this section will highlight conflicts between existing regulatory requirements and settlement-related obligations.
Reporting EHR-Related Patient Safety Issues
As noted above, EHR experts and advocates have long called for the development of a comprehensive patient safety reporting and review system.195 Progress stalled “because manufacturers of electronic health records (EHRs), health care providers, federal health care policy wonks, academics and Congress have either blocked the effort or fought over how to do it properly.”196 In 2015, ONC released a road map to launch a “Health IT Safety Center” that would include a neutral site to improve the safety of the technology.197 Over the subsequent few years, members of Congress challenged the government’s authority to create it and later declined to fund it.198 The latest development for transparent reporting under regulation to comply with the Cures Act does not include patient safety information. What legislators in Congress and regulators at ONC failed to do regarding reporting of patient safety issues, the DOJ and the OIG took steps to establish in settlement agreements, CIAs and DPAs. While such obligations only pertain to the respective vendors and only narrowly require them to disclose to current customers on the vendors’ websites, they may serve as a starting point for more meaningful reporting and transparency.
Software Quality Assurance and Oversight
The current certification program requirements for software quality require EHR vendors to identify a Quality Management System (QMS) used in the development, testing, implementation, and maintenance for its software.199 The certification testing process solely confirms that the vendor’s self-disclosed QMS is one recognized by the government.200 This regimen had many critics for its lax requirements and flaws, and attention to underlying problems intensified after the publicity of the recent EHR fraud cases.201 It is noteworthy that only 30 certified EHR products (less than two percent) are currently flagged for corrective action due to non-conformities and ONC has decertified only five products.202 ONC’s philosophy has been to work with vendors to address problems rather than decertify products, acknowledging the negative impact to users if their products faced decertification.203
In contrast, possibly just down the hall from the hospital’s EHR data center, the software that operates medical devices, such as the code that controls magnetic resonance imaging (MRI) machines, is subject to considerable scientific review by the FDA.204 FDA regulations also require medical device software manufacturers to adhere to formal software validation procedures and processes.205 The agency originally promulgated the rigid rules in 1999, and reaffirmed them in 2002, after a review of medical device recalls showed that about eight percent were due to software failures and nearly 80 percent of those involved software changes after initial FDA certification.206 The guidance included effective use of software development standards and practices.207
In the last three years, the DOJ and the OIG, wielding their enforcement powers, have required three EHR vendors to engage independent review organizations to actively monitor software development quality. As with patient safety reporting, the litigation-related settlements fall short of the type of FDA review required by medical devices, but extend the government’s reach into EHR software development.
Recommendations For More Effective EHR Regulation
As presented above,208 the EHR industry has become subject to government regulation and oversight to promote software quality and patient safety through two diametrically divergent paradigms: the voluntary certification program of the HITECH Act on one end and fraud-fueled settlements (two CIAs and one DPA) with harsh compliance provisions on the other. Of the 436 active EHR vendors, the DOJ accused three of fraudulent acts and then subjected them to agreements aimed at ensuring quality software to protect and enhance patient safety; the other 433 EHR vendors continue to operate under a voluntary system without mandatory patient safety issue reporting or validated software quality programs. An important philosophical question to answer is whether the government’s methods—voluntary industry-wide regulation and piecemeal vendor-specific legal settlements—are most effective and appropriate to protect public welfare.
It is debatable whether any level of regulation can ever be effective in preventing deceit and fraud, and cases of intentional falsification ought to be rare. The government’s recourse to criminal prosecution and civil action under the FCA remains a viable threat for the most extraordinary circumstances. The severe penalty of federal health program exclusion should also be a strong deterrent. Identifying and prosecuting the most extreme cases has been bolstered by the whistleblower provisions of the FCA. Over the last three years, these legal tools have been employed in what hopefully are outlier cases of alleged malfeasance in the EHR industry, independent of a stronger regulatory framework.
More sensible and effective regulation could help promote the laudable goals of patient safety and end-user value, landing at the right point between the current extremes of government intervention in the industry. Congress should establish more formal regulation, whether as a new law or amendment of the HITECH Act that established the current voluntary system or the Cures Act that addressed some of its gaps.
First, certification of EHRs should be mandatory and overseen by ONC. While the current voluntary system in effect requires EHR vendors to sell certified products to hospitals and physicians that seek reimbursement benefits from Medicare and Medicaid, a mandatory regulatory structure would signal government interest in protecting public welfare.
Second, Congress should authorize and fund ONC to develop a system for public reporting of suspected and actual medical errors that were caused or exacerbated by EHR systems. The Health IT Safety System explored by ONC in 2015 may be a starting point. The goals should be that users can learn from and avoid errors, vendors can be made aware of and accountable for problems in software or its (mis)configuration, and patients can be safer.
Third, to promote software quality before a bug results in harm, EHR certification should include a requirement that the EHR vendor actively implement and monitor adherence to a QMS, using professionally recognized standards and practices in software development, quality assurance, and risk management. ONC should modify the certification program testing to enhance its rigor beyond simply ensuring that the vendor’s self-reported standard is government-recognized. Instead, vendors should maintain documentation of the program that is available for review by certification bodies. A trend of reported bugs or, worse, medical errors should trigger a deeper review to assess the vendor’s practices of quality software design, development, and testing, potentially resulting in a non-conformance finding or decertification.
These straightforward legislative and/or regulatory changes could ease health providers’ and the public’s concerns about the EHR mistakes and fraud that have rocked the industry over the past few years. They do not extend to the whole industry the harsher control mechanisms that the government compelled individual vendors to follow under civil and criminal enforcement action, but they maintain and extend sensible mandates of error reporting and software quality management.
Over the past three years, the EHR industry has taken great notice of landmark settlements with the DOJ and the OIG exceeding $350 million to resolve allegations of FCA violations and other illegal activity that risked the integrity of the Meaningful Use incentive payment program and patient safety. Under threat of civil and criminal prosecution for false claims and the mandatory exclusion “nuclear option,” EHR vendors entered into extensive agreements with the government. These agreements extended the government’s oversight of EHR products and their respective vendors far above the current scope of voluntary regulation in the field, which has been criticized as inadequate in light of the risk of harm to public safety.
An effective mandatory regulatory paradigm can and should be established that falls between the weak, voluntary program established by the HITECH Act and the rigorous oversight that defrauding vendors agreed to in their settlement of federal lawsuits. It can promote software quality management as a requirement for vendors to certify a product for use in U.S. healthcare and public reporting of EHR errors for transparency, accountability and—ideally—public safety. After all, public safety and optimal health are the core aims of a great EHR.