Regulating Electronic Health Records Through the "Nuclear" Threat and Other Enforcement Options: Federal Government Actions to Compel EHR Industry Changes

The rapid deployment of advanced technology and availability of massive capital investment created opportunities for major improvement in healthcare effectiveness and efficiency, but also introduced risks of unintended consequences, the worst being patient harm and fraudulent behavior.  Since 2017, the healthcare industry has been rocked by news of large financial settlements between EHR vendors and the federal government to resolve litigation alleging fraud and subsequent patient safety problems.

This article dives into the topic of EHR regulation and how settlement agreements have allowed the legal representatives of the U.S. government to compel actions that Congress and the regulatory agencies have failed to do.  It provides a background to the topic, including a history of EHRs and their regulation.  The article then presents the cases of four EHR vendors who have been sued in federal court for False Claims Act (FCA) violations and other unlawful activities.  The article describes the novel government approach to EHR oversight, including examining the legal foundation and showing how the litigation-related methods differ starkly from existing regulatory framework.  It then presents recommendations for more effective EHR regulation.

Background

History of the Electronic Health Record

An EHR is a system of “electronically maintained information about an individual’s lifetime health status and health care, stored such that it can serve…multiple legitimate users.”⁵  The following functions are essential for a basic EHR: health information and data, results management, order entry and management, decision support, electronic communication, and connectivity.⁶  The EHR can also perform important support functions, such as patient management and administrative process automation.⁷  Advanced functionality includes interoperability and the exchange of information.⁸

EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users.⁹  While both paper and electronic records include key patient data, such as history, medications, allergies, and laboratory test results, EHRs include software features that automate and streamline provider workflow and provide evidence-based tools to help providers make decisions about a patient’s care.¹⁰  EHR systems can reduce medical errors and improve patient safety, especially through built-in decision support features.¹¹

Promoting Adoption

President George W. Bush set out a vision for nationwide adoption in his 2004 State of the Union Address.  “By computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care.”¹²  His administration developed a plan to ensure that the technology covered most Americans within 10 years.¹³  Despite ambitious goals, a study published in 2009 in the New England Journal of Medicine reported that only four percent of physician practices and 1.5 percent of hospitals had adopted a fully functional EHR system.¹⁴

Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA),¹⁵ aimed to address the financial and technological barriers that providers said prevented EHR adoption.¹⁶  Most importantly, the HITECH Act authorized the Centers for Medicare & Medicaid Services (CMS) to award financial incentives to health providers through Medicare and Medicaid payments in a program called the “Meaningful Use Program” or “EHR Incentive Program.”¹⁷  To date, the program has allocated at least $38 billion in incentive payments.¹⁸  The financial incentives did result in significant growth in the meaningful use of EHRs across physicians’ offices and hospitals.  Nearly 500,000 physicians received incentive payments¹⁹ and 82 percent of office-based physicians had some level of EHR support by 2014.²⁰  By 2019, 96 percent of hospitals had adopted EHRs.²¹  The program continues under the new title of “Promoting Interoperability Program,” which CMS adopted in April 2018.²²

Risks of EHR Use

Evidence has highlighted substantial and often unexpected risks resulting from the use of EHRs.²³  Products with poor information display and navigation can impede rather than facilitate providers’ work.²⁴  Poor usability was highlighted as a major factor in user dissatisfaction.²⁵ Clinicians reported increasing incidence of burnout as a result of EHR implementations, with one study finding that system complexity resulted in physicians spending two hours of computer work for every hour spent face-to-face with patients.²⁶  Stress and burnout were often cited as unintended negative consequences of EHR adoption.²⁷

Undoubtedly the more concerning risk of EHRs is the potential for patient harm.  A year-long investigation by Fortune and Kaiser Health News “found that alarming reports of patient deaths, serious injuries, and near misses—thousands of them—tied to software glitches, user errors, or other flaws have piled up, largely unseen, in various government-funded and private repositories.”²⁸  Poor EHR usability, for instance, can have a greater negative impact than user dissatisfaction.  These computer systems can “have functional errors, be unreliable, user-unfriendly, ill-functioning, or the environment may not be properly prepared to accommodate [them] within the clinical working processes.”²⁹ Software failures have led to radiation overdosing, inaccurate calculations of Down syndrome risk, and the incomplete barcoding of blood.³⁰  Technology that was inadequately fault tolerant to human errors caused the wrong identification of patients, resulting in providing wrong treatment and erroneously removing patients from cancer screening programs, leading to preventable deaths.³¹ A recent study of pediatric medication errors found that 36 percent of patient safety reports identified EHR usability as a contributing factor, with nearly 19 percent of those potentially resulting in patient harm.³²

Regulating Electronic Health Records

Patient safety risks related to EHR adoption and use have prompted calls for more effective EHR oversight and regulation.³³  EHR systems are not subject to the careful regulatory oversight that the Food and Drug Administration (FDA) administers for life-critical medical devices.³⁴  A 2008 law review article, published before the widespread adoption promoted by the HITECH Act, asserted that since individual patients’ lives and public health would increasingly depend on EHRs, these systems should be regulated much like other goods and services that impact public welfare.³⁵

As the Obama administration was developing plans for the infusion of money to promote EHR adoption through the Meaningful Use Program, experts from the American Medical Informatics Association (AMIA) and other key health IT leaders met in Washington, D.C. to discuss implications for the health industry.³⁶ Supportive of the goal of transitioning from paper to electronic records, the group remained concerned about the possible consequences of deploying the new technology so quickly.³⁷  More importantly, they recognized the potential patient safety issue of even a tiny error or omission in the system and concluded that safety should be a top priority as the government allocated billions of dollars for these systems.³⁸  The experts recommended regulatory changes that would include the creation of a national databank to track reports of deaths, injuries, and near misses linked to EHR issues.³⁹

In 2011, the Institute of Medicine echoed concerns about patient safety, expressing that the lack of a central repository for reporting error-prone software, patient injuries, and deaths, combined with nondisclosure and confidentiality clauses in vendor contracts, “pose unacceptable risks to safety.”⁴⁰  It strongly recommended that the federal government mandate that vendors report deaths, serious injuries, and unsafe conditions to a centralized, government-designated entity and that deidentified reports should be made available to the public.⁴¹  A concurrent law review article concluded that “manufacturers and users should be required to report all adverse events that are attributable, or possibly attributable, to EHR systems.”⁴²

More recently, as effective regulation remains elusive, Raj Ratwani, Ph.D., lead author of the pediatric medication error study⁴³ and director of the National Center on Human Factors in Healthcare, has become an outspoken champion for more effective regulation and transparency of EHRs.⁴⁴  Through his research, he has documented new patterns of medical errors tied to EHRs that he believes are both perilous and preventable, concluding that  “[t]he fact that we’re not able to broadcast that nationally and solve these issues immediately, and that another patient somewhere else may be harmed by the very same issue—that just can’t happen.”⁴⁵

The following section presents the history of past and current attempts at federal regulation of EHR products and the industry.

Certification Commission for Health Information Technology

The first wave of EHR oversight came in the form of voluntary, industry-led self-governance.  After President Bush’s call in 2004 for widespread adoption of EHRs, his administration appointed David Brailer, M.D. as the first “Health IT Czar.”  Brailer called upon the private sector to create an independent, nonprofit group to test and certify EHR systems.⁴⁶  Thus was born the Certification Commission for Healthcare Information Technology (CCHIT), established by three major health information organizations: the American Health Information Management Association, the Healthcare Information and Management Systems Society, and the National Alliance for Health Information Technology.⁴⁷  By the end of 2005, CCHIT created a detailed set of criteria to certify EHR products, approved by a 21-member board of commissioners.⁴⁸  EHR functionality, measured by over 300 criteria, was one element of certification.⁴⁹  In its heyday from 2005 to 2010, CCHIT was considered the benchmark for EHR certification.⁵⁰

Although CCHIT was the first successful voluntary evaluation process for EHRs, it did have a number of critics who cited several key issues: its close industry ties, adequacy of its measures and rigor in their measurement, and uncertain practical outcomes.  One of the most vocal concerns was the closeness of CCHIT to the vendors it was certifying.⁵¹ Likewise, the composition of the CCHIT board of trustees and board of commissioners spurred concerns about conflicts of interest, since executives from several major EHR vendors served on these boards, including sitting as commissioners charged with formulating the very certification criteria to be used.⁵² With the adoption of a new certification regimen introduced by the HITECH Act, CCHIT formally ceased operations in 2014.⁵³

HITECH Act and the “Meaningful Use Program”

As noted above, the HITECH Act of 2009 promoted the widescale implementation of EHRs across the United States by providing nearly $38 billion of federal incentive funding through the Meaningful Use Program.  Incentive payments were made through Medicare and Medicaid programs to  “eligible hospitals” and “eligible professionals,” who demonstrated they were “meaningful users” of “certified EHR technology.”⁵⁴  The HITECH Act formally defined the term:

(1) CERTIFIED EHR TECHNOLOGY.—The term ‘certified EHR technology’ means a qualified electronic health record that is certified pursuant to section 3001(c)(5) as meeting standards adopted under section 3004 that are applicable to the type of record involved (as determined by the Secretary, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals).⁵⁵

The HITECH Act charged the Department of Health and Human Services (HHS) with the responsibility to develop certification standards through two legislatively mandated committees: the HIT Policy Committee and the HIT Standards Committee.⁵⁶  The Office of the National Coordinator for Health Information Technology (ONC), the successor to the Health IT Czar position, coordinated the standards development and certification process.⁵⁷  ONC did not perform conformance testing or issue certifications itself, but rather collaborated with non-governmental organizations that it evaluated, approved, and authorized to perform these functions on its behalf. ⁵⁸

Officially, the certification program is “voluntary” for EHR vendors.⁵⁹ The government, however, used its considerable power of healthcare financing to encourage adoption.  The HITECH Act required eligible hospitals and eligible professionals to use “certified” systems as a participation criterion for incentive payments.⁶⁰  Provider participation in the Meaningful Use Program demonstrated the force of market pressures for adoption: The current list of active certified health IT products and vendors, tested against the latest (2015 Edition Cures Update) standards, includes 611 distinct products from 436 vendors.⁶¹

The certification program had a number of flaws and gaps.  A major concern, echoing the earlier complaint against CCHIT, was that the committees formulating EHR standards were mostly led by EHR vendor representatives.⁶²   Other issues included (1) the standards were voluntary and too limited in scope related to an EHR’s technical complexity; (2) they did not address the core issue of interoperability; (3) certification was delegated entirely to the health IT industry; (4) certification bodies had too much discretion in certification and enforcement; and (5) standard enforcement was promulgated through financing systems (Medicare and Medicaid) rather than the regulation of a potentially harmful technology affecting the public.⁶³

Regulating EHRs as Medical Devices

One refrain that recurred in articles on EHR regulation was the option to classify the software as a medical device and put it under the regulatory oversight of the FDA, an agency under HHS.  Legal authority for FDA regulation comes from the Food, Drug, and Cosmetic (FD&C) Act, originally passed in 1938, to oversee the safety of those named classes of products.⁶⁴  In 1976, Congress amended the FD&C Act to include oversight of medical devices, requiring manufacturers to register with the FDA and follow quality control procedures.⁶⁵ The FD&C Act defines a medical device as:

[A]n instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.⁶⁶

The law classified devices by their use in supporting or sustaining human life and risk of injury, establishing different requirements based on these classifications.⁶⁷

There was much debate over whether EHRs qualify under the FD&C Act’s definition of “medical devices.”⁶⁸  Historically, the agency avoided exercising control over these systems.  In 1989, the FDA issued draft guidance that concluded it lacked regulatory authority over computer products intended for storage, retrieval, and dissemination of medical information.⁶⁹  Furthermore, the Draft Software Policy, as it came to be known, denied authority over products that were “intended to involve competent human intervention before any impact on human health occurs.”⁷⁰  It suggested that the risk to patient safety was lessened by the judgment and actions of the user, a clinical professional.   The document unofficially established the FDA’s “noninterference policy” toward EHR regulation for over 15 years.⁷¹  The FDA officially withdrew it in 2005.⁷²

In 2008, the FDA proposed a rule to expand regulation of medical device data systems (MDDSs), defined as “a device that electronically stores, transfers, displays, or reformats patient medical data.”⁷³  While the Proposed Rule suggested it would not cover EHRs, the language was broad enough to elicit significant pushback from the health IT industry.  The FDA never proceeded with the proposal.  Soon thereafter, during hearings on the implementation of the HITECH Act, ONC’s National Coordinator David Blumenthal testified that in HHS’s view, EHRs did not qualify as medical devices.⁷⁴

The 21^st Century Cures Act

After a decade of widespread EHR deployment across hospitals and physician offices, regulating EHRs remained an important, yet incomplete, goal.  Legal scholars, industry experts, medical professionals, and EHR users continued to call for more meaningful regulation to protect the public and healthcare providers who were investing in these systems.⁷⁵  The topics garnering the most focus were improved interoperability and information access, EHR error reporting, and tighter control as medical devices.  These issues ultimately were addressed in the 21^st Century Cures Act of 2016 (Cures Act)⁷⁶ and codified in HHS’s Final Rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.⁷⁷

The Cures Act included two major sections enforcing exchange of and access to electronic patient data, under the headings of “Interoperability” and “Information Blocking.”  The law defined interoperability as health IT that enables the secure exchange of information to allow complete access and use of all electronically accessible health information for authorized use.⁷⁸ Information blocking is a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.⁷⁹  To meet the requirements of the law, ONC enhanced its certification program requirements, as described in the Final Rule published in May 2020, and accordingly released the “2015 Edition Cures Update” measures.⁸⁰

The Cures Act also established an EHR Reporting Program to provide publicly available, comparative information on certified health IT systems.⁸¹  The law directed ONC to seek stakeholder input on the mandated categories of security, usability and user-centered design, interoperability, conformance to certification testing, and other categories as appropriate.⁸²  To carry out the provisions of the Cures Act, ONC contracted with the Urban Institute to develop and implement the reporting program.⁸³  By late 2020, the program remained in development.⁸⁴

The Cures Act did not call specifically for mandatory reporting of EHR errors or patient harm events, though advocates hoped that under its Transparent Reporting provision, a new requirement would emerge during the rulemaking and public comment phase.⁸⁵  In the Final Rule, HHS summarized comments to its proposed rule calling for more action by ONC to ease and encourage reporting of health IT-related patient safety.  The Final Rule fell short of FDA-like public reporting but did codify into law “unqualified protection” for any person or entity “[c]ommunicating information about adverse events, hazards, and other unsafe conditions to government agencies, health care accreditation organizations, and patient safety organizations.”⁸⁶

Weighing in on the long debate on EHRs as medical devices, Congress chose not to take this tighter regulatory step.  The Cures Act included a section entitled “Clarifying Medical Software Regulation,” which was regarded as a response to confusion created by the dormant 2008 FDA Proposed Rule to regulate health IT.⁸⁷  The law narrowed FDA’s jurisdiction over medical software by amending the FD&C Act to remove categories of software from the definition of medical device, stating:

The term device…shall not include a software function that is intended … (C) to serve as electronic patient records, … so long as (i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such individuals.⁸⁸

EHR Fraud Investigations, Settlements, and Corporate Integrity Agreements

Eight years after the passage of the HITECH Act, EHR use was commonplace across the United States.⁸⁹  Yet while the objective was to reduce medical errors exacerbated by illegible paper records and mine rich medical datasets to drive down healthcare costs and improve disease treatment, EHR vendors reaped the rewards of the infusion of new government money.⁹⁰ Some of them, however, allegedly gamed the system to their benefit.⁹¹  Over the last three years, the Department of Justice (DOJ) entered FCA settlement agreements totaling over $350 million with EHR vendors.  Announcing the first major settlement in 2017, John O’Brien, senior counsel with the HHS Office of Inspector General (OIG), stated plainly, “We’re entering an entirely new area of health care fraud.”⁹²  The following section summarizes the major EHR fraud investigations and their resolution, as applicable.

eClinicalWorks

The journey to the largest FCA settlement in the federal District of Vermont⁹³ began with the filing of a medical malpractice lawsuit against Stowe Family Practice.  As a Federally Qualified Health Center, the suit was brought against the United States and defended by the U.S. Attorney’s Office in Burlington.⁹⁴  Annette Monachelli, wife of the plaintiff, sought care for severe headaches in late 2012 and within two months had died of a brain aneurysm.⁹⁵ The physician had ordered a CT scan of the patient’s head but the order was not delivered.⁹⁶

The assistant U.S. attorney began investigating the clinic’s EHR, created by eClinicalWorks (eCW), headquartered in Westborough, Massachusetts.⁹⁷ He soon uncovered a number of complaints suggesting “the company’s technology didn’t work quite like it said it did.”⁹⁸  The most critical evidence surfaced in a dormant whistleblower claim filed in 2011 by Brendan Delaney, a former British police officer.⁹⁹  Delaney worked at the time for New York City to help the implementation of an eCW EHR system at Rikers Island jail and found numerous software malfunctions.¹⁰⁰  He left the project and joined an EHR consulting company and continued to see errors in other implementations; he took meticulous notes and saved screenshots over a two-year period.¹⁰¹

Ultimately, the U.S. government intervened in the qui tam lawsuit, using the legal claim that eCW had violated the FCA for alleged misrepresentations under the Meaningful Use Program.¹⁰²  In its complaint-in-intervention, the government contended that eCW falsely obtained certification for its EHR software when it concealed that it did not comply with all requirements for certification.¹⁰³  For example, it modified the software to appear to process drug codes rather than programming the actual functionality.¹⁰⁴  As a result of the deficiencies in its software, eCW also caused the submission of false claims for Meaningful Use payments based on the use of ECW’s software.¹⁰⁵  eCW paid $155 million to settle the lawsuit.

As part of the overall resolution to the case, eCW also entered into a “first-of-its-kind”¹⁰⁶ Corporate Integrity Agreement (CIA) with the OIG, which outlined 13 specific obligations that eCW must meet during its five-year term.¹⁰⁷  Specific to the allegations of faulty software code and certification violations, eCW must retain an independent Software Quality Oversight Organization (SQOO) approved by the OIG to monitor its software quality control systems and report semi-annually to the OIG.¹⁰⁸  The CIA compelled eCW to report transparently “on its customer portal, in a clear and conspicuous manner, a current and comprehensive list of all Patient Safety Issues” and to include the nature of the issue, how eCW was addressing the issue, and actions that users should take to mitigate risks before the issue was remediated.¹⁰⁹  It also stipulated that eCW cannot restrict customers from reporting and discussing EHR software problems in any forum.¹¹⁰  These reporting measures extended further than any regulatory obligation in force in the EHR industry at the time.

A year after the agreement, issues appeared to continue. eCW customers complained that faulty software remained a problem and that the vendor had not complied with the terms of the CIA.¹¹¹  One physician user stated plainly:

They are required to do root cause analysis, fix underlying problems, report to the Office of the Inspector General. None of that is happening in our experience. . . . There’s no way they’re complying. Our own government settled with eCW over software issues that didn’t get fixed and the government got $125 million out of this — but what about the users? What about us? The rest of us are out in the cold.¹¹²

The government fined eCW $132,500 in July 2018 for failure to comply with its obligation to timely report patient safety issues as dictated by the CIA.¹¹³ The software company explained that the penalty was related to software issues not leading to serious harm or death not reported within the prescribed timeframe and to its failure to report those issues also to the SQOO.¹¹⁴

Greenway Health

On February 6, 2019, the DOJ announced that a second EHR vendor entered into a settlement agreement.¹¹⁵ Greenway Health, LLC, a Tampa, Florida-based EHR developer, agreed to pay $57.25 million¹¹⁶ to settle allegations that the company misrepresented its Prime Suite software’s capabilities, leading customers to submit false claims to the federal government under the Meaningful Use Program.¹¹⁷  It is notable that, unlike the eCW lawsuit, the Greenway case was not initiated by a qui tam relator, but pursued by DOJ directly.¹¹⁸  An assistant U.S. attorney plainly stated, “This resolution demonstrates our continued commitment to pursue EHR vendors who misrepresent the capabilities of their products, and our determination to promote public health while holding accountable those who seek to abuse the government’s trust.”¹¹⁹

The DOJ asserted that Greenway falsely obtained certification for its Prime Suite product when it concealed from its certifying entity that the software did not fully comply with the requirements for certification.¹²⁰  The product did not fully incorporate the standardized clinical terminology necessary for the exchange of patient information and accuracy of electronic prescriptions.¹²¹  Greenway also deceived the certification agent by coding its test-run software to produce false results that made it appear that Prime Suite could use the requisite clinical vocabulary.¹²²  Additionally, the software overcalculated a meaningful use measure resulting in false attestations by users, but Greenway intentionally did not correct the known code error, allowing users to continue receiving unearned incentive payments.¹²³ The investigation uncovered a significant amount of internal emails, highlighted in the government’s complaint, that referenced fraudulent activities.  In one message, an employee called the plan for passing the test as “not truely [sic] honest lol.”¹²⁴

Under the terms of the deal, Greenway also entered into a five-year CIA with the OIG, with requirements similar to those imposed on eCW.¹²⁵  “What were novel requirements in 2017 appear to have become the standard when OIG imposes CIA obligations on EHR vendors in connection with these types of cases.”¹²⁶  Reflecting the focus on the patient safety concerns relating to EHR fraud, the CIA required Greenway to provide prompt notice to its customers of any patient safety-related issues and maintain on its customer portal a comprehensive list of such issues and any steps users should take to mitigate potential patient safety risks.¹²⁷

Practice Fusion

Practice Fusion, a California-based EHR vendor used by 30,000 medical practices,¹²⁸  became the third EHR vendor in three years alleged to defraud the federal government by falsifying the software’s ability to meet ONC certification criteria. Founded in 2005, it was acquired in 2018 by Allscripts, Inc., a competitor EHR vendor headquartered in Illinois, at a “fire sale” price of $100 million.¹²⁹  Allscripts had originally offered $250 million to acquire the company, but about a year before the purchase, the fact that the DOJ had started an investigation into how Practice Fusion received its software certification became known.¹³⁰

On January 27, 2020, the DOJ announced that Practice Fusion would pay $145 million to resolve civil and criminal investigations relating to its EHR software.¹³¹  In what was becoming a common refrain, the government’s civil complaint included claims that Practice Fusion knowingly represented that its software met certification program requirements for patient information sharing when it did not.¹³² After receiving certification, the vendor disabled the non-functional feature, though eligible professionals continued to attest for Meaningful Use incentive payments from 2014 to 2017 for use of the software.¹³³

The admission of criminal liability and payment of fines therefor was a unique feature of the Practice Fusion settlement.  The vendor admitted that it solicited and received nearly $1 million in illegal kickbacks from a “major opioid company” to create a clinical decision support alert to promote increased prescribing of extended release opioids.¹³⁴ A key factor in the government’s case was the involvement of the drug company’s marketing department in the design of the alert.¹³⁵

Practice Fusion entered into a Deferred Prosecution Agreement (DPA) with the government to resolve all civil and criminal complaints.¹³⁶  Rather than executing a separate CIA with the OIG, the DOJ attached a Letter Agreement as Exhibit G to the DPA which included  specific “Health IT Functionality and Compliance Terms.”¹³⁷  Under the terms, Practice Fusion agreed to fix and re-certify its software and to post on its customer portal a comprehensive “bug list” relating to certification capabilities and patient safety.¹³⁸  Similar to the CIAs for eCW and Greenway, the DPA also required Practice Fusion to identify and publicly report any issues impacting patient safety.¹³⁹

Viztek

On August 27, 2020, a fourth EHR vendor settled a lawsuit claiming false claims of EHR compliance under the certification program.  Konica Minolta Healthcare Americas Inc., based in Wayne, New Jersey, agreed to pay $500,000 to resolve the allegations against its former subsidiary, Viztek LLC.¹⁴⁰  Like the eCW case, the civil action against Viztek started as a whistleblower action under the FCA, initially filed in 2017 by Leighsa Wilson, a former employee of the company and project manager for its EHR project.¹⁴¹  The complaint alleged that the company founder pressured employees to achieve certification by any means while he was negotiating the sale of the privately held company to Konica Minolta.¹⁴²  Certification testing was successful by manually adjusting the software to make it appear it could perform the required functions.¹⁴³  The settlement agreement simply required the payment of $500,000; the company was defunct and Viztek EHR software was no longer on the market.

Novel Government Intervention in EHRs

Following the notoriety of the eCW case in 2017, industry leaders and watchers began wondering about the broader implications for EHR vendors and EHR regulation in general.¹⁴⁴ At the time, the health IT industry took note of the size and scope of the settlement and speculated that it may not be a singular incident.¹⁴⁵  Jeffrey Smith, vice president of public policy at AMIA, said, “I think we will learn more over the coming weeks and months about just how pervasive this kind of activity may well be.”¹⁴⁶

What ultimately emerged from these four EHR fraud cases was a picture of an underlying problem with certification and a broader issue with EHR regulation.  AMIA vice president Smith cautioned,  “When you peel back the layers of the onion a little bit, what you find is that this case sheds light on genuine deficiencies in the current certification program, and it details the many ways that risks to patient safety can arise when software is not developed properly or when it’s not implemented or used properly.”¹⁴⁷ Meaningful use certification was “essentially an open-book test” in which ONC provided vendors “the questions in advance,” such as the names of the 16 drugs the system would have to prescribe electronically. ¹⁴⁸

This section analyzes the government’s civil and criminal actions to uncover and address EHR problems and their patient safety implications.  It starts with a review of the legal framework of false claims, federal health program exclusion, CIAs, and DPAs. The DOJ and the OIG have employed these tools in an approach to promote compliance and public safety. The second part assesses the gaps in the EHR regulatory framework that were addressed, not through comprehensive reform of regulation, but instead through the piecemeal litigation against individual alleged wrongdoers.

Legal Background
False Claims Act

The FCA was enacted during the Civil War to prevent and resolve rampant fraud on the government perpetrated by army contractors.¹⁴⁹ The FCA imposes civil liability on any person who (l) knowingly presents, or causes to be presented, to an officer, employee, or agent of the United States a false or fraudulent claim for payment or approval; and (2) knowingly makes, uses, or causes to be made or used a false record or statement material to a false or fraudulent claim.¹⁵⁰ The FCA defines a "claim" to include "any request or demand, whether under a contract or otherwise, for money or property and whether or not the United States has title to the money or property that (i) is presented to an officer, employee, or agent of the United States; or (ii) is made to a contractor, grantee, or other recipient, if the money or property is to be spent or used on the Government's behalf or to advance a Government program or interest .... "¹⁵¹ The FCA does not require proof of specific intent to defraud.¹⁵² Any person who violates the law is liable for a mandatory civil penalty for each such claim, plus three times the damages sustained by the government.¹⁵³

The government's primary civil tool for addressing healthcare fraud is the FCA.¹⁵⁴  The healthcare industry relies extensively on government funds to reimburse it for services rendered, so every time a provider submits a claim for reimbursement to Medicare or Medicaid, it risks violating provisions of the FCA.¹⁵⁵ Each bill constitutes a separate claim under the FCA, so the penalties could easily become very severe.¹⁵⁶  Of the $3.1 billion recovered through FCA in fiscal year 2019, $2.6 billion came from cases involving HHS.¹⁵⁷

Federal Healthcare Program Exclusion Authority

Section 1128 of the Social Security Act establishes a formal regimen for mandatory and permissive exclusion of individuals and entities from participation in Medicare and Medicaid.¹⁵⁸  Congress first enacted the exclusion provision in 1977 as part of the Medicare-Medicaid Anti-Fraud and Abuse Amendments¹⁵⁹ and mandated the exclusion of physicians and other practitioners convicted of program-related crimes.¹⁶⁰

An exclusion by the OIG prohibits any payment from a federally sponsored healthcare program for any items or services furnished, ordered, or prescribed by the excluded individual or entity. ¹⁶¹ The law also prohibits any contracting with an excluded entity to furnish services in connection with a federal healthcare program or beneficiary,¹⁶² such as an EHR vendor selling to a hospital or physician practice if the provider received Medicare or Medicaid reimbursement. The broad payment prohibition applies not just to the excluded entity directly, but also indirectly to anyone who contracts with the excluded entity, effectively preventing the excluded entity from operating in the healthcare industry.¹⁶³  The exclusion is enforceable regardless of who submitted healthcare claims to the government and applies to all administrative and management services furnished by the excluded person.¹⁶⁴  In a list of examples that would violate an exclusion if provided by an excluded party, the OIG included “[i]tems … sold by an excluded manufacturer … used in the care or treatment of beneficiaries and reimbursed, directly or indirectly, by a Federal health care program.”¹⁶⁵  Therefore, an excluded EHR vendor effectively could not sell products or services in the healthcare marketplace.

Section 1128 outlines both mandatory and permissive exclusions.¹⁶⁶ A mandatory exclusion results from certain enumerated felonies, such as a criminal conviction for healthcare fraud.¹⁶⁷ Less serious offenses, including reckless submission of false claims for Medicare reimbursement, trigger the OIG’s permissive exclusion authority.¹⁶⁸ Permissive exclusions are those that the OIG has discretion to pursue, but that the OIG is not compelled to do so.¹⁶⁹  The OIG makes a determination based on the risks of allowing the individual or entity to continue to participate in federal healthcare programs.¹⁷⁰  Specific to fraud and false claims, Section 1128(b)(7) provides that “the Secretary may exclude … from participation in any Federal health care program … any  individual or entity that has been convicted … of a criminal offense consisting of a misdemeanor relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct.”¹⁷¹

Exclusion from participation in federally funded healthcare programs is “without question, OIG’s nuclear option.”¹⁷²  The OIG has been clear that exclusion of an individual or entity means that no organization receiving federal dollars can pay for any items or services furnished by an excluded entity.¹⁷³  Accordingly, FCA actions relating to healthcare fraud often end in settlements, since the exclusion penalty is truly “devastating.”¹⁷⁴

OIG Corporate Integrity Agreements

The OIG negotiates CIAs with healthcare providers and other entities as a component of settlements arising under a variety of civil false claims statutes.¹⁷⁵  Most frequently, the OIG agrees as part of an FCA settlement agreement not to seek permissive exclusion in exchange for an organization’s willingness to enter into a CIA to resolve certain matters and to set the provider or company “on the right path to compliance.”¹⁷⁶ The typical term is five years.¹⁷⁷

The OIG evaluates healthcare fraud cases on a continuum of future risk to the federal healthcare programs and administrative response.¹⁷⁸ Based on the information it gathers in an FCA investigation, OIG guidance calls for assessing the trustworthiness of the settling parties to decide whether an exclusion is appropriate or to take other action.¹⁷⁹ The government often concludes that exclusion is not necessary if the entity agrees to appropriate integrity obligations.¹⁸⁰  CIAs strongly enhance the OIG’s ongoing and in-depth oversight of the settling party.¹⁸¹

The OIG routinely imposes CIAs in healthcare fraud settlements.¹⁸² As a heavily regulated industry which relies substantially on government funds, HHS’s power is enormous.¹⁸³  “Given this imbalance of power, health care providers have little choice but to agree to CIAs containing even the most onerous of terms in their settlement of suits.”¹⁸⁴  The burdens can be significant, even unfavorable to an entity, but are developed through settlement negotiations and outside of review by a court of law.¹⁸⁵ With the risk of heavy fines for FCA violations and/or threat of federal healthcare program exclusion, an organization has little bargaining power to change unfavorable terms.¹⁸⁶ The conclusion in a seminal law review article on the topic was stark:

The imposition of Corporate Integrity Agreements, a sanction originally available as a penalty in criminal prosecutions, is problematic when utilized as a penalty in civil actions.  Such agreements subject corporations to expanded liability and onerous terms that may not be in the best interests of the company’s shareholders, the industry, or the public.¹⁸⁷

DOJ Deferred Prosecution Agreement

In a criminal case, attorneys in the DOJ have the option to enter non-prosecution agreements and DPAs, as outlined in the Justice Manual, Title 9, 9-28.000 Principles of Federal Prosecution of Business Organizations.¹⁸⁸ DPAs can restore the integrity of a company's operations and preserve the financial viability of a corporation that has engaged in criminal conduct, while preserving the government's ability to prosecute a recalcitrant corporation that materially breaches the agreement.¹⁸⁹  Generally, criminal settlement agreements for corporations include four main elements: an admission of facts, an agreement of cooperation, a specified duration for the agreement, and an agreement to monetary and non-monetary sanctions.¹⁹⁰

Like CIAs, DPAs are not overseen by a court of law, since they are not filed in a court.¹⁹¹ Scholars have raised concerns about prosecutorial discretion, with authority that “turn[s] the prosecutor into judge and jury.”¹⁹² On the other hand, their use has the potential benefit of pursuing corporate reforms under strict oversight in lieu of criminal prosecution and the risk of putting them out of business.¹⁹³

Litigation as a Piecemeal Way to Regulation

In the recent string of EHR fraud cases, the government appeared to employ all of the legal tools to achieve its goals: allegations of FCA violation, risk of federal healthcare program exclusion, and execution of CIAs or DPAs.  As a basis for legal action, the complaints filed by the United States against the four EHR vendors all alleged violations of the FCA, including both for their own false statements to achieve certification and for causing eligible hospitals and/or eligible professionals to present false claims for Meaningful Use Program incentive payments. The complaints all sought the maximum amount of the United States’ damages, trebled as required by law, and all appropriate civil penalties.  In the case of Practice Fusion, the additional allegation of criminal kickback payments heightened the stakes.  Thus, the government set the strong legal foundation for the settlement processes.

Through the use of CIAs with eCW and Greenway and the DPA with Practice Fusion,¹⁹⁴ the government introduced regulatory-like authority and active engagement in EHR software development and patient safety reporting that was fundamentally different—and more aggressive—than the voluntary certification program.  The remainder of this section will highlight conflicts between existing regulatory requirements and settlement-related obligations.

Reporting EHR-Related Patient Safety Issues

As noted above, EHR experts and advocates have long called for the development of a comprehensive patient safety reporting and review system.¹⁹⁵  Progress stalled “because manufacturers of electronic health records (EHRs),  health care providers, federal health care policy wonks, academics and Congress have either blocked the effort or fought over how to do it properly.”¹⁹⁶ In 2015, ONC released a road map to launch a “Health IT Safety Center” that would include a neutral site to improve the safety of the technology.¹⁹⁷  Over the subsequent few years, members of Congress challenged the government’s authority to create it and later declined to fund it.¹⁹⁸  The latest development for transparent reporting under regulation to comply with the Cures Act does not include patient safety information.  What legislators in Congress and regulators at ONC failed to do regarding reporting of patient safety issues, the DOJ and the OIG took steps to establish in settlement agreements, CIAs and DPAs. While such obligations only pertain to the respective vendors and only narrowly require them to disclose to current customers on the vendors’ websites, they may serve as a starting point for more meaningful reporting and transparency.

Software Quality Assurance and Oversight

The current certification program requirements for software quality require EHR vendors to identify a Quality Management System (QMS) used in the development, testing, implementation, and maintenance for its software.¹⁹⁹  The certification testing process solely confirms that the vendor’s self-disclosed QMS is one recognized by the government.²⁰⁰ This regimen had many critics for its lax requirements and flaws, and attention to underlying problems intensified after the publicity of the recent EHR fraud cases.²⁰¹  It is noteworthy that only 30 certified EHR products (less than two percent) are currently flagged for corrective action due to non-conformities and ONC has decertified only five products.²⁰²  ONC’s philosophy has been to work with vendors to address problems rather than decertify products, acknowledging the negative impact to users if their products faced decertification.²⁰³

In contrast, possibly just down the hall from the hospital’s EHR data center, the software that operates medical devices, such as the code that controls magnetic resonance imaging (MRI) machines, is subject to considerable scientific review by the FDA.²⁰⁴  FDA regulations also require medical device software manufacturers to adhere to formal software validation procedures and processes.²⁰⁵ The agency originally promulgated the rigid rules in 1999, and reaffirmed them in 2002, after a review of medical device recalls showed that about eight percent were due to software failures and nearly 80 percent of those involved software changes after initial FDA certification.²⁰⁶  The guidance included effective use of software development standards and practices.²⁰⁷

In the last three years, the DOJ and the OIG, wielding their enforcement powers, have required three EHR vendors to engage independent review organizations to actively monitor software development quality.  As with patient safety reporting, the litigation-related settlements fall short of the type of FDA review required by medical devices, but extend the government’s reach into EHR software development.

Recommendations For More Effective EHR Regulation

As presented above,²⁰⁸ the EHR industry has become subject to government regulation and oversight to promote software quality and patient safety through two diametrically divergent paradigms: the voluntary certification program of the HITECH Act on one end and fraud-fueled settlements (two CIAs and one DPA) with harsh compliance provisions on the other.  Of the 436 active EHR vendors, the DOJ accused three of fraudulent acts and then subjected them to agreements aimed at ensuring quality software to protect and enhance patient safety; the other 433 EHR vendors continue to operate under a voluntary system without mandatory patient safety issue reporting or validated software quality programs.  An important philosophical question to answer is whether the government’s methods—voluntary industry-wide regulation and piecemeal vendor-specific legal settlements—are most effective and appropriate to protect public welfare.

It is debatable whether any level of regulation can ever be effective in preventing deceit and fraud, and cases of intentional falsification ought to be rare.   The government’s recourse for criminal prosecution and civil action under the FCA remains a viable threat for the most extraordinary circumstances.  The severe penalty of federal health program exclusion should also be a strong deterrent.  Identifying and prosecuting the most extreme cases have been bolstered by the whistleblower provisions of the FCA. Over the last three years, these legal tools have been employed in what hopefully are outlier cases of alleged malfeasance in the EHR industry, independent of a stronger regulatory framework.

More sensible and effective regulation could help promote the laudable goals of patient safety and end-user value, landing at the right point between the current extremes of government intervention in the industry.  Congress should establish more formal regulation, whether as a new law or amendment of the HITECH Act that established the current voluntary system or the Cures Act that addressed some of its gaps.

First, certification of EHRs should be mandatory and overseen by ONC.  While the current voluntary system in effect requires EHR vendors to sell certified products to hospitals and physicians that seek reimbursement benefits from Medicare and Medicaid, a mandatory regulatory structure would signal government interest in protecting public welfare.

Second, Congress should authorize and fund ONC to develop a system for public reporting of suspected and actual medical errors that were caused or exacerbated by EHR systems.  The Health IT Safety System explored by ONC in 2015 may be a starting point.  The goals should be that users can learn from and avoid errors, vendors can be made aware of and accountable for problems in software or its (mis)configuration, and patients can be safer.

Third, to promote software quality before a bug results in harm, EHR certification should include a requirement that the EHR vendor actively implement and monitor adherence with QMS, using these professionally recognized standards and practices in software development, quality assurance, and risk management.  ONC should modify the certification program testing to enhance the rigor from simply ensuring that the vendor’s self-reported standard is government-recognized.  Instead, vendors should maintain documentation of the program that is available for review by certification bodies.  A trend of reported bugs or, worse, medical errors should trigger a deeper review to assess the vendor’s practices of quality software design, development, and testing, resulting in non-conformance or decertification.

These straightforward legislative and/or regulatory changes could ease health providers’ and the public’s concerns about EHR mistakes and fraud that have rocked the industry over the past few years.  They do not extend the harsher control mechanisms that the government compelled vendors under civil and criminal enforcement action to follow, but maintain and extend sensible mandates of error reporting and software quality management.

Conclusion

Over the past three years, the EHR industry has taken great notice of landmark settlements with the DOJ and the OIG exceeding $350 million to resolve allegations of FCA violations and other illegal activity that risked the integrity of the Meaningful Use incentive payment program and patient safety.  Under threat of civil and criminal prosecution for false claims and the mandatory exclusion “nuclear option,” EHR vendors entered into extensive agreements with the government.  These agreements extended the government’s oversight of EHR products and their respective vendors far above the current scope of voluntary regulation in the field, which has been criticized as inadequate in light of the risk of harm to public safety.

An effective mandatory regulatory paradigm can and should be established that falls between the weak, voluntary program established by the HITECH Act and the rigorous oversight that defrauding vendors agreed to in their settlement of federal lawsuits.  It can promote software quality management as a requirement for vendors to certify a product for use in U.S. healthcare and public reporting of EHR errors for transparency, accountability and—ideally—public safety.  After all, public safety and optimal health is the core aim of a great EHR.

1. Gillum, R.F., From Papyrus to the Electronic Tablet: A Brief History of the Clinical Medical Record with Lessons for the Digital Age, 126 Am. J. of Med. 853, 853 (October 2013).
2. Id. at 854.
3. Atherton, J., Development of the Electronic Health Record, 13 Am. Med. Ass’n. J. of Ethics 186, 187 (March 2011).
4. See infra History of EHRs; Promoting Adoption.
5. Hoffman, S. & Podgurski, A., Finding A Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J.L. & Tech. 103, 104 n.1 (2008) (citing Biomedical Informatics: Computer Applications in Health Care and Biomedicine (Shortliffe, E. & Cimino, J. eds., 2006)).
6. Id. at 108. See also Robert Wood Johnson Foundation, Health Information Technology in the United States, 2015: Transition to a Post-HITECH World 10-11, (DesRouches, C. et al. eds., 2015).
7. Hoffman & Podgurski, supra n. 5, at 109.
8. Robert Wood Johnson Foundation, supra n. 6, at 11.
9. Benefits of EHRs: An electronic health record (EHR) is more than a digital version of a patient’s paper chart, Off. of the Nat’l Coordinator of Health IT, https://www.healthit.gov/topic/health-it-basics/benefits-ehrs.
10. Id.
11. Hoffman & Podgurski, supra n. 5, at 113.
12. President George W. Bush, State of the Union Address (Jan. 20, 2004), https://georgewbush-whitehouse.archives.gov/infocus/technology/economic_policy200404/chap3.html.  See also Fry, E. & Schulte, F., Death by a Thousand Clicks: Where Electronic Health Records Went Wrong, Fortune (Mar. 18, 2019), https://fortune.com/longform/medical-records/.
13. Transforming Health Care: The President’s Health Information Technology Plan, Promoting Innovation and Competitiveness (2004), https://georgewbush-whitehouse.archives.gov/infocus/technology/economic_policy 200404/chap3.html.
14. Robert Wood Johnson Foundation, supra n. 6.
15. American Recovery and Reinvestment Act (2009), Public Law 111-5.
16. Robert Wood Johnson Foundation, supra n. 6, at 12.
17. Public Health and Promoting Interoperability Programs (formerly known as Electronic Health Records Meaningful Use), Ctrs. for Disease Control and Prevention, https://www.cdc.gov/ehr meaningfuluse/introduction.html.
18. Schulte, F. & Fry, E., Electronic Health Records Creating a ‘New Era’ of Health Care Fraud, Officials Say. Fortune (Dec. 23, 2019), https://fortune.com/longform/electronic-health-records-fraud/.  See also Landi, H., Report: Meaningful Use Payments Total $34.7 Billion. Healthcare Informatics (June 27, 2016), https://www.healthcare-informatics.com/news-item/report-meaningful-use-payments-total-347-billion.
19. Id.
20. Robert Wood Johnson Foundation, supra n. 6, at 15.
21. Fry & Schulte, supra n. 12.
22. Promoting Interoperability Program, Ctr. for Medicare and Medicaid Servs., https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms (page last modified Dec. 3, 2020).
23. Sittig, D. F. & Singh, H., Electronic Health Records and National Patient Safety Goals, New Eng. J. of Med.  367;19 (Nov. 8, 2012).
24. Hoffman & Podgurski, supra n. 5, at 106.
25. See Sittig & Singh, supra n. 23.  See also Rosenbaum, L., Transitional Chaos or Enduring Harm? The EHR and the Disruption of Medicine, 373 New Eng. J. of Med. 1585 (2015); Ratwani, R. M. et al., Identifying Electronic Health Record Usability and Safety Challenges in Pediatric Settings, 37 Health Affairs 1752, 1752-53 (2018) (noting that software usability is a measure of efficient, effective and satisfactory use of a system based on its design, citing International Organization for Standardization. ISO 9241-210:2010: ergonomics of human-system interaction).
26. Gawande, A., Why Doctors Hate Their Computers, The New Yorker (Nov. 12, 2018).
27. Fry & Schulte, supra n. 12.
28. Id.
29. Ammenwerth, E. & Shaw, N., Bad Health Informatics Can Kill—Is Evaluation the Answer, Methods of Information in Medicine (February 2005).
30. Id.  (The article cites examples from the website “Bad Health Informatics Can Kill” hosted by the University of Medical Informatics and Technology in Austria which presents “examples of direct harm from [EHR] failures” published in news media reports.).
31. Id.
32. Ratwani et al., supra n. 25, at 1753-54.  See also Howe, J., Adams, K., Hettinger, A.Z. & Ratwani, R., Electronic Health Record Usability Issues and Potential Contribution to Patient Harm, 319 JAMA 1276 (2018).
33. Kenagy, J. The Evolution of EHR Regulation, 31 The Health Lawyer 14 (April 2019).
34. Hoffman & Podgurski, supra n. 5, at 107.
35. Id. at 126.
36. Schulte, F. & Fry, E., No Safety Switch: How Lax Oversight of Electronic Health Records Puts Patients at Risk, Fortune (Nov. 21, 2010), https://fortune.com/longform/medical-records-government-regulation-patient-risk/.
37. Id.
38. Id.
39. Id.
40. Kern, C., Why Is There No Reporting of EMR Errors? Health IT Outcomes (July 30, 2014), https://www.healthit outcomes.com/doc/why-is-there-no-reporting-of-emr-errors-0001.  See also Fry & Schulte, supra n. 12 (Five years following that publication, the same concerns remain. “Compounding the problem are entrenched secrecy policies that continue to keep software failures out of public view. EHR vendors often impose contractual ‘gag clauses’ that discourage buyers from speaking out about safety issues and disastrous software installations.”).
41. Id.
42. Roth, J., Regulating Your Medical History Without Regulations: A Private Regulatory Framework to Electronic Health Record Adoption, 91 B.U. L. Rev. 2103, 2121 (2011).
43. Ratwani et al., supra n. 25.
44. Fry & Schulte, supra n. 12.
45. Id.
46. Hedges, L., CCHIT Certification May Be History, but There Are Other Options for Evaluating EHRs, Software Advice, https://www.softwareadvice.com/resources/cchit-certification-other-options/.
47. Health Information Technology-What was CCHIT?, Certification Comm’n Health Info. Tech., https://www.cchit.org/.
48. Versal, N., CCHIT Demise Should Herald Demise of EHR Certification. Forbes (Oct. 29, 2014), https://www.forbes.com/sites/neilversel/2014/10/29/cchit-demise-should-herald-demise-of-ehr-certification/#21c26d27470f.
49. Hedges, supra n. 46.  See also Cassidy, T., Dr. David Brailer Outlines EHR Plans, Advance for Health Info. Prof’ls (Nov. 22, 2004), http://health-information.advanceweb.com/Article/Dr-David-Brailer-Outlines-EHR-Plans.aspx.
50. Hedges, supra n. 46.
51. Versal, N., Critics Charge HIMSS-CCHIT connection ‘too cozy.’ Healthcare IT News (Mar. 6, 2009), https://www.healthcareitnews.com/news/critics-charge-himss-cchit-connection-too-cozy.  See also Hedges, supra n. 46.
52. Versal, supra n. 48.
53. Conn, J., CCHIT ending testing and certification of EHRs, Modern Healthcare (Jan. 29, 2014), https://www.modernhealthcare.com/article/20140129/NEWS/301299959.
54. American Recovery and Reinvestment Act (ARRA) (2009), Public Law 111-5.
55. Id. Title XXX. Health Information Technology and Quality § 3000.
56. Roth, supra n. 42, at 2110.
57. About the ONC Health IT Certification Program, Off. of the Nat’l Coordinator of Health IT, https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-certification-program.
58. Id.
59. Id.
60. ARRA, supra n. 54.
61. Certified Health IT Products List, Off. of the Nat’l Coordinator of Health IT, https://chpl.healthit.gov/#/charts (last visited Dec. 12, 2020).
62. Peel, D., HIT Standards: Big Vendors Rule, Healthcare IT News (Oct. 29, 2009), https://www.healthcareitnews.com/blog/hit-standards-big-vendors-rule.  (“It is my belief that the entire health IT standards-setting process is controlled by a few large corporate health IT vendors that dominate the market.”).
63. Id. See also Murphy, K., Is the ONC taking a new approach to health IT certification?  EHR Intelligence (Jan. 22, 2014), https://ehrintelligence.com/news/is-the-onc-taking-a-new-approach-to-health-it-certification.
64. Part II: 1938, Food, Drug, Cosmetic Act, U.S. Food and Drug Admin., https://www.fda.gov/ AboutFDA/History/FOrgsHistory/EvolvingPowers/ucm054826.htm.
65. Milestones in U.S. Food and Drug Law History, U.S. Food and Drug Admin., https://www.fda.gov/about-fda/fdas-evolving-regulatory-powers/milestones-us-food-and-drug-law-history.
66. The Food, Drug, and Cosmetic Act, Pub. L. 75-717. 21 U.S.C. § 321(h) 2006.
67. Id. § 360c.
68. Roth, supra n. 42, at 2104.
69. Id. at 2114.
70. Id.; See also Shah, D., The Oversimplification of Deregulation: A Case Study on Clinical Decision Support Software, 24 Mich. Telecomm. & Tech. L. Rev 115, 118-19.
71. Roth, supra n. 42, at 2115.
72. Medical Device Data Systems: A Rule by the Food and Drug Administration on 2/15/2011, Federal Register, https://www.federalregister.gov/documents/2011/02/15/2011-3321/medical-devices-medical-device-data-systems.
73. Devices: General Hospital and Personal Use Devices, 73 Fed. Reg. at 7500.
74. Roth, supra n. 42, at 2105.
75. See generally Fry & Schulte, supra n. 12.
76. 21^st Century Cures Act of 2016, Pub. L. 114-255 [hereinafter Cures Act].
77. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,642 (May 1, 2020) (to be codified at 45 C.F.R. 170) [hereinafter Final Rule].
78. Cures Act, supra n. 76 at § 4003.
79. Id. at § 4004.
80. 2015 Edition Cures Update, Off. of the Nat’l Coordinator of Health IT, https://www.healthit.gov/curesrule/final-rule-policy/2015-edition-cures-update (last visited Dec. 12, 2020). (New certification requirements included electronic health information export, standardized application programming interface for patient and population services, and US Core Data for Interoperability adoption).
81. Cures Act, supra n. 76 at § 4002(c) (Transparent Reporting on Usability, Security, and Functionality).  See also EHR Reporting Program. Off. of the Nat’l Coordinator of Health IT, https://www.healthit.gov/topic/ certification-health-it/ehr-reporting-program (last visited Dec. 12, 2020).
82. Id.
83. EHR Reporting Program, Urban Institute, https://www.urban.org/policy-centers/health-policy-center/projects/ehr-reporting-program (last visited Dec. 12, 2020).
84. Id. (“The EHR Reporting Program will provide publicly available, comparative information on certified health IT based on input from developers and voluntary input from end users”)
85. Kenagy, supra n. 33, at 19.
86. Final Rule, supra n. 77 at 25,946.
87. Shah, supra n. 70, at 120.
88. Cures Act, supra n. 76 at § 3060.
89. See supra History of EHRs.
90. Fry & Schulte, supra n. 12.
91. Id.
92. U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., Eye on Oversight – Electronic Health Records, YouTube (July 26, 2017), https://www.youtube.com/watch?v=AvouqE63cVk.
93. Press Release: Electronic Health Records Vendor to Pay the Largest Settlement in the District of Vermont, U.S. Dep’t of Just. D. Vt. (May 31, 2017), https://www.justice.gov/usao-vt/pr/electronic-health-records-vendor-pay-largest-settlement-district-vermont.
94. Complaint, Stern v. U.S., No. 2:14-CV-176 (D. Vt. Aug. 11, 2014).  See also Email from Owen Foster, Assistant U.S. Att’y, to John Kenagy (on file with author).
95. Fry & Schulte supra n. 12; Whistleblower: The Case Against eClinicalWorks Season 1, Episode 6 (CBS television broadcast Aug. 17, 2018).
96. Fry & Schulte supra n. 12.
97. Id.
98. Id.
99. Siwicki, B. eClinicalWorks Whistleblower: NYC Health Department Was Indifferent to EHR Flaws, Healthcare IT News (May 31, 2017), https://www.healthcareitnews.com/news/eclinicalworks-whistleblower-nyc-health-department-was-indifferent-ehr-flaws.  (Note: The FCA includes a provision that allows private citizens, called “relators” to bring lawsuits on behalf of the United States against defendants for filing false claims against the government. The government can intervene as plaintiff or allow the relator to bring the suit.).
100.   Fry & Schulte supra n. 12. (For instance, “The patient medication lists weren’t reliable; prescribed drugs would not show up, while discontinued drugs would appear as current, according to the complaint. The EHR would sometimes display one patient’s medication profile accompanied by the physician’s note for a different patient, making it easy to misdiagnose or prescribe a drug to the wrong individual.”).
101. Whistleblower, supra n. 95.
102.  United States’ Complaint in Intervention, U.S. ex rel. Delaney v. eClinicalWorks, No. 2:15-CV-00095-WKS (D. Vt. May 12, 2017) [hereinafter eCW Complaint].
103.  Id.
104.  Id.
105.  Id.
106.  Trunk, S. & Atkins, E., Not Just for Health Care Providers Anymore: Health IT Vendor Pays $155 Million to Settle False Claims Act Case, Lexology (June 6, 2017), https://www.lexology.com/library/detail.aspx?g=c7b72edb-2cdc-4173-8dd0-c5a4733599b8 (“This novel FCA settlement illustrates that health care fraud prosecution extends far beyond just the health care providers and payors that directly submit claims to Medicare, Medicaid and other federal health care programs, and can extend liability to subcontractors, agents, and vendors.”).
107.  U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., Corporate Integrity Agreement Between the Office of the Inspector General of the Department of Health and Human Services and EClinicalWorks, LLC (May 26, 2017), https://oig.hhs.gov/fraud/cia /agreements/eclinicalworks 05302017.pdf. [hereinafter eCW CIA]. 
108.  Id. at 28.
109.  Id. at 9.
110. Id. at 27.
111. Sullivan, T., eClinicalWorks clients 'left out in the cold' as EHR vendor not complying with DOJ settlement, Healthcare IT News (May 7, 2018), https://www.healthcareitnews.com/news/eclinicalworks-clients-left-out-cold-ehr-vendor-not-complying-doj-settlement.
112. Id.
113. Corporate Integrity Agreement Enforcement, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., https://oig.hhs.gov/fraud/enforcement/ciae/ (last visited Dec. 12, 2020).
114. Sweeney, E., OIG fines eClinicalWorks $132,500 for patient safety reporting failures, FierceHealthcare (July 30, 2018), https://www.fiercehealthcare.com/tech/eclinicalworks-oig-corporate-integrity-agreement-ehr-patient-safety-fine-violation; See also Davis, J., eClinicalWorks fined $132,500 by HHS OIG for patient safety risk, Healthcare IT News (July 31, 2018), https://www.healthcareitnews.com/news/eclinicalworks-fined-132500-hhs-oig-patient-safety-risk.
115. Cannatti, J.A., Gottlieb, D.F. & Maida, T., Questions Remain for the EHR Industry as a Second EHR Vendor, Greenway Health, Settles False Claims Act Allegations, The Nat’l L. Rev. (Feb. 26, 2019), https://www.natlawreview.com/article/questions-remain-ehr-industry-second-ehr-vendor-greenway-health-settles-false-claims. See also Sullivan, T., Here’s What Greenway Has to Do as a Result of the $57.25 million False Claims Act Settlement, Healthcare IT News (Feb. 7, 2016), https://www.healthcareitnews.com/news/heres-what-greenway-has-do-result-5725-million-false-claims-act-settlement  (“It’s too soon to tell whether Greenway’s clients will face a similar fate or not, but this settlement is likely to fortify the thought that the DOJ will continue probing other EHR vendors with similar investigations.”).
116. Press Release: Electronic Health Records Vendor to Pay $57.25 Million to Settle False Claims Act Allegations (Feb. 6, 2019), U.S. Dep’t of Justice, https://www.justice.gov/opa/pr/electronic-health-records-vendor-pay-5725-million-settle-false-claims-act-allegations.
117. United States’ Complaint, U.S. v. Greenway Health, LLC, 2:19-cv-20 (D. Vt. Feb. 6, 2019) [hereinafter Greenway Complaint].
118. Cannatti et al., supra n. 115.
119. Press Release, supra n. 116.
120.  Press Release: Electronic Health Records Developer To Pay Second Largest Recovery In The History Of The District Of Vermont -- $57.25 Million -- To Settle False Claims Act Allegations, U.S. Dep’t of Justice, D. Vt. (Feb. 6, 2019), https://www.justice.gov/usao-vt/pr/electronic-health-records-developer-pay-second-largest-recovery-history-district-vermont.
121. Greenway Complaint, supra n. 117 at 11.
122. Id. at 15.
123. Id. at 18-25.
124. Id. at 15.
125. Cannatti et al., supra n. 115.
126. Id.
127. U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., Corporate Integrity Agreement Between the Office of the Inspector General of the Department of Health and Human Services and Greenway Health, LLC (Feb. 5, 2019), https://oig.hhs.gov/fraud/cia/agreements/Greenway_Health_LLC_02052019.pdf [hereinafter Greenway CIA].
128. About Practice Fusion, Practice Fusion, https://www.practicefusion.com/about/ (last visited Jan. 3, 2020).
129. Truong, K., Allscripts Agrees to $145M Settlement for Practice Fusion Investigation, MedCity News (Aug. 9, 2019), https://medcitynews.com/2019/08/allscripts-agrees-to-145m-settlement-for-practice-fusion-investigation/ (“At its peak, the San Francisco-based company was valued at $1.5 billion.”).
130.  Id.
131. Press Release: Electronic Health Records Vendor to Pay $145 Million to Resolve Criminal and Civil Investigations, U.S. Dep’t of Justice, D. Vt. (Jan. 27, 2020), https://www.justice.gov/opa/pr/electronic-health-records-vendor-pay-145-million-resolve-criminal-and-civil-investigations-0.
132. Id.
133. Id.
134. Id.
135. Daniel, J.G., Hibbert, K.H., & Logan, I., Practice Fusion Settlement Highlights Government’s Increasing Focus on Health Information Technology Certification and Financial Relationships in Enforcement Actions, Crowell Moring Client Alert (Feb. 4, 2020), https://www.crowell.com/NewsEvents/AlertsNewsletters/all/Practice-Fusion-Settlement-Highlights-Governments-Increasing-Focus-on-Health-Information-Technology-Certification-and-Financial-Relationships-in-Enforcement-Actions/pdf.
136. United States’ Deferred Prosecution Agreement, U.S. v. Practice Fusion, Inc., No. 2:20-CR-00011-WKS (D. Vt. Jan. 27, 2020) [hereinafter Practice Fusion DPA].
137. Id. at Exhibit G.
138. Id.
139. Id.
140.  Press Release: New Jersey Electronic Health Records Company to Pay $500,000 to Resolve False Claims Act Allegations, U.S. Dep’t of Justice, D. N.J. (Aug. 27, 2020), https://www.justice.gov/usao-nj/pr/new-jersey-electronic-health-records-company-pay-500000-resolve-false-claims-act.
141. United States’ Complaint, U.S. ex rel. Wilson v. Viztek, Inc., (D. N. J. Aug. 27, 2020), https://www.justice.gov/usao-nj/press-release/file/1310086/download [hereinafter Viztek Complaint].
142. Id. (“[Founder and president] told Relator to get the software certified, ‘I don’t care if you have to lie, beg, cheat, steal, or kill.’ [He] indicated that if certification was not complete by February 2016, they could lose millions of dollars.”)
143. Id.
144. Landi, H., What Are the Potential Ripple Effects of the eClinicalWorks Settlement?, Healthcare Informatics (June 14, 2017), https://www.hcinnovationgroup.com/policy-value-based-care/article/13028770/what-are-the-potential-ripple-effects-of-the-eclinicalworks-settlement. See also Schulte & Fry, supra n. 19 (The authors introduced the first of their series of articles with a concise summary of the issue: “The U.S. government claimed that turning American medical charts into electronic records would make health care better, safer, and cheaper. Ten years and $36 billion later, the system is an unholy mess.”).
145. Farringer, D., The Computer Made Me Do It: Is There a Future For False Claims Act Liability Against Electronic Health Record Vendors?, 18 Nev. L.J. 735, 738 (2018).
146. Landi, supra n. 144.
147. Id.
148. Schulte & Fry, supra n. 12.
149. Finegan, S., The False Claims Act and Corporate Criminal Liability: Qui Tam Actions, Corporate Integrity Agreements and the Overlap of Criminal and Civil Law, 111 Penn St. L. Rev. 625, 641 (2007).
150. 31 U.S.C. §§ 3729(a)(l)(A) and (B).
151. d. § 3729(b)(2).
152. Id. § 3729(b)(l)(B).
153. Id. § 3729(a)(l).
154. Fraud Risk Indicator, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., https://oig.hhs.gov/compliance/corporate-integrity-agreements/risk.asp. (last visited Dec. 11, 2020).
155. Finegan, supra n. 149 at 650.
156. Id.
157. Fraud Statistics—Overview (Oct. 1, 1986 – Sept. 30, 2019), U.S. Dep’t of Justice, https://www.justice.gov/.
158. 42 U.S.C. § 1320a-7(b).
159. Pub. L. 95-142.
160.  The Effect of Exclusion from Participation in Federal Health Care Programs, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., (September 1999), https://oig.hhs.gov/exclusions/effects_of_ exclusion.asp.
161. Young, H., HHS OIG Exclusion Overview, AHLA Institute on Medicare and Medicaid Payment Issues (March 2013), https://www.healthlawyers.org/Events/Programs/Materials/Documents/MM13/e_young.pdf.
162. Id.
163. Id.
164. Exclusions FAQs, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., https://oig.hhs.gov/faqs/exclusions-faq.asp.
165. The Effect of Exclusion, supra n. 160.
166. Exclusion Authorities, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., https://oig.hhs.gov/exclusions/authorities.asp.
167. Id.
168. Id.
169.  Malkin, H., Settlement Considerations: CIA or No CIA? ProviderTrust (July 21, 2017), https://www.providertrust.com/blog/settlement-considerations-cia-or-no-cia/.
170. Young, supra n. 161.
171. 42 U.S.C. § 1320a-7(b)(1) and (7).
172. Malkin, supra n. 169.  See also Drissel, D. et al., Enforcement Focus on Individuals: The HHS OIG’s Multifaceted Assault, BNA’s Health Care Fraud Rep., (Dec. 1, 2010), https://www.hoganlovells.com/~/media/hogan-lovells/pdf/publication/ pdfartic2_pdf.pdf  (“Exclusion is often referred to within the industry as the ‘nuclear option’ based on its devastating effect on the excluded party.”).
173. Drissel, supra n. 172.
174. Finegan, supra n. 149 at 651 (citing Brainin, S.L., Health Care: A Unique Criminal and Civil Enforcement Environment, 45 S. Tex. L. Rev. 131, 132 (2003) (“Perhaps the most devastating civil sanction of all is an administrative sanction—exclusion from Medicare.”)).
175. Corporate Integrity Agreements, U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., https://oig.hhs.gov/compliance/corporate-integrity-agreements/index.asp.
176. Malkin, supra n. 169.
177. U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., Notice for Potential Monitors for Quality-of-Care Corporate Integrity Agreements, 74 Fed. Reg. 52964-03 (Oct. 15, 2009), https://www.federalregister.gov/documents/2009/10/15/E9-24715/office-of-inspector-general-notice-for-potential-monitors-for-quality-of-care-corporate-integrity.
178. Fraud Risk Indicator, supra n. 154 (The website includes a graph showing OIG typical responses based on a spectrum of risk, from self-disclosure requirements for lower risk, CIAs for medium risk, and exclusion for higher risk.)
179. Id.
180.  U.S. Dep’t of Health and Hum. Serv. Off. Inspector Gen., Criteria for implementing section 1128(b)(7) exclusion authority (Apr. 18, 2016), https://oig.hhs.gov/exclusions/files/1128b7exclusion-criteria.pdf.
181. Id.
182. Finegan, supra n. 149 at 657.
183. Id. at 657-58.
184. Id. at 658.
185. Id. at 660.
186. Id.
187. Id. at 667.
188. Justice Manual, U.S. Dep’t of Just. (revised July 2020), https://www.justice.gov/jm/justice-manual (last visited Dec. 11, 2020).
189.  Id.
190.  Alexander, C.R. & Cohen, M.A., The Evolution of Corporate Criminal Settlements: An Empirical Perspective on Non-Prosecution, Deferred Prosecution, and Plea Agreements, 52 Am. Crim. L. Rev. 537, 538 (2015).
191. Id. at 557.
192. Id.
193. Id. at 555.
194. See supra the discussion of the Viztek settlement. With Viztek defunct, there was no CIA or DPA in this case.
195. See supra Regulating Electronic Health Records.
196. Schulte & Fry, supra n. 18.
197. Murphy, K., ONC Details Plan for Health IT Safety Center, Patient Safety, EHR Intelligence (July 21, 2015), https://ehrintelligence.com/news/onc-details-plan-for-health-it-safety-center-patient-safety.
198. Schulte & Fry, supra n. 18 (“‘A lot of people involved with patient safety and medical informatics were horrified,’ said Ross Koppel, a University of Pennsylvania sociologist and prominent EHR safety expert. Koppel said the industry won legal status as a ‘regulatory free zone’ when it came to safety, an outcome he called a ‘scandal beyond belief.’”).
199. 45 C.F.R. § 170.315 (2016) (Examples of recognized QMSs from standards developing organizations are ISO 9000 Quality Management and ISO 13485 Medical Devices Quality Management Systems.)
200.    §170.315(g)(4) Quality Management System. Off. of the Nat’l Coordinator of Health IT, https://www.healthit.gov/test-method/quality-management-system#test_procedure (last visited Dec. 12, 2020).
201. Landi, supra n. 144 (“One of the things that has come to light is that the certification program itself is highly reliant on the honor system.”).
202.   Certified Health IT Product List, supra n. 61.
203.   Schulte & Fry, supra n. 18.
204.   Premarket Approval (PMA), U.S. Food and Drug Admin, https://www.fda.gov/medical-devices/premarket-submissions/premarket-approval-pma  (“Due to the level of risk associated with Class III devices, FDA has determined that general and special controls alone are insufficient to assure the safety and effectiveness of Class III devices. Therefore, these devices require a premarket approval (PMA) application under section 515 of the FD&C Act in order to obtain marketing approval….PMA approval is based on a determination by FDA that the PMA contains sufficient valid scientific evidence to assure that the device is safe and effective for its intended use(s).”).
205.   General Principles of Software Validation: Final Guidance for Industry and FDA Staff, U.S. Food and Drug Admin (Jan. 11, 2002).
206.   Id.
207.   Id.
208.   See supra Litigation as a Piecemeal Way to Regulation.