Allscripts Faces $145 Million Settlement With DOJAt Issue: HIPAA, HITECH Act, Anti-Kickback Statute Compliance of Company It Acquired
Health IT vendor Allscripts says it has reached a preliminary $145 million settlement with the Department of Justice related to the business practices of Practice Fusion, an electronic health record vendor the company acquired last year. Although details of the settlement are sketchy, it involved compliance with HIPAA, the HITECH Act electronic health record incentive program and the Anti-Kickback Statute.
In a statement about its second quarter earnings, and during a conference call with financial analysts on Thursday, Allscripts said it recorded the multimillion dollar settlement expense in the quarter ended June 30. Allscripts acquired Practice Fusion in February 2018 for $100 million.
In its statement, Allscripts says it believes the amount “will be sufficient to resolve all potential civil and criminal liability in connection with these investigations.” Company President Rick Poulton told financial analysts during the earnings call that the inquiries by investigators began prior to the acquisition of Practice Fusion, which has since been renamed Veradigm.
”These investigations had many similarities to investigations that have either been settled or remain active with many of our industry competitors,” Poulton told analysts, according to a transcript of the earnings call published by financial investment news site Motley Fool.
Last year, the Justice Department and the Department of Health and Human Services announced a $155 million lawsuit settlement with another EHR vendor, eClinicalWorks, in a case alleging the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements.
Earlier SEC Filing
In a May filing with the Securities and Exchange Commission, Allscripts noted the federal investigations, saying that Practice Fusion in March 2017 received a request for documents and information from the U.S. Attorney’s Office for the District of Vermont related to a civil investigative demand, or CID.
”Between April 2018 and January 2019, Practice Fusion received five additional requests for documents and information through another CID and HIPAA subpoenas,” the SEC filing says.
”In March 2019, Practice Fusion received a grand jury subpoena in connection with a related criminal investigation. The document and information requests received by Practice Fusion relate to both the certification Practice Fusion obtained in connection with the HHS [HITECH Act] EHR incentive program and Practice Fusion’s compliance with the Anti-Kickback Statute and HIPAA as it relates to certain business practices engaged in by Practice Fusion,” the company’s SEC filing said.
The HHS Office of Inspector General describes the federal Anti-Kickback Statute as prohibiting the knowing and willful payment of "remuneration" – or anything of value - to induce or reward patient referrals or the generation of business involving any item or service payable by federal healthcare programs.
During the earnings call on Thursday, Poulton said that after Allscripts acquired Practice Fusion, the Justice Department investigations continued to expand and required expanding levels of resources from Allscripts to support.
”Thus, we were highly motivated to reach an accord with the DOJ as soon as possible so that we can put this chapter behind us,” Poulton said, according to the call transcript.
”So while the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” Poulton said. “We will work with the DOJ to finalize the details of the settlement over the coming months, and we expect to have recoveries from a variety of third parties that will help offset a portion of the amounts we have agreed to pay the government.”
Neither Allscripts nor the Justice Department immediately responded to Information Security Media Group’s requests for comment.
What’s Behind the Settlements?
Privacy attorney David Holtzman of the security consultancy CynergisTek notes that, so far, “there is scant information that helps us understand the evidence uncovered by the Department of Justice in its investigation of Practice Fusion. There seem to be two major thrusts involving whether the EHR had met the HITECH standards set to be eligible as certified electronic health record technology and a violation of the federal kickback standards governing anti-competitive behavior in healthcare.”
HHS will determine what direction to take concerning those who received HITECH Act incentive payments as a result of implementing the Practice Fusion EHR, Holtzman says. “If the 2017 settlement between the federal government and eClinicalWorks serves as a guide, CMS will not seek repayments” from Practice Fusion users, he adds. “It remains to be seen if healthcare professionals or facilities will be held accountable for business practices that are deemed in violation of the anti-kickback standards.”
As to the HIPAA-related aspects of the Practice Fusion investigations, Holtzman notes, “HIPAA authorized creation of an umbrella of standards and requirements ranging from the use of transactions and code sets to the privacy and information security of individually identifiable health information. Practice Fusion offered a range of services to healthcare organizations that touched on all facets of the HIPAA administrative simplification standards. There is no indication what provisions of HIPAA that Practice Fusion has been suspected of violating.”
This isn’t the first time Practice Fusion has faced a settlement with federal regulatory authorities related to allegations about its business practices.
In 2016, the Federal Trade Commission settled with Practice Fusion in a case involving the EHR vendor allegedly “deceiving consumers about privacy of doctor reviews and failing to adequately warn patients that survey responses would be posted on a public website.” (See: Analysis: FTC’s Privacy Settlement with EHR Vendor).