Healthcare Entities Off the Hook in eClincialWorks' CaseProviders Won't Be Penalized for Using Vendor's EHR to Obtain HITECH Incentives
Federal regulators will not penalize healthcare providers that attested to meeting HITECH Act "meaningful use" incentive payment requirements using electronic health records from eClinicalWorks, a vendor that recently settled a false claims case with federal prosecutors.
The vendor recently signed a $155 million deal to settle with federal prosecutors a case alleging that it made false claims about its software meeting certain technical requirements, including some related to security, under the HITECH EHR certification program (see eClinicalWorks Case Shines Spotlight on Data Integrity).
The Centers for Medicare and Medicaid Services, which administers EHR financial incentive payments under the HITECH Act, confirmed to Information Security Media Group that it will not punish eligible hospitals and healthcare providers that attested to meeting meaningful use requirements using eClinicalWorks' falsely certified technology.
"Providers that in good faith successfully attested using eCW software and received an incentive payment will not have to repay the incentive payment," a CMS spokesman says. "CMS realizes that providers may rely on the software they use for accuracy of reporting and CMS does not plan to audit eCW providers based on the settlement under which eCW has agreed to repay approximately $125 million to the Medicare and Medicaid EHR incentive payment program."
The resolution of the case in June also included a $30 million payment to a whistleblower - Brendan Delaney, a software technician formerly employed by the New York City Division of Health Care Access and Improvement - as well as eClinicalWorks signing a five-year corporate integrity agreement with the Department of Health and Human Services' Office of Inspector General.
Among other provisions, the corporate integrity agreement requires eClinicalWorks to retain an Independent Software Quality Oversight Organization to assess the company's software quality control systems and provide written semi-annual reports to OIG.
That agreement also requires eClinicalWorks to allow customers to obtain updated versions of their software free of charge and to give customers the option to have eClinicalWorks transfer their data to another EHR software provider without penalties or service charges.
Allegations of False Claims
Under the HITECH Act, HHS offers incentive payments to healthcare providers that adopt certified EHRs and meet certain requirements relating to their "meaningful use" of the technology.
The case against eClinicalWorks alleged that the vendor falsely obtained certification for its EHR software "when it concealed from its certifying entity that its software did not comply with the requirements for certification," federal prosecutors allege.
Among the allegations against eClinicalWorks is that its software "did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks."
In addition, prosecutors say the vendor's software failed to satisfy "data portability requirements" intended to permit healthcare providers to transfer patient data from the eClinicalWorks EHR to other vendors' software.
To date, more than $35 billion has been paid to healthcare providers participating in the HITECH EHR incentive program, according to CMS.
Kate Borten, president of privacy and security consulting firm, The Marblehead Group, says she agrees with CMS' decision not to penalize healthcare providers that used eClinicalWorks' EHR to attest to and receive HITECH financial incentives.
"This is definitely the right decision. It is the vendor's actions that should be penalized," she says. "Providers had reasonable expectations that the eClinicalWorks software met the certification criteria, including data integrity verification. I believe the most serious issue is the risk to patient safety revealed in the failure to assure protected health information integrity."
More Scrutiny to Come?
So, does the eClinicalWorks case signal increased potential scrutiny of EHR software by HHS looking ahead?
Not necessarily, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"In a number of cases, [the HHS] Office of the National Coordinator for Health IT has revoked the certifications of EHR technology because of complaints from users," Holtzman notes. "However, there has been criticism about the complaint process being opaque and that healthcare organizations are left on their own to perform their own fitness and usability testing on EHRs that have been provided the ONC stamp of approval," he says.
In addition, it's unclear if HHS Secretary Tom Price supports having HHS take on an enforcement role over EHRs, Holtzman says. "We will have to see if this settlement with eClinicalWorks brings about a change in his thinking."
Borten says that for pragmatic reasons, she doubts there will be increased inspection by HHS of EHR vendors' meaningful use-related claims.
"I would like to see further scrutiny of certified EHRs, but I think it's unlikely given budget questions and higher priorities," she says.
While it appears that eClinicalWorks customers don't have to worry about the federal government trying to claw back meaningful use financial incentives that were paid by CMS, the case provides some lessons for healthcare entities when it comes to vetting the claims of EHR software vendors.
"Every organization should perform a risk assessment of the functions and operability of the EHR to determine if there are vulnerabilities that could alter or impact the integrity of the data entered into the system," Holtzman says.
"It is vital to patient safety clinicians and patients have confidence that the EHR is accurately recording or reporting data which could affect patient safety."
Borten says that ideally, healthcare providers should have a list of functional requirements - both for the user functions and for the security and privacy functions - before they shop for an EHR or other applications.
"Security functions that are missing or very cumbersome should be a red flag," she says.
"Typically, vendors let potential customers test-drive the product, including seeing security controls such as user account management. Unfortunately, many other security controls - such as data verification and encryption - can't be tested beforehand, and can be difficult to test even after the contract is signed. It becomes a matter of trust in the vendor. In this [eClinicalWorks] case, regrettably, it was misplaced."