On May 31, 2017, the U.S. Department of Justice (DOJ) announced a $155 million settlement with eClinical Works (ECW), a nationally-known electronic health records (EHR) software vendor. The settlement arises out of a lawsuit, United States of America, ex re. Delaney v. eClinicalWorks, LLC,1 alleging that ECW falsely obtained certification for its EHR software and therefore "caused the submission of false claims for federal incentive payments based on the use of ECW's software."2
The Medicare and Medicaid EHR Incentive Program, adopted pursuant to the HITECH Act,3 has provided monetary incentives to certain eligible providers of healthcare services (e.g., physicians and hospitals, collectively referred to for purposes of this alert as "Eligible Providers") who become "meaningful users" of "certified electronic health record technology (CEHRT)." Eligible Providers cannot use merely any EHR software product in order to become meaningful users; they must purchase or acquire CEHRT. Software vendors obtain certification for their EHR products by attesting that the products satisfy HHS-adopted criteria and by passing testing by an accredited independent certifying entity approved by HHS.4
Since the inception of the EHR Incentive Program, CMS has paid approximately $24 billion dollars in EHR incentive payments to Eligible Providers who have attested to achieving meaningful use with the aid of CEHRT.5 With so much federal money at stake, it is hardly surprising that audits of providers commenced shortly after the inception of payments and have increased in number and scope.
The Specific Allegations Against ECW
In its complaint in intervention in the Delaney case, the government asserted that "ECW falsely represented to its certifying bodies and the United States that its software complied with the requirements for certification and for the payment of incentives under the Meaningful Use program." Among the specific allegations was that "ECW … failed to adequately review its bugs or service tickets to analyze whether or not software issues impacted the software's ability to meet the standards, implementation specifications, and certification criteria and perform in a reliable manner consistent with its certification." Moreover, the government alleged that:
In advance of its certification testing, ECW reviewed the publicly available test scripts for ePrescribing and identified the sixteen drugs for which ECW would need to generate a prescription during testing [by the HHS-approved certification body]. ECW then "hardcoded" into its testing software only the sixteen … codes it knew in advance that its certification body would test. In other words, rather than programming the capability to retrieve any code from the entire database of Rx.Norm codes, ECW simply typed the sixteen Rx. Norm codes necessary for testing directly into its software. ECW hardcoded the requisite Rx. Norm codes for the purpose of making its certification body believe it had implemented the Rx. Norm drug vocabulary and to pass certification testing.
The government further alleged that ECW's software did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks. In addition, ECW's software allegedly failed to satisfy data portability requirements intended to permit healthcare providers to transfer patient data from ECW's software to the software of other vendors. As a result of these and other deficiencies in its software, the government asserted that ECW caused the submission of false claims for federal incentive payments based on the use of ECW's software.
The $155 million Delaney settlement, which did not involve any determination of liability with respect to ECW, is the largest False Claims Act recovery in the District of Vermont. As part of the settlement, ECW entered into a Corporate Integrity Agreement (CIA) with the HHS Office of Inspector General covering the company's EHR software. This five-year CIA requires, among other things, that ECW retain an Independent Software Quality Oversight Organization to assess ECW's software quality control systems and provide written semi-annual reports to OIG and ECW documenting its reviews and recommendations. ECW must provide prompt notice to its customers of any safety related issues and maintain on its customer portal a comprehensive list of such issues and any steps users should take to mitigate potential patient safety risks. The CIA also requires ECW to allow customers to obtain updated versions of their software free of charge and to give customers the option to have ECW transfer their data to another EHR software provider without penalties or service charges.
Why is this Settlement Significant?
Attestations filed in order to obtain Medicare EHR incentive payments are considered federal claims in the same manner as the claims for healthcare services that Medicare-enrolled providers file. As such, they are subject to the Federal False Claims Act (FCA), which provides significant civil liability for any person who knowingly submits a false claim to the government or causes another to submit a false claim to the government or knowingly makes a false record or statement to get a false claim paid by the government,6 The FCA is the government's primary civil enforcement tool due to the damages and penalty provisions and because the FCA allows private persons, or qui tam relators, to file suit for violations of the FCA on behalf of the government.
The vast majority of FCA allegations and suits are filed against the healthcare providers who directly file the claims with the federal government and directly receive the federal dollars. Not nearly as much attention has been paid to the portion of the FCA that forbids a person knowingly to "cause another to submit a false claim."7 Yet, this high-dollar settlement involved a relator pursuing an EHR vendor, not the Eligible Providers who used the vendor's software and directly submitted the attestations for EHR Incentive payments to the federal government.
The ECW settlement is a cautionary tale not only for EHR vendors but also for any other vendors whose product capabilities are intrinsic to healthcare providers making claims to the federal government (and whose product capabilities might therefore be seen as a condition to payment of such claims). Moreover, for EHR vendors specifically, the potential for false claims exposure does not end with the sunset of the EHR Medicare Incentive Program at the end of 2018. Many of the elements of the EHR Medicare Incentive Program, including the need for using CEHRT, have been folded into the Merit-Based Incentive Payment System (MIPS), which CMS will use to start replacing the current Medicare physician fee schedule beginning in 2019.