The government accused eClinical Works, LLC (“eCW”), an EHR software company, of falsifying Meaningful Use certifications under the ONC Health IT Certification Program, https://www.healthit.gov/policy-researchers-implementers/about-onc-health-it-certification-program. The Feds claimed that the accused misrepresented the capabilities of its software. They alleged that, to pass certification testing without meeting the certification criteria for standardized drug codes, eCW modified its software by “hardcoding” only those drug codes required for testing. Because of ECW’s alleged falsifications, OIG asserted, any entities depending on the company’s software submitted false claims for federal meaningful use incentive payments. See Complaint, https://www.justice.gov/opa/press-release/file/970346/download.
The company and three of its founding executives have agreed to pay $155 million for allegedly prompting improper EHR incentive payments. The whistle-blower who entrained OIG’s attack will walk away with a tidy $30 million. eCW has also entered into a characteristically onerous, 5-year corporate integrity agreement (“CIA”) with the OIG, available at https://oig.hhs.gov/fraud/cia/agreements/eclinicalworks_05302017.pdf.
The CIA includes a full panoply of requirements, restrictions, hassles, and costs. As is often done, it requires the accused, here eCW, to
- name a compliance officer and committee
- create a Disclosure Program
- notify existing customers of options for upgrades or data transfer, at no charge to them
- prepare a wide array of reports, including of payments to health care providers
- develop a set of policies and procedures to promote compliance
- create a QA program and a code of conduct
- provide training and education for employees
- create a “Software Quality Assurance Dashboard”
- hire an Independent Review Organization to, among other things, follow a Focus Arrangements Tracking System and prepare an arrangements review report, and
- file periodic Management Certifications that the company is complying with the CIA.
The CIA also obliges eCW to hire an SQOO (software quality oversight organization) to oversee much of its business; though the “SQOO is not an agent of OIG[,]…[it] may be removed by OIG at its sole discretion.” Should a dispute arise, eCW is to try to work it out with the SQOO, but if it is unsuccessful OIG will simply impose whatever requirements it deems appropriate.
The CIA also prohibits eClinicalWorks from restricting its customers from discussing—in any forum—problems that they might be experiencing with the vendor’s software,
The CIA provides for stipulated penalties for failure to comply with certain obligations, and the risk of exclusion from federal health care programs for material breaches. The language is sweeping:
“Stipulated Penalties Review. Notwithstanding any provision of Title 42 of the United States Code or Title 42 of the Code of Federal Regulations, the only issues in a proceeding for Stipulated Penalties under this CIA shall be: (a) whether eCW was in full and timely compliance with the obligations of this CIA for which OIG demands payment; and (b) the period of noncompliance. eCW shall have the burden of proving its full and timely compliance and the steps taken to cure the noncompliance, if any.”
Note that (b) seems to assume that the answer to (a) will always be yes. Note also that the burden of proof is on the accused. OIG also retains all the inspection, audit, and review rights it had without entering into the CIA.
The CIA is also notable for its repeated use of the phrase: “the requirements of payment programs involving the use of health information technology and the regulations and other guidance related to these programs…” (emphasis added) This language seems to imply that OIG sees regulations as “guidance.” It’s but a baby step from that implication to the notion that guidance documents have the same stature, and legally binding effect, as actual regulations.
OIG claims that these burdensome restrictions will not only improve compliance, but advance patient safety, on the theory that the use of software that fails to meet the government’s certification requirements means that labs, critical tests, and prescriptions may not be accurately processed.
eClinicalWorks denied any wrongdoing.
This is the first time the government has entered into a civil settlement with a vendor of electronic health records software for allegedly violating the False Claims Act. The settlement seems unlikely to strengthen the confidence of healthcare professionals or institutions in the electronic record-keeping system they have been effectively forced to adopt. Companies providing electronic records should go to school on the experience of eCW, to reduce the chances they could be similarly treated.
The severity and complexity of the CIA are disturbing. Its provisions do provide a roadmap, however, for companies attempting to comply with the intricacies of fraud and abuse laws. Many, though certainly not all, of the CIA’s provisions are relatively old hat, such as establishing a compliance officer and committee, a training program, a disclosure program, and so forth. Taking all the steps in the CIA is not necessary. Taking just those that are well-established is taxing enough, but given the alternative, worth the trouble. The government is only too eager to launch attacks such as this, and is well aware that few if any companies can afford to risk a trial.