On May 31, 2019, the U.S. Attorney for the District of Kansas announced a $250,000 settlement with Coffey Health System, after two whistleblowers filed a qui tam suit against Coffey for violations of the False Claims Act. The settlement resolved allegations that Coffey submitted false claims to Medicare and Medicaid pursuant to the Electronic Health Records Incentive Program. That program offers incentive payments to healthcare providers who adopt meaningful electronic health records (EHR) technology and systems. This case is the most recent in a slew pursued by the Department of Justice. It is a helpful reminder that clients should conduct effective risk analyses when determining whether to adopt EHR technologies in accordance with the federal incentive program.

What is the EHR Incentive Program?

The Electronic Health Records Incentive Program is a provision under the Health Information Technology for Economic and Clinical Health (HITECH) Act – a federal law enacted as part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5 (Feb. 17, 2009)), which amended the Health Insurance Portability and Accountability Act (HIPAA) to address privacy and security concerns associated with the electronic transmission of protected health information. The HITECH Act includes provisions aimed at encouraging health organizations to digitize their health records and record systems. The Act also includes a financial incentives program, or a “meaningful use program.”

Specifically, the Department of Health and Human Services (HHS), through Medicare and Medicaid, offers incentive payments to healthcare providers who agree to comply with certain EHR technology standards and requirements, such as using certified EHR systems, attesting that the organization satisfies certain implementation standards and security risk measures, and other ongoing compliance provisions. When companies attest they are in compliance with the incentive program’s requirements, healthcare providers must acknowledge that the filing of such an attestation equates to submitting a claim for federal funds. False statements in any federally filed documents related to the program are subject to federal and state criminal laws and civil penalties.

Businesses taking advantage of the incentive program must demonstrate meaningful use of the EHR records within one year of receiving funds, or face potential penalties, or delayed or cancelled future disbursements. Full noncompliance may lead to sanctions and mandatory reimbursement in full. Incentive payments are audited by HHS and Medicare/Medicaid, and often require documentation to support proof of any attestation that the providers are in compliance with the program, and have made the noted system improvements. Health care organizations who do not comply risk liability when making false attestations, or from knowingly receiving “reverse false claims” through overpayment or retention of payments unsubstantiated and unearned.

DOJ Enforces False Attestations in the EHR Incentive Program

The False Claims Act (31 U.S.C. Sections 3729-3733) creates civil liability for knowingly presenting, or causing to be presented, false or fraudulent claims to the United States. The Act permits private persons to file suit for violations of the statute on behalf of the government, in what is known as a “qui tam” action. Such a suit triggers a government investigation if one has not already begun.

On May 7, 2019, the Department of Justice issued updated guidance on False Claims Act matters. Essentially, whistleblowers and cooperators are incentivized to voluntarily disclose misconduct within their organizations, and can receive financial compensation for their conduct. Companies are further encouraged to cooperate with any federal investigation, and under the updated policy, the Department will take into account any corrective action a company takes in response to an allegation of wrongdoing under the False Claims Act. Such credit generally takes the form of a reduction in damages assessed and/or civil penalties. Under the updated policy, the Justice Department “may” publicly acknowledge the company’s cooperation. The updated guidance offers instructive insight into the Department’s recent push to prosecute those who falsely attest to complying with the EHR Incentive Program.

United States ex rel. Awad et al. v. Coffey Health System (2:16CV02034 (D. Kan.))

Coffey Health System is a twenty-five-bed “critical access” hospital in central Kansas. In 2016, the hospital’s former Chief Information Officer (CIO) and corporate compliance officer filed a qui tam suit under the False Claims Act, claiming that Coffey falsely attested that it conducted and reviewed security risk analyses in accordance with the EHR Incentive Program. The whistleblowers contended that, from 2011 through 2016, Coffey failed to comply with the appropriate standards and received more than $3 million in payments from the incentive program without adhering to its terms. The suit alleges that, during this same time period, Coffey represented that patient data submitted to Medicare and Medicaid was captured and exported through certified EHR technology, when in fact it was captured and exported manually. The CIO stated that in 2014 he reported his concerns to hospital officials after he was able to access patient records through a county-wide shared firewall, in clear violation of EHR Incentive policies. Though the CIO attempted to correct many of the issues, the hospital allegedly failed to devote resources to the security risk analysis findings, and further failed to provide the CIO with the tools and support to correct the deficiencies. In addition, the hospital purportedly failed to properly document its efforts to adhere to the EHR. Coffey Health System decided to settle the matter with the Department of Justice, returning $250,000 of the more than $3 million it received under the incentive program. Consistent with DOJ policy, the whistleblowers will receive $50,000 of the settlement.

Other Enforcement Actions

HHS and the Department of Justice have investigated and settled several similar cases. In 2015, the Eastern District of Texas criminally prosecuted the former Chief Financial Officer (CFO) of Shelby Regional Medical Center for making false statements in connection with funds distributed to the office by the EHR Incentive Program. The CFO pled guilty, was sentenced to 23 months in prison, and was personally ordered to pay over four million dollars in restitution. (U.S. v. White, 6:14CR0005-001 E.D. Tex.)

In what has been billed as Vermont’s largest financial recovery, the Department investigated and negotiated a settlement with eClinicalWorks, one of the nation’s largest EHR software manufacturers, requiring it to pay $155 million to resolve the civil qui tam suit. (U.S. ex rel. Delaney v. eClinicalWorks LLC, 2:15CV00095 (D. Vt.)). In that case, the whistleblower filed suit alleging that the software company misrepresented its product’s capabilities to HHS, and falsely certified that its software complied with the statutory requirements, among other claims. The qui tam claimant received more than $30 million as part of the settlement.

In 2019, Greenway Health, a Tampa, Florida-based developer of EHR software, agreed to pay a $57.25 million fine to settle allegations brought under the False Claims Act that Greenway misrepresented its software’s capabilities, leading to false claims submitted through its use. (U.S. v. Greenway Health, LLC, 2:19CV20 (D. Vt.)). In addition, Greenway was allegedly inducing new customers to use its software by making “unlawful remunerations,” thereby violating the Anti-Kickback statute. Greenway’s faulty software, according to the Department, did not comply with the requirements for EHR certification.

Best Practices: Requirements for Conducting Effective Risk Analysis

In general, electronic health records need to be maintained with an emphasis on sophisticated, HIPAA-compliant privacy systems. Participation in the EHR Incentive Program exacerbates a client’s potential exposure by requiring those receiving monies to consistently certify their adherence to the rules, and attest that the entity is consistently using, maintaining, and where necessary, improving the system in accordance with the guidelines. Health care providers should also do dogged due diligence to ensure their chosen EHR software is certified by HHS, and has a demonstrated successful track record of creating reliable outcomes. Further, when health care companies decide to implement EHR technological programs, they should provision for adequate internal processes and controls to collect and maintain appropriate records supporting the required incentive attestations, and to ensure the company is at all times in compliance with the program’s guidelines.