Has the DOJ Investigation Into eClinicalWorks Opened a Can of Worms?

by Megan R. George

eClinicalWorks, a provider of electronic health record software (“Software”) to physician offices and hospitals nationwide, recently reached a settlement with the United States government for its alleged involvement in falsely certifying the capabilities of its Software. After Brendan Delaney, a former employee of the New York City Division of Health Care Access and Improvement, alerted the government to perceived issues with the Software, the Department of Justice brought suit against eClinicalWorks for violating the False Claims Act, more specifically for allegedly misrepresenting the capabilities of the Software and for allegedly paying kickbacks to customers in exchange for those customers certifying its product.

The American Recovery and Reinvestment Act of 2009 established the Electronic Health Record Incentive Program, which offered incentive payments to health care providers that switched from traditional paper medical records to an electronic health record system. In order to obtain an incentive payment, the health care provider was required to switch from paper records to an electronic medical record system that had been certified as having met certain technological specifications.

eClinicalWorks has held itself out as having certification for its Software under the requirements set forth in the American Recovery and Reinvestment Act. The Department of Justice stated that when obtaining such certification for its Software, eClinicalWorks did not disclose all information to the certifying body, ultimately rendering the certification null and void. By creating and selling non-compliant Software, it is also alleged that eClinicalWorks knowingly caused health care providers who purchased its Software to unknowingly submit fraudulent claims seeking incentive payments under the Electronic Health Record Incentive Program.

In explaining the deficiency with the Software, the Department of Justice alleges that the Software does not comply with data portability requirements. Data portability is essential in patient care because it allows health care providers to exchange data. The Department of Justice gave the following example of a deficiency in the Software: “in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by ‘hardcoding’ only the drug codes required for testing. In other words, rather than programming the capability to retrieve any drug code from a complete database, [eClinicalWorks] simply typed the 16 codes necessary for certification testing directly into its software. [eClinicalWorks’s] software also did not accurately record user actions in an audit log, and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks.”

So what now? As part of the settlement, eClinicalWorks entered into a five-year Corporate Integrity Agreement, which requires that the company retain an independent software quality overseer and provide semiannual compliance reports to the Office of the Inspector General. eClinicalWorks must also provide free updates to the Software to all current customers. Current customers will also have the opportunity to transfer their patient data to another electronic health record provider. This data transfer will be free of charge to customers who make this choice. Customers choosing this option must be cautioned: while switching vendors free of charge may appear on its face to be the best solution, the provider has to consider the pitfalls associated with switching to a different electronic health record system, including but not limited to time and capital spent on training staff and physicians on the new system, any hardware or software upgrades to ensure compatibility with the new electronic medical record system, and the resources that will be needed to back up the current system prior to migration.

The investigation into eClinicalWorks also raises the question of whether other electronic health record software vendors will undergo heightened scrutiny when submitting for certification or if those vendors will be required to submit for recertification under a heightened set of security standards. If it is found that other vendors are also non-compliant, health care providers could be at risk of unknowingly violating HIPAA.