Category: Electronic Health Records

Has the DOJ Investigation Into eClinicalWorks Opened a Can of Worms?

eClinicalWorks, a provider of electronic health record software (“Software”) to physician offices and hospitals nationwide, recently reached a settlement with the United States government over allegations that it falsely certified the capabilities of its Software.  After Brendan Delaney, a former employee of the New York City Division of Health Care Access and Improvement, alerted the government to perceived issues with the Software, the Department of Justice brought suit against eClinicalWorks under the False Claims Act, more specifically for allegedly misrepresenting the capabilities of the Software and for allegedly paying kickbacks to customers in exchange for those customers promoting its product.

The American Recovery and Reinvestment Act of 2009 established the Electronic Health Record Incentive Program, which offered incentive payments to health care providers that switched from traditional paper medical records to an electronic health record system. In order to obtain an incentive payment, the health care provider was required to switch from paper records to an electronic medical record system that had been certified as having met certain technological specifications.

eClinicalWorks has held itself out as having certification for its Software under the requirements set forth in the American Recovery and Reinvestment Act. The Department of Justice alleged that, when obtaining that certification, eClinicalWorks withheld information from the certifying body, ultimately rendering the certification invalid. By creating and selling non-compliant Software, eClinicalWorks also allegedly caused health care providers who purchased it to unknowingly submit false claims for incentive payments under the Electronic Health Records Incentive Program.

In explaining the deficiency with the Software, the Department of Justice alleges that the Software does not comply with data portability requirements. Data portability is essential in patient care because it allows health care providers to exchange data. The Department of Justice gave the following example of a deficiency in the Software, “in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by ‘hardcoding’ only the drug codes required for testing. In other words, rather than programming the capability to retrieve any drug code from a complete database, [eClinicalWorks] simply typed the 16 codes necessary for certification testing directly into its software. [eClinicalWorks’s] software also did not accurately record user actions in an audit log, and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks.”
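The “hardcoding” described in the DOJ’s example is a classic way of gaming a fixed test script: the implementation satisfies exactly the inputs the tester is known to use and nothing else. The following is an added example, not eClinicalWorks code and not the actual certification test. It contrasts a lookup that knows only the fixture codes with one that queries a complete reference table, and shows the probe a certifying body (or an internal QA team) can run to tell them apart: exercise the published fixture, then codes the fixture never mentions. All drug codes and table contents here are constructed placeholders, not real standardized drug codes.

```python
"""Out-of-sample probe for a drug-code lookup (added example, constructed data)."""
import random

# Constructed "complete" reference table that a conforming implementation would query.
# The codes D00001..D01000 are placeholders, not real drug identifiers.
DRUG_DB = {f"D{n:05d}": f"drug-{n}" for n in range(1, 1001)}

# Constructed fixture standing in for the small set of codes a test script exercises.
CERT_FIXTURE = [f"D{n:05d}" for n in range(1, 17)]


def lookup_hardcoded(code):
    """Anti-pattern: resolves only the codes the test script is known to ask for."""
    table = {c: DRUG_DB[c] for c in CERT_FIXTURE}
    return table.get(code)


def lookup_from_db(code):
    """Conforming: resolves any code present in the reference table."""
    return DRUG_DB.get(code)


def probe(lookup, fixture=CERT_FIXTURE, db=DRUG_DB, samples=50, seed=1):
    """Run the published fixture, then a random sample of codes outside it.

    Returns (fixture_passed, out_of_sample_misses). A hardcoded implementation
    passes the fixture yet misses every out-of-sample code.
    """
    fixture_passed = all(lookup(c) == db[c] for c in fixture)
    rng = random.Random(seed)
    pool = [c for c in db if c not in fixture]
    misses = [c for c in rng.sample(pool, samples) if lookup(c) != db[c]]
    return fixture_passed, misses


if __name__ == "__main__":
    for name, fn in (("hardcoded", lookup_hardcoded), ("database", lookup_from_db)):
        passed, misses = probe(fn)
        print(f"{name}: fixture passed={passed}, out-of-sample misses={len(misses)}")
```

The fixture result is identical for both implementations; only the out-of-sample pass separates them. The same idea (randomized inputs drawn from the full value space, never published in advance) applies to the audit-log and drug-interaction criteria the DOJ cites.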

So what now? As part of the settlement, eClinicalWorks entered into a five-year Corporate Integrity Agreement, which requires the company to retain an independent software quality overseer and to provide semi-annual compliance reports to the Office of the Inspector General. eClinicalWorks must also provide free software updates to all current customers. Current customers will also have the opportunity to transfer their patient data to another electronic health record provider, free of charge. Customers considering this option should be cautioned: while switching vendors free of charge may appear on its face to be the best solution, the provider has to weigh the pitfalls of moving to a different electronic health record system, including but not limited to the time and capital spent training staff and physicians on the new system, any hardware or software upgrades needed for compatibility with the new system, and the resources needed to back up the current system (and to verify the completeness of the migrated records) prior to migration.

The investigation into eClinicalWorks also raises the question of whether other electronic health record software vendors will undergo heightened scrutiny when submitting for certification or if those vendors will be required to submit for recertification under a heightened set of security standards. If it is found that other vendors are also non-compliant, health care providers could be at risk of unknowingly violating HIPAA.


New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and the Connecticut proposal requiring encryption are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense against a determined attack such as the one on Anthem Health, which involved the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain.  This “personal information” includes a first name or initial and last name linked with their Social Security Number, driver’s license or State ID number, address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records they store or transmit.  Connecticut would also go further by requiring that any health insurance company that holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade its information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by the changes to HIPAA made by the HITECH Act and subsequent regulations, it is not strictly required by federal law: under the HIPAA Security Rule encryption is an “addressable” implementation specification, meaning a covered entity must either implement it or document why an equivalent alternative is reasonable, and under the HITECH breach notification rules only unencrypted (“unsecured”) PHI triggers notification obligations.  However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either the New Jersey law or the Connecticut proposal requiring encryption would have protected Anthem subscribers affected by the most recent breach, which was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries.  Unauthorized individuals who gain access to an administrator account can end-run around most, if not all, technical defenses.  Encryption at rest is transparent to any account authorized to read the data, so an attacker holding valid administrator credentials receives the same plaintext the administrator would.  No amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom; the controls that address that risk are multi-factor authentication, least-privilege access to bulk data, and monitoring of administrator activity for anomalies.
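The detail that the Anthem breach surfaced because an administrator noticed their own credentials in use points at the control that encryption does not provide: watching how privileged accounts are actually used. The following is an added example, not Anthem’s tooling or log format. It runs two simple checks over a constructed query-audit log: the same account active from two source addresses within a short window, and a single query returning far more rows than any routine administrative task would. The log lines, account names, addresses, window and row threshold are all assumptions made for the example.

```python
"""Detect misuse of an administrator account from a database query audit log.

Added example with constructed log lines; not Anthem's data or tooling.
Each line: ISO timestamp, account, source IP, rows returned.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2015-01-27T02:11:05 dba_jsmith 10.1.4.20 42
2015-01-27T02:14:31 dba_jsmith 10.1.4.20 118
2015-01-27T02:15:02 dba_jsmith 203.0.113.77 250000
2015-01-27T02:16:40 dba_jsmith 203.0.113.77 310000
2015-01-27T02:30:12 app_report 10.1.9.5 5000
"""


def parse(log):
    """Parse the constructed log format into (timestamp, account, ip, rows) tuples."""
    events = []
    for line in log.splitlines():
        ts, account, ip, rows = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, int(rows)))
    return events


def find_suspicious(events, window=timedelta(minutes=30), row_limit=100_000):
    """Return alerts for (a) one account seen from two source addresses within
    `window` (reported once per account/address pair) and (b) any single query
    returning more than `row_limit` rows. Thresholds are assumptions."""
    alerts = []
    seen = defaultdict(list)          # account -> [(timestamp, ip), ...]
    flagged_pairs = set()
    for ts, account, ip, rows in events:
        for prev_ts, prev_ip in seen[account]:
            pair = (account, frozenset((prev_ip, ip)))
            if prev_ip != ip and ts - prev_ts <= window and pair not in flagged_pairs:
                flagged_pairs.add(pair)
                alerts.append(("concurrent_source", account, prev_ip, ip, ts.isoformat()))
                break
        seen[account].append((ts, ip))
        if rows > row_limit:
            alerts.append(("bulk_query", account, ip, rows, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse(SAMPLE_LOG)):
        print(alert)
```

In practice the row threshold would be derived from each account’s own history rather than fixed, and the source-address check would be fed from the authentication system rather than the database log, but the logic is the same: an account that is legitimately in use from one place and suddenly pulls hundreds of thousands of records from another is the signal that encryption at rest cannot give you.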

ONC to Tackle Interoperability in 2015 As Congress Requires New Certified EHR Tech to Include Interoperability and Direct De-Certification of Current Systems That “Proactively Block the Sharing of Information.”

Before the ubiquity of the internet, it was at best cumbersome and at worst impossible for computers using different operating systems or applications to share information or files with each other. The result was a balkanized world where Macintoshes couldn’t talk to IBM PCs and where venerable WordPerfect users could not share word processing documents with the young upstarts who adopted Microsoft Word. Although there remain some outliers, for the vast majority of users these issues have largely evaporated as technologies have coalesced to share data seamlessly across multiple platforms and applications today.

Unfortunately, most EHR systems are stuck in the virtual past, unable (sometimes by design) to communicate with their brethren in what has become known as “information blocking.” As previously discussed on this blog, the sharing of patient data among allied health professionals, insurers and researchers is fundamental to the ONC’s “10 Year Vision to Achieve An Interoperable Health IT Infrastructure.”

Just as EHR incentives give way to Medicare payment reductions in 2015 for providers who fail to demonstrate Meaningful Use, the Office of the National Coordinator for Health Information Technology (ONC) has been directed to certify only EHR systems “that clearly meet current meaningful use program standards and that do not block health information exchange.” As for current EHR systems, “ONC should take steps to decertify products that proactively block the sharing of information because those practices frustrate congressional intent, devalue taxpayer investments [in certified EHR technology (]CEHRT[)], and make CEHRT less valuable and more burdensome for eligible hospitals and eligible providers to use.” (emphasis added).

Before the end of March, ONC is to submit a detailed report to Congress on the extent of the EHR information blocking problem which includes an estimate of the number of vendors or eligible hospitals or providers that block information, along with a strategy addressing the issue.  The first hints from ONC may come from its 2015 Annual Meeting scheduled for February 2-3, 2015 in Washington, D.C. Also sometime in 2015, the Health IT Policy Committee is to report on the technical, operational, financial and other barriers to interoperability and the role of certification in advancing or hindering interoperability across various providers. Presumably, these reports will strongly influence ONC’s Standards and Interoperability (S&I) Framework which remains in its nascent stage and perhaps even Stage 3 Meaningful Use requirements which remain undefined.

Noticeably absent from this Congressional mandate is any explicit directive that either ONC or the Health IT Policy Committee consider the privacy and/or security issues created by the widespread sharing of otherwise proprietary data that is called for by interoperability on the scale envisioned by ONC. Any discussion of interoperability must include consideration of the privacy and security implications created by even greater proliferation of healthcare data. This is particularly relevant given the increasingly specific targeting of HIT information by data thieves along with plans by the Department of Health and Human Services Office for Civil Rights to conduct audits of 200 covered entities and up to 400 business associates for HIPAA compliance in 2015.

$150,000 HIPAA Resolution Agreement Emphasizes Importance of Updating, Patching IT Systems under the Security Rule

In a Resolution Agreement announced on December 8, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) made clear that the HIPAA Security Rule requires Covered Entities and their Business Associates who handle electronic protected health information (ePHI) to regularly patch and update their IT infrastructure.

This matter arose in March 2012 when OCR was notified by Anchorage Community Mental Health Services, Inc. (“ACMHS”) that due to a malware infection of its computer systems, a breach involving the unsecured ePHI of 2,743 individuals had occurred.

According to the Resolution Agreement, OCR’s subsequent investigation revealed that ACMHS failed to:  (1) conduct an accurate and thorough risk assessment of its IT infrastructure; (2) implement policies and procedures requiring security measures sufficient to reduce risks and vulnerabilities to its ePHI; and (3) implement technical security measures to guard against unauthorized access to ePHI, by failing to ensure that firewalls were in place with “threat identification monitoring” of inbound and outbound internet traffic and that IT resources were adequately “supported and regularly updated with available patches.”

Under the terms of the Resolution Agreement, ACMHS will pay a $150,000 fine and adopt a corrective action plan designed to address deficiencies in its HIPAA compliance program.

This is the first explicit statement from OCR that the HIPAA Security Rule requires IT infrastructure to be “regularly updated with available patches.”   An unpatched vulnerability known as the “Heartbleed Bug” (CVE-2014-0160, a flaw in the OpenSSL library that lets a remote attacker read server memory, including credentials and keys, without authenticating) has been implicated in a breach reported earlier this year of 4.5 million health records from Community Health Systems, which operates 206 hospitals in twenty-six states.

This should dispel any doubt that a thorough risk assessment and risk management plan must include a process by which hardware (including firmware) and software are regularly patched and updated to versions that address known vulnerabilities which could be exploited and result in a breach.
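A patch process is only as good as the inventory behind it: someone has to be able to say which hosts still run a version inside a vulnerable range. The following is an added example, not an OCR requirement or any vendor’s tool. It compares reported component versions against a table of known fixed versions; the one real entry is OpenSSL, where Heartbleed affects releases 1.0.1 through 1.0.1f and was fixed in 1.0.1g. The host names and inventory lines are constructed, and the inventory format is an assumption.

```python
"""Check an inventory of component versions against known fixed versions.

Added example, constructed inventory. The OpenSSL/Heartbleed entry is real
(CVE-2014-0160 affects 1.0.1 through 1.0.1f; fixed in 1.0.1g).
"""
import re

# component -> (first vulnerable version, first fixed version)
KNOWN_FIXES = {
    "openssl": ("1.0.1", "1.0.1g"),
}

# Constructed inventory: host, component, reported version.
INVENTORY = """\
web01 openssl 1.0.1e
web02 openssl 1.0.1g
db01 openssl 1.0.0k
vpn01 openssl 1.0.2
"""


def parse_version(v):
    """Turn an OpenSSL-style version such as '1.0.1f' into a comparable tuple.

    The trailing letter is a patch-level suffix, so 1.0.1 < 1.0.1a < ... < 1.0.1g.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def is_vulnerable(component, version):
    """True if version lies in the known vulnerable range; None if unknown component."""
    if component not in KNOWN_FIXES:
        return None
    low, fixed = KNOWN_FIXES[component]
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def audit(inventory):
    """Return (host, component, version, first_fixed) for every vulnerable entry."""
    findings = []
    for line in inventory.splitlines():
        host, component, version = line.split()
        if is_vulnerable(component, version):
            findings.append((host, component, version, KNOWN_FIXES[component][1]))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("needs patch:", finding)
```

One caveat a practitioner will recognize: several operating system vendors backported the Heartbleed fix into packages that still report an older upstream version string, so a check like this must be run against the vendor’s patched package version (or a direct test of the service) rather than the upstream number alone, or it will produce false positives and, worse, false negatives for other components.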

AHIMA’s Position Statement Concerning Use of EMR “Copy and Paste” Calls for Industry Development of “Best Practices” and Formal Guidance from ONC

The American Health Information Management Association (AHIMA) issued guidance this week intended to address the use of “copy and paste” functionality in electronic health record systems (EHRs).  As previously discussed on this blog, this comes in the wake of two recent reports issued by the Office of the Inspector General (OIG) which called on CMS to address this fraud and abuse concern, unique to EMRs, by developing formal guidance on the use of EHR “copy and paste” functionality.  In support of its recommendations, AHIMA cites a recent article published in MDAdvisor written by McElroy Deutsch attorney Leonardo Tamburello.

AHIMA calls for broad collaboration among industry stakeholders, EHR system developers and the public to ensure the appropriate use of copy/paste functionality in EHRs and reduce the risks associated with improper design and use.  It proposes that both public and private sector organizations work together to implement a number of recommendations, including that:

  • Industry stakeholders collaborate on the development and promulgation of “best practices” for monitoring compliance with governmental, regulatory and industry standards related to clinical documentation;
  • EHR systems be designed to allow organizations deploying them to configure the use of copy/paste functionality, including the recording of copy/paste user actions, audit capabilities and reporting;
  • the Office of the National Coordinator for Health Information Technology (ONC) continue to address EHR usability issues which may present potential risks for quality of care, patient safety and fraud, and that ONC develop formal guidance for the appropriate use of copy/paste within the EHR certification criteria.

Many of AHIMA’s recommendations echo those made in the OIG’s recent reports, such as those related to the need for formal guidance on the use of EHR copy/paste and strengthened reliability of EMR audit logs.

The full text of AHIMA’s position statement is available here.

ONC Issues 2015 Voluntary EHR Certification Criteria; Promises More Frequent and Dynamic Future Updates

The Office of the National Coordinator for Health Information Technology, (ONC) has issued proposed regulations concerning 2015 Voluntary EHR Certification Criteria, Interoperability Updates and Regulatory Improvements (the “2015 Edition”).  For EHR-based providers, the 2015 Edition is important for two reasons:  first, its requirements are voluntary.  Second, it signals dramatic change in the frequency and manner which ONC will issue future EHR certification criteria updates. 

These Proposed Regulations come in the wake of ONC’s decision in December 2013 to extend Stage 2 Meaningful Use (MU) through 2016 and delay Stage 3 (whose criteria remain in development) until at least 2017.  By making the 2015 EHR Certification Criteria voluntary, ONC has given providers a short respite during which they can catch their breath and ensure that all Stage 2 MU criteria have been met.  To date, the most pervasive MU deficiency cited by auditors has been providers’ failure to meet the requirements of Core Measure 14 – Protect Electronic Health Information.  This measure requires that providers conduct a security risk analysis in accordance with 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies prior to or during the EHR reporting period. 

“The proposed 2015 Edition EHR certification criteria reflect ONC’s commitment to incrementally improving interoperability and efficiently responding to stakeholder feedback,” said Karen DeSalvo, M.D., M.P.H., national coordinator for health IT. “We will continue to focus on setting policy and adopting standards that make it possible for health care providers to safely and securely exchange electronic health information and for patients to become an integral part of their care team.”

EHR developers that have certified EHR technology to the 2014 Edition do not need to recertify to the 2015 Edition for customers to participate in the Medicare and Medicaid EHR Incentive Programs. Similarly, health care providers eligible to participate in the Medicare and Medicaid EHR Incentive Programs would not need to “upgrade” to EHR technology certified to 2015 Edition to have EHR technology that meets the Certified EHR Technology definition. “This provides the opportunity for developers and health care providers to move to the 2015 Edition on their own terms and at their own pace,” said Dr. DeSalvo.

The 2015 Edition’s voluntary highlights include:

  • New certification criteria representing new functionality, such as a certification criterion to support patient population filtering of clinical quality measures;
  • Enhanced interoperability with new or updated implementation specifications for several certification criteria, including transitions of care, clinical decision support, and a few related to public health reporting;
  • Improved interoperable exchange with policy revisions that change the certification approach for transitions of care;
  • A path for the certification of “non-MU” EHR technology;
  • Codification of ONC regulatory guidance provided in Frequently Asked Questions issued since the 2014 Edition Final Rule;
  • Revisions to the 2014 Edition syndromic surveillance certification criterion;
  • Closer alignment with other HHS program policies (e.g., CLIA and clinical quality measure reporting) and with Office of the Inspector General (OIG) recommendations;
  • Discontinuation of the “Complete EHR” definition and of the issuance of Complete EHR certifications starting with the 2015 Edition; and
  • A solicitation of comment on new capabilities and standards-based requirements for potential future certification criteria (a 2017 Edition in support of MU Stage 3), to give EHR technology developers advance visibility and time to react.

The 2015 Edition marks the first time ONC has proposed an edition of certification criteria separate from the “meaningful use” regulations. It also represents ONC’s new regulatory approach of more incremental and frequent rulemaking. This approach allows ONC to update certification criteria more often to reference improved standards, continually improve regulatory clarity, and solicit comments on potential proposals as a way to signal ONC’s interest in a particular topic area.

A final rule is expected by the summer of 2015.  Although compliance with it will be voluntary for the time being, it is expected that ONC will eventually make those requirements mandatory for all participating providers.  It is therefore recommended that EHR stakeholders make their concerns known to ONC so that they may be addressed in the final rule.  Moreover, EHR users that want to best prepare for the more frequent updates to EHR requirements promised by ONC should consider upgrading their systems to comply with the 2015 Edition as soon as a final rule is announced.

OIG Report: Most Electronic Health Records Lack Adequate Program Integrity Practices

One of the Affordable Care Act’s signature objectives is the widespread implementation and adoption of Electronic Health Records (EHRs) by providers of all sizes and types.  To encourage EHR adoption, CMS will pay over $22.5 billion in incentive payments to eligible professionals and hospitals that demonstrate meaningful use of certified EHR technology.   Beginning in 2015, providers who fail to demonstrate such meaningful use will face Medicare payment reductions as a result.  In a January 2014 report, the Office of Inspector General (OIG) determined that CMS and most CMS contractors have yet to adopt program integrity practices specific to EHRs.   This is a glaring vulnerability that allows fraud and abuse to permeate and undermine one of the ACA’s flagship goals.

The most common vulnerabilities endemic to EHRs are “copy-pasting” and “overdocumentation.”  While opportunities for a provider to inappropriately copy and paste language or overdocument the medical record for higher payment exists in paper medical records as well as EHRs, the technology makes it easier for providers to utilize these practices in EHRs.   Without question, EHRs make it easier for providers to commit certain types of fraud.

Copy-pasting (sometimes called “cloning”) permits users to select information from one source and duplicate it in another location.   Copy-paste functionality is a familiar word-processing tool that has many legitimate uses in an EHR.  However, its unrestricted use in the EHR context has led to inaccurate medical records which could potentially lead to inappropriate charges being billed to patients and third-party health payers.   More troubling is that such functionality, if used in an intentionally deceptive manner, could facilitate inflation, duplication or submission of fraudulent claims.

Overdocumentation refers to the practice of inserting false or irrelevant documentation to create the impression of support for billing of higher-level services.  Some EHR systems auto-populate fields or generate verbose text with a single click.  These documentation aids, originally created to ease the learning curve for new users, can lead to significant inaccuracies if the provider does not edit them appropriately, by suggesting that the provider performed more comprehensive services than were actually rendered.

Despite the incentive programs encouraging the use of EHR technology, and the technology’s inherent fraud and abuse potential, CMS and most of its contractors have yet to adjust their practices for identifying and investigating EHR fraud. Few contractors review EHRs differently from paper records, and additional scrutiny is not (yet) required by CMS.  Additionally, fewer than 20% of Medicare contractors reported using EHR audit log data as part of their review or investigative processes.    Medicare contractors reported varying ability to identify copied language and overdocumentation in both EHRs and paper medical records.  Overdocumentation appears to be easier to identify because it is evident within the supporting medical record for a single claim, while copied language in a single claim may not be detectable unless multiple claims from a single patient or provider are examined for such occurrences.
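The OIG’s observation that copied language is only visible across multiple claims is, in practice, a near-duplicate detection problem. The following is an added example, not an OIG or CMS tool, showing the simplest useful version of that check: break each note into overlapping five-word shingles, compute the Jaccard similarity between every pair of notes from the same provider, and flag pairs above a threshold. It also serves the AHIMA recommendation above that copy/paste use be auditable and reportable. The clinical notes, claim identifiers, provider identifiers and the 0.6 threshold are all constructed for the example.

```python
"""Flag near-duplicate ("cloned") note text across a provider's claims.

Added example with constructed notes; not an OIG or CMS detection tool.
"""
import re
from itertools import combinations

# Constructed claims: (claim_id, provider, patient, note text).
_ROUTINE = ("Patient seen for follow up of hypertension. Reviewed medications. "
            "Lungs clear to auscultation. Heart regular rate and rhythm. "
            "Continue current regimen and return in three months.")
NOTES = [
    ("C100", "P1", "pt-A", _ROUTINE),
    ("C101", "P1", "pt-B", _ROUTINE),                  # identical note, different patient
    ("C102", "P1", "pt-C", "Acute visit for sore throat and fever for two days. "
                           "Rapid strep negative. Supportive care advised."),
    ("C200", "P2", "pt-D", _ROUTINE),                  # different provider, not compared
]


def shingles(text, k=5):
    """Set of overlapping k-word sequences; punctuation and case are ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Similarity of two sets in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_cloned(notes, threshold=0.6, k=5):
    """Compare every pair of notes from the same provider.

    Returns (provider, claim_a, claim_b, similarity) for pairs at or above threshold.
    """
    by_provider = {}
    for claim_id, provider, patient, text in notes:
        by_provider.setdefault(provider, []).append((claim_id, shingles(text, k)))
    hits = []
    for provider, items in by_provider.items():
        for (c1, s1), (c2, s2) in combinations(items, 2):
            sim = jaccard(s1, s2)
            if sim >= threshold:
                hits.append((provider, c1, c2, round(sim, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_cloned(NOTES):
        print("possible cloned documentation:", hit)
```

Grouping by provider catches the pattern the OIG describes (one clinician reusing the same examination text across patients); grouping by patient instead would catch notes carried forward unchanged from visit to visit. Templates and legitimately repeated phrases will score high too, so a hit is a reason to pull the audit log for those claims, not a finding by itself.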

Although CMS has issued guidance to its contractors that “medical recordkeeping within an EHR deserves special considerations” and that “the original content, the modified content, and the dates and authorship” must be identifiable, these instructions have proven inadequate in light of the OIG’s findings and require additional detail that takes into account the unique nature of the technology.
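The CMS instruction quoted above (original content, modified content, dates and authorship must all be identifiable) is a specification for an audit trail, and the DOJ’s eClinicalWorks allegation and AHIMA’s call for more reliable audit logs both turn on whether that trail can be trusted after the fact. The following is an added example, not a CMS-specified format or any vendor’s implementation: an append-only log of record edits in which each entry carries the SHA-256 of its own contents plus the previous entry’s hash, so that altering or removing an earlier entry breaks every hash that follows. The record numbers, field names, authors and timestamps are constructed.

```python
"""Hash-chained audit trail for EHR record edits (added example, constructed data).

Each entry records the original and modified content, author, timestamp and
action, and is chained to its predecessor so later tampering is detectable.
"""
import hashlib
import json

GENESIS = "0" * 64


class AuditTrail:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body, prev_hash):
        """SHA-256 over the canonical JSON of the entry body plus the previous hash."""
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, record_id, field, original, modified, author, timestamp, action="edit"):
        """Append one entry; `action` distinguishes e.g. "edit" from "copy_paste"."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries), "record": record_id, "field": field,
            "original": original, "modified": modified, "author": author,
            "timestamp": timestamp, "action": action, "prev": prev,
        }
        entry = dict(body, hash=self._digest(body, prev))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, seq of first bad entry)."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body, prev) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None


def build_sample_trail():
    """Constructed history of one record: an edit, then a copy/paste into another record."""
    trail = AuditTrail()
    trail.record("MRN-001", "assessment", "", "BP controlled on lisinopril",
                 "dr_adams", "2014-01-10T09:00:00")
    trail.record("MRN-001", "assessment", "BP controlled on lisinopril",
                 "BP controlled on lisinopril; labs ordered",
                 "dr_adams", "2014-01-10T09:05:00")
    trail.record("MRN-002", "assessment", "", "BP controlled on lisinopril; labs ordered",
                 "dr_adams", "2014-01-10T09:12:00", action="copy_paste")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    trail.entries[0]["modified"] = "altered after the fact"
    print("after tampering:", trail.verify())
```

A hash chain only proves that the log has not been altered since the last hash was written; to be a control against a privileged insider, the head hash must be periodically anchored somewhere the same insider cannot rewrite (a write-once store, a separate system, or a signed timestamp). The `action` field is what lets a reviewer report copy/paste use separately from ordinary edits, which is the configurability AHIMA asks for.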

In response to the OIG report, CMS intends to develop guidance on the appropriate use of the copy-paste feature in EHRs.  It also plans to work with contractors to identify best practices for detecting fraud and abuse within EHRs.  Presumably, this will include addressing the automatic population of fields and generation of text instigated by a single keystroke or click.  In addition, CMS  will work with its contractors and other stakeholders to consider issues presented by digital clinical data including determining the authenticity of information in EHRs, but the exact manner in which this will occur remains uncertain.

The OIG’s full report is available from its website:

We have previously written about fraud and other vulnerabilities related to the use of EHRs: