TRENDING:

Fraud Management & Cybercrime , Governance & Risk Management , HIPAA/HITECH

EHR Vendor Settles HITECH Fraud Case

Whistleblower Lawsuit Alleges Konica Minolta Subsidiary Falsified Testing Marianne Kolbasuk McGee (HealthInfoSec) • August 31, 2020    
EHR Vendor Settles HITECH Fraud Case

Federal prosecutors say an electronic health records vendor has agreed to pay $500,000 to settle a whistleblower case about the software maker allegedly falsifying testing results in 2015 to obtain product certification for participation in the HITECH Act meaningful use incentive program.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

In a statement, the Department of Health and Human Services’ Office of Inspector General and Department of Justice say Konica Minolta Healthcare Americas Inc., based in Wayne, New Jersey, agreed to settle the case alleging that its former subsidiary, Viztek LLC, caused healthcare providers to submit false claims for federal incentive payments for EHR use by misrepresenting the capabilities of its EHR software.

Court documents in the case indicate that in December 2017, a former Viztek project manager responsible for the company’s EXA EHR product filed a lawsuit under the whistleblower provisions of the False Claims Act, alleging the company caused false claims to be submitted to HHS for federal EHR incentive payments.

A Justice Department spokesman tells Information Security Media Group the whistleblower in the case will receive about $100,000 of the settlement.

The whistleblower alleged that Viztek knowingly caused healthcare professionals who used EXA EHR to falsely attest to compliance with HHS Centers for Medicare and Medicaid Services’ meaningful use requirements during the 2015 and 2016 program years.

To obtain certification for their products, EHR vendors were required to demonstrate that their products met HHS-adopted criteria for the “meaningful use” of their products by eligible healthcare professionals and hospitals.

Falsified Testing

Court documents allege Viztek falsified a variety of EHR certification testing results because the company failed to build the capabilities into the product offered to customers. During part of the testing period, Viztek was being acquired by Konica Minolta in Oct. 2015.

”To ensure that their product was certified and that their customers received incentive payments, Viztek and Konica Minolta falsely attested to [testing company] InfoGard that their software met the certification criteria; hard-coded their software to pass certification testing requirements temporarily without ensuring that the software released to customers met certification criteria; and caused their users to falsely attest to using a certified EHR technology, when their software could not support the applicable certification criteria in the field,” prosecutors allege in court documents.

InfoGard is also named as a defendant in the federal government’s complaint in the case. Prosecutors alleged that the testing company “knew or recklessly disregarded the fact that Viztek’s EXA EHR did not meet the certification criteria.”

InfoGard was acquired in December 2015 by UL, a global safety science company.

Neither Konica Minolta nor UL immediately responded to ISMG’s request for comment on the case.

Allegedly Faked Capabilities

Among a long list of capabilities that Viztek allegedly falsified in its EHR product was the ability to provide patients with an online means to view, download and transmit to a third party their EHR data.

The ability for healthcare providers – and health IT products - to provide patients with access to their digital health information is an intensifying focus for HHS.

In addition to the HIPAA-mandated patient right to access their records, new health IT interoperability and information blocking regulations under the 21st Century Cures Act also spotlight patients’ records access rights.

”The new information blocking rules require that patients be provided access,” says regulatory attorney Marti Arvin of the security and privacy consultancy CynergisTek. “The new interoperability rule conditions of certification include a prohibition on information blocking and a requirement to develop application programming interfaces that allow patient selected applications to connect to the EHRs.”

The HITECH Act of 2009’s Medicare and Medicaid EHR incentive programs, which provided billions of dollars to hospitals and physicians for adopting certified EHR systems, have evolved over the last couple of years into the Promoting Interoperability Program for hospitals and the Quality Payment Program for eligible clinicians. Both offer new financial incentives to encourage healthcare providers to meaningfully use certified EHR technology.

In addition to falsifying information on patient access, Viztek allegedly falsified the EHR software’s ability to:

  • Reliably record the date that a patient’s medication list or medication history data were entered;
  • Reliably record the severity of medication allergies or the date that medication allergy data were entered;
  • Electronically receive and incorporate laboratory tests and results.

“The flaws in the EHR defendants’ software not only rendered the system unreliable and unable to meet meaningful use standards, but the flaws also created a risk to patient health and safety,” prosecutors alleged. “Rather than spend the time and resources necessary to correct the flaws in its EHR software, the defendants opted to do nothing.”

The HHS OIG declined comment to ISMG on the number of healthcare providers and hospitals using the Vitek product that attested to meaningful use of those EHRs and received financial incentives – or whether any of those healthcare providers would be asked to return the incentive payments.

“The claims settled by this settlement are allegations only, and there has been no determination of liability,” the Justice Department says.

Other Cases

The settlement with Viztek is among a handful of cases that the federal government has lodged against EHR vendors for allegations involving false claims about their products meeting the HITECH EHR incentive program's certification requirements.

For instance, in 2017, EHR vendor eClinicalWorks agreed to a $155 million settlement in a similar federal whistleblower case.

In January, Practice Fusion - now a unit of Allscripts – agreed to pay $145 million to settle civil and criminal investigations related to its EHR system. That case included several components, including allegations of false claims regarding compliance with HITECH Act certification requirements.

Considerations for Providers

Privacy attorney David Holtzman of the consulting firm HITprivacy notes that in the prior cases of falsified EHR certification involving e-Clinical Works and Practice Fusion, HHS did not seek to recover meaningful use payments from eligible professionals and hospitals that used improperly certified EHR technology.

”The settlement between the government and Konica-Minolta does not appear to change the status of the certification of the EHR products as eligible certified electronic health record technology,” he notes. “Healthcare organizations that attested to meeting the requirements for the ‘meaningful use’ program or its successor ‘promoting interoperability’ program will be waiting to see if any steps CMS takes.”

Holtzman says in considering if healthcare providers have liability in falsely attesting to meeting meaningful use requirements by using any of these products, federal officials would need to closely examine a number of factors. For example, “was it reasonable for the organizations to rely on the fact that the test laboratory approved by the Office of the National Coordinator had given their stamp of approval for these systems as meeting the requirements?”

In the meantime, Arvin of CynergisTek suggests that to protect themselves from potential legal issues, healthcare providers should “obtain something in writing from their [EHR] vendor that the system currently meets all certification criteria.”

Previous
Fighting Money Laundering: Overcoming Challenges
Next
Cybersecurity Leaders: Planning (and Budgeting) for 2021

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.