Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Health IT Group Raises Good Questions About “Information Blocking”

Posted on September 8, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The 21st Century Cures Act covers a great deal of territory, with provisions that dedicate billions to NIH funding, Alzheimer’s research, FDA operations and the war on opioid addiction. It also contains a section prohibiting “information blocking.”

One section of the law lists attempts to define information blocking, and lists some of the key ways healthcare players drag their feet when it comes to data sharing. The thing is, some industry organizations feel that these provisions raise more questions than they answer.

In an effort to nail things down, a trade organization calling itself Health IT Now has written to the HHS Office of Inspector General and ONC head Donald Rucker, MD, asking them to issue a proposed rule answering their questions.  Parties signing the letter include a broad range of healthcare and health IT organizations, including the American Academy of Family Physicians, athenahealth, DirectTrust, AMIA, McKesson and Oracle.

I’m not going to list all the questions they’ve asked. You can read the entirety yourself. However, I will share two questions and offer responses of my own. One critical question is:

  • What is information blocking and what is not?

I think most of us know what the law is trying to accomplish, e.g. foster the kind of data sharing needed to accomplish key research and patient care outcomes goals. And the examples of what it considers information blocking make sense:

  • Practices that restrict authorized access, exchange, or use [of health data] under applicable State or Federal law
  • Implementing health information technology in nonstandard ways that are likely to substantially increase the complexity or burden of accessing exchanging or use of electronic health information
  • Implementing health information technology in ways that are likely to lead to fraud, waste, or abuse, or impede innovations and advancements health information access, exchange, and use

The problem is, there are many more ways to hamper the sharing of electronic health data. The language used in the law can’t anticipate all of these strategies, which leaves compliance with the law very much open to interpretation.

This, logically, leads to how businesses can avoid running afoul of the law:

  • The statute institutes penalties on vendors to $1 million per violation. How should “per violation” be defined?

    Given the minimum detail included in the legislation, this is a burning question. Vendors need to know precisely whether they’re in the clear, violated the statute once or flouted it a thousand times.

After all, vendors may violate the statute

  • When they refuse data access to one individual within a business one time
  • When they don’t comply with a specific organization’s request regardless of how many employees were in contact
  • When a receiving organization doesn’t get all the data requested at the same time
  • When the vendor asks the receiving organization to pay an administrative fee for the data
  • When individuals try to access data through the web and find it difficult to do so

Would a vendor be on the hook for a single $1 million fine if it flat out refused to share data with a client?  How about if it refused twice rather than once? Are both part of the same violation?

Does the $1 million fine apply if the vendor inadvertently supplies corrupted data? If so, does the fine still apply if the vendor attempts to remedy the problem? How long does the vendor have to respond if they are informed that the data isn’t readable?

What about if dozens or even hundreds of individuals attempt to access data on the web can’t do so? Has the vendor violated the statute if it has an extended web outage or database problem, and if so how long does it should have to get web-based data access back online? Does each attempt to access the data count as a violation?

What standard does the statute establish for standard vs. non-standard data formats?  Could a vendor be cited once, or more than once, for using a new and emerging data format which is otherwise respected by the industry?

As I’m sure you’ll agree, these are just some of the questions that need to be answered before any organization can reasonably understand how to comply with the law’s information blocking provisions. Asking regulatory agencies to clarify their expectations is more than reasonable.

eCW (eClinicalWorks) Settles Whistleblower Lawsuit for $155 Million

Posted on May 31, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In many of my press panels and other discussions at the Healthcare IT Marketing and PR Conference, I’ve argued that there’s very little “Breaking News” when it comes to healthcare IT. Today is an example where this is not true. The news just broke that EHR vendor, eCW (eClinicalWorks), has settled a whistleblower lawsuit against them for $155 million.

The suit was filed by Brendan Delaney, a software technician formerly employed by the New York City Division of Health Care Access and Improvement, by his law firm Phillips & Cohen LLP against eClinicalWorks. eClinicalWworks and three of its founders (Chief Executive Officer Girish Navani, Chief Medical Officer Rajesh Dharampuriya, M.D., and Chief Operating Officer Mahesh Navani) are jointly liable for the payment of $154.92 million. Separately, Developer Jagan Vaithilingam will pay $50,000, and Project Managers Bryan Sequeira, and Robert Lynes will each pay $15,000. As a whistleblower, Delaney stands to receive $30 million of the settlement.

Here’s the summary of the complaints against eCW from the Justice Department’s press release about the settlement:

In its complaint-in-intervention, the government contends that ECW falsely obtained that certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification. For example, in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by “hardcoding” only the drug codes required for testing. In other words, rather than programming the capability to retrieve any drug code from a complete database, ECW simply typed the 16 codes necessary for certification testing directly into its software. ECW’s software also did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks. In addition, ECW’s software failed to satisfy data portability requirements intended to permit healthcare providers to transfer patient data from ECW’s software to the software of other vendors. As a result of these and other deficiencies in its software, ECW caused the submission of false claims for federal incentive payments based on the use of ECW’s software.

Most people are writing about how eCW didn’t fully integrate the RxNorm codes, but instead hard coded the 16 codes that the certification process used. That’s embarrassing so it’s not a surprise that so many people are sharing that part of the story. However, I think the bigger part of the violation is probably around the data portability requirements. I bet a lot of EHR vendors are sweating right now as they look at the way they implemented those requirements. Not to mention the EHR audit logs which are poor in many EHR. Plus, the scariest claim is eClinicalWork’s inability to reliably record diagnostic imagine orders or perform drug interaction checks. Those are patient safety issues and exist in many EHR software.

If you want to dig into the weeds like I did, then you can see the government complaint against eClinicalWorks that was filed May 12, 2017 and the final settlement agreement with eClinicalWorks. Even more insightful was looking at the original complaint from Delaney against eClinicalWorks. Comparing the original whistleblower complaint to the government complaint against eClinicalWorks is very interesting. You’ll see that the government didn’t grab on to everything that was originally filed by Delaney. I imagine that’s a standard legal practice to file as many areas as possible and see what the government decides to use. It seems like Phillips & Cohen have represented a number of whistleblowers so I’m sure they were expert at this.

Girish Navani, CEO and Co-Founder or eClinicalWorks, offered this statement about the settlement:

“Today’s settlement recognizes that we have addressed the issues raised, and have taken significant measures to promote compliance and transparency. We are pleased to put this matter behind us and concentrate all of our efforts on our customers and continued innovations to enhance patient care delivery.”

Looking at the bigger picture, I’m certain that every EHR vendor is going through their EHR certification process and looking at all the statements they’ve made to make sure they’re not going to be in a similar situation. Not to mention the anti-kick back laws that were mentioned in the settlement. I’m sure there are other EHR vendors that are in violation of both of these items just as much as eCW.

Former ONC National Coordinator, Farrzad Mostashari seems to agree with me. Farzad tweeted, “Wow!! I hope this changes the attitude of the EHR vendor space more broadly.” Then, he later tweeted, “Let me be plain-spoken. eClinicalWorks is not the only EHR vendor who flouted certification /misled customers
Other vendors better clean up.”

Farzad then nailed it when he tweeted “There are a LOT of doctor’s office staff looking at their EHR today and wondering if there’s $30M worth of false promises hidden there”

I do wonder if Farzad Mostashari feels a little guilty of the role he played in this process since he oversaw such a porous EHR certification process. I’ve been against EHR certification for a long time because I thought it provided so little value to providers. The fact that it can be gamed by 16 codes being hard coded is a perfect example of why EHR Certification is a waste. Although, one could argue that without EHR certification, this suit would have never happened and maybe eClinicalWorks could still be selling the same product today.

I do find this quote from the US Attorney’s Office for the District of Vermont press release a little over the top (which I think is common on these things):

“Electronic health records have the potential to improve the care provided to Medicare and Medicaid beneficiaries, but only if the information is accurate and accessible,” said Special Agent in Charge Phillip Coyne of HHS-OIG. “Those who engage in fraud that undermines the goals of EHR or puts patients at risk can expect a thorough investigation and strong remedial measures such as those in the novel and innovative Corporate Integrity Agreement in this case.”

Another topic I haven’t seen anyone else cover is the impact that this settlement will have on eCW’s customers that used eCW to attest to meaningful use. Technically it shows that eCW wasn’t appropriately certified, so that means that they weren’t using a certified EHR and therefore shouldn’t have been eligible for meaningful use incentives. I asked one friend about this and he suggested that CMS had previously said that it would not hold eligible providers and eligible hospitals responsible for EHRs that calculated the meaningful use measures the wrong way. So, we’ll probably see this same approach with eCW users that got EHR incentive money on what we now know was not appropriately certified.

I was also intrigued by the Corporate Integrity Agreement (CIA) that eClinicalWorks entered into with HHS-OIG. There are a lot of details and oversight that eCW will get from OIG, but it also required eClinicalWorks to “allow customers to obtain updated versions of their software free of charge and to give customers the option to have ECW transfer their data to another EHR software provider without penalties or service charges. [emphasis added]”

Free updates is pretty clear and ironic since not wanting to update all their clients is one possible hypothesis for why they didn’t really push the proper upgrades. Hopefully all eCW users will do it now or they might be facing their own violations for using outdated software that has known clinical issues. However, the kicker in the CIA detail above is that eClinicalWorks has to give customers the option to have eClinicalWorks transfer their data to another EHR without penalty or service charges. I wonder how many will take them up on this requirement and what the details will be. I still wish this was required of all EHR vendors, but that’s a story for another day.

How many EHR vendor marketing groups are putting together their eClinicalWorks Rescue Plan to take in the downtrodden eCW users? I’m not sure these will be as successful as other EHR switching marketing efforts like those we see when an EHR is being shut down.

I’m sorry to say that I think this is likely only the beginning of such lawsuits. In fact, it’s probably already woken up a lot of potential whistle blowers. Hopefully it’s woken up a lot of EHR vendors as well.