My last post, “Practice Fusion Part 1: The AKS and What It Means for You,” looked at the Anti-Kickback Statute’s (“AKS”) role in Practice Fusion’s settlement with the Department of Justice (“DOJ”). The AKS is a criminal statute. If a prosecutor has enough evidence to charge, they can effectively hamstring a company through a criminal indictment (not a conviction after a trial). A criminal indictment can have an immediate effect on a corporation’s value and stock, and depending on how severe the alleged conduct is, could wipe out a company’s value. But a criminal offense must be proved “beyond a reasonable doubt.” And that statute requires that a defendant engage in the prohibited conduct knowingly.
However, the False Claims Act (“FCA”), also makes an appearance in the Practice Fusion case. The FCA provides a vehicle for the federal government to recover its money when it has been distributed based on false claims. If a person recklessly submits, or causes to be submitted, a false claim to the federal government that results in improper remuneration, that person is liable for treble (triple, for my nonlegal audience) damages, plus approximately a $20K flat fine per claim. Importantly, the evidentiary standard is just “more likely than not,” as opposed to beyond a reasonable doubt. That’s a world of difference.
With respect to Practice Fusion, the DOJ alleged that its electronic health record did not conform to its certification under the 2014 Edition of Certified EHR Technology (“2014 Edition”). Its allegations focus on three certified capabilities that fall into two principal buckets, data export standards and the use of standardized clinical vocabularies:
- The ability for a user of the software to create standardized export summaries for all patients in the EHR;
- The ability to record a patient’s active problem list using Systematized Nomenclature of Medicine – Clinical Terms (“SNOMED”); and,
- The ability to incorporate clinical lab tests, values, and results using Logical Observation Identifiers Names and Codes (“LOINC”).
Each of these capabilities is incorporated into the 2014 Edition.
Providers use certified EHR technology for a number of reasons. One of them is to participate in the EHR Incentive Program, otherwise known as meaningful use (now recently renamed Promoting Interoperability). Under that program, providers receive incentives for demonstrating “meaningful use of certified EHR technology.” This means hitting certain thresholds on different measures that assess how frequently providers use certain functionalities in their EHR, like provider-provider or provider-patient secure messaging. As part of that program, providers also attested to using certified EHR technology. The DOJ alleges that because Practice Fusion’s technology did not meet the standards of the ONC Health IT Certification Program, the providers using that software filed false attestations. It cost Practice Fusion $118,642,000 in civil fines. Compare that to the $25,398,000 in criminal fines it agreed to pay.
The FCA is a potent statute, and the damages can add up fast in the healthcare space. Take the Medicaid side of the EHR Incentive Program – which today pays each provider a flat incentive payment of $8,500 for demonstrating meaningful use. Triple that and you reach $25,500. Tack on another $20,000 or so per claim. We’re up to $45,500. Let’s say a pediatrics group with 10 providers uses software that doesn’t conform to its certification criteria. Now we’re up to $455,000 in potential liability. And, that’s just one program. Numerous others require providers to attest to using certified EHR technology: Comprehensive Primary Care Plus, the Promoting Interoperability category of the Merit-based Incentive Payment System (“MIPS”), among others.
I can’t say this enough, but folks should be taking representatives from the DOJ, OIG, CMS, and ONC at their word when they say enforcement actions are coming. So, what does this mean for health IT developers and providers and what can they do about it? First and foremost, you must have a compliance program. I don’t care how big or small you are. You need a compliance program – full stop. What goes into that program is an extensive topic outside of the post’s scope. But if you have NOTHING, you are VULNERABLE. And it will likely be held against you should one of these enforcement actions come your way.
The results from the Practice Fusion investigation provide some insight into risk areas and ways you can manage that risk. First, when it comes to certified capabilities, the quality bar for any product should be quite high. The certification process is not set up to be your quality assurance department. The onus of keeping your product up to the ONC’s standards is on you, not your certifier. Just because your certifier does not catch something does not mean that you are off the hook because it signed off on your product. You have no guarantee that any government official who has authority to take action against you will agree with your certifier’s determination. Your quality assurance processes should go much, much further than passing ONC certification tests that are administered by private bodies. Next, paper the file. Practice Fusion’s deferred prosecution agreement requires that Practice Fusion maintain copies of the versions of its EHR that receive ONC certification. This is a good practice no matter who you are. You want to maintain copies of the software that you’ve put in front of a certifier, along with the test data that you used. Sometimes certifiers will record demonstrations. You should, too (while observing any applicable wiretap laws).
If you are a provider organization, these investigations should prompt you to consider several practices. First, how much oversight do you exercise over your vendor? What is your legal liability when you become aware of a certification issue with your vendor? How do you communicate with your vendor regarding these kinds of issues? How does your vendor provide notice of these kinds of issues? Does your compliance plan address potential IT certification issues? One of the most important things is that you know how these kinds of issues are communicated by your vendor. Next, you should understand how your vendor handles these kinds of issues when they are reported. I would also seriously contemplate how these actions influence your purchasing decisions. The DOJ, OIG, and ONC are signaling increased enforcement in this sector. Between new certification requirements; fraud, waste, and abuse investigations; and inclement information blocking investigations, how do you choose your software? How does it impact the RFP process? How about the specifications you call for in your contracts? These are all important considerations. The short answer is that you should be incorporating the government’s requirements into your contracts.
We will continue to look at compliance challenges in health IT. In the meantime, if you’re a health IT vendor and don’t have a compliance plan, please get one. Now. If you’re a healthcare provider, make sure you understand what these actions mean to you from a fraud, waste, and abuse perspective and make sure you integrate them into your existing compliance plans. Get your compliance program where it needs to be, paper and document those efforts every step of the way, and be proactive about it. The focus from the federal government on health IT will not go away any time soon.
eHealth Law Blog 
2 thoughts on “Practice Fusion Part 2: ONC Certification, the FCA, and What You Should Do NOW”