The Department of Justice announced that it would intervene in a False Claims Act case brought by a relator on behalf of the United States against a certified electronic health record vendor, Modernizing Medicine.
In summary, the relator has alleged that Modernizing Medicine faked its product’s certification – which did not meet the certification program’s technical requirements – resulting in improper payments from Medicare and Medicaid under the Electronic Health Record Incentive Program, known as Meaningful Use (“MU”). In addition, the relator here has claimed that Modernizing Medicine engaged in several kickback schemes that violated the federal Anti-Kickback Statute (“AKS”), which is a de jure FCA violation as well. This is the first post in a three-part series that will look at specific elements of the complaint: 1) those relating to the product’s capabilities, 2) the AKS allegations, and 3) allegations related to upcoding medical claims.
First, this action should not surprise anybody who is watching federal enforcement of health IT developers. Way back in 2020 when the Practice Fusion settlement dropped, I wrote that “folks should be taking representatives from the DOJ, OIG, CMS, and ONC at their word when they say enforcement actions are coming.” There, the “DOJ allege[d] that because Practice Fusion’s technology did not meet the standards of the ONC Health IT Certification Program, the providers using that software filed false attestations”
Modernizing is simply next up to bat, and there will be more. This case is interesting though because it has a very, very distinct bent towards not just product capabilities, but also product management and compliance in general. The party bringing the action on behalf of the United States is a former Vice President of Product Management at Modernizing medicine; and that perspective is reflected in the nature of the complaint which focused on 1) product management priorities, and 2) technical deficiencies.
In summary, the complaint alleges that Modernizing Medicine essentially prioritized profit over safety and compliance when developing its software. Notably, the complaint alleged that Modernizing Medicine was backlogged with a series of technical deficiencies that affected general performance, reporting integrity, and most importantly patient safety. These deficiencies allegedly existed for a very long time, and when faced with a choice between choosing to develop a new revenue generating opportunity or fixing these deficiencies, Modernizing Medicine chose to prioritize new revenue opportunities.
If true, this is a damning practice that will only invite new scrutiny on the industry, particularly in light of what the alleged deficiencies actually were. The one allegation that struck me particularly hard when reading the complaint was that data from patient medical records allegedly got mixed into other patients’ records. This is a massive patient safety problem and to me, represents a totally compromised system. If you cannot rely on the data in a patient’s record at the point of care, then what’s the point of having it? If a medication, allergy, or recent procedural history is wrong and populated with the wrong person’s information, if that patient presents at an ER unconscious then a doctor very well could prescribe something that could kill them. This problem allegedly was persistent and consistent. As a kicker, it’s also a relatively straightforward HIPAA violation.
Another allegation stated that Modernizing Medicine couldn’t finalize visit notes, rather, they would basically spin out and remain unsigned. This directly affects the MU program because a lot of the metrics are tied to “qualifying visits” that occur in a specific reporting period. Adding onto that, when confronted with the problem, Modernizing Medicine allegedly allowed providers to just change the notes to whatever they wanted. If you ever consider that option without reservation, please know that it’s very stupid and makes your product in a vehicle for fraud. Sure, it is the provider’s data and they have the right to change it. But if they have already signed a note, the way they change an already signed note is by amending it, which means they add a notation to the note and sign that too. They don’t get to just delete the old data like it never existed: these are insurance records not just patient records.
Unsurprisingly, the complaint alleges that Modernizing Medicine’s audit log did not meet the certification program’s requirements. It also alleged that it had issues with the ability to record a patient’s active problem list using Systematized Nomenclature of Medicine – Clinical Terms (“SNOMED”); and, the ability to incorporate clinical lab tests, values, and results using Logical Observation Identifiers Names and Codes (“LOINC”). I literally copied that text from the same blog posted linked above on Practice Fusion because it’s the same allegations. Also, RxNorm codes allegedly did not translate correctly. The short of this means that Modernizing Medicine allegedly could not talk to pharmacies or labs with a common dictionary, meaning that medication dosages, lab orders, results, actual medication(s) prescribed could all be thrown off a little, or very dramatically. That is another horrifying patient safety issue, although it is one typically mitigated by pharmacists and lab technicians when they see the patient and say “wait, what that’s not what your scrip or lab says here?”
I concluded my post on Practice Fusion with a recommendation and observation I stand by, and one that this complaint simply teaches again:
The results from the Practice Fusion investigation provide some insight into risk areas and ways you can manage that risk. First, when it comes to certified capabilities, the quality bar for any product should be quite high. The certification process is not set up to be your quality assurance department. The onus of keeping your product up to the ONC’s standards is on you, not your certifier. Just because your certifier does not catch something does not mean that you are off the hook because it signed off on your product. You have no guarantee that any government official who has authority to take action against you will agree with your certifier’s determination. Your quality assurance processes should go much, much further than passing ONC certification tests that are administered by private bodies. Next, paper the file. Practice Fusion’s deferred prosecution agreement requires that Practice Fusion maintain copies of the versions of its EHR that receive ONC certification. This is a good practice no matter who you are. You want to maintain copies of the software that you’ve put in front of a certifier, along with the test data that you used. Sometimes certifiers will record demonstrations. You should, too (while observing any applicable wiretap laws).
Then, once you’ve put a compliance program into place and start finding problems in your product, rather than ignoring them or panicking, I recommend fixing them and disclosing them to your customers and certifiers. I’ve linked below to a post on how to address known issues like these, and the answer is prioritize fixing them. Most product management principles assign priorities to statuses like: very low, low, medium-low, medium, medium-high, high, very high. Patient safety issues are a very high priority. Certification and fraud related issues are a high priority. Privacy issues are a high priority. Security issues are a high priority (check your insurance bill). Revenue generation is medium-high. Get your priorities right or the government will do it for you through a corporate integrity agreement.
eHealth Law Blog 