On May 31, 2017, the Department of Justice announced a $155 million settlement with eClinicalWorks (ECW), an electronic health records (EHR) software vendor, to resolve a whistleblower complaint that alleged violations of the False Claims Act and the Anti-Kickback Statute. This settlement, the “largest financial recovery in the history of the State of Vermont,” should put EHR vendors on notice, as well as vendors that offer services or products to health care providers: providing misinformation to a government contractor or health care provider about their products or services, or furnishing nonconforming goods or services, may subject them to significant financial exposure under the False Claims Act, even if they do not themselves submit claims to the government.
Background: Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, the United States Department of Health and Human Services (HHS) established a program to provide incentive payments to health care providers who demonstrated “meaningful use” of “certified” EHR technology. The incentive payments are to encourage health care providers to transition to using EHR. To obtain the proper certification, EHR vendors are required to affirm that their products meet certain requirements adopted by HHS and then pass certain tests by a certifying agency approved by HHS.
Allegations: The lawsuit, in which the federal government intervened, alleged that ECW falsely attested that its products met the applicable certification criteria and prepared its software to pass the certification testing without actually meeting the certification criteria. Significantly, ECW was alleged to have violated the False Claims Act because it had “caused” the end user health care providers to submit inaccurate attestations concerning their use of “certified” EHR in support of their claims to the government for “meaningful use” incentive payments.
Settlement: ECW agreed to pay $155 million to settle the complaint and entered into an onerous, five-year Corporate Integrity Agreement (CIA). In what the DOJ described as “innovative,” the CIA requires, among other things, that ECW (a) retain an Independent Software Quality Oversight Organization to assess ECW’s software quality control systems, (b) provide prompt notice to its customers of any safety related issues, (c) maintain on its customer portal a comprehensive list of issues and steps users should take to mitigate potential patient safety risks, (d) provide its customers with updated versions of their software free of charge, (e) offer customers the option to have ECW transfer their data to another EHR vendor without penalties or charges, and (f) retain an Independent Review Organization to review ECW’s arrangements with health care providers to ensure compliance with the Anti-Kickback Statute.
Implications: EHR and other health care vendors cannot assume that their liability is limited to breach of contract or indemnification of their customers. Rather, the ECW case points to the risk of direct exposure under the False Claims Act, without ever submitting a single claim to the government. In a similar vein, in the context of the Health Insurance Portability and Accountability Act (HIPAA), software and other vendors may also be directly subject to penalties under HIPAA for breaches of protected health information, as business associates to their health care provider customers.