Whistleblowers Are Critical in Combatting EHR Certification- and Payment-Related Fraud

May 10, 2019
An attorney looks at the complex issues surrounding the detection of fraud connected to EHR certification processes, or to federal or state reimbursement processes

It should be no surprise that electronic health record (EHR) software – which is not only sophisticated software, but is managed by a matrix of highly skilled and sophisticated healthcare professionals – is a ripe target for fraud. When billions of dollars are on the table in any industry, the risk for fraud, waste and abuse rises significantly. While the overwhelming majority of companies and professionals that operate within the EHR matrix operate legitimately and legally, a number of bad actors have been identified for defrauding the federal government. In many cases, the only way EHR fraud is reported is by whistleblowers who share first-hand knowledge of potential fraud before major losses can occur.

Whistleblowers are crucial in the fight against healthcare fraud and can be compensated for doing so. Healthcare fraud involving EHR software is no exception. A 2012 Health and Human Services Office of Inspector General report estimated that the Centers for Medicare and Medicaid Services inappropriately paid over $700 million in connection with EHRs. Other recent settlements have demonstrated the potential for fraud and abuse in the EHR space and the role whistleblowers play. For example, eClinicalWorks, one of the largest providers of EHRs, settled with the Department of Justice for $155 million after a whistleblower exposed fraud. EHR fraud not only defrauds the American taxpayer, it potentially puts patients at risk.

Understanding the Complex EHR Matrix

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, many savvy medical organizations have purchased EHR technology. As of June 2014, Medicare had made EHR incentive payments to eligible professionals (EPs) totaling $6 billion. As one example, the Kaiser Foundation received $358 million in EHR grant money in 2017 alone.

Three types of organizations create and manage EHR systems. First, there are software companies such as EPIC, eClinicalWorks, Allscripts and Cerner. These EHR vendors create software that allows providers ranging from massive hospital networks to small private practices to do things such as electronically schedule appointments, access patient data, and create provider notes with just a few clicks. Second, an Accredited Test and Certification Body (ONC-ATCB) must review and certify that the EHR system meets federal requirements to qualify for Medicare and Medicaid EHR incentive payments. And finally, the last major type of organization that manages EHR systems is the healthcare provider. In practice, the software is often used by professionals throughout healthcare organizations – clinical-level end-users, front office administrative staff, the billing department and more. Day-to-day, the software is often managed by a team of in-house IT administrators or consultants who are specially trained and certified on how to manage the complexity of the system that is in use. Healthcare providers pay for the EHR systems, receive government incentive payments to offset the cost of purchasing EHR software and, in many cases, use the EHR software to bill government healthcare programs such as Medicare and Medicaid.

Irregularities in EHR software and its implementation can be identified at any of these three types of organizations, and anyone who regularly works with EHR software has the potential to uncover problems with the software and how it is being used.

Recent EHR Fraud Cases Raise an Alarm

In 2017, one of the nation’s largest EHR providers, eClinicalWorks, settled a lawsuit with the U.S. Department of Justice for $155 million. In that case, the government alleged that eClinicalWorks gave customers kickbacks for publicly promoting its products, while at the same time concealing from its certifying entity that its software did not comply with the requirements for certification. Similarly, in 2018, the DOJ settled with EHR provider Greenway Health LLC for $57.25 million, alleging that the company concealed from its certifying entity, Drummond Health, that its EHR product Prime Suite did not meet requirements for certification. Numerous other cases have alleged that improperly designed and implemented EHR systems have led to adverse patient outcomes.

While these cases represent a small fraction of the EHR industry, the fraud that was identified highlights the ease with which organizations can manipulate the system, costing taxpayers millions and potentially placing patients’ lives at risk.

Detecting EHR-Enabled Fraud

While regular audits of EHR systems are conducted by federal agencies, as well as by in-house auditors employed by many major health systems, there isn’t a “one-size-fits-all” template for these fraudulent schemes.

However, there are a few common signs that indicate EHR fraud may be occurring. For example, it may raise a red flag if a provider is receiving an overall greater reimbursement from government programs than they received while using paper records. Another potential cause for concern is if notes and details in patient records appear to be copied and pasted (such as consistently identical information on height, weight and blood pressure for many patients). Problems may also appear for healthcare administrators as regular glitches for routine tasks such as split billing.

Often though, the key to identifying fraud is to trust your instincts. If it looks suspicious, there is nothing to lose from raising your concerns.

How to report fraud

First and foremost, it’s critical to know that individuals who report fraud have a number of legal rights and protections, even if it is determined that fraud has not actually occurred. The Federal False Claims Act (FCA) provides protection to whistleblowers from any type of retaliation. This means an employer cannot fire, demote or deny an employee the benefits they are normally entitled to in response to or in retaliation for reporting fraud. It’s recommended that whistleblowers consult an attorney to ensure protection, and if fraud can be proven, your attorney can take the allegations to the federal government so that the fraudulent organization can be brought to justice.

Cases brought under the federal FCA are filed under seal in a U.S. District Court. That means the potential case remains a secret to everyone except the federal judge and government prosecutors to allow the Justice Department the time needed to investigate the matter. Once the DOJ’s investigation is complete, the government will determine whether or not it will join the whistleblower’s attorney and “intervene” in the case. When the government decides to intervene, these cases are frequently settled out of court and whistleblowers commonly receive financial compensation for identifying the fraud and helping the government pursue its case. Additionally, there are protective steps that your attorney can provide you to keep your personal identity protected during and after a case is unsealed.

As EHR systems continue to become increasingly prevalent throughout the healthcare system, it’s imperative for professionals who work throughout the EHR matrix to monitor their systems for irregularities and possible fraud. The first-hand knowledge these professionals bring can be the difference in saving taxpayer money and patient lives.

William G. Powers is an attorney with Baron & Budd’s Washington D.C. office, where he specializes in qui tam litigation.
