Compliance
,
Electronic Healthcare Records
,
HIPAA/HITECH
Concerns Raised About Potential Impact on Patient Safety(
HealthInfoSec) •
February 7, 2019
Regulators have slapped electronic health records vendor Greenway Health with a $57 million fine.
For the second time, the Department of Justice has imposed a substantial fine on an electronic health records software vendor in a case that involves data accuracy and integrity issues that could affect patient safety.
See Also: Live Webinar | Underestimated Risk & Overestimated Security: When All You Do Is React, it May Be Too Late
In a settlement announced this week, DoJ slapped Greenway Health with a $57.25 million fine under the False Claims Act, with regulators alleging the company misrepresented the capabilities of its EHR software to meet the certification requirements of the HITECH Act meaningful use incentive program. HITECH has provided organizations with billions of dollars in incentive payments for using EHR software certified for the program.
The Justice Department says Greenway Health was aware that its Prime Suite EHR products did not correctly calculate the percentage of office visits for which its healthcare provider users distributed clinical summaries to patients, thereby causing certain users to falsely attest that they were eligible for HITECH incentive payments.
In a similar case back in 2017, the DoJ signed a $115 million settlement with Massachusetts-based EHR vendor eClinicalWorks, alleging the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements.
The data accuracy and integrity issues in both the Greenway and eClinicalWorks cases raise potential patient safety and healthcare quality concerns, DoJ says.
"Medical professionals and patients depend on the security and competency of electronic health records as a means to improving both the quality and coordination of health care services."
—Byung Pak, U.S. Department of Justice
"These cases are important, not only to prevent theft of taxpayer dollars, but to ensure that the promise of health technology is realized in the form of improved patient safety and efficient healthcare information flow," says U.S. Attorney Christina Nolan for the District of Vermont. "We will be unflagging in our efforts to preserve the accuracy and reliability of Americans' health records and guard the public against corporate greed. EHR companies should consider themselves on notice."
DoJ Allegations
Among the allegations in the Greenway case, the DoJ claims that the company's product did not incorporate standardized clinical terminology necessary to ensure the "reciprocal flow" of information concerning patients and the accuracy of electronic prescriptions.
"Greenway accomplished its deception by modifying its test-run software to deceive the company hired to certify Prime Suite into believing that it could use the requisite clinical vocabulary," the DOJ said in a statement.
"Medical professionals and patients depend on the security and competency of electronic health records as a means to improving both the quality and coordination of health care services," noted U.S. Attorney Byung Pak for the Northern District of Georgia.
In addition, prosecutors also alleged that Tampa, Florida-based Greenway violated the Anti-Kickback Statute by paying money and incentives to its healthcare provider clients to recommend Prime Suite to prospective new customers.
"DOJ's complaint against Greenway ... leaves me stunned by how easy it was for them to game the system," says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"Organizations should perform a risk assessment of the functions and operability of the EHR to determine if there are vulnerabilities that would indicate inconsistencies in how data is calculated or operations are performed or that the EHR fails to protect the integrity of the data entered into the system. Unfortunately, the certification of EHRs seems to be largely on the honor system for which there appears to be little oversight or testing. "
Corrective Actions
In addition to paying the hefty financial penalty, Greenway also has entered into a five-year corporate integrity agreement with the Department of Health and Human Services' Office of Inspector General.
The agreement requires that Greenway retain an independent review organization to assess Greenway's software quality control and compliance systems and to review its arrangements with healthcare providers to ensure compliance with the Anti-Kickback Statute.
"Greenway must provide prompt notice to its customers of any patient safety related issues and maintain on its customer portal a comprehensive list of such issues and any steps users should take to mitigate potential patient safety risks," OIG notes.
The corporate integrity agreement also requires Greenway to enable Prime Suite customers to:
Obtain the latest versions of Prime Suite at no additional charge;
Migrate their data from Prime Suite to another Greenway-developed software product without charge;
Have Greenway transfer their data to another EHR software vendor without penalties, service charges, or any other fees other than contractual amounts still owed in connection with goods or services already provided.
In a statement provided to Information Security Media Group, Greenway Health CEO Richard Atkin says: "The settlement is not an admission of wrongdoing by Greenway, and all our products remain [HHS] certified. This agreement allows us to focus on innovation while collaborating with our customers to improve the delivery of healthcare and the health of our communities."
Meaningful Use
Under the HITECH Act meaningful use program, HHS made incentive payments available to eligible healthcare providers that adopted certified EHR technology and met certain requirements relating to their use of the technology. To obtain certification for their EHR software, vendors are required to demonstrate that their products satisfy all applicable HHS-adopted certification criteria.
"In January 2013, Greenway submitted an application for testing and certification of Prime Suite to the 2014 Edition. As part of the application, Greenway represented that Prime Suite satisfied the certification criteria for a complete EHR and was capable of meeting those criteria and using the required standards in the field. This representation was false," the Justice Department alleged in court documents in the Greenway case.
Broken Trust
Healthcare providers who use a certified EHR trust that the products perform as they were certified to do, notes Kate Borten, president of privacy and security consultancy The Marblehead Group.
"Not only does this case shine a spotlight on Greenway, the offending vendor, but it undermines that trust," she says. "It's not unlikely that other vendors will be revealed as deficient in the future. The testing and certifying bodies should re-evaluate their processes, specifically to reduce the possibility of vendors being less than honest."
The Greenway case provides a wake-up call to the healthcare industry and government regulators regarding vulnerabilities in the testing and oversight of the EHR certification system, Holtzman notes.
"Healthcare organizations that attested to meaningful use using Greenway's products will be on bated breath waiting for HHS to decide what it will do," he says.