Considerations for Compliance Professionals After the Recent eClinicalWorks Settlement

By Marti Arvin, VP, Audit Strategy, CynergisTek
Twitter: @cynergistek

eClinicalWorks (ECW), an EHR vendor, recently settled with the Department of Justice (DOJ) and the Office of Inspector General of HHS (OIG) for $155 million and entered a five-year Corporate Integrity Agreement (CIA). The settlement was the result of an allegation that ECW had structured their Electronic Health Record (EHR) in a manner that did not comply with the Office of the National Coordinator for Health Information Technology (ONC) certification requirements to be a certified EHR appropriate for health care providers to use in attesting for meaningful use incentive payments. The allegations against ECW were that the company took intentional steps to hide known flaws in its system from the authorized certifying body (ACB). The government’s intervening complaint alleged a number of items in the EHR did not function in the manner required for certification. How is this possible and what considerations should compliance professionals think about when the purchase of clinical software is being discussed?

The ONC sets standards that EHRs must meet to be certified and requires that vendors of such systems submit their EHR to testing by an ACB to confirm the system meets those standards. Does the fact that it has now been discovered that the certified EHR does not meet those standards put Meaningful Use money at risk? Probably not, based on the settlement document and the terms of the CIA.

But how did this happen in the first place?

In this case the allegations against ECW, if true, are significant. The allegations were that the company intentionally hid the flaws from the ACB it used, and that known flaws were not fixed between its Stage 1 Meaningful Use certification and its submission of the product for Stage 2 certification. DOJ’s intervening complaint alleged that ECW knew certain functionalities did not meet the certifying requirements but intentionally modified the system to pass the pre-defined testing of the certifying body. If true, there is clearly a problem with the company’s actions, but what about the certifying body? Some of the allegations tied to what could have been significant patient safety issues, such as the lack of drug-to-drug interaction checking, the lack of drug allergy warnings, and e-prescribing functionality that made it possible for a different drug, a different dosage, or a different form of the drug to be dispensed than what was ordered.

A health care organization should be able to rely on the integrity not only of the certified EHR it purchases but also of the certification process. That reliance reasonably assumes that the system has undergone rigorous testing methods that do not lend themselves to circumvention. In this case, the allegation against ECW regarding e-prescribing was that they were able to do just that, because they knew not only the type of test that would be performed but the specific medications it would be performed on. As a result, it is alleged they were able to hardcode those medications into the system without actually having a process for the system to appropriately e-prescribe all medications.
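The weakness described above is general: a test script whose inputs are fixed and known in advance can be satisfied by a lookup table that handles only those inputs, and the defect stays invisible until a test uses an input the script did not. The following Python sketch is an added illustration, not code from the article or from any EHR vendor. The formulary, the product codes, the scripted medication list, and the two e-prescribing routines are all constructed for the example; the point it makes is that a scripted check cannot distinguish a genuine implementation from one tuned to the script, whereas a check that draws its medications from the full formulary can.

```python
import random

# Constructed reference formulary: order text -> product code.
# The codes are placeholders for this example, not real NDC values.
FORMULARY = {
    "amoxicillin 500 mg capsule": "CODE-0001",
    "lisinopril 10 mg tablet": "CODE-0002",
    "metformin 500 mg tablet": "CODE-0003",
    "atorvastatin 20 mg tablet": "CODE-0004",
    "albuterol 90 mcg inhaler": "CODE-0005",
}

# Constructed stand-in for a published certification script: the system
# must transmit exactly these three orders correctly.
SCRIPT_MEDICATIONS = [
    "amoxicillin 500 mg capsule",
    "lisinopril 10 mg tablet",
    "metformin 500 mg tablet",
]


def eprescribe_genuine(order: str) -> str:
    """Genuine behaviour: every formulary order resolves to its own code."""
    return FORMULARY[order]


def eprescribe_scripted_only(order: str) -> str:
    """Behaviour tuned to the script: only scripted orders resolve correctly.
    Anything else falls through to a default code, i.e. a different drug
    than the one ordered would be transmitted to the pharmacy."""
    table = {m: FORMULARY[m] for m in SCRIPT_MEDICATIONS}
    return table.get(order, "CODE-0001")


def scripted_check(impl) -> bool:
    """The weak check: fixed, pre-announced inputs."""
    return all(impl(m) == FORMULARY[m] for m in SCRIPT_MEDICATIONS)


def mismatches(impl, orders):
    """Return (order, expected_code, transmitted_code) for each order the
    implementation resolves incorrectly."""
    return [
        (o, FORMULARY[o], impl(o)) for o in orders if impl(o) != FORMULARY[o]
    ]


def formulary_sample_check(impl, sample_size=4, seed=7) -> bool:
    """The stronger check: orders drawn from the whole formulary, in an
    order the vendor cannot know in advance. With five formulary entries
    and a sample of four, at least one non-scripted order is always drawn."""
    rng = random.Random(seed)
    drawn = rng.sample(sorted(FORMULARY), sample_size)
    return not mismatches(impl, drawn)


if __name__ == "__main__":
    for name, impl in [("genuine", eprescribe_genuine),
                       ("scripted-only", eprescribe_scripted_only)]:
        print(f"{name:14s} scripted check: {scripted_check(impl)}  "
              f"formulary-sample check: {formulary_sample_check(impl)}")
    for o, expected, got in mismatches(eprescribe_scripted_only, FORMULARY):
        print(f"  ordered {o!r}: expected {expected}, transmitted {got}")
```

Both implementations pass `scripted_check`; only the genuine one passes `formulary_sample_check`, and `mismatches` lists the orders for which the tuned implementation would transmit the wrong product. The same reasoning applies to any acceptance test an organization runs on purchased clinical software: inputs the vendor has not seen are what give the test its evidentiary value.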

What can compliance professionals take away from this case?

Health care organizations should be able to rely on the certification process mandated by the ONC and assume that a “certified” EHR in fact meets all of the applicable criteria for that certification. Additional due diligence would not be expected. What about those technologies health care organizations are purchasing that do not have such a process behind them? It is not uncommon to hear a vendor say they are “HIPAA compliant.” A health care organization evaluating vendor products should exercise due diligence to ensure the products meet the minimum security and privacy criteria.

Organizations should be posing questions to their vendors about whether technologies meet minimum criteria when there is no certification process to reasonably rely on. For example, the Security Rule requires access monitoring, so has it been verified that the system has audit log functionality? Accesses cannot be audited if logging is not part of the system’s functionality. There are a multitude of issues a health care organization may wish to validate, but the days of simply taking the vendor’s word for it are over. Organizations need to be proactive and follow the mantra of “trust but verify.” There will likely be a pass for the users of ECW because of the alleged intentional acts by the company, but that would not necessarily be true for other vendors. OCR has not yet held a covered entity accountable for the failings of a vendor, but the lack of due diligence certainly poses a risk that can no longer be ignored.