Regulatory Penalties – When the HHS Comes Calling

Millions of citizens in the United States rely on the accuracy of Electronic Health Records (EHR) to make crucial decisions about their well-being. EHR systems are the conduits that host, exchange and retrieve patient health records for clinicians, patients and other dependent institutions that are an integral part of the care continuum. When the integrity of such an essential component of the US healthcare system is compromised, the repercussions can be perilous.

In 2017, one of the largest providers of EHR systems in the US, eClinical Works (ECW), was fined an astronomical $155 million, making it the largest financial recovery in the history of the State of Vermont. The Department of Health and Human Services (HHS) instituted legal proceedings against ECW for concealing from the certifying entity that the application suite did not meet the requirements for certification.

Despite being a trusted name with over one million users, ECW had chosen to ‘read between the lines’ of the regulatory requirements to sail through the certification process. While the hefty fine settled the matter with the US Department of Justice and the HHS, it left the users of ECW EHR systems out in the open to battle quality and QPP settlement issues for their reporting period.

Problems at the Source (Code)

ECW’s EHR system had hardcoded standardized drug codes, and this ‘modification’ enabled the vendor to pass certification testing, but only when the drug codes in the test scenario were used. The capability to retrieve any drug codes from databases was absent! By integrating test scenarios directly into the source code of the software, the HIT vendor was able to clear the 8+ hour-long certification run.

Unfortunately, with only limited criteria hardcoded into it, the EHR suite was not reliable enough to support responsible clinical decisions. Despite the long and daunting legal proceedings in the ECW case culminating in a record penalty amount, many HIT vendors still swear by hardcoded EHR systems. The only apparent motives are reduced product development costs and the lucrative incentive payments of the Medicare & Medicaid EHR Incentive Programs.
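The hardcoding pattern described above can be exposed by a holdout check: run the same lookup against codes that are in the formulary but not in the test scenario. The sketch below is an added example, not code from ECW or any vendor; the drug codes are constructed placeholders, and the table schema and function names are hypothetical.

```python
import sqlite3

# Constructed sample data: placeholder identifiers, not real drug codes.
SCENARIO_CODES = {"TEST-0001": "Scenario drug A", "TEST-0002": "Scenario drug B"}
HOLDOUT_CODES = {"HOLD-0101": "Holdout drug X", "HOLD-0102": "Holdout drug Y"}


def hardcoded_lookup(code):
    """The pattern the article describes: only scenario codes resolve."""
    return SCENARIO_CODES.get(code)


def build_formulary():
    """In-memory stand-in for the drug-code database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_codes (code TEXT PRIMARY KEY, name TEXT NOT NULL)")
    rows = list(SCENARIO_CODES.items()) + list(HOLDOUT_CODES.items())
    db.executemany("INSERT INTO drug_codes VALUES (?, ?)", rows)
    return db


def make_db_lookup(db):
    """Database-backed lookup: resolves any code present in the formulary."""
    def lookup(code):
        row = db.execute(
            "SELECT name FROM drug_codes WHERE code = ?", (code,)
        ).fetchone()
        return row[0] if row else None
    return lookup


def holdout_check(lookup):
    """Return the codes a lookup fails on, split by scenario vs holdout."""
    def failures(expected):
        return sorted(c for c, name in expected.items() if lookup(c) != name)
    report = {"scenario_failures": failures(SCENARIO_CODES),
              "holdout_failures": failures(HOLDOUT_CODES)}
    # Passing the scenario while failing the holdout is the hardcoding signature.
    report["looks_hardcoded"] = (not report["scenario_failures"]
                                 and bool(report["holdout_failures"]))
    return report


if __name__ == "__main__":
    print("hardcoded:", holdout_check(hardcoded_lookup))
    print("db-backed:", holdout_check(make_db_lookup(build_formulary())))
```

A mock run built this way should draw its holdout codes from the production formulary rather than from the published test scenario, so that an implementation tuned to the scenario cannot pass it.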

Tick Tick Tick!

In 2020, history repeated itself, with two HIT vendors fined $1.7M and $500K respectively for hardcoding criteria designed to help sail through MU3 certification. These instances of ‘defrauding’, as the HHS calls it, beg the question:

“Are there more cases of source code manipulations out there that haven’t been identified yet?”

These examples of penalizing EHR vendors suggest that the HHS is homing in on instances where MU3 certification requirements have been disregarded. If you are a HIT vendor with such inconsistencies in your product, you are potentially sitting on a time bomb which, when it explodes, will engulf you in a storm of legal consequences.

The Intervention

EHR product enhancements and regulatory compliance exercises become an ordeal only when HIT vendors don’t have the right resources. The services of a competent technical partner with experience in navigating risk-management environments, federal regulatory compliance requirements and data security protocols comprise the most effective solution to fix underlying grey areas in your product architecture.

The Right Approach: While it is possible to slip through loopholes in the regulatory guidelines, this approach is highly impractical. EHR systems altered to tiptoe past certification guidelines suggest inaccurate clinical interventions to care providers since they cannot account for real scenarios. The result can directly affect the overall well-being of a patient, something which the HHS will NOT take lightly when you are under the scanner.

Expert Advice: The knowledge of what not to do is more important than the regulatory requirements of meaningful use. With the establishment of best practices, HIT vendors can establish fail-safe mechanisms that do not compromise the integrity of the clinical inputs suggested by the EHR product.

Mock Runs: EHR developers must leave no stone unturned in the pursuit of excellence in certification. Mock runs help HIT vendors to identify and fix shortcomings in the system architecture before they can become roadblocks. A technical partner familiar with the implementation guides of the 2015 CEHRT criteria and testing expertise will identify rough edges in the system architecture during mock runs.

With the compliance requirements from the 21st Century Cures Act and its deadlines drawing closer, HIT vendors have another chance to fix MU3 certification adherence with their EHR products in the process.

Remember! The HHS is the one who knocks!

Get in touch with us to learn how you can ensure smooth transitions in the next phase for the ONC 2015 edition certification criteria: The 21st Century Cures Act.

Puneeth Salian
A writer in Healthcare domain, who is also a science and technology enthusiast. Enjoys creating interesting pieces that elucidate the latest Healthcare IT trends and advancements.