AHLA's Speaking of Health Law

Fraud and Abuse: False Claims Enforcement Against EHR Developers

July 20, 2020 AHLA Podcasts

In this episode of our monthly series on fraud and abuse issues, Matthew Wetzel, Associate General Counsel, Compliance Officer, GRAIL, speaks with Jessica Colarusso, Managing Director, Berkeley Research Group (BRG), and Adam Schwartz, Shareholder, Carlton Fields, about the latest in electronic health record (EHR) compliance and enforcement. The podcast discusses the recent uptick in the number of EHR developers being investigated by DOJ for false claims violations and where those investigations might be going in the future. From AHLA's Fraud and Abuse Practice Group. Sponsored by BRG.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

The following message and support for AHLA is provided by Berkeley Research Group, a global consulting firm that helps organizations advance in the areas of disputes and investigations, corporate finance and strategy and operations. BRG helps clients stay ahead of what's next. For more information, visit thinkbrg.com.

Speaker 2:

Welcome to the latest edition of the American Health Law Association's Fraud and Abuse Podcast. My name is Matt Wetzel, chair of the AHLA Fraud and Abuse Practice Group. And today we're talking about electronic health records, or EHR. What are the latest updates in enforcement? How have EHR developers and users been made subject to the False Claims Act or other laws? Joining me today to talk about these topics and more are two experts, Adam Schwartz and Jessica Colarusso. Adam Schwartz is a shareholder with Carlton Fields in Tampa, Florida, where he chairs the Government and Internal Investigations Practice Group. He concentrates on white collar criminal defense, False Claims Act defense and healthcare fraud and abuse matters. He previously served as an AUSA with the Eastern District of New York. Uh, Jessica Colarusso is a managing director with Berkeley Research Group, our sponsor for the podcast, where she leads the health, healthcare information technology, D&I and advisory team. She has 20 years of healthcare information technology and management experience with a focus on integrated electronic health records, regulatory compliance, and adherence to EHR incentive programs. Adam, Jessica, welcome. Glad to have you today.

Speaker 3:

Thank you so much. Great to be here.

Speaker 2:

Thank you. Good morning. You know, let's just jump right into it. Over the last few years, we've seen an increase in the number of EHR developers being investigated, uh, you know, by the DOJ violations of the False Claims Act. What, what, what's the source of these investigations? Where's this coming from? And, and, and, and what are some of the trends that you've seen in, in those enforcement actions?

Speaker 3:

Uh, if it's okay, I'll, I'll jump right in and start. Um, so Matt, from about 2009 to 2020, there were three congressional acts that established the framework for the various EHR incentive programs that we have in the country. Uh, for a hospital or provider to participate in those EHR incentive programs, commonly referred to as meaningful use, um, ultimately they're required to adopt and utilize a certified electronic health record. Um, and that's a key, a key piece of this that we'll need to keep in mind as we move through the discussion. Um, ultimately, between 2011 and 2018, uh, CMS has paid an in excess of 37 billion in incentive payments to hospitals and providers for their successful attestation to the Medicare and Medicaid EHR incentive programs. Um, in 2017, uh, Health and Human Services released an audit report, and inside the report they identified an estimated 729 million in incentive overpayments. And that was only for years 2011 to 2014. Wow. Wow. Ultimately, those overpayments were due to challenges adhering, uh, with the evolving program requirements. So a few examples of the root causes of these overpayments were inaccurate meaningful use reporting periods, uh, misaligned payment years, and insufficient use of certified EHR technology. Um, so when we look at what's happening with regards to the investigations and the rise of them, ultimately I think it's the, the sheer volume of dollars involved and the identification of that high volume of overpayments. And ultimately, you know, with the responsibility to recoup those incentive overpayments, uh, we're seeing some, some increased scrutiny on the programs. So we have, uh, CMS that ultimately examine the accuracy of hospital and provider attestations, and then ONC that's closely assessing and validating the EHR developers' compliance with the EHR certification criteria.

Speaker 2:

So, you know, as, as I, as I listen to, uh, the origins and, and, uh, some of the, um, you know, background of these investigations, it sounds like there's a complicated, uh, regulatory framework, uh, that really requires close attention by developers to ensure compliance.

Speaker 3:

App. Absolutely. Um, earlier I mentioned that to participate in EHR incentive program, a hospital or a provider must utilize certified EHR technology. Certification is a massive undertaking for a developer. There are multiple certification editions, each with their own unique set of certification criteria, standards, objectives, variables. EHR developers are responsible for monitoring the evolution of those program requirements, um, interpreting regulations, and then maintaining that certification, which is a tremendous undertaking for an organization. Um, just interpreting, oh, sorry. Go ahead, Adam.

Speaker 4:

No, I was just, no, Jessica. I, I mean, you're making all good points and, and I think an additional sort of layer of problems, uh, arise because the, the standards or the regulations change from year to year, and so the goal posts keep moving. Um, and I think that's, that also sort of adds another layer of, of difficulty, um, for EHR companies or developers to try to, to try to maintain, um, uh, you know, compliance with these, with these regulations. Um, and I agree with Jessica too. I mean, any, any place there's a, there's a lot of money spent, uh, and there are overpayments identified, the government's going to be looking at it, and, um, the government's been pretty successful using the False Claims Act to combat healthcare fraud generally. Um, and, and they like it as a, as a sort of a weapon to combat healthcare fraud, cuz it provides for three times single damages, up to three times single damages. And it, and additionally per claim damages up to $21,000, um, as part of some recent, uh, amendments of the law. So it's a, it's a significant weapon, um, that the government has in its arsenal.

Speaker 2:

So the stakes, it sounds to me as if, uh, the stakes are high and compliance is difficult, and, uh, Adam, you know, you, you, you've alluded to the False Claims Act. What, what would an EHR developer or someone in this space expect, uh, when an investigation would begin? How do they begin these investigations?

Speaker 4:

Yeah, they, they can begin in, in multiple ways. Sometimes there are, um, parties called relators or whistleblowers, um, uh, that can I, that can identify what they believe are wrongdoing within a company and bring those claims to the government, um, and present their claims under seal to the government. And so the government can be working on, uh, and investigating these claims, um, for months before the companies even know about it. And I think in this space in particular, that's how the first, uh, couple of these investigations started. Another way that they can start, and what we've seen as a trend lately, are, uh, the government itself, uh, initiating their own investigations based on data mining and, um, and so they can bring these false claims actions and investigations themselves. And we've seen that it appears to be the trend lately.

Speaker 2:

Interesting. And, um, you know, uh, as counsel for an EHR developer, what would you, uh, what would you suggest as an appropriate approach or, or response if one of your clients were under investigation?

Speaker 4:

Yeah, one of the, the big thing you have to do to, to prepare yourself and to defend, uh, these investigations is you really have to conduct a very thorough and detailed internal investigation. Because as we alluded to before, these regulations are so complex, they change from year to year, and these incentive programs, you know, cross different years. Sometimes the programs change, um, depending on if you're applying for, uh, Medicare or Medicaid incentive payments. And so to really, to combat this, you have to conduct a thorough internal investigation. And so it's not only on the legal side, but because of the complexity of the regulations, you really need to, uh, to find qualified experts, uh, who know this area, have familiarity with it, and can help interpret some of these regulatory requirements.

Speaker 2:

That's great advice, uh, Adam. And, uh, Jessica, you know, I wanna bring you in here. Uh, Adam mentioned the need for an expert, uh, someone with in-depth knowledge, someone with experience, uh, uh, you know, especially in the complexity and evolution of this area. We've talked about, uh, how, uh, how complex, how complicated, uh, the regulations are. Can you elaborate on some of these complexities and, and, and, and a little bit of the, uh, of the, uh, uh, the position that would be expected here, the, um, the expert that you would be expected to, to engage?

Speaker 3:

Um, absolutely. Thanks so much. You know, earlier Adam was, was mentioning the moving of goalposts. Um, and that always strikes me. Um, early on in these programs, executives, senior executives at some of the largest integrated EHR developers in the United States actually went on record to say that their organizations were wholly unprepared for the HITECH Act, and the impact it was to have on their organization. You know, these folks had development roadmaps that went years out into the future. And what certification was to do to them completely derailed those plans for the future. Um, EHR developers' relationship to the concept of EHR certification was limited. They, um, lacked preparedness, in-house expertise. Um, and ultimately those challenges cannot be overstated. Um, and their lack of preparedness cannot be overstated to date. Um, it was widely understood, um, that there was a dearth of expertise and experience in the healthcare IT industry, specifically for interpreting the program legislation and the evolving operational requirements needed to promote success in a highly regulated environment. So we were walking into a situation where we were needing to build the plane while we were required to start flying it. Um, what we see from a privileged consultancy standpoint, um, is, you know, we are looking for someone who comes in and has an in-depth knowledge and real-world expertise with the complexity and evolution of the ONC certified EHR technology, CMS EHR Incentive Program legislations. It's essential when you're dealing with these investigations. Um, an intimate knowledge, uh, with these programs and requirements can illuminate key elements that have a direct impact on the case. You know, for example, words get thrown around, concepts get thrown around, things such as RxNorm requirements, uh, implementation and interoperability of SNOMED CT, and the impact that that can have on patient safety.
Um, complexities of program participation, whether you're in program year one, stage one; program year three, stage two. If you ask a question and you're not sure of the state of a regulation or the state of a certification edition at the time, you get a very different answer. Um, so, so having that intimate knowledge of all of the different interdependencies and being able to triangulate those while assisting a client and in kind of sussing through and running to ground issues is, we think, highly important. Um, the legislation governing the programs is extensive and complex, constantly evolving. Um, and we're looking at, you know, over three congressional acts, 20 rules, um, over the last 10 years to support the requirements of those acts. Um, a really complicated environment.

Speaker 2:

Absolutely. Absolutely. Again, great advice, Jessica, thank you. And, and great insight on some of the issues, uh, that EHR developers and others are facing. Final question, and I'd love to hear both of your thoughts on this. Where do you see investigations in this space going in the future?

Speaker 4:

Yeah, that, that's a, that's a really, it's an interesting question. So I think, I think there are really two main points. We touched on the, um, on the penalty, some of the civil monetary penalties that the False Claims Act provides for, the three times the single damages and the per claim, uh, damages. But the False Claims Act is also a criminal statute, also provides for criminal penalties. And so I think, uh, two things. One, you're gonna see an increase in the government trying to use the False Claims Act to bring criminal penalties. And, um, in the most recent, uh, settlement that the government reached, uh, with a company, um, there was a criminal resolution to it, there was a deferred prosecution agreement that was signed with the company. Um, and I also think you're gonna, and the second part is I think you're gonna see, uh, more individuals included. So this is not, it's not just a, a company concern, and as far as individual goes, it's not just going to be executives. Uh, the first prosecution that, that the government, uh, levied against, uh, an EHR company in this area included a civil settlement, um, that had individuals, uh, who ended up having to pay money. Um, and it also, two of those individuals were, were developers. So it's not just executives. Um, folks really up and down the line of companies have to be concerned about this and really should be paying attention.

Speaker 2:

Absolutely. Jessica, would love your, your, your reactions as well.

Speaker 3:

Absolutely. Um, so we, we've seen some, some similarities in some of the, the earlier settlements that have made public. Uh, we we're, we're seeing things such as RxNorm, SNOMED CT, and, and we call those, um, standard, uh, standard nomenclature. Um, and ultimately those impact, uh, patient safety because they impact, um, the transmission of medications, uh, diagnos, uh, documentation, excuse me, of allergies, documentation of diagnoses, and then the transmission of that, that information. So are patient safety issues, I think true to all of our hearts and, you know, foundational to meaningful use of the system. So if there are challenges with those, we wanna make sure that those are rectified. Um, so certainly an, an early area of investigation and consistency that we've seen, um, in, in settlement, uh, once made public. In other areas that we've seen consistent is the CMS program reporting components. Uh, these are the components that I like to talk to as proving the meaningful use of a hospital or provider's system. Um, and there's complexities there and challenges with the way in which, um, items are calculated and then reporting is done. Um, you know, the most recent settlement we did, Adam mentioned the, the crossover, um, they're looking more at the criminal side too, and that was ultimately due to the ability to configure the system and configure the system in a way that would impact physicians' prescribing habits. So we can see the severity of the impact and u use of the system or misuse of the system as these cases are growing. Configuration elements that we saw on the most recent, um, settlement, I believe are one of the biggest areas of vulnerability moving forward. Um, configurations of EHRs were known in the industry to be differentiators. You often wanted to go with an electronic health record that allowed you to make, you know, bespoke configurations and, and take ownership of that and personalize that system. That opens you up to vulnerability.
It also opens the EHR developer up to vulnerability, right? So I think, I think that's gonna continue to play a role and an evolving role in future investigations. Um, one other area to consider, um, are some of the later versions of certification. We've primarily seen 2011 certification edition brought into question in the investigations. Um, certification elements build in complexity, um, with meaningful use, along with utilization requirements of hospitals and providers. Um, you start with the system. So it's kind of a, a crawl, walk, run for utilization and system development. I ultimately believe that the 2014 and 2015 certification editions and the more complex utilization of the system, uh, specifically around patient safety issues, are going to continue to evolve as well.

Speaker 2:

A again, great insight, Jessica, thank you so much. And, and Adam, I appreciate your thoughts as well. Uh, Adam Schwartz and Jessica Colarusso, thank you again for joining us on the AHLA Fraud and Abuse Podcast. Uh, and, uh, we are, uh, happy to have your insight and your input on EHR. And for those of you who are listening, uh, their contact information is available on the website. Thanks again. Take care. Thank

Speaker 3:

You. Thanks.