The Wall Street Journal recently reported that the Department of Veterans Affairs is in discussions with Apple to provide portable electronic health records (“EHRs”) to military veterans. The plan reportedly calls for Apple to develop specialized software tools that would allow veterans and their families to access their EHRs through Apple’s Health Records EHR data viewer. The proposed plan is intended to simplify and streamline health data access for patients visiting VA healthcare sites.

If the plan comes to fruition, patients will be able to transfer their EHRs directly to their personal iOS devices. Other features could provide services such as automatic prescription refills; geotagging to identify nearby VA healthcare facilities; sharing medical test results; and tracking prescriptions.

For its part, Apple stands to fare well in the deal: it will reportedly receive a 15% to 30% share of subscriptions to the service. But despite its prowess in the tech world, Apple may be bringing the proverbial knife to a gunfight. Apart from the plan's failure to account for veterans who don’t own iPhones (as of June 2018, 54.1 percent of U.S. smartphone subscribers used an Android device), issues relating to the accuracy of patient records and fraudulent practices have loomed over EHRs since their inception.

The Office of Inspector General Identified Early Concerns of Potential EHR Fraud

The Office of Inspector General (“OIG”) for the Department of Health and Human Services issued a report in January 2014 addressing concerns over the transition from traditional paper medical records to EHRs. The report emphasized that EHR technology can make it easier to commit fraud. For example, poor design or inappropriate use of EHR documentation features can result in poor data quality or fraudulent billing.

The OIG report identified two examples of EHR documentation practices that could be used to commit fraud. Copy-pasting, also known as cloning, allows users to select information from one source and duplicate it in another location. When healthcare providers copy-paste information but neglect to update it or ensure its accuracy, inaccurate information could become part of a patient’s medical record. These errors could lead to inappropriate charges and result in erroneous billing to patients and third-party payers. Inappropriate copy-pasting could also allow unscrupulous healthcare providers to inflate claims and duplicate or create fraudulent claims.

A practice known as overdocumentation is another fraud-related concern identified by OIG. Overdocumentation is the insertion of false or irrelevant documentation to create the appearance of substantiation for billing of higher-level services. OIG identified certain EHR technologies that have built-in templates that automatically populate fields in the patient’s record. Some EHR systems are designed to generate extensive documentation through a single click of a checkbox, some of which might be inaccurate if not properly edited by the practitioner. OIG noted that such features can produce information that suggests the provider performed more comprehensive services than were actually rendered.

The OIG report also found that few CMS contractors reviewed EHRs differently from paper medical records. A number of CMS contractors reported that they were unable to determine whether a healthcare provider had copied language or engaged in overdocumentation of medical records. The report also faulted CMS for having provided limited guidance to Medicare contractors about EHR fraud vulnerabilities.

More than three years after identifying concerns in its 2014 report, OIG recommended that the Office of the National Coordinator for Health IT and CMS develop a comprehensive plan to address fraud vulnerabilities in electronic health records. In its May 2017 edition of Compendium of Unimplemented Recommendations, OIG noted that “[e]xperts in health IT caution that EHR technology can make it easier to commit fraud.” For example, OIG found that nearly all hospitals with EHR technology had implemented recommended audit functions, but noted that many might not be fully utilizing them. The report warned that the Department of Health and Human Services “needs to address the risks that EHRs pose to the integrity of federal health programs.”

EHR-related Violations of the False Claims Act

The healthcare industry’s transition to EHRs creates a plethora of new opportunities for dishonest individuals and organizations to perpetrate fraud. The Department of Justice (“DOJ”) has stated that the identification and prosecution of false and fraudulent billings in healthcare is one of its highest priorities due to the pervasiveness of fraud that already exists in the industry.

In July 2016, DOJ announced a $3.3 million settlement with MD2U, a regional provider of home-based healthcare located in Louisville, Kentucky. As part of the settlement, the company admitted to multiple violations of the False Claims Act. One of those violations involved the misuse of electronic medical records whereby non-physician providers electronically cut, copied and pasted medical notes from prior visits. The DOJ explained that the ability to copy-paste notes from visits that occurred weeks, months, or even years before the most recent patient visit created the illusion that the company’s employees performed a significant amount of work when, in fact, they had not. In cases where the documentation was insufficient to allow billing to the highest-level code, MD2U directed its employees to alter medical records after a patient visit had occurred. This fraudulent practice allowed the company to falsely document that additional work was performed during a patient visit in order to substantiate the highest level of billing.

DOJ settled another case involving EHR-related violations of the False Claims Act in May 2017. eClinicalWorks (ECW), one of the largest vendors of electronic health records software, agreed to pay a total of $155 million to resolve a False Claims Act lawsuit based on allegations that the company misrepresented the capabilities of its software.

In its complaint-in-intervention, the government alleged that ECW falsely obtained certification for its EHR software by concealing from its certifying entity that its software did not comply with the requirements for certification. For example, rather than programming the capability to retrieve any drug code from a complete database, ECW simply entered the codes necessary for certification testing directly into its software. ECW’s software also failed to accurately record user actions in an audit log and, in certain situations, did not reliably record diagnostic imaging orders or perform drug interaction checks. The software also failed to comply with data portability requirements that were intended to allow healthcare providers to transfer patient data from ECW’s software to the software of other vendors. These deficiencies allegedly caused ECW to submit false claims for federal incentive payments based on the use of its software.

The foregoing cases illustrate how the future integrity of electronic health records falls squarely on the shoulders of healthcare practitioners and electronic health records vendors. Both groups will either reap the benefits and rewards of this emerging technology or find themselves in the crosshairs of a government investigation or worse – as a defendant in a False Claims Act lawsuit.