What Healthcare Providers and Health IT Vendors Should Know About Changes to Regulatory Investigations


As entities that regularly receive federal funds, health systems, providers, medical device manufacturers, and Health IT vendors are frequent subjects of regulatory investigation and action by the federal government. Often these actions are taken under the False Claims Act (FCA), which was enacted to address improper use of federal funds involved in government programs.

The False Claims Act includes a whistleblower provision that allows private citizens to assist the federal government in discovering and pursuing fraudulent acts or conduct. The fraudulent acts can be wide-ranging, but historically a notable subset of these actions has related to a failure to meet specific Health IT regulations. The act also entitles the whistleblower to a share of any funds recovered and protects whistleblowers who support the government's investigation from retaliation. Whistleblowers typically file these civil suits under seal, and the government later decides whether to intervene; such a suit is known as a qui tam case.

With regard to healthcare, medical device, and Health IT companies, historic data from the past 10 years shows that major FCA settlements can be loosely grouped into four categories:

  1. Medical billing and reimbursement (e.g., CMS regulations, Medicare/Medicaid fraud)
  2. Anti-Kickback Statute and Stark Law (physician self-referral)
  3. Privacy and cybersecurity regulations (e.g., HIPAA)
  4. Meaningful Use/Certified Health IT regulations (e.g., HITECH Act, 21st Century Cures Act)

With regard to the fourth type, Meaningful Use/CEHRT regulations, several high-profile cases in recent years with eight- and nine-figure settlements, involving Community Health Systems, Inc., eClinicalWorks, LLC, and Greenway Health, LLC, illustrate the continued focus of HHS-OIG and the DOJ on this area, which includes privacy and cybersecurity concerns.

Civil Cyber-Fraud Initiative

The most recent Health IT vendor to settle with the federal government, Comprehensive Health Services, LLC, did so as a direct result of the work of the DOJ's newly founded Civil Cyber-Fraud Initiative (CCFI). The program cuts across all industries and services, not just Health IT, but given that this is only the second settlement overall under the Initiative, the appearance of a Health IT matter at this early stage is noteworthy.

The CCFI focuses on ensuring that companies receiving federal funds as contractors or subcontractors providing products or services to the federal government have the required cybersecurity controls, that these controls are effective, and that these companies monitor and report cybersecurity incidents and breaches in a timely manner. The DOJ intends to hold these companies accountable through civil enforcement under the False Claims Act. Notably, the Civil Cyber-Fraud Initiative is directed by the Fraud Section of the Civil Division's Commercial Litigation Branch at the DOJ, the same branch that handles False Claims Act matters [1].

Of the past eight cyber-related settlements listed on the DOJ's website [2], four involve Health IT providers or vendors, and not all of these settlements are strictly related to Meaningful Use regulations. While the CCFI settlement involved a DoD medical services subcontractor, the applicable regulations are similar to those followed by conventional healthcare providers.

It is also worth noting that for every public DOJ settlement announced, several other inquiries and investigations are being conducted by the DOJ outside of the public eye. Sometimes entities know of these investigations because they receive Civil Investigative Demand (CID) letters from the DOJ; at other times the DOJ's work occurs without the knowledge of the entity being investigated. This can happen when a whistleblower files a qui tam case under seal and the DOJ uses the opportunity to investigate the allegations before deciding whether to intervene. Even in cases that never reach a settlement or an unsealed qui tam complaint, the effort, burden, and risk of responding to these serious allegations, including those without merit, can be costly, time-consuming and stressful, and the process unfamiliar.

Changing Trends

In addition to the traditional risk that whistleblowers within an organization will come forward, the Interoperability and Information Blocking regulations mean that outside vendors and parties have direct access to, and knowledge of, the kinds of documents that have historically been used by whistleblowers in qui tam cases. For example, the eClinicalWorks whistleblower did not work at eCW, but rather at a health information exchange.

Health IT vendors should be aware that False Claims Act inquiries and prosecutions are not limited to Meaningful Use regulations, and can include HIPAA and other applicable regulations.

Because many recent False Claims Act settlements have focused on specific regulatory criteria, it is reasonable to assume that the DOJ will also consider compliance with current regulations, including those under the 21st Century Cures Act (which include a range of new cybersecurity-related requirements).

In a future Part 2 of this article, we will discuss advice and guidance on addressing risks related to False Claims Act allegations.

Note: None of the above material constitutes legal advice. Quandary Peak Research is not a law firm and does not offer legal advice or legal services. The article above is based on publicly available information. None of the information referenced above includes or relies upon the confidential information of any third party including the U.S. government.


Our Experience with False Claims Act cases in Health IT

Quandary Peak Research has a leading compliance and audit practice and offers a comprehensive approach to Health IT regulatory matters. Our team of experts brings perspective in technology and litigation earned over a decade of working on False Claims Act cases in the Health IT space. We have applied our experience in clinical informatics, software engineering, cybersecurity, information security, and government regulations and programs to help companies navigate the complexities of regulatory compliance, including responding to DOJ inquiries and conducting internal investigations.