EHR HIPAA compliance is a growing concern in the healthcare industry, especially in the aftermath of the US Department of Justice’s (DOJ) recent settlement after the eClinicalWorks lawsuit.
Pair this fine with hints out of the Department of Health and Human Services (HHS) about forthcoming EHR HIPAA compliance guidance, and it seems likely that the trend in EHR HIPAA enforcement will continue to grow throughout the rest of 2017.
A $155M Violation
On May 31, 2017, the DOJ announced that EHR vendor, eClinicalWorks had reached a $155 million settlement for alleged abuses of the False Claims Act, which was related to HIPAA Meaningful Use requirements.
The settlement was reached after an investigation by the DOJ into claims that eClinicalWorks made about the status of its compliance with the Center for Medicare/Medicaid Services’ (CMS) Meaningful Use incentive program.
The DOJ’s investigation found that eClinicalWorks “falsely obtained [Meaningful Use] certification for its EHR software when it concealed form its certifying entity that its software did not comply with the requirements for certification.”
In falsely attaining Meaningful Use certification, ECW’s clients were able to claim Meaningful Use reimbursement from CMS under false pretenses. The $155 million settlement fine came as a result of the reimbursements that eClinicalWorks’ customers were able to claim from CMS under the unlawful certification.
Acting U.S. Attorney for the District of Vermont Eugenia Cowles went on record, saying “This resolution demonstrates that EHR companies will not succeed in flouting the certification requirements.”
eClinicalWorks disputed the allegations, but said that it settled with the DOJ to avoid litigation.
An Emerging Trend in EHR Regulatory Guidance, Enforcement
Back in May of 2017, HHS Secretary Tom Price and OCR Director Roger Severino suggested changes to privacy and security requirements for EHR platforms.
EHR platforms are currently beholden to HIPAA regulation as business associates (BAs) under the Ombinus Rule. A business associate is any vendor hired to handle, store, or process protected health information (PHI) in any way over the course of the work they’ve been hired to provide.
The Omnibus Rule was an addendum to HIPAA regulation enacted in 2013. This Rule made it mandatory for business associates to fully comply with HIPAA, or face enforcement efforts and fines. Because HIPAA investigations can take 3-4 years to complete, the first ever large-scale business associate HIPAA settlement was reached in July of 2016.
EHR platforms have been responsible for several data breaches since Omnibus was enacted in 2013, meaning that a new wave of EHR settlements and HIPAA enforcement efforts is very likely by the end of this year.
This potential trend in EHR HIPAA enforcement also comes in the aftermath of over $17.1 million in 2017 HIPAA fines levied since the start of the year. Compare that to $6.2 million in 2015 and $23.5 million in 2016.
So with overall fines increasing, and a high likelihood of EHR enforcement in the coming months, the time to educate yourself about HIPAA compliance is now.
To keep yourself informed about trends in EHRs and HIPAA compliance, view our HIPAA webinar series. To jumpstart HIPAA compliance for your EHR or practice, learn more about HIPAA compliance software and how to become HIPAA complaint.