Image Credit: Photo by rawpixel on Unsplash
Image Credit: Photo by rawpixel on Unsplash

Electronic Health Records (EHRs) have overtaken paper in many medical offices and are being promoted as a way to help healthcare providers better serve patients. EHRs have made it easier for healthcare providers to give patients immediate access to the results of medical exams and tests. They’ve also helped decrease instances of duplicate and inaccurate medical records, and they’ve generally improved the accuracy of health records by eliminating potential human error like sloppy handwriting. However, EHRs do not entirely eliminate the potential of errors in medical records or care; and when mistakes happen as a result of errors in EHR files or EHR system performance it’s not always clear if the electronic system or human workers should be held accountable.

A 2017 settlement between the Department of Justice and eCincical Works, an EHR provider, became one of the first cases where an EHR vendor was found liable for errors in patient care that resulted from malfunctions in its system. Deborah Farringer, assistant professor of law at Belmont University College of Law, looked at this case and explored whether it could mark the start of more EHR vendors being held accountable for how their software impacts the quality of patient care, as well as the accuracy of billing and payment. She discusses her findings in an article published in the Nevada Law Journal titled “The Computer Made Me Do It: Is There a Future for False Claims Act Liability Against Electronic Health Record Vendors?.” We caught up with her to learn more.

Q&A with Deborah Farringer

What was your impetus for researching false claims act liability against electronic health record vendors?

DF: I generally write in the area of healthcare compliance and am particularly interested in compliance with fraud and abuse laws. I noticed an article about the Department of Justice’s false claims act settlement with eClinicalWorks and it caught my attention because I had just completed an article regarding ransomware attacks in hospitals in which I explored the manner in which the electronic health record (EHR) industry could be contributing to hospital risk. One of the reasons that I found the EHR industry to be a contributing factor toward cybersecurity risk is because EHR vendors are frequently able to limit or avoid liability because they are often viewed simply as “software.” Thus, without the threat of potential liability or more adamant demand from the customer (health care providers, who also exhibit some apathy towards EHRs), EHR vendors have little pressure or motivation to assure strict and comprehensive security beyond existing requirements under the Health Insurance Portability and Accountability Act. When I saw the settlement, I wondered if perhaps this was a new way of thinking about EHR vendor liability or could be a way of putting more pressure on EHR vendors to be more thoughtful and diligent about health care compliance.

In promoting electronic health records it has been widely stated that they reduce medical errors - why is this not always the case?

DF: Electronic health records certainly are a great step towards better coordinating care and reducing some of the duplication of services and fragmentation of care that exists in the U.S. healthcare system today. To that end, there are a number of ways in which EHRs can help to reduce medical errors by providing better medication management and assuring notification of allergies, pre-existing conditions, or other sensitivities that might lead to medical errors. That being said, even EHRs are not an end all, be all. Some of the most frequently cited issues that compromise patient safety include cutting and pasting information from one record into another contributing to inaccurate charting, inaccurate patient tracking and improperly prescribed medications, and ransomware attacks and other security vulnerabilities to records that did not exist in a paper record system. In addition, as software is not updated or begins to malfunction, such issues can also compromise patient safety. Indeed, the eClinicalWorks case actually arose out of complaints made by physicians, pharmacists, and nurses at Rikers Island jail in New York City, alleging that the eClinicalWorks software was malfunctioning and was causing problems such as patient records that overlapped on the computer screen (and thus were unable to be read appropriately), errors within the medication list, and patients who left the jail without proper prescription or lab results. The claims were that such errors were actually caused by eClinicalWorks failure to address complaints for necessary fixes to the software. So, although there are certainly a lot of wonderful advantages that can be gained from the use of EHRs, EHRs are not error free and require diligence on the part of the provider and the EHR vendor.

How has medical technology created new challenges that could lead to different types of liability beyond human provider errors?

DF: One of the biggest challenges in all of this is actually trying to parse out this very question. Are there certain errors or issues that are created by the software alone that are independent of the human user or should the user always stand as the overseer to assure that EHRs are not causing more harm than good? As providers become more and more reliant on electronic systems and medical technology, the idea that the provider will serve as the overseer and be able to recognize when a computer-generated recommendation or suggestion might be inconsistent with practice standards will become more difficult. Independent of that, though, greater reliance on electronic systems will make providers more vulnerable to assuring continuity of care when such systems are unavailable for whatever reason. This can range from cyber attacks that might make the EHR system unable to be accessed for a period of time or natural disasters in which power outages or other internet access issues might also prevent such access. Lack of access to an EHR prevents a provider from having access to important medical information, including emergent information like time and amount of last medication dosage or patient notes necessary for a surgery, for example. When MedStar, a multi-facility system in the Washington, D.C. region, experienced a ransomware attack in 2016, it had to turn away patients from its emergency department and canceled appointments at a number of its outpatient clinics until it was able to treat patients appropriately.

How are EHR software vendors creating a disconnect between their services and responsibility for potential system errors/failures and what are the implications?

DF: EHR vendors historically have basically always taken the position that an EHR is simply software and providers and other users of the software are always ultimately responsible for the care to patients. Vendors have relied in court on this concept, known as the “learned intermediary” doctrine (typically a defense in products liability cases), which establishes that so long as the drug or device (or in this case the EHR) provided adequate instructions or warning of foreseeable risks, then the provider — not the drug or device — is in the position to reduce or limit the risks. In addition, most EHR vendor agreements have extensive limitation of liability provisions and also “hold harmless” provisions in which the provider agrees when it contracts with the EHR vendor that such vendor will be held harmless in the event of any medical errors as a result of patient care. This has made it exceedingly difficult for patients to successfully recover from an EHR vendor for injuries. Only recently have providers realized some success in filing claims against EHR vendors, but such claims are typically based on breach of contract claims and not in tort.

Can you briefly explain the eClinicalWorks case for those unfamiliar? What does the outcome suggest for EHR systems/services vendor liability? (Do you consider this an outlier or sign of changes to come?)

DF: While the eClinicalWorks case did include some patient safety allegations that were the origin of the suit, the main focus of the settlement with the Department of Justice was resolution of federal False Claims Act violations arising out of claims that eClinicalWorks knowingly obtained false certification for its EHR software that was then used by providers to seek reimbursement under the EHR Incentive Program. In 2009, in order to encourage more providers to adopt EHRs, the federal government established an incentive program under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in which it offered cash payments to providers who purchased and “meaningfully used” a certified EHR, known as the EHR Incentive Program. In order to qualify as a certified-EHR under the program (and thus increase the number of providers willing to license eClinicalWorks’ software), eClinicalWorks had to take a test to prove compliance with certification requirements. The settlement states that eClinicalWorks had not used the appropriate coding system in its software for certification for prescribing of drugs as required by regulations (the software could still prescribe drugs, it just did not utilize the drug coding system required to be used under applicable regulations). Rather than reprogram the software so that it used the required drug coding system, eClinicalWorks determined the 16 drug codes that would be used during the certification test and hard coded those drug codes into its software to enable its software to pass the certification requirements. The settlement agreement indicated that eClinicalWorks first did this in 2013 to pass its initial certification test and then did not make any certification-conforming changes before recertifying the software again in 2014 with the same drugs hard coded into the system. The settlement resolved claims that eClinicalWorks’ knowledge that it did not meet the certification criteria and then its subsequent sale and promotion of its software to providers, who in turn sought reimbursement from the federal government under the EHR Incentive Program, was a violation of the False Claims Act.

In your paper you discuss how EHR litigation compares to the pharmaceutical industry - can you explain this? Could the same means used to hold pharmaceutical companies liable be used for EHRs?

DF: This is an area that I address extensively in the paper. The federal False Claims Act has been a hugely successful and lucrative tool for the federal government in recovering funds from the pharmaceutical industry, primarily in the context of False Claims Act violations arising out of drug companies’ promotion of drugs for off-label use. One of the main questions that I wondered when I first saw the eClinicalWorks settlement was whether or not this might usher in a new error of EHR liability in the same way that the government has gone after the pharmaceutical industry. In comparing these two industries and the types of claims made against these providers, however, it seems unlikely that the government will be able to follow the same formula with EHR vendors as it does with the pharmaceutical industry. There are a number of factors that contribute to this including distinctions between the development of drugs and the development of EHRs, the impact of the patentability of a drug and its impact on the incentives for pharmaceutical companies to promote drugs for off-label use, and the limited nature of the EHR Incentive Program. The distinctions that lead to this conclusion are addressed more extensively in the article.