eCW Whistleblower case settlementThere are countless times we have covered the “my EHR vendor handles HIPAA for me” misconception. The recent $155 million whistleblower lawsuit settlement between eClinicalWorks (eCW) and the government really brings it home how wrong you can be about EHR vendors.  The eCW whistleblower made efforts to resolve a long list of serious problems with the EHR. If it weren’t for him the vendor failures may have continued for years.

Meaningful Use attestations relied heavily on the vendors supplying accurate information. eCW’s actions set up thousands of organizations to potentially take a major financial hit based on the details in this described in this case and its settlement. Especially, when you take into account that eCW is one of the biggest EHR vendors out there.  There may be no way to know just how serious these issues in the functionality of the software may have damaged the integrity of the medical records.

Confidentiality, integrity, and availability (or as we say the CIA) of PHI is the objective of the entire Security Rule under HIPAA. Unreliable data created by an application is clearly a data Integrity issue. If you can’t trust the data can you trust the system at all?

If you have knowledge of this kind of stuff going on somewhere you should review it closely. It includes civil payments by developers and project managers, not just the C-Suite folks involved.

So let’s get into the details of this case.

HIPAA For MSPs by David Sims eCW Whistleblower
00:00:00 00:00:00

In this episode:

The eCW Whistleblower Settlement

Where can you meet us

Topic for today: How the eCW whistleblower made the difference

List of problems identified

Settlement conditions


Today’s topic


The eCW whistleblower settlement

The details of the case are as follows:

  • May 2015 sealed complaint filed in Vermont US District Court requesting a jury trial
    • Brendan Delaney (and the US government) vs eCW
    • From 2010 – 2014 he worked as a project manager or consultant for several institutions that implemented eCW
      • Not little places either like Rikers Island Prison EHR, Arcadia Solutions consulting with Beth Israel Medical Group, Mount Sinai – University Medical Practice Associates to name a few.
      • There is a very long list. He knows this solution very well
      • Now, he is a project manager for UnitedHealth Group. He didn’t just walk away from healthcare after 2014
  • The complaint says:
    • Delaney has personal knowledge, relevant documents, and information and belief that eCW made false/fraudulent records, statements, and claims in violation of the federal False Claims Act.
  • What did they supposedly make false claims about?
    • They falsely represented to customers that the system complies with MU while concealing fundamental defects with the system.

    These hidden defects not only violate material conditions of the EHR
    Incentive Payment program but also create a significant risk to patient health and safety.

What important features does the EHR system fail to reliably perform you may ask?

  • properly document and display the meds administered to patients
  • properly report the results of lab tests

How did he figure out what was wrong?

  • He first worked with eCW at Rikers doing installs.
  • eCW contract with the state of NY was $27,713,333 through December 31, 2010, plus an anticipated extension through December 31, 2014, at a cost of $14,308,390 AKA a bunch of money
  • The roll out started there in 2008 and by 2010 this guy plus the providers there had already determined that the Current Medication Report was not accurate.
  • This guy and others start to point out to eCW – you know this doesn’t work and the whole point here is that we are going to get rid of paper records so EHR needs to be reliable. That was April 2010.
  • Then NYC Dept of Health gets involved and tries to get eCW to fix the problem
  • eCW refused to do it before the second cycle of updates
  • It started there and then he sees all these problems over and over until he is thinking these guys have big issues in core components of MU.
  • He watches for fixes in release after release but nothing ever comes – very sad face

The list of problems isn’t pretty

…the fundamental flaws described herein exist in each version of the
software and render the technology unreliable, dangerous, and non-compliant with Meaningful Use requirements.

Each of the following problems provides multiple examples of real examples. Many of the problems he was able to document in virtually all facilities he worked in on that long list.

  1. Fails to Document Medication Activity Properly
    • medications listed incorrectly after updates made
    • wrong patient displayed when doing progress notes
    • failure to log start and stop dates for medications – supposed to be doing stop dates automatically
    • failure to document previous medications
    • only allows one dosage to be documented – can’t do one med with two different dosages in one day so it might double the dosage sometimes
    • doctor enters branded medication and the EHR changed it to generic automatically on the order
    • telephone encounter system let the facilities call in changes to medications if you stopped or re-ordered using that tool it didn’t show up on the chart
    • two appointments on the same day with medication changes would make things show up out-of-order unless you force the appointments into the correct order manually
      • happened a lot when a telephone encounter would be done and then also see the patient that day the orders could get overwritten based on timing
    • A lot of these problems not only failed MU requirements but also Medicare E-Prescribing Incentive program so they let providers falsely claim they met the standards. That accounts for over $100,000 in Medicare and Medicaid overpayments by itself
  2. Fails Reliably to Record and Track Laboratory Results Properly
    • documented 1,884 Rikers lab reports that never arrived but that doesn’t include the ones they didn’t even try to run through the system because they needed to be sure.
    • another client had tens of thousands of Lab results left pending in the system not attached to a patient
  3. Inadequate Protections to Retain a Record of Prescriptions.
    • over-prescription and under-prescription can occur both purposefully and by accident

      eCW’s EHR system does not contain sufficient security protections to ensure that a record of prescriptions is maintained within the system. Prescriptions can be printed without being logged, and can be deleted permanently after being logged.

  4. Inadequate Protections Against Over-medication
    • You can order the same med twice – one generic and another version branded for the same patient at the same time

      On at least one occasion the eCW system documented a text message sent by a patient through the system’s “patient portal,” as though it was created by a physician. This vulnerability in the system essentially permits a patient to create an entry in his or her medical record.

  5. The eCW Software Does Not Automatically Lock Notes.
    • thousands and thousands of open notes on the systems that could be updated
    • it also allows anyone to create, modify, and delete the patient’s “Problem List,”

      When notes by physicians in a patient’s medical record are not locked, another person can later enter the system and edit the notes. The failure to lock notes is primarily an issue often human error, but the dangers can easily be eliminated by the software if it were programmed to automatically lock notes as soon as a physician closes the current note or opens another note. Under the current eCW software, however, any note left unlocked stays unlocked.

Knowledge didn’t matter

  • eCW corporate managers were aware of the significant flaws in the system since at least 2010 and likely earlier
  • Even with the knowledge they continually misrepresented their systems as having none of these defects.
  • Numerous upgrades have been made and none were done to fix the known issues.
  • Every location submitted repeated requests for resolution of these problems
  • At Rikers they were told it was a user training problem

eCW has a financial disincentive to fix its EHR system

  • The fix would require updates to every module along with the core of the system – all version and all releases. If they did a major update people would know about the defects and it would put eCW at a severe competitive disadvantage

So, you are competing with software that is defective that you have lied about and you can’t fix it because you wouldn’t be able to continue to compete if everyone knows you had to fix it. Oh, ok, so let’s just keep lying and hope no one dies!

Official charges

  • Defendant knowingly presented or caused
    to be presented, false or fraudulent claims to the United States Government for payment or approval.
  • Defendant knowingly made or used, or caused to be made or used, false or fraudulent records or statements material to false or fraudulent claims for payment by the Government.
  • By reason of Defendant’s acts, the United States has been damaged, and continues to be damaged, in a substantial amount to be determined at trial.
  • Additionally, the United States is entitled to the maximum penalty of up to
    $11,000 for each and every violation arising from Defendant’s unlawful conduct alleged herein.

The investigation picked up even secrets

  • They concealed from ONC that the software didn’t comply with certification requirements
    • They knew it didn’t accurately record user actions in audit logs and could have problem recording diagnostic orders and meds interaction checks
    • They knew it didn’t meet data portability requirements
  • To pass the certification tests they cheated
    • They hard coded only the drug codes required for testing into their programs so it only looked at the list of 16 codes, not at a full database
  • They paid kickbacks of at least $392,000 to influential customers to recommend eCW products to prospective customers as well as other kickbacks in the form of “consulting” and “speaker” fees*

Govt says “Show me the money”

As a result of these failings, the eCW system fails to comply with the core requirements for Meaningful Use to qualify for federal incentive payments.

All that HITECH stimulus money you got when you misled your clients into attesting with your software. Yeah, about that. We’re gonna want that back. That is where the $155 million settlement comes in.

Under the whistleblower laws, the eCW whistleblower, Brendan Delaney, will get a piece of that action for bringing the case and helping build it. What do all those other vendors think that point will bring out to their staff that may be aware of similar issues. Certainly makes you say Hmmmmmm

eCW did issue several advisories to its clients once things started falling apart.

The settlement conditions

  • Nobody admits to anything
  • eCW pays $154,920,000 plus interest of 2 percent per year from Feb 1, 2017 until they pay the settlement within 10 days after it is announced which was 5/31/17
    • Jointly and severally liable for the payment are CEO Girish Navani, CMO Rajesh Dharampuriya, M.D., and COO Mahesh Navani
  • Also in a separate deal Developer Jagan Vaithilingam pays $50K, and Project Managers Bryan Sequeira, and Robert Lynes each pay $15K
  • Brendon Delaney – well, no worries he gets $30,000,000 plus interest accrued on that amount once the money comes through to the feds
    • Wonder if he showed up for work the day after this came out?
  • No more chasing after Medicare, Medicaid, and other Federal health care program monies that might be owed in this mess
  • A Corporate Integrity Agreement with eCW and OIG-HHS
    • Retain an independent software quality oversight organization
    • Provide written semi-annual reports to OIG
    • Retain an Independent Review Organization to review arrangements with providers to ensure compliance with the Anti-Kickback Statute
    • Prompt notice to customers of safety related issues
    • Provide steps customers to follow to mitigate the risks to patient safety
    • Maintain a list of those issues on if’s website
    • Allow customers to get *free updates of their software
    • Allow customers to transfer to another EHR company without penalties or service charges
      • I saw the term eCW Rescue Plan already out there
  • eCW will cooperate with additional investigations into these claims and encourage all of its people to do so also.

This case may have far-reaching implications in the healthcare software and technology vendor business. When you select your vendors and count on them to do things for you, it is very important you understand what some of them may be doing behind the scenes. If you have a little problem here and there but they are in major areas – it is time to pay attention.

If you are using or have used eCW as your EHR you should carefully review all the information you get on this and figure out what is the best option for your organization. It will not be easy and this will be a huge mess.  At least the eCW whistleblower stepped up to stop these problems before someone dies from their carelessness, we hope.