January 28, 2020
Practice Fusion’s “abhorrent” conduct has resulted in a record-setting fine in the state of Vermont after the company pocketed $1 million in an opioid prescribing kickback scheme.
EHR vendor Practice Fusion will pay a historic $145 million fine after admitting to a kickback scheme aimed at increasing opioid prescriptions, according to a statement released by the Department of Justice for the District of Vermont.
Practice Fusion admitted that it solicited and received kickbacks from a major, unnamed opioid company in exchange for utilizing its EHR software to manipulate physician prescribing of opioid pain medications.
“Practice Fusion’s conduct is abhorrent,” said United States Attorney for the District of Vermont, Christina E. Nolan. “During the height of the opioid crisis, the company took a million-dollar kickback to allow an opioid company to inject itself in the sacred doctor-patient relationship so that it could peddle even more of its highly addictive and dangerous opioids.”
The Department of Justice said the vendor implemented clinical decision support (CDS) alerts in its EHR software to increase the sales of specific opioids.
The pharmaceutical companies “sponsoring” Practice Fusion could design and develop the CDS alerts. The companies also helped develop guidelines and criteria to generate physician alerts during the treatment process.
“The companies illegally conspired to allow the drug company to have its thumb on the scale at precisely the moment a doctor was making incredibly intimate, personal, and important decisions about a patient’s medical care, including the need for pain medication and prescription amounts,” Nolan continued.
“This recovery is commensurate to the nature of Practice Fusion’s misconduct, represents the largest criminal fine in the history of this District, and requires Practice Fusion to admit to its wrongs.”
Between 2014 and 2019, Practice Fusion garnered $1 million in “sponsorship” that was based on the CDS recommendations, according to the Department of Justice.
“It is another example of pioneering healthcare fraud enforcement by the talented Assistant US Attorneys and staff of this US Attorney’s Office, working with their partners in law enforcement,” said Nolan. “We cannot—and will not—tolerate technology companies influencing patient treatment merely because a pharmaceutical company provided a kickback.”
This is the first-ever criminal action against an EHR vendor. Practice Fusion will be forced to accept responsibility, ensure transparency about its conduct, and invest heavily in compliance overhauls.
The EHR developer will pay the $145 million fine to settle both the criminal and civil investigations. The company agreed to pay roughly $118.6 million to the federal government and states in separate civil settlements. Meanwhile, they agreed to pay over $26 million in criminal fines and forfeiture.
The EHR vendor was also charged with two felony counts of violating the Anti-Kickback Statute (AKS) and of conspiring with the unnamed opioid company to violate the AKS.
“Across the country, physicians rely on electronic health records software to provide vital patient data and unbiased medical information during critical encounters with patients,” said Principal Deputy Assistant Attorney General Ethan Davis of the Department of Justice’s Civil Division.
“Kickbacks from drug companies to software vendors that are designed to improperly influence the physician-patient relationship are unacceptable,” Davis concluded. “When a software vendor claims to be providing unbiased medical information – especially information relating to the prescription of opioids – we expect honesty and candor to the physicians making treatment decisions based on that information.”
In January 2018, Allscripts announced the acquisition of Practice Fusion in a $100 million cash deal to further expand its reach into ambulatory care settings.
January 27, 2020
RIP Windows 7. If you haven’t upgraded yet to Windows 10, follow these simple steps.
Support for Windows 7 is now officially over, which means Microsoft wants holdouts to upgrade to Windows 10 to keep devices running securely and smoothly. If you have an older PC or laptop still running Windows 7, you can purchase the Windows 10 Home operating system on Microsoft’s website for $139. But you don’t necessarily have to shell out the cash: A free upgrade offer from Microsoft that technically ended in 2016 still works.
When Windows 10 was first released in July 2015, Microsoft offered an unprecedented free upgrade offer for Windows 7, 8 and 8.1 users, good through July 2016. But in 2017, Ed Bott of CNET sister site ZDNet reported that the free upgrade tool was still functional. I tried it out in November 2019, and was able to upgrade a 2014 Dell OptiPlex 9020 desktop from Windows 7 Pro to Windows 10 Pro. As of January 2020, readers are still emailing me and commenting below, saying that it’s worked for them as well.
Windows 7 users who don’t upgrade to the new version will no longer be able to get Microsoft’s security updates or fixes, or technical support for any issues, leaving your computer at greater risk from viruses and malware. While Windows 10 users have experienced a number of bugs over the years, upgrading remains the best option for keeping your computer safe, analysts say.
Here’s how to get Windows 10 for free, if you’re currently running a licensed and activated copy of Windows 7, Windows 8 or Windows 8.1 Home or Pro:
- Go to the Download Windows 10 website.
- Under Create Windows 10 installation media, click Download tool now and Run.
- Choose Upgrade this PC now, assuming this is the only PC you’re upgrading. (If you’re upgrading a different machine, choose Create installation media for another PC, and save the installation files.)
- Follow the prompts.
- When the upgrade is complete, go to Settings > Update & Security > Activation, and you should see a digital license for Windows 10.
It should be noted that if you have a Windows 7 or 8 Home license, you can only update to Windows 10 Home, while Windows 7 or 8 Pro can only be updated to Windows 10 Pro (the upgrade is not available for Windows Enterprise). Other users may experience blocks as well, depending on their machine. This upgrade using the media creation tool isn’t meant for the general consumer, but it works for many nonetheless.
To get the best Windows 10 experience and take advantage of features like passwordless sign-on through Windows Hello, you’ll want to purchase a new Windows 10 PC (or one released after July 2015) with all the hardware upgrades. If you’re a student or university faculty member, you may also be able to download Windows 10 for free (search for your school’s software offerings here).
February 6, 2013
Imagine conducting a consultation with a patient, and instead of jotting down chart notes on a form attached to a clipboard, you instead jot down chart notes with a stylus pen on your tablet that is displaying an electronic version of your form. Or, instead of waiting to find out from insurance companies whether a patient is or is not actually covered, your staff could verify the patient’s current insurance eligibility & benefits with the touch of a button. These are just a couple of simple features every healthcare provider should come to expect from their electronic health records & practice management system.
However, many doctors hesitate to make the switch from pen & paper to touch-screen tablet or laptop due to fear of abandoning their familiar routine for a new one. Under federal law (HITECH Act of 2009), nearly all healthcare providers across the country must convert to a certified electronic health records system by the end of 2014, literally forcing many medical practices to go paperless, whether they want to or not. While making such a transition can be intimidating, healthcare providers should understand that EHR systems cannot be effective and one-size-fits-all at the same time. Rather, healthcare providers should seek out an EHR system that is customized to fit the way their practice already operates - patient intake, scheduling, clinician data, chart notes, ePrescriptions, coding, billing, accounting, and reporting.
But even with an EHR system that is customized to fit the existing workflow of your practice, the transition can still be a significant change. Medical practices should seek out EHR providers who offer hands-on training and transition support to ensure their entire staff is comfortable using the technology, ideally at no additional charge. Further, medical practices will inevitably have questions along the way, or evolving changes to their workflow, etc. They should seek out EHR providers who are responsive to their questions and requests for further optimization - again, ideally at no additional charge. Why? The goal of the EHR provider should be the same as that of the medical practice - to enable the medical practice to successfully transition and continue to utilize the EHR system long-term.
Another issue to consider with the transition to an EHR system is how to leverage your existing data from your current billing software or EHR software. Medical practices should seek out EHR providers who have the skill to export your existing database of data, and import that database into their EHR system so you can hit the ground running with your entire database of patients in the new system.
Finally, don’t ignore data security as the costs of a medical record breach can be enormous. Medical practices should ensure they ask prospective EHR providers about their data security methods, and if they have completed a credible 3rd party validation of their network & data security architecture.
April 2, 2012
We would like to educate healthcare professionals about the realities of medical record security breaches, and eliminate the “it couldn’t happen to me” attitude. The fact is - it can, and it is, happening to medical practices just like yours, all across the United States, and with significant consequences!
The HHS “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) lists 400 reported medical record security breaches from September 2009 to March 2012, each involving more than 500 patients. The cumulative impact involves over 19 million patient records - about 6% of the U.S. population in just 2.5 years, from hospitals and medical practices, both large and small, encompassing nearly every specialty of medicine. The most common root causes of these actual medical record security breaches:
- Thefts (54%) such as stolen laptops with PHI stored on the local hard drive
- Unauthorized Access/Disclosure (22%) such as lost or stolen backup tapes, disks, etc.
- Lost/Improper Disposal (17%) such as papers with PHI that are lost or not properly destroyed
- Intentional Hacking (7%) including stolen passwords, exploiting inherent Windows® vulnerabilities, Trojan horses, exploiting defaults, Man in the Middle, wireless attacks, social engineering, etc.
In 2009, the laws changed such that medical record security breaches are now treated with the same force & effect as breaches of financial records. The HIPAA Breach Notification Rule defines a medical record breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual,” with exceptions related to inadvertent and unintentional disclosures where the information cannot be further used or disclosed.
In the event your medical practice has a medical record security breach, you are required to do the following:
- Notice to Individuals: Provide written notice to all affected patients following the discovery of a breach of unsecured PHI. This notification must include a description of the breach; the types of information that were involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what your medical practice is doing to investigate the breach, mitigate the harm, and prevent further breaches; as well as, contact information for the medical practice.
- Notice to Media (> 500 patients affected): Provide notice (e.g. press release) to prominent media outlets serving the affected region including television, newspapers, etc. This notification must include the same details as the Notice to Individuals above.
- Notice to Secretary of Health and Human Services (> 500 patients affected): Provide notice to the Secretary of Health and Human Services by filling out and electronically submitting a breach report form on the HHS.gov website. The details of the medical record security breach will be posted on the HHS “Wall of Shame”.
From there, you should expect that your practice will be thoroughly investigated and scrutinized by federal investigators and auditors who will determine how rigorous your practice was in attempting to secure PHI, and how negligent you were in allowing unauthorized use or disclosure of PHI. Based on these findings, civil and/or criminal penalties will be imposed.
Civil penalties established in Section 13410(d) of the HITECH Act of 2009 are based on a tiered strategy that reflects increasing levels of culpability, and corresponding increasing penalty amounts:
- Tier 1: Violator had no knowledge of the violation, and by exercising reasonable diligence, would not have known of the violation. FINES: $100+ per identical violation (i.e. affected patients), not to exceed $25,000 in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 2: Violations due to reasonable cause. FINES: $1,000+ per violation (i.e. affected patients), not to exceed $100,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 3: Violations caused by “willful neglect” that were corrected. FINES: $10,000+ per violation (i.e. affected patients), not to exceed $250,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 4: Violations caused by “willful neglect” that were not corrected. FINES: $50,000+ per violation (i.e. affected patients), not to exceed $1.5 million for all identical violations in a calendar year.
Additionally, criminal penalties established in Section 13410(d) of the HITECH Act of 2009 may be imposed if PHI was knowingly obtained in violation of the law.
- Up to $50,000 and 1 year in prison for knowingly obtaining or disclosing PHI
- Up to $100,000 and 5 years in prison if the offenses are committed under false pretenses
- Up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
So what’s a medical practice to do? Protect yourself by using an EHR platform with industry-leading security, that addresses every mode of medical record security breach, so that you can confidently avoid civil (and criminal) penalties, the pain & distraction of a federal investigation, and the long-term impacts on the reputation of your medical practice.
The SiliconMesa® EHR platform virtually eliminates the top 4 root causes of actual medical record security breaches:
- Thefts (54%): With SiliconMesa® EHR, there is no PHI stored locally on your PC, laptop, tablet, or smartphone. All data is securely accessed “over the cloud” from the HIPAA-compliant SiliconMesa Data Center with 256-bit encryption of all data, both “at rest” and in-transit using our secure SSL tunnel.
- Unauthorized Access/Disclosure (22%): With SiliconMesa® EHR’s 2-factor authentication, every user is required to authenticate using their mobile phone (or land line) before ever entering a username and password. Also, SiliconMesa will back up all of your data, so there is no need to deal with lost or stolen backups.
- Lost/Improper Disposal (17%): With SiliconMesa® EHR, you can effectively eliminate the need for PHI records on paper - go paperless!
- Intentional Hacking (7%): The SiliconMesa® EHR platform is built upon Security Enhanced Linux (SELinux) - not Windows®. SELinux was co-developed by the U.S. National Security Agency to protect our country’s most sensitive defense and intelligence data. Also, the SiliconMesa Data Center keeps all firewalls, servers, and storage devices up-to-date with the latest security upgrades so you don’t have to worry about it.
Contact SiliconMesa today to set up your 30-day risk-free trial, and get the peace of mind you need to focus on doing what you do best - caring for your patients!
March 9, 2012
With a federal mandate and all the stimulus money, why is EHR adoption so slow among medical practices? Our market research shows most EHR vendors on the market have missed the concept of delivering real added value for small-medium sized practices.
Some EHR vendors target the needs of large provider networks & institutions (and their incentive money) with expensive customer-hosted software licenses requiring locally purchased servers & storage networks, managed by in-house IT staff.
Other EHR vendors target mass volume with “bare bones” EHR products that are often abandoned for a variety of reasons. Many are difficult to use; require significant changes to existing workflows; provide poor customer service and technical support; have hidden hardware & software costs; and have unknown security risks.
SiliconMesa offers a complete solution with no upfront cost, and no commitment. Our success = your success; our goal is for you to become proficient, tell your friends, and collect your referral bonus! :-)
February 17, 2012
SiliconMesa believes that the right EHR must deliver:
- An affordable path to “Meaningful Use”, and YOUR stimulus incentive money
- Charting YOUR WAY with customized forms & templates to fit your existing workflows, and efficient data input technology to reduce data entry time
- A user-friendly experience with an intuitive interface that bundles all EHR and Practice Management functions of the medical practice
- A highly secure and robust architecture, accessible anywhere & anytime, to avoid security breaches and the resulting fines & penalties
- Customer service excellence
SiliconMesa is committed to fulfilling these needs, with a complete EHR and Practice Management solution that fits YOU - not the other way around!
January 20, 2012
In 2009, President Obama signed into law the HITECH Act (Health Information Technology for Economic & Clinical Health) as part of the American Recovery & Reinvestment Act (ARRA) - also known as the “Stimulus Package”. The goal of this legislation was to reduce healthcare costs and improve patient care quality by driving all medical data in the form of Electronic Health Records (EHR) to become the national standard by the end of 2014.
The HITECH Act significantly widens the scope of HIPAA privacy & security rules, increases potential legal liability & reduced Medicare reimbursement payments for non-compliance, and provides mechanisms for periodic government audits & enforcement. However, the HITECH Act also provides significant financial incentives designed to accelerate adoption of EHR technology.
Eligible healthcare providers who demonstrate “Meaningful Use” of an ONC-ATCB Certified EHR technology can qualify for federal stimulus money.
- Up to $44,000 over 5 years for Medicare eligible providers
- Up to $63,750 over 6 years for Medicaid eligible providers
However, if you choose the right EHR product to fit your practice’s actual workflow, then additional benefits include:
- Efficiency and productivity improvements leading to lower operating costs, and increased patient volume (i.e. revenue)
- Improved patient care quality, fewer mistakes, and possibly lower malpractice insurance premiums; and
- Accurate charge capture and faster revenue cycle.