Patient Safety Issues Highlighted in DOJ Settlement and Health Care Industry Cybersecurity Task Force Report

As we know, the move away from fee-for-service reimbursement models is intended not only to reduce costs by no longer paying providers based on the volume of services performed, but also to improve the overall value in healthcare delivery by improving quality, outcomes, collaboration across the continuum of care, patient engagement, and, of course, patient safety. Clinical care delivery has undergone substantial transformation over the last several years, prompted by the value-based reimbursement movement. We have seen a substantial uptick in telemedicine, an explosion of apps and wearables, as well as initiatives designed to support patients who wish to remain in their homes. Technology, of course, plays a key role in the transformation of healthcare.

The DOJ’s recent announcement of a settlement with eClinicalWorks (“eCW”) generated a lot of interest insofar as it addressed False Claims Act allegations against a vendor of electronic health records that caused providers to submit false claims for incentive payments as a result of misrepresentations regarding the capabilities of the software. The settlement included a Corporate Integrity Agreement that, among other items, requires ongoing monitoring of “Patient Safety Issues”, i.e., “a defect, deficiency, design flaw, usability problem, or other condition with respect to” the software that “reasonably presents a material risk of harm to patients.” The Corporate Integrity Agreement requires the implementation of a quality assurance program to oversee whether eCW is proactively monitoring sources of information about “potential software defects… and other issues that may present Patient Safety Issues” and notifying customers of any such issues with appropriate urgency. Clearly, the ability to safely use electronic health records is an important component of value-based care, a model that depends on accurate, actionable data and patient engagement.

The Health Care Industry Cybersecurity Task Force Report on Improving Cybersecurity in the Health Care Industry (the “Task Force Report”), issued last week, noted in its Executive Summary that “healthcare cybersecurity is in critical condition” and that secure connectivity is needed so as not to “betray patient safety.” The Task Force Report underscores that cybersecurity can no longer be viewed as an IT issue, noting instead that risk assessments need to include stakeholders from across the organization, and that “the health care industry must prioritize cybersecurity thinking across the continuum of health care.” This shift in approach would “develop and sustain trust in the digital component of the health care system that is necessary for in(ter)operability.” Clearly, engaging multiple representatives from across the organization in data governance and cybersecurity efforts will ensure that multiple perspectives are vetted, silos are broken down, and each member of the workforce understands the importance of his or her respective role in cybersecurity. Further, a multi-stakeholder approach will foster an organization-wide understanding of and compliance with the current myriad of federal and state privacy and security laws.

Value-based reimbursement ushered in the new era of the patient as a customer. Consumers need to trust the providers from whom they seek care. Cybersecurity is an important avenue to improve patient safety, attract and retain customers, and ensure that the organization is seen as reliable. As healthcare entities do more with data, from combining multiple data sources to better guide patient care, to leveraging remote patient monitoring capabilities, to acting as centers for designing and deploying new technologies, a multi-stakeholder approach to privacy and security matters will foster compliance with the various laws and regulations and improve patient engagement and loyalty.