Health IT Vendor Faces $145 Million Settlement

If you’re reading this, hopefully you can say that your organization is compliant with HIPAA, the national standards set in place to protect medical records and personal health information. If you’ve taken sufficient steps to prevent fraud and abuse in Medicare, you should be adhering to the Anti-Kickback Statute, and no initiative to implement electronic healthcare records would be complete without compliance with the HITECH Act and incentive program.

But the same cannot be said for Practice Fusion, an electronic health record vendor recently acquired by health IT provider Allscripts. In early August, Allscripts announced a preliminary $145 million settlement with the Department of Justice over Practice Fusion and certain business practices that tested the boundaries of compliance.

The details of the settlement have yet to be released, but according to Allscripts, they concern investigations into Practice Fusion that revealed potential “civil and criminal liability.”

A Troubled History

Allscripts’ May filing with the Securities and Exchange Commission revealed that in March 2017, Practice Fusion received a request for documents and other information from the District of Vermont U.S. Attorney’s Office, related to a civil investigative demand (CID).

The filing goes on to report that between April 2018 and January 2019, Practice Fusion received five additional HIPAA subpoenas and CIDs. The final subpoena came in March 2019 from a grand jury, related to Practice Fusion’s HITECH Act certification and its compliance with the Anti-Kickback Statute and HIPAA regulations.

And this is hardly the first time Practice Fusion has faced allegations about its business practices—in 2016, they settled with the Federal Trade Commission over allegedly “failing to adequately warn patients that survey responses [and physician reviews] would be posted on a public website.”

So far, the DOJ has given no indication as to what HIPAA provisions Practice Fusion is suspected of violating. But the services it offered to healthcare organizations were wide-ranging and varied, which seems to indicate a troubling number of possibilities.

Don’t Rock the Boat

As we’ve seen, failing to be compliant with national standards is a slippery slope that can lead to hard conversations and harder consequences. But meeting requirements is only one of several mounting challenges in cybersecurity, especially when data breaches and attacks on healthcare organizations are at an all-time high.

Our HIPAA Risk Assessment will help you rise to the occasion. This comprehensive evaluation guarantees HIPAA compliance by addressing all levels of your organization, including:

  • Risk Management — Evaluate information and resources to ensure the organization is capable of making risk management decisions
  • Policy and Procedures — Ensure policies and procedures follow best practices and are properly implemented
  • Infrastructure Security — Ensure workstations, services, and servers meet best-practice security standards
  • Network Security — Ensure the network is secure and properly monitored
  • Data Security — Ensure all PHI and other data are secure and protected

Keep your money and your data secure, and contact us today to learn more.

Posted in BAI Security Blog, Compliance Requirements, Security Risks.