EHR Certification Fraud

I recently got this disturbing email in my inbox:

I recently came across a healthcare IT firm that used backdoor tactics with the 170.304b test case of Meaningful use certification. The message format has been tampered with making it compliant with NIST v8.1 XML while the actual transmitted message is not. Whom do I report this to? This can be proved if the company is again put through the same test case.

Will this be considered as fraud? If yes, whom should I notify? I wonder what other test cases have been tampered with too.

This email comes as Anne recently reported that the EHR Safety Watchdog EHR Event was shutting down. I can’t say I’m really that surprised that some percentage of the 600+ certified EHR vendors are gaming the EHR certification process. The challenge is where do you turn when this is happening?

Obviously, the above comment was somewhat short on details, but I suggested that they take the information to ONC/CMS to report it. I guess they got a response that basically the people at HHS would look into it, but that they didn’t report findings. I also suggested that they might want to talk to the EHR certifying body for that EHR software. I’m not sure exactly what the EHR certifying body can or would do, but it would be interesting to find out.

I know an EHR consultant that’s done a few hundred EHR certifications and he told me that not all EHR certifications are equal. However, when the EHR certification is issued, it gives the appearance of equal. It’s a fallacy that everyone should know and understand.

What I think also could get interesting is those doctors who use an EHR that’s using tactics like the ones mentioned above. Could this come back to damage those doctors who use an EHR that’s using less than honorable methods to get by? I still believe that it’s not in HHS’ best interest to drag a practice that’s implemented an EHR through the mud, but time will tell.

About the author

John Lynn


John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Sorry to say that at least HALF of ONC certified ONLY vendors are Fraud. This is why it is essential to make sure the vendor has CCHIT and ONC.

  • Additionally, it will be both provider and vendor getting bit in the rear end. The provider because when they attest, they are “swearing” they followed the protocols when in fact, they never did. The attestation is black and white. Did you do this…..did you do that.

    Communicable disease reporting, syndromic surveillance data, sending and receiving labs….. A1c….the list goes on. Unfortunately, most systems that are certified that I have come in contact with and are certified…..cannot do this.

  • Michael,
    I think it’s crazy that you think that CCHIT provides any additional benefit to a provider. There are as many bad apples in it as the others. In fact, one could make the argument that an EHR vendor wasting development time on CCHIT is not in the best interest of the customer.

  • wow….This is the problem. Too many people opining on something with zero credibility. CCHIT is more geared towards interoperability where these little ONC companies are primarily content. Race, Age, ethnicity…I could ONC certify on a Google page lol. Not that extreme but you get the point.

    You are correct in the sense CCHIT has as many bad apples. But, in an investment sense, one needs to protect themselves and make sure their vendor is CCHIT certified.

    With the CCHIT are they really protected against fraud? The answer is no. Let’s wait and see what happens.

  • Zero credibility? How long have you been reading this blog? I’ve been following and writing about CCHIT since it first started. I’m not sure which Kool-aid you drank for CCHIT, but the best case you can make for CCHIT certification is interoperability?

    Reminds me of when I heard the CCHIT director at HIMSS talk (pre-ONC-ATCB) about the “assurance” that CCHIT provided. I got on the mic and asked him what assurance he was talking about. After he gave me a blank face not knowing what I was talking about I asked further, was it an assurance of better patient care? Was it an assurance of a better EHR implementation? Less likely to fail EHR implementation? Improved clinic revenue? What assurance was he providing?

    His answer was telling, “we assure that they meet our list of criteria.”

    Now you come and tell me interoperability. Yes, because so many CCHIT certified EHR software is sharing healthcare data right now. Very interesting.

    Man, this takes me back to the good old days. At least you’re more rational than many. You realize that CCHIT can’t protect against fraud.

    Also, just to be clear, I’m not saying that CCHIT systems are all bad. All the EHR certifying bodies have some good and bad apples. I don’t think the EHR certification differentiates an EHR at all. Luckily, post-EHR incentive money most people agree.

  • As John might know, I am an avid reader of this blog which is very informative as well as get to see good discussions as well.
    As a certified EHR vendor, we have gone through the experience; and we were probably the third or fourth product to get certified by Drummond Group; we did not choose CCHIT for various reasons. Generally, all the companies that are on the certification body are pretty reputable companies.
    It’s a complex environment and initially they had limited time to do what they had to do. I am sure the next phase will be well thought out.
    On the Interoperability front, none of these testing bodies are participating in the community efforts. For instance in the S&I Framework effort by ONC, few of the EHR vendors participate and do some serious POCs to validate the concepts and Phase II MU requirements. All these are pro-bono work and needs to get done to validate and move forward. CCHIT or for that matter Drummond or any other group participates in such efforts. But having done all these POCs, as first movers, we will end up educating the certifying bodies.
    I guess all these will improve as the industry matures; health IT is probably in its childhood.
    Cheers and as always, we enjoy John’s topics and information.

  • Alright ladies, let’s calm down.

    I have a simple rule of thumb when it comes to the EHR selection process:
    1) If the salesperson isn’t willing to spend a few days in your practice to see how your practice operates…they are out.
    2) FREE is very suspect…be a paranoid SOB with FREE EHR.
    3) Do an onsite visit with at least 2 practices using the EHR you are thinking to select. Ensure no salesperson will be there and talk with the staff…not just the doc. Find out if there are any issues.
    4) It is a given that the EHR should be certified. Can you get screwed with fraud? Sure, but if you do the above and some due diligence, you should be fine.

    Let us not forget this is a serious business you are running…treat this process seriously.

  • Nice simple solution; yes this is an easy but sure shot way of selecting an EHR. Many practices fail to understand that this is an important step; a comprehensive EHR is almost like an ERP and requires some amount of investment of time and effort in selection. And as John rightly pointed out ‘FREE’ is not really free.

  • Can anyone report any examples of any “free EMR” that proved to be anything other than a Ponzi scheme that ended disastrously for all involved? There have been several claiming to be “free” over the years, and I am not aware of any that ever reached a sustainable business model. I would be very interested to learn of any exceptions. Thanks.

  • Dr. Oates,
    I think that’s a bit much to call them a ponzi scheme. In fact, they don’t take money which is the opposite of ponzi scheme. Certainly it’s worth questioning the business model of the Free EHR software vendors, but ponzi scheme they are not.

    I think Practice Fusion is the closest to success. I’m not sure if they’ll provide a great return for their investors since they’ve taken so much money, but I think they’ll be able to stay in business.

  • Practice Fusion just raised 30 million dollars. It is very realistic to be a high finance ponzi

    Would you invest in PF??

  • The issue is less that the certification bodies are unscrupulous and more that the certification criteria themselves are a joke.

    If one thinks that certification denotes that a system is safe, usable, reliable and will support the care delivery needs of any particular healthcare organization, then one will be quite disappointed.

    If one thinks that certification denotes that a company offering a system has certain financial stability, legal liability coverage or quality management systems in place, one will be similarly disappointed.

    ONC has no interest in rigorous certification. Only higher attestation numbers.

  • John – I’m not in a position to have the knowledge to state whether or not any currently existing “free EMR” has a sustainable business model or not. It would be great if/when this becomes possible.
    A Ponzi scheme is simply where early participants benefit in some sort of investment for a short time from an ever growing base of later participants. That is, the debt load of the scheme continues to grow until it pops for everyone. Those “free EMR” companies that no longer exist had a consistent pattern of being able to progressively grow a debt or capture greater levels of venture capital by either misrepresenting the size of their user base or misrepresenting the potential value of “selling data” which allowed them to progressively expand their debt load until it became unsustainable. I have no knowledge that this is taking place today with any current vendors, and I certainly hope this not to be the case.
    Again, I do ask if anyone has knowledge of an example of an EMR vendor that reached a sustainable business model that was leveraged greater than 3 to 1 for any significant length of time? Perhaps there are dozens?

  • What differentiates Ponzi schemes from other over leveraged constructs is the intent to defraud. While many businesses may be over leveraged due to cruddy management, or as an initial management strategy, that does not mean they are frauds. The term Ponzi scheme implicitly or explicitly means it was started and maintained to steal from the investors.

    There is much fault to be found in the business practices of EMR vendors, but investor fraud is quite rare, if it exists at all.

  • PONZI Scheme – it is not. In fact PF has developed a very good model and is charging for SUPPORT and for ‘ad free’ application; and also charges for the integrated PMS.

    As earlier commenters had mentioned – it’s not an intent to fraud; but could be the financial engineering or lack thereof that might result in questionable viability of some of the EHRs/Vendors. Like any other industry, there will be shakeup and consolidation over the next 48 months.

    Generally, if an EHR Vendor reaches the 2500+ mark, then they will have the critical mass required to sustain and invest in R&D.

    Taking a broader view, EHR vendors will be able to offer enhancements such as PLATFORM to practice tele-medicine, further practice automation, interactive PHR and much more over time, thereby increasing their revenue per provider. And also the global markets – we are here talking about the US market; EHR built on standards is applicable to many of the emerging markets as well.

  • No one is claiming PF is a ponzi. Odds are that it is not. Back in the late 90’s Dell initiated the free PC for advertisements and it failed miserably. Most EMR vendors are bleeding red ink. The constant upgrades and never ending programming will sink 90% of them. Don’t look for consolidation…….the accounts the vendor “contracted” with will not be worth much at all. You see..this is a tough industry to make money in as time passes prices for systems are falling precipitously. Never forget that the market is forward thinking. A Vendor with 2,000 users will be worth what? Nothing. Absolutely nothing. Now….Vendors with over 10k users (Only 3 vendors can say this) might have some value. But not much. AllScripts, for example, isn’t worth the paper the stock certificates are printed on. Most customers are suing them.

  • I agree with Anthony. It’s amazing how well an EHR vendor that held its costs low can do with even a couple thousand users.

    I think there’s a clear differentiation between a bad investment and a ponzi scheme. I’d say that a number of EHR companies will fall into the first category. I haven’t seen any in the second category.

    Good discussion though. I think the doctors are the ones getting the short end of the stick with many EHR, not the investors. Although, maybe I’m just more of a physician advocate than an investor advocate.

  • Would Medicare or Social Security in their current forms be the equivalent of Ponzi schemes? Just asking.
