RAC Audits and EHR Software – Who Bears the Burden of Non-compliance?

A False Claims Act case pits a prominent health system against its EHR software provider.

Over the last many years, healthcare providers have been financially incentivized to purchase electronic health records (EHR) software. These programs can cost upwards of $25,000 to $50,000, and, sometimes are renewable every year. In other words, these programs are extremely expensive.

So shouldn’t these programs be compliant with all applicable federal and state regulations? The truth is, most programs are not created by physicians or attorneys. Many companies producing the programs do not even have attorneys review the software for regulatory compliance. Yet healthcare providers rely on these EHR systems to submit their billings to Medicare and Medicaid – and guess what? Complying with state and federal regulations as well.

This poses a huge risk for healthcare providers, because the next regulatory audit, such as one from a Recovery Audit Contractor (RAC), is as sure as death and taxes. One hundred percent of provider’s service notes or healthcare records could be noncompliant, based on the underlying software, and the provider would never know. If the provider is accused of failing to report a $1 million overpayment based on a flaw in the software, who bears the burden? The provider? Or the noncompliant software company?

Currently, the answer is this: whichever national provider identification (NPI) number is used is the “captain of the ship,” and thus is liable for any noncompliance issues. However, with providers getting smarter and more comfortable navigating the EHR world, many have begun to negotiate indemnification clauses in their contracts with the software companies and/or sue on the back end for indemnification, regardless of the contract terms and based on multiple legal causes of action.

Common compliance issues found with using EHR software include the following:

1. Electronic signatures

Simply typing the healthcare provider’s name at the bottom of a service note does not mean compliance with Medicare criteria has been achieved. You can look at the Medicare Program Integrity Manual, Chapter 3, for more guidance.

2. Self-populating entries

These are the “time-savers.” And they are indeed that. However, I have seen that some software programs default to the pronoun “he,” and without the healthcare provider going back and revising the note to say “she,” there will be gender pronouns that clash. These are red flags for auditors. Internal inconsistencies within notes or other medical records also present liability issues to auditors. The same is true of massive amounts of cutting and pasting.

An example of internal inconsistencies is the following: some computer software programs default to “patient presents without pain.” Then, later on in the service note, the healthcare provider writes “patient c/o of severe pain.” An auditor may deny payment with respect to that service because of inconsistent documentation.

3. Retrospective self-populating entries

Some EHR software is programmed to populate information not only prospectively, but retrospectively, which creates significant risk for providers. In one case, a provider did not realize that each time a diagnostic test result was entered, this information was auto-populated prospectively as well as retrospectively. Results from a February 2010 test were included, not only in subsequent notes, but in notes dating prior to the test.

4. Customization to a specialty

In some instances, the software template may include information that would rarely be relevant to a particular provider. For example, a software program may include a review of the gastrointestinal system when the provider is a hand specialist. As ridiculous as it sounds, regardless of the specialty, blanks – or the absence of information that could be perceived to be needed – can lead to denials in an audit.

Legal Liability

In a very recently initiated and ongoing qui tam action under the federal False Claims Act, a relator alleges that Bon Secours Health System, Inc., fraudulently billed Medicare and Medicaid by millions of dollars.

The allegations derive from the installation and use of a billing system known as “McKesson billing software.” McKesson billing software, according to the complaint, “from the very start … was deliberately programmed not to do split-billing.”

“’Split-billing,’ otherwise known as ‘Medicare maximization,’ involves ‘identif(ying) and bill(ing) any liable third party prior to … Medicaid,” The filing reads. 

Billing such parties prior to billing Medicaid is a requirement of participation in the Medicaid program. For patients eligible for both Medicare and Medicaid, or “dual-eligible patients,” this means billing Medicare before billing Medicaid.

The impetus for this requirement is that Medicaid typically reimburses providers for the full cost of a patient’s treatment, whereas Medicare reimburses at a flat rate lower than the actual cost of treatment. Thus, the government saves money when a provider bills Medicare first. If a provider bills Medicaid first for services provided to a dual-eligible patient, it violates the split-billing requirement. 

Again, the allegation in Bon Secours was that the billing system or computer program for the EHR was purposefully unable to split-bill, which violates Medicaid regulations. Notice, however, that the billing company in Bon Secours was not a named defendant. Why not? Even if the plaintiff did not name the billing company as a party in the complaint, Bon Secours could have filed a third-party complaint bringing in the billing company as a party to indemnify it.

The law is not clear on the issue of who bears the burden of liability for regulatory noncompliance when the noncompliance is caused by the billing software company and not the provider. Certainly, the billing software company will argue that it is the burden of a healthcare provider to follow all rules and regulations pertaining to Medicare and Medicaid when the providers signs the Medicare/Medicaid contact. Obviously, the billing software companies do not sign a contract with Medicare or Medicaid.

Going forward, we will keep an eye on the outcome of Bon Secours. Until then, I am of the opinion that there is a strong legal argument for indemnification of the provider by the billing software company.

To be safe, I recommend demanding an indemnification clause in contracts with billing software companies. They may buck, but if that is the case, then maybe that software company is not the right choice for you.

Facebook
Twitter
LinkedIn

Knicole C. Emanuel Esq.

For more than 20 years, Knicole has maintained a health care litigation practice, concentrating on Medicare and Medicaid litigation, health care regulatory compliance, administrative law and regulatory law. Knicole has tried over 2,000 administrative cases in over 30 states and has appeared before multiple states’ medical boards. She has successfully obtained federal injunctions in numerous states, which allowed health care providers to remain in business despite the state or federal laws allegations of health care fraud, abhorrent billings, and data mining. Across the country, Knicole frequently lectures on health care law, the impact of the Affordable Care Act and regulatory compliance for providers, including physicians, home health and hospice, dentists, chiropractors, hospitals and durable medical equipment providers. Knicole is partner at Nelson Mullins and a member of the RACmonitor editorial board and a popular panelist on Monitor Monday.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

The Cost of Ignoring Risk Adjustment: How HCCs Impact Revenue & Compliance

The Cost of Ignoring Risk Adjustment: How HCCs Impact Revenue & Compliance

Stop revenue leakage and boost hospital performance by mastering risk adjustment and HCCs. This essential webcast with expert Cheryl Ericson, RN, MS, CCDS, CDIP, will reveal how inaccurate patient acuity documentation leads to lost reimbursements through penalties from poor quality scores. Learn the critical differences between HCCs and traditional CCs/MCCs, adapt your CDI workflows, and ensure accurate payments in Medicare Advantage and value-based care models. Perfect for HIM leaders, coders, and CDI professionals.  Don’t miss this chance to protect your hospital’s revenue and reputation!

May 29, 2025
I050825

Mastering ICD-10-CM Coding for Diabetes and it’s Complications: Avoiding Denials & Ensuring Compliance

Struggling with ICD-10-CM coding for diabetes and complications? This expert-led webcast clarifies complex combination codes, documentation gaps, and sequencing rules to reduce denials and ensure compliance. Dr. Angela Comfort will provide actionable strategies to accurately link diabetes to complications, improve provider documentation, and optimize reimbursement—helping coders, CDI specialists, and HIM leaders minimize audit risks and strengthen revenue integrity. Don’t miss this chance to master diabetes coding with real-world case studies, key takeaways, and live Q&A!

May 8, 2025
2025 Coding Clinic Webcast Series

2025 ICD-10-CM/PCS Coding Clinic Update Webcast Series

Uncover critical guidance. HIM coding expert, Kay Piper, RHIA, CDIP, CCS, provides an interactive review on important information in each of the AHA’s 2025 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 14, 2025

Trending News

Featured Webcasts

The Two-Midnight Rule: New Challenges, Proven Strategies

The Two-Midnight Rule: New Challenges, Proven Strategies

RACmonitor is proud to welcome back Dr. Ronald Hirsch, one of his most requested webcasts. In this highly anticipated session, Dr. Hirsch will break down the complex Two Midnight Rule Medicare regulations, translating them into clear, actionable guidance. He’ll walk you through the basics of the rule, offer expert interpretation, and apply the rule to real-world clinical scenarios—so you leave with greater clarity, confidence, and the tools to ensure compliance.

June 19, 2025
Open Door Forum Webcast Series

Open Door Forum Webcast Series

Bring your questions and join the conversation during this open forum series, live every Wednesday at 10 a.m. EST from June 11–July 30. Hosted by Chuck Buck, these fast-paced 30-minute sessions connect you directly with top healthcare experts tackling today’s most urgent compliance and policy issues.

June 11, 2025
Open Door Forum: The Changing Face of Addiction: Coding, Compliance & Care

Open Door Forum: The Changing Face of Addiction: Coding, Compliance & Care

Substance abuse is everywhere. It’s a complicated diagnosis with wide-ranging implications well beyond acute care. The face of addiction continues to change so it’s important to remember not just the addict but the spectrum of extended victims and the other social determinants and legal ramifications. Join John K. Hall, MD, JD, MBA, FCLM, FRCPC, for a critical Q&A on navigating substance abuse in 2025.  Register today and be a part of the conversation!

July 16, 2025

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24