RAC Audits and EHR Software – Who Bears the Burden of Non-compliance?

A False Claims Act case pits a prominent health system against its EHR software provider.

For many years, healthcare providers have been financially incentivized to purchase electronic health records (EHR) software. These programs can cost upwards of $25,000 to $50,000 and are sometimes renewable every year. In other words, these programs are extremely expensive.

So shouldn’t these programs be compliant with all applicable federal and state regulations? The truth is, most programs are not created by physicians or attorneys. Many companies producing the programs do not even have attorneys review the software for regulatory compliance. Yet healthcare providers rely on these EHR systems to submit their billings to Medicare and Medicaid – and, guess what, to comply with state and federal regulations as well.

This poses a huge risk for healthcare providers, because the next regulatory audit, such as one from a Recovery Audit Contractor (RAC), is as sure as death and taxes. One hundred percent of a provider’s service notes or healthcare records could be noncompliant, based on the underlying software, and the provider would never know. If the provider is accused of failing to report a $1 million overpayment based on a flaw in the software, who bears the burden? The provider? Or the noncompliant software company?

Currently, the answer is this: whichever national provider identification (NPI) number is used is the “captain of the ship,” and thus is liable for any noncompliance issues. However, with providers getting smarter and more comfortable navigating the EHR world, many have begun to negotiate indemnification clauses in their contracts with the software companies and/or sue on the back end for indemnification, regardless of the contract terms and based on multiple legal causes of action.

Common compliance issues found with using EHR software include the following:

1. Electronic signatures

Simply typing the healthcare provider’s name at the bottom of a service note does not mean compliance with Medicare criteria has been achieved. You can look at the Medicare Program Integrity Manual, Chapter 3, for more guidance.

2. Self-populating entries

These are the “time-savers.” And they are indeed that. However, I have seen that some software programs default to the pronoun “he,” and without the healthcare provider going back and revising the note to say “she,” there will be gender pronouns that clash. These are red flags for auditors. Internal inconsistencies within notes or other medical records also present liability issues to auditors. The same is true of massive amounts of cutting and pasting.

An example of internal inconsistencies is the following: some computer software programs default to “patient presents without pain.” Then, later on in the service note, the healthcare provider writes “patient c/o of severe pain.” An auditor may deny payment with respect to that service because of inconsistent documentation.

3. Retrospective self-populating entries

Some EHR software is programmed to populate information not only prospectively, but retrospectively, which creates significant risk for providers. In one case, a provider did not realize that each time a diagnostic test result was entered, this information was auto-populated prospectively as well as retrospectively. Results from a February 2010 test were included, not only in subsequent notes, but in notes dating prior to the test.

4. Customization to a specialty

In some instances, the software template may include information that would rarely be relevant to a particular provider. For example, a software program may include a review of the gastrointestinal system when the provider is a hand specialist. As ridiculous as it sounds, regardless of the specialty, blanks – or the absence of information that could be perceived to be needed – can lead to denials in an audit.

Legal Liability

In a very recently initiated and ongoing qui tam action under the federal False Claims Act, a relator alleges that Bon Secours Health System, Inc., fraudulently billed Medicare and Medicaid for millions of dollars.

The allegations derive from the installation and use of a billing system known as “McKesson billing software.” McKesson billing software, according to the complaint, “from the very start … was deliberately programmed not to do split-billing.”

“‘Split-billing,’ otherwise known as ‘Medicare maximization,’ involves ‘identif(ying) and bill(ing) any liable third party prior to … Medicaid,’” the filing reads.

Billing such parties prior to billing Medicaid is a requirement of participation in the Medicaid program. For patients eligible for both Medicare and Medicaid, or “dual-eligible patients,” this means billing Medicare before billing Medicaid.

The impetus for this requirement is that Medicaid typically reimburses providers for the full cost of a patient’s treatment, whereas Medicare reimburses at a flat rate lower than the actual cost of treatment. Thus, the government saves money when a provider bills Medicare first. If a provider bills Medicaid first for services provided to a dual-eligible patient, it violates the split-billing requirement. 

Again, the allegation in Bon Secours was that the billing system or computer program for the EHR was purposefully unable to split-bill, which violates Medicaid regulations. Notice, however, that the billing company in Bon Secours was not a named defendant. Why not? Even if the plaintiff did not name the billing company as a party in the complaint, Bon Secours could have filed a third-party complaint bringing in the billing company as a party to indemnify it.

The law is not clear on the issue of who bears the burden of liability for regulatory noncompliance when the noncompliance is caused by the billing software company and not the provider. Certainly, the billing software company will argue that it is the burden of a healthcare provider to follow all rules and regulations pertaining to Medicare and Medicaid when the provider signs the Medicare/Medicaid contract. Obviously, the billing software companies do not sign a contract with Medicare or Medicaid.

Going forward, we will keep an eye on the outcome of Bon Secours. Until then, I am of the opinion that there is a strong legal argument for indemnification of the provider by the billing software company.

To be safe, I recommend demanding an indemnification clause in contracts with billing software companies. They may buck, but if that is the case, then maybe that software company is not the right choice for you.


Knicole C. Emanuel Esq.

For more than 20 years, Knicole has maintained a health care litigation practice, concentrating on Medicare and Medicaid litigation, health care regulatory compliance, administrative law and regulatory law. Knicole has tried over 2,000 administrative cases in over 30 states and has appeared before multiple states’ medical boards. She has successfully obtained federal injunctions in numerous states, which allowed health care providers to remain in business despite state or federal allegations of health care fraud, abhorrent billings, and data mining. Across the country, Knicole frequently lectures on health care law, the impact of the Affordable Care Act and regulatory compliance for providers, including physicians, home health and hospice, dentists, chiropractors, hospitals and durable medical equipment providers. Knicole is a partner at Nelson Mullins, a member of the RACmonitor editorial board and a popular panelist on Monitor Monday.
