Skip to content

Alert! Health-Tech Under the Microscope

When the DOJ announced that its Antitrust Division would focus attention on regulating “market-leading online platforms,” you may not have guessed it would zero in on non-competition related violations by healthcare platforms seeking to unify doctors, patients, and e-prescribing pharmacies as opposed to Big Tech.1 The DOJ’s foray into digital markets, though, has already expanded beyond the “Big Four” and into the health technology sector — marking the first ever criminal action against an electronic health records (“EHR”) vendor and puncturing another vein in the opioid crisis. Last week, a San Francisco IT software development company, Practice Fusion, Inc., entered into a $145 million deferred prosecution agreement with DOJ, admitting to soliciting and receiving kickbacks in exchange for designing software and clinical decision support (“CDS”) alerts that influenced physicians’ decisions to prescribe opioid pain medications.2 A day later, the DOJ announced a “potentially major escalation” of its formal tech probe that could expand into issues concerning privacy and public safety by seeking “an open-ended number” of trial attorneys, 10 paralegals, and five statisticians in its San Francisco and D.C. offices.3 These alerts signal that the healthcare technology industry will be under the microscope for a while.

Practice Fusion admitted to violating the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b)(1), which specifically prohibits referral payments in the context of federal health care programs, as well as conspiring to defraud the government under 18 U.S.C. § 371, both in connection with its scheme to receive payments from opioid companies in exchange for the pop-up CDS recommendations.4 The pharmaceutical companies, which were not named in the DPA, were invited to participate in Practice Fusion’s software design process, and gave input with respect to timing CDS alerts, setting alert guidelines and criteria, and drafting alert language. The goal of the alert system was to increase extended-release opioid sales (paid for in part by federal health care programs) by influencing doctors’ decisions at the point of patient diagnosis and treatment determinations. Practice Fusion received nearly $1 million in payments from the pharmaceutical companies, which were characterized as “kickbacks” in the DPA.5

Practice Fusion has agreed to pay a criminal fine of $25.4 million and to forfeit $959,700 of criminal proceeds, the largest criminal fine in the history of the Vermont district where the DPA was filed.6 As part of its cooperation and in order to “ensure transparency and public awareness,” Practice Fusion will publicize internal documents evidencing its unlawful conduct, enlist an independent oversight organization to review and approve CDS alerts, and design and implement a comprehensive compliance program.7

Also disclosed in the DPA is a settlement of $118.7 million that Practice Fusion will pay in a separate civil settlement agreement for alleged False Claims violations.8 The civil settlement resolves allegations of 13 CDS-based kickback schemes with other pharmaceutical companies, allegations involving fraudulent certification and misrepresentation of software capability relating to patients’ access to data, and allegations of knowingly causing healthcare providers to fraudulently obtain incentive payments from Medicare and Medicaid.9

In cracking Practice Fusion’s software-based fraud, the U.S. Attorney for the District of Vermont called this an example of “pioneering healthcare fraud enforcement.”10 Similar investigations are likely to follow. DOJ is actively recruiting statisticians, paralegals, and trial attorneys for its digital markets team, which was likely responsible for the Practice Fusion investigation.11 Several job postings have opened on the DOJ’s online employment platform,12 and at a recent Federal Bar Association event in San Francisco, Manish Kumar, Chief of San Francisco’s DOJ Antitrust Division, made a hiring pitch for individuals to join the public procurement strike force, data analytics development efforts, and digital markets team.13 The volume and breadth of help wanted suggests an imminent enforcement boom.

In the wake of the Practice Fusion settlement, Shimon Richmond, Assistant Inspector General for Investigations of the U.S. Department of Health and Human Services, remarked, “As new technologies continue to develop and evolve, so too do new and innovative fraud schemes…we will continue to be vigilant in detecting and investigating these schemes in order to protect the safety of patients in federal health programs and to ensure the appropriate use of electronic health records in providing their care.”14

In addition to fraud and false claims issues, evolving privacy laws will impact enforcement of healthcare digital markets. Health information research “often focuses on whether treatments, health technologies or changes in personal behaviors are successful over time” and data analysis in this realm is key to improving health care and reducing health care costs.15 Patient databases, like the one at issue in the Practice Fusion case, rely on aggregating patient data that is at the center of privacy regulation. Thus, as health information researchers grapple with obtaining “deidentified data” under increasingly stringent state privacy laws, like the California Consumer Privacy Act (“CCPA”), and overarching federal privacy laws stemming from the Health Insurance Portability and Accountability Act (“HIPAA”), health technology companies could be faced with less information about patient needs. Not to mention, Roger Severino, HIPAA enforcement lead and director of the Office for Civil Rights at the Department of Health and Human Services, commented in an interview that cybersecurity protections and proper controls on access to patient records are among the “low hanging fruit” that underscore the need for increased HIPAA enforcement.16 Hackers “have lucrative reasons to target heath care companies, which often store ‘incredibly valuable’ personal information.”17

With Uncle Sam’s increasing number of eyes on the industry, and, given the myriad ways healthcare technology companies could run afoul of government regulations, companies need to ensure their software systems, business models, and compliance programs are keeping up with the evolving regulatory landscape.

Subscribe to The V&E Report to receive weekly email updates.

1 Dep’t of Justice, Press Release, Justice Department Reviewing the Practices of Market-Leading Online Platforms (July 23, 2019),

2 Dep’t of Justice, Press Release, Electronic Health Records Vendor to Pay $145 Million to Resolve Criminal and Civil Investigations (January 27, 2020),

3 Bryan Koenig, Help Wanted: DOJ Seeks Attys, Paralegals For Tech Probe, Law360 (January 28, 2020),

4 Deferred Prosecution Agreement, United States v. Practice Fusion, Inc., 2:20-cr-00011-wks, ¶ 2.e (Jan. 27, 2020), available at

5 Information, United States v. Practice Fusion, Inc., 2:20-cr-00011-wks, ¶¶ 119, 124 (Jan. 27, 2020), available at

6 Supra note 4 ¶ 3.

7 Supra note 2.

8 Supra note 4 ¶ 3.

9 Supra note 2.

10 Id.

11 Dep’t of Justice, Antitrust Div, Division Spring Update 2019, updated September 30, 2019,

12 Dep’t of Justice, Antitrust Div, Employment, updated January 28, 2020,

13 Manish Kumar, Chief, Dept. of Justice, Antitrust Div, San Francisco, panel member at Views from the Top: Hot Issues & Trends in White Collar, Securities and Antitrust Enforcement (Jan. 30, 2020).

14 Supra note 7.

15 Joy Pritts, A Privacy Law Question Facing Health Data Researchers, Law360 (Jan. 28, 2020),

16 Jeff Overley, HIPAA Boss Sees ‘Low-Hanging Fruit’ Ripe For Enforcement, Law360 (Feb. 3, 2020),

17 Id.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.