Electronic Health Record (EHR) Software Criminal Fraud Defense - 18 U.S.C. § 1030 (Computer Fraud and Abuse Act)
The Department of Justice has put EHR manipulation on its official enforcement priority list, and it is not bluffing.
On July 2, 2025, the DOJ announced the creation of a False Claims Act Working Group with HHS-OIG, focused on six priority areas, including manipulation of electronic health record systems to drive inappropriate utilization of Medicare-covered products and services.
For physicians, practice owners, billing technology vendors, and the software developers who build these systems, the line between aggressive revenue optimization and federal fraud has narrowed considerably.
18 U.S.C. § 1030, the Computer Fraud and Abuse Act, has become one of the tools prosecutors turn to when the alleged conduct involves accessing or manipulating a computer system, including EHR platforms, to produce fraudulent results.
Combined with the Anti-Kickback Statute and the False Claims Act, it forms a layered prosecution framework that can reach providers, practice administrators, and the technology companies that build the software itself.
What Does the Computer Fraud and Abuse Act Actually Prohibit?
Among its core prohibitions, § 1030 criminalizes knowingly and with intent to defraud accessing a protected computer without authorization, or exceeding authorized access, and by means of that conduct furthering an intended fraud and obtaining anything of value.
The statute also criminalizes knowingly transmitting code, commands, or programs that cause unauthorized damage to a protected computer.
The Department will not charge defendants for accessing a computer without authorization unless, at the time of the conduct:
- The defendant was not authorized to access the protected computer under any circumstances by any person or entity with authority to grant such authorization, and
- The defendant knew of the facts making that access unauthorized, and prosecution would serve the Department's CFAA enforcement goals.
That DOJ policy guidance matters significantly in EHR cases, because most physicians and billing staff have legitimate, authorized access to the systems they are accused of manipulating.
The government's theory in these cases typically rests on exceeding authorized access for an improper purpose, not unauthorized access in the traditional hacking sense.
A 2021 Supreme Court ruling narrowed that theory considerably. In Van Buren v. United States, the Supreme Court ruled that a person exceeds authorized access under the CFAA only when they access files or content in portions of the system that are off-limits to them, beyond the areas they were authorized to access.
The opinion restricted the CFAA from applying to cases where a person obtains information from areas they do have authorized access to, but uses that information for an improper purpose.
That ruling is significant for EHR cases, since it limits how broadly prosecutors can stretch CFAA theory against a clinician who used their own authorized system access, even if their purpose in using it was later characterized as fraudulent.
What is the EHR-Specific Enhancement Within the Statute?
Congress wrote a healthcare-specific enhancement directly into the CFAA's damage provisions. Among the factors that elevate a CFAA violation to felony-level exposure is the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
In an EHR fraud case, that provision allows prosecutors to argue that manipulating clinical decision support tools or treatment algorithms to trigger higher billing codes did not just cause financial loss; it potentially impaired patient care itself, a factor that raises sentencing exposure considerably beyond a standard fraud case.
Why Has EHR Manipulation Become a Federal Priority?
The defining case in this space remains United States v. Practice Fusion.
In the first-ever criminal action against an EHR vendor, Practice Fusion was charged with violating the Anti-Kickback Statute and conspiring with an opioid company client to violate that statute.
Practice Fusion admitted it solicited and received kickbacks from a major opioid company in exchange for using its EHR software to influence physician prescribing of opioid pain medications.
The deferred prosecution agreement required Practice Fusion to pay a criminal fine of over $25 million and forfeit nearly $1 million in proceeds, in addition to a separate $118.6 million civil settlement.
Practice Fusion allowed pharmaceutical companies to influence the development of clinical decision support alerts in ways aimed at increasing prescriptions of their products.
The same architecture, software prompts engineered to steer clinical or billing decisions in a financially advantageous direction, is precisely what the DOJ's 2025 Working Group is now targeting in the context of billing codes rather than prescriptions.
That concern has only intensified with the rise of AI-assisted coding.
Justice Department investigators are scrutinizing the healthcare industry's use of AI embedded in patient records that prompts doctors toward particular treatments, and prosecutors have started subpoenaing pharmaceutical and digital health companies to learn more about generative technology's role in facilitating anti-kickback and false claims violations.
If a vendor represents that their billing tool can increase collections through more aggressive coding, the DOJ can use that representation to establish intent to defraud.
The law continues to hold the provider whose National Provider Identifier is attached to the claim accountable for the final submission, regardless of whether an EMR template or coding algorithm generated the suggestion.
Who Faces Exposure in These Cases?
The architecture of EHR fraud investigations can implicate several different categories of defendants simultaneously.
Physicians and practice owners face exposure when their billing reflects codes generated by software prompts they did not independently verify.
EHR vendors and software developers face exposure for designing algorithms or clinical decision support tools that were built to maximize reimbursement rather than reflect accepted medical standards.
Practice administrators and billing managers face exposure when they configure or maintain systems known to generate inflated codes.
EHR software that improperly influences providers or diminishes their independent medical judgment is treated as legally problematic by prosecutors, separate from any kickback arrangement that may also be present.
Frequently Asked Questions (FAQs)
Can a doctor be held criminally liable if an EHR software automatically suggests or generates an inflated billing code?
Yes. Under federal healthcare fraud frameworks, the physician whose National Provider Identifier (NPI) is attached to the claim bears ultimate legal responsibility for its accuracy.
If a provider consistently approves automated, upcoded suggestions without independently verifying that the clinical documentation supports that level of care, the government can pursue charges under theories of specific intent to defraud or "willful blindness."
Relying blindly on an algorithm or software template does not provide an absolute shield against federal prosecution.
How does the Supreme Court's Van Buren ruling protect healthcare providers against CFAA charges?
The Supreme Court's ruling in Van Buren v. United States restricted the scope of the Computer Fraud and Abuse Act (CFAA) by establishing that a user cannot be prosecuted for "exceeding authorized access" if they have permission to access a specific system area, even if they use that information for an improper or fraudulent purpose.
For healthcare workers, this means that if you use your own valid credentials to log into an EHR system and input data, the government cannot charge you with federal "hacking" under the CFAA—even if they dispute the integrity of the billing data entered.
What unique criminal penalties apply to EHR manipulation compared to standard financial fraud?
Congress explicitly integrated a healthcare-specific enhancement into the damage provisions of the CFAA (18 U.S.C. § 1030).
If the government proves that the modification or manipulation of an EHR system potentially impaired or modified a patient's medical examination, diagnosis, treatment, or clinical care, the offense is automatically elevated to a felony.
This clinical impairment factor significantly increases sentencing guidelines and federal prison exposure far beyond traditional white-collar or financial fraud metrics.
Can EHR software developers and tech vendors face criminal prosecution for design choices?
Yes. If software developers, EHR vendors, or technology executives intentionally design clinical decision support tools, automated prompts, or backend coding algorithms to artificially maximize corporate reimbursements rather than reflect objective medical standards, they face direct exposure.
Tech companies can be prosecuted under the False Claims Act and the Anti-Kickback Statute for causing false claims to be submitted or for configuring software algorithms to steer clinical choices in exchange for financial windfalls.
What is the role of the DOJ's False Claims Act Working Group in EHR investigations?
The Department of Justice, in coordination with the HHS-OIG, established a specialized False Claims Act Working Group to aggressively scrutinize systemic healthcare fraud.
The manipulation of EHR systems to drive inappropriate or artificial utilization of Medicare-covered products and services sits directly on its official enforcement priority list.
This group utilizes advanced data analytics to identify statistical billing outliers among providers and coordinates cross-agency resources to move investigations rapidly from civil audits to criminal referrals.
How do whistleblowers trigger federal EHR fraud investigations, and how should a firm respond?
Many EHR fraud investigations originate through qui tam lawsuits filed by whistleblowers, who are often current or former billing staff, practice administrators, or software engineers with internal access to the platform's configuration.
These matters usually begin covertly with a civil investigative demand (CID) or a federal subpoena. If your practice or software company detects a potential compliance issue or receives an administrative inquiry, you must engage experienced defense counsel immediately during this civil phase to shape the narrative before a criminal referral is made.
Defense Strategies for EHR-Related Fraud Allegations
Challenging the CFAA's Authorization Requirement
Following Van Buren, the defense should examine closely whether the conduct alleged actually involves exceeding authorized access in the narrow sense the Supreme Court defined, or whether the government is improperly stretching the statute to cover authorized use for a disputed purpose.
A physician using EHR software exactly as their employer configured it, even if the configuration itself was later found problematic, has a materially different CFAA exposure than someone who broke into restricted system areas.
Separating Vendor Design Choices from Provider Intent
A physician who relied on an EHR system's built-in coding suggestions, without independent knowledge that the underlying algorithm was designed to inflate reimbursement, did not act with the fraudulent intent the government must prove.
A compliance plan that documents the human-in-the-loop review process used to verify AI-generated coding suggestions before submission is a critical piece of evidence establishing good faith.
Documenting Compliance and Review Processes
For both providers and vendors, contemporaneous documentation of coding audits, training records, and independent compliance review creates the evidentiary foundation for a good-faith defense.
This record must exist before any investigation begins; reconstructing it after a subpoena arrives carries far less weight.
Engaging Before Charges are Filed
EHR fraud investigations often begin as civil False Claims Act inquiries, frequently triggered by a qui tam whistleblower complaint from a current or former employee with direct knowledge of the software's design or implementation.
Engaging defense counsel during the civil investigative phase, before any criminal referral is made, gives the best opportunity to present a compliance narrative that can keep the matter in civil rather than criminal channels.
Practice Cleared of CFAA Allegations Through Authorization Defense
A multi-physician primary care practice was investigated after a departing billing coordinator alleged the practice's EHR system had been configured to default to higher-complexity billing codes for routine visits.
Federal investigators initially framed the matter as a potential CFAA violation, theorizing that practice staff had exceeded authorized access by altering system settings to misrepresent visit complexity.
Defense counsel was retained when the practice received a civil investigative demand.
Counsel reviewed the practice's IT vendor agreements and discovered that the default coding settings had been configured by the EHR vendor itself during initial system implementation, not by practice staff, and that the practice had never modified those settings or accessed any administrative function restricted from their authorized use.
Counsel presented this finding to the DOJ attorney handling the inquiry, along with documentation showing the physicians had independently reviewed and signed off on each visit's final billing code, consistent with the practice's existing compliance policy.
The investigation was redirected toward the EHR vendor's implementation practices. The practice was not charged, and the matter against the physicians was closed without any CFAA or healthcare fraud referral.
For more information on how Eisner Gorin LLP can help, contact our offices today.
