On March 7, 2016, the U.S. Court of Appeals for the Sixth Circuit decided United States ex rel. Sheldon v. Kettering Health Network, affirming a district court’s dismissal of a lawsuit alleging violations of the False Claims Act (FCA) relating to an alleged data breach. The relator alleged that violations of the HITECH Act caused the submission of false claims to the government.
Under the HITECH Act of 2009, the federal government pays incentive payments to health care providers that make “meaningful use” of electronic health records (EHR) technology. Providers who receive payments under the HITECH Act must certify compliance with approximately two-dozen meaningful use objectives. These objectives include compliance with various regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA), which require, inter alia, conducting security risk analyses, addressing the encryption/security of data stored in certified EHR technology, and implementing policies and procedures to prevent, detect, contain and correct security violations.
The relator in this case, Vicki Sheldon, alleged that defendant Kettering Health Network (Kettering) falsely certified compliance with HITECH’s meaningful use objectives. Sheldon based her allegations on two letters she received from Kettering informing her that Kettering employees impermissibly accessed her Protected Health Information (PHI). In addition, Sheldon alleged that Kettering failed to run “CLARITY” reports at appropriate intervals. These reports are a tool present in Kettering’s EHR software and allegedly help providers monitor improper access to PHI.
The district court concluded – and the Sixth Circuit agreed – that Sheldon’s allegations were insufficient to survive Kettering’s motion to dismiss. The court concluded that the individual breaches at Kettering did not, by themselves, establish a violation of the HITECH Act. The Act and its implementing regulations require providers to maintain appropriate security protocols, not to prevent every possible data breach. In fact, the HITECH Act and the HIPAA regulations it incorporates by reference require providers to respond appropriately to breaches, and thus contemplate the occasional breach. Indeed, the only reason Sheldon learned of the breaches was that Kettering informed her of them. The court suggested that Kettering’s notification letters actually hurt Sheldon’s case, because they showed that Kettering had a breach-response protocol in place and was responding appropriately to the breaches by informing affected individuals. Accordingly, the court concluded, Kettering’s “attestation of compliance [with the HITECH Act] is not rendered false by virtue of individual breaches.” And absent a false statement, Sheldon could not allege the existence of a false claim under the FCA.
As to Sheldon’s claim that Kettering failed to run CLARITY reports at an appropriate frequency, the court concluded that “[n]either the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports.”
Ultimately, the court concluded that allegations of data breaches cannot by themselves show that a certifying entity under the HITECH Act made a false certification to the government. This is undoubtedly an important ruling for defendants threatened with claims lying at the intersection between data breach legislation and the FCA.