On March 7, 2016, the U.S. Court of Appeals for the Sixth Circuit decided United States ex rel. Sheldon v. Kettering Health Network, affirming a district court’s dismissal of a lawsuit alleging violations of the False Claims Act (FCA) relating to an alleged data breach. The relator alleged that violations of the HITECH Act caused the submission of false claims to the government.
Under the HITECH Act of 2009, the federal government pays health care providers for making “meaningful use” of electronic health records (EHR) technology. Providers who receive payments under the HITECH Act must certify compliance with roughly two dozen meaningful use objectives. These objectives include compliance with various regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA), which require, inter alia, conducting security risk analyses, addressing the encryption and security of data stored in certified EHR technology, and implementing policies and procedures to prevent, detect, contain and correct security violations.
The relator in this case, Vicki Sheldon, alleged that defendant Kettering Health Network (Kettering) falsely certified compliance with HITECH’s meaningful use objectives. Sheldon based her allegations on two letters she received from Kettering informing her that Kettering employees impermissibly accessed her Protected Health Information (PHI). In addition, Sheldon alleged that Kettering failed to run “CLARITY” reports at appropriate intervals. These reports are a tool present in Kettering’s EHR software and allegedly help providers monitor improper access to PHI.
The district court concluded – and the Sixth Circuit agreed – that Sheldon’s allegations were insufficient to survive Kettering’s motion to dismiss. The court concluded that Kettering’s individual breaches did not violate the HITECH Act. The Act and its implementing regulations require providers to maintain appropriate security protocols, not to prevent every possible data breach. In fact, the HITECH Act and the HIPAA regulations it incorporates by reference require providers to respond appropriately to breaches, and thus contemplate the occasional breach. Indeed, the only reason that Sheldon learned of the breaches was because Kettering informed her of them. The court suggested that Kettering’s notification letters actually hurt Sheldon’s case, because it was clear that Kettering had a breach-response protocol in place and was responding appropriately to them by informing affected individuals. Accordingly, the court concluded, Kettering’s “attestation of compliance [with the HITECH Act] is not rendered false by virtue of individual breaches.” And absent a false statement, Sheldon could not allege the existence of a false claim under the FCA.
As to Sheldon’s claim that Kettering failed to run CLARITY reports at an appropriate frequency, the court concluded that “[n]either the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports.”
Ultimately, the court concluded that allegations of data breaches cannot by themselves show that a certifying entity under the HITECH Act made a false certification to the government. This is undoubtedly an important ruling for defendants threatened with claims lying at the intersection between data breach legislation and the FCA.
The Department of Health and Human Services Office of Inspector General (OIG) issued an update to its Work Plan on May 28 that included several new Medicare-related topics for OIG audit or inspection. These additions expand OIG’s work in areas that OIG has previously identified as priorities, such as hospital-based services, lab testing and Part D payments. These new topics included:
- Hospital outpatient intensity-modulated radiation therapy claims;
- Payments for clinical diagnostic laboratory tests, including the top 25 clinical diagnostic laboratory tests by Medicare expenditures in 2014. This report is required by the Protecting Access to Medicare Act;
- Compliance with various aspects of the inpatient rehabilitation facility prospective payment system, including the documentation required by 42 CFR § 412.622(a)(3), (4) and (5); and
- Examining billing trends within the Part D program, especially those for opioid drugs and pharmacy billing patterns.
OIG also announced several new programmatic studies and reports, including:
- Examining hospital preparedness for public health emergencies due to high-risk infectious diseases.
- Identifying best practices and possible challenges in Accountable Care Organizations’ (ACO) use of electronic health records, such as interoperability issues.
- Whether the durable medical equipment competitive bidding program is affecting beneficiary access to certain items, citing to “anecdotal reports [that] allege that competitive bidding has led to reduced access to DME and, in turn, compromised the quality of care beneficiaries receive” as the reason for adding this review.
- Creating a portfolio report of the OIG’s Medicare Part D oversight work to summarize OIG audits, evaluations, legal opinions and investigative work, and provide progress information on recommendations to improve oversight of the program by the Centers for Medicare & Medicaid Services (CMS), plan sponsors and Medicare Drug Integrity Contractors (MEDICs). This report will likely be similar to the 2012 portfolio report highlighting OIG’s work on personal care services.
- Examining CMS’s management of the Open Payments program, including CMS’ oversight of manufacturers’ and group purchasing organizations’ compliance with data reporting requirements and whether the required data for physician and teaching hospital payments is accurately and completely displayed in the publicly available database.