Health Insurance Portability and Accountability Act

According to a report released last week, the Health Care Fraud and Abuse Control Program (HCFAC) returned over $3.3 billion to the federal government or private individuals as a result of its health care enforcement efforts in fiscal year (FY) 2016, its 20th year in operation. Established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) under the authority of the Department of Justice (DOJ) and the Department of Health and Human Services (HHS), HCFAC was designed to combat fraud and abuse in health care. The total FY 2016 return represents an increase over the $2.4 billion amount reported by the agencies for FY 2015.

The report serves as a useful resource to understand the federal health care fraud enforcement environment. It highlights costs and returns of federal health care fraud enforcement, providing not only amounts recovered from settlements and awards related to civil and criminal investigations but also outlining funds allocated for each departmental function covered by the HCFAC appropriation. Total HCFAC allocations to HHS for 2016 totaled $836 million (approximately $255 million of which was allocated to the HHS Office of Inspector General (OIG)) and allocations to DOJ totaled $119 million. The report touts a return on investment of $5 for every dollar expended over the last three years.

The report also includes summaries of high-profile criminal and civil cases involving claims of violations of the False Claims Act (FCA), among other claims. The cases include OIG and HHS enforcement actions as well as some of those pursued by the Medicare Fraud Strike Force, which is an interagency task force composed of OIG and DOJ analysts, investigators, and prosecutors. Successful criminal and civil investigations touch virtually all areas of the health care industry from various health care providers to pharmaceutical companies, device manufacturers and health maintenance organizations, among others.

The report follows an announcement by the DOJ last December declaring FY 2016’s recovery of more than $4.7 billion in settlements and judgments from civil cases involving fraud and false claims in all industry sectors to be its third highest annual recovery, the bulk of which, $2.5 billion, resulted from enforcement in the health care industry.

The issue is one that various courts have addressed over the years: what recourse does a corporation have when a relator steals confidential information and discloses it to his or her attorney and to the government? The answer is . . . it depends. It depends on the scope of the materials taken, their relationship to the relator’s claim, and the breadth of the disclosure.

On March 7, 2016, the U.S. Court of Appeals for the Sixth Circuit decided United States ex rel. Sheldon v. Kettering Health Network, affirming a district court’s dismissal of a lawsuit alleging violations of the False Claims Act (FCA) relating to an alleged data breach.  The relator alleged that violations of the HITECH Act caused the submission of false claims to the government.

Under the HITECH Act of 2009, the federal government will pay health care providers money for making “meaningful use” of electronic health records (EHR) technology. Providers who receive payments under the HITECH Act must certify compliance with approximately two dozen meaningful use objectives. These objectives include compliance with various regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA), which require, inter alia, conducting security risk analyses, addressing the encryption/security of data stored in certified EHR technology, and implementing policies and procedures to prevent, detect, contain and correct security violations.

The relator in this case, Vicki Sheldon, alleged that defendant Kettering Health Network (Kettering) falsely certified compliance with HITECH’s meaningful use objectives.  Sheldon based her allegations on two letters she received from Kettering informing her that Kettering employees impermissibly accessed her Protected Health Information (PHI).  In addition, Sheldon alleged that Kettering failed to run “CLARITY” reports at appropriate intervals.  These reports are a tool present in Kettering’s EHR software and allegedly help providers monitor improper access to PHI.

The district court concluded – and the Sixth Circuit agreed – that Sheldon’s allegations were insufficient to survive Kettering’s motion to dismiss.  The court concluded that Kettering’s individual breaches did not violate the HITECH Act.  The Act and its implementing regulations require providers to maintain appropriate security protocols, not to prevent every possible data breach.  In fact, the HITECH Act and the HIPAA regulations it incorporates by reference require providers to respond appropriately to breaches, and thus contemplate the occasional breach. Indeed, the only reason that Sheldon learned of the breaches was because Kettering informed her of them.  The court suggested that Kettering’s notification letters actually hurt Sheldon’s case, because it was clear that Kettering had a breach-response protocol in place and was responding appropriately to them by informing affected individuals.   Accordingly, the court concluded, Kettering’s “attestation of compliance [with the HITECH Act] is not rendered false by virtue of individual breaches.” And absent a false statement, Sheldon could not allege the existence of a false claim under the FCA.

As to Sheldon’s claim that Kettering failed to run CLARITY reports at an appropriate frequency, the court concluded that “[n]either the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports.”

Ultimately, the court concluded that allegations of data breaches cannot by themselves show that a certifying entity under the HITECH Act made a false certification to the government.  This is undoubtedly an important ruling for defendants threatened with claims lying at the intersection between data breach legislation and the FCA.

The Office of Audit Services of the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services has begun a nationwide audit of a random sample of providers that have received incentive payments for achieving “meaningful use” under the Medicare Electronic Health Record (EHR) Incentive Program from January 1, 2011 to June 30, 2014.  Medicare pays EHR incentive payments for up to five years to physicians and hospitals that achieve meaningful use of certified EHR technology each year.  Providers that fail to achieve meaningful use face payment reductions beginning in 2015.

The OIG announced its intention to conduct these audits in its Work Plan for FY 2015. The OIG stated that it will review certain, but not all, meaningful use measures to determine whether providers received incentive payments in error.  Among the measures covered by the OIG audits is the core meaningful use measure that requires providers to conduct a comprehensive security risk analysis in accordance with the Health Insurance Portability and Accountability Act Security Rule.

OIG is sending audit notice letters requesting specific information and documents, including documentation of compliance with the particular meaningful use measures under review, to each provider in the audit sample. Providers should have documentation for each of the measures such as measure calculation reports printed from the provider’s EHR system, security risk analysis reports, and dated screen prints that demonstrate that the provider met the measure during the meaningful use reporting period or otherwise by the applicable deadline.

When responding to the OIG audits, providers should be mindful that deficiencies identified for one physician in a physician group, or for one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way. Thus, the incentive payments at risk in an audit may be greater than the payments to the particular provider being audited.

The OIG audits are in addition to the meaningful use audits conducted by Figliozzi & Company, the outside audit contractor of the Centers for Medicare and Medicaid Services. Unlike the Figliozzi audits, which cover an MU attestation for a single meaningful use reporting period, the OIG audits cover incentive payments paid from January 1, 2011 through June 30, 2014. 2011 is the first year that Medicare paid EHR incentive payments. For more information about the Figliozzi meaningful use audits, see “What Have We Learned from Audits under the Medicare EHR Incentive Program?”