In an important recent decision, the Sixth Circuit Court of Appeals confirmed that a qui tam relator's claim that her former husband improperly accessed her own electronic protected health information (e-PHI) and that of her relatives, in violation of the Health Information Technology for Economic and Clinical Health Act (HITECH Act or the Act), could not support a False Claims Act (FCA) violation. U.S. ex rel. Sheldon v. Kettering Health Network, 2016 WL 861399 (6th Cir. Mar. 7, 2016).
As a result, providers should take comfort in the Court's conclusion that HITECH "does not impose a strict liability regime penalizing security that is not perfect" but instead mandates that providers "have reasonable and appropriate processes and procedures in place to prevent, detect, contain, and correct security violations," and, more generally, that HITECH violations did not support FCA liability.
The relator alleged that Kettering Health Network (KHN) violated the Act after she received two letters from KHN informing her that the network's own internal investigation revealed that her former husband had improperly accessed e-PHI belonging to her, her daughter and her grandson. The letters informed the relator that the impermissible access violated KHN's policy and procedure, that KHN was investigating the incidents as a breach of HITECH, and that KHN was going to notify the United States Department of Health and Human Services about the breaches. The relator then requested copies of certain reports from the network's EMR system designed to monitor e-PHI for improper access. KHN provided its own "homegrown" reports instead and declined to provide the requested reports.
The relator claimed that KHN violated the FCA by falsely attesting to compliance with HITECH so as to receive Meaningful Use payments "believed to exceed $75 million." Specifically, the relator claimed that the individual incidents in which her ex-husband improperly accessed her e-PHI constituted violations of the Act or evidenced that KHN failed to implement security processes and procedures as required by the Act. She further claimed that the network's failure to run the specific reports she requested breached KHN's duties under the Act.
Importantly, the Court found that the individual incidents of improper e-PHI access could not constitute a violation of HITECH because the Act does not prohibit such incidents. Instead, HITECH requires that providers "[c]onduct or review a security risk analysis," "implement security updates as necessary," "correct identified security deficiencies," and "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." Thus, HITECH compliance is based on the provider's process of reviewing and analyzing security procedures and policies, not a complete absence of security breaches. Indeed, the Court pointed out that CMS materials discussing HITECH compliance indicate that providers do not have to "fully mitigate all risks" of e-PHI breaches before attesting full compliance with the Act, as CMS anticipates some breaches will occur despite compliance.
The relator's claim that KHN lacked adequate policies and procedures under the Act was negated by her allegations that KHN sent her letters alerting her to the breaches that violated the network's policies and procedures. Moreover, the Court noted that the very fact that the letters were sent showed that KHN had at least some procedure in place to detect unauthorized e-PHI access and investigate such access.
The relator claimed that KHN's failure to run the specific report she requested showed that the network did not follow industry standards when protecting e-PHI. The Sixth Circuit agreed with the District Court that "[t]he HITECH Act requires hospitals to implement a system to protect e-PHI; it does not require covered entities to use a particular e-PHI product or vendor or to run a specific type of monitoring report."
The Court also found that the relator had not satisfied Rule 9(b)'s heightened specificity pleading requirements, as neither her complaint nor her proposed amended complaint identified a single specific claim for payment that was false.
The full text of the opinion is available here.