[BreachExchange] EHR security breach does not constitute false Meaningful Use attestation

[Audrey McNeil]

http://www.fierceemr.com/story/ehr-security-breach-does-not-constitute-false-meaningful-use-attestation/2016-03-14

Incurring individual security breaches of electronic patient health
information does not necessarily mean that a provider's attestation of
meeting Meaningful Use and receiving incentive payments is in violation of
the False Claims Act.

The U.S. Court of Appeals for the Sixth Circuit has upheld a lower district
court's ruling that dismisses a whistleblower's lawsuit against Ohio-based
Kettering Health System. Kettering had sent the whistleblower, Vicki
Sheldon, two security breach notification letters informing her that
several employees, including her ex-husband, had impermissibly accessed her
electronic protected health information (PHI) in Kettering's electronic
health record. The employees also impermissibly ran an expired medication
report that included Sheldon's information. When she asked Kettering for
access reports of her PHI, the hospital provided Sheldon with "homegrown"
reports, but not "clarity" reports directly from its system.

Sheldon claimed, among other things, that Kettering violated the False
Claims Act by falsely attesting to Meaningful Use since the hospital failed
to meet the Meaningful Use objective to protect patient electronic
information. She also claimed that Kettering violated the law because it
did not run regular "clarity" reports.

The court, however, agreed with a lower court's ruling that Sheldon failed
to state a plausible claim pursuant to the False Claims Act. Individual
breaches of patient information are not considered a violation of the
HITECH Act, which created the Meaningful Use program; compliance is
premised on having a process of analyzing and reviewing a provider's
security policies and procedures.

The court noted that the Centers for Medicare & Medicaid Services' own
guidance regarding meeting Meaningful Use objectives states that providers
need not "fully mitigate all risks" of breaches before attesting. The court
also stated that neither the breach notification nor the impermissible
running of the medication report rendered the attestation false. Moreover,
the law neither requires scheduled running of reports of EHR software nor
that particular software be used to run reports.

Sheldon claimed that Kettering falsely certified that it had met Meaningful
Use, but provided no specific false claim for payment as required by the
False Claims Act; implying that attestation had occurred by unnamed people
is not sufficient.

Providers can be liable under the False Claims Act for falsely certified to
Meaningful Use. A hospital's chief financial officer was sentenced to
prison in 2015 for false attesting and ordered to pay $4.4 million in
restitution.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160314/acb8f732/attachment.html>