[BreachExchange] Sixth Circuit Rejects FCA Claim Based on Health Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 15 19:15:52 EDT 2016


http://www.natlawreview.com/article/sixth-circuit-rejects-fca-claim-based-health-data-breach

On March 7, 2016, the U.S. Court of Appeals for the Sixth Circuit decided
United States ex rel. Sheldon v. Kettering Health Network, affirming a
district court’s dismissal of a lawsuit alleging violations of the False
Claims Act (FCA) relating to an alleged data breach.  The relator alleged
that violations of the HITECH Act caused the submission of false claims to
the government.

Under the HITECH Act of 2009, the federal government will pay health care
providers money for making “meaningful use” of electronic health records
(EHR) technology.  Providers who receive payments under the HITECH Act must
certify compliance with approximately two-dozen meaningful use objectives.
These objectives include compliance with various regulations promulgated
under the Health Insurance Portability and Accountability Act (HIPAA),
which require, inter alia, conducting security risk analyses,
addressing the encryption/security of data stored in certified EHR
technology, and implementing policies and procedures to prevent, detect,
contain and correct security violations.

The relator in this case, Vicki Sheldon, alleged that defendant Kettering
Health Network (Kettering) falsely certified compliance with HITECH’s
meaningful use objectives.  Sheldon based her allegations on two letters
she received from Kettering informing her that Kettering employees
impermissibly accessed her Protected Health Information (PHI).  In
addition, Sheldon alleged that Kettering failed to run “CLARITY” reports at
appropriate intervals.  These reports are a tool present in Kettering’s EHR
software and allegedly help providers monitor improper access to PHI.

The district court concluded – and the Sixth Circuit agreed – that
Sheldon’s allegations were insufficient to survive Kettering’s motion to
dismiss.  The court concluded that Kettering’s individual breaches did not
violate the HITECH Act.  The Act and its implementing regulations require
providers to maintain appropriate security protocols, not to prevent every
possible data breach.  In fact, the HITECH Act and the HIPAA regulations it
incorporates by reference require providers to respond appropriately to
breaches, and thus contemplate the occasional breach. Indeed, the only
reason that Sheldon learned of the breaches was because Kettering informed
her of them.  The court suggested that Kettering’s notification letters
actually hurt Sheldon’s case, because it was clear that Kettering had a
breach-response protocol in place and was responding appropriately to them
by informing affected individuals.  Accordingly, the court concluded,
Kettering’s “attestation of compliance [with the HITECH Act] is not
rendered false by virtue of individual breaches.” And absent a false
statement, Sheldon could not allege the existence of a false claim under
the FCA.

As to Sheldon’s claim that Kettering failed to run CLARITY reports at an
appropriate frequency, the court concluded that “[n]either the Act nor the
HIPAA regulations to which it refers require that providers adhere to a
particular schedule for running reports.”

Ultimately, the court concluded that allegations of data breaches cannot by
themselves show that a certifying entity under the HITECH Act made a false
certification to the government.  This is undoubtedly an important ruling
for defendants threatened with claims lying at the intersection between
data breach legislation and the FCA.