
Polsinelli - Health Care
         

  

April 2016

  

Appeals Court Confirms that HITECH Violations Do Not Violate FCA

  

 
 

  

     

  

 
 

  

For more information about this e-Alert, please contact:

  

Brian F. McEvoy

404.253.6021


  

Sidney Welch

404.253.6047


  

Jeremy Burnette

404.253.6059


  

  


  


   

In an important recent decision, the Sixth Circuit Court of Appeals confirmed that a qui tam relator's claim that her former husband improperly accessed electronic protected health information (e-PHI) belonging to her and her relatives, in violation of the Health Information Technology for Economic and Clinical Health Act (HITECH Act or the Act), could not support a False Claims Act (FCA) violation. U.S. ex rel. Sheldon v. Kettering Health Network, 2016 WL 861399 (6th Cir. Mar. 7, 2016).

As a result, providers should take comfort in the Court's conclusion that HITECH "does not impose a strict liability regime penalizing security that is not perfect" but instead mandates that providers "have reasonable and appropriate processes and procedures in place to prevent, detect, contain, and correct security violations" and, more generally, that HITECH violations did not support FCA liability.

The relator alleged that Kettering Health Network (KHN) violated the Act after she received two letters from KHN informing her that the network's own internal investigation revealed that her former husband had improperly accessed e-PHI belonging to her and her daughter and grandson. The letters informed the relator that the impermissible access violated KHN's policy and procedure, KHN was investigating the incidents as a breach of HITECH, and KHN was going to notify the United States Department of Health and Human Services about the breaches. The relator then requested copies of certain reports from the network's EMR system designed to monitor e-PHI for improper access. KHN provided its own "homegrown" reports instead and declined to provide the requested reports.

The relator claimed that KHN violated the FCA by falsely attesting to compliance with HITECH so as to receive Meaningful Use payments "believed to exceed $75 million." Specifically, the relator claimed that the individual incidents in which her ex-husband improperly accessed her e-PHI constituted violations of the Act or evidenced that KHN failed to implement security processes and procedures as required by the Act. She further claimed that the network's failure to run the specific reports she requested breached KHN's duties under the Act.

Importantly, the Court found that the individual incidents of improper e-PHI access could not constitute a violation of HITECH because the Act does not prohibit such incidents. Instead, HITECH requires that providers "[c]onduct or review a security risk analysis," "implement security updates as necessary," "correct identified security deficiencies," and "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." Thus, HITECH compliance is based on the provider's process of reviewing and analyzing security procedures and policies, not a complete absence of security breaches. Indeed, the Court pointed out that CMS materials discussing HITECH compliance indicate that providers do not have to "fully mitigate all risks" of e-PHI breaches before attesting full compliance with the Act, as CMS anticipates some breaches will occur despite compliance.

The relator's claim that KHN lacked adequate policies and procedures under the Act was negated by her allegations that KHN sent her letters alerting her to the breaches that violated the network's policies and procedures. Moreover, the Court noted that the very fact that the letters were sent showed that KHN had at least some procedure in place to detect unauthorized e-PHI access and investigate such access.

The relator claimed that KHN's failure to run the specific report she requested showed that the network did not follow industry standards when protecting e-PHI. The Sixth Circuit agreed with the District Court that "[t]he HITECH Act requires hospitals to implement a system to protect e-PHI; it does not require covered entities to use a particular e-PHI product or vendor or to run a specific type of monitoring report."

The Court also found that the relator had not satisfied Rule 9(b)'s heightened specificity pleading requirements, as neither her complaint nor her proposed amended complaint identified a single specific claim for payment that was false.


For More Information

For questions regarding this information, please contact one of the authors, a member of Polsinelli’s Health Care practice, or your Polsinelli attorney.

 
 

  

     

  

 
         

 

 

 

  

     

  

 
 


 
 

  

     

  

 
 

  


  

 
 

  

     

  

 
 


Copyright © 2016 Polsinelli PC.

 
             