EHR security breach does not constitute false Meaningful Use attestation

Suffering individual security breaches of electronic patient health information does not by itself make a provider's attestation of Meaningful Use false, so receiving incentive payments on that attestation does not necessarily violate the False Claims Act.

The U.S. Court of Appeals for the Sixth Circuit has upheld a lower district court's ruling that dismisses a whistleblower's lawsuit against Ohio-based Kettering Health System. Kettering had sent the whistleblower, Vicki Sheldon, two security breach notification letters informing her that several employees, including her ex-husband, had impermissibly accessed her electronic protected health information (PHI) in Kettering's electronic health record. The employees also impermissibly ran an expired medication report that included Sheldon's information. When she asked Kettering for access reports of her PHI, the hospital provided Sheldon with "homegrown" reports, but not "clarity" reports directly from its system.

Sheldon claimed, among other things, that Kettering violated the False Claims Act by falsely attesting to Meaningful Use since the hospital failed to meet the Meaningful Use objective to protect patient electronic information. She also claimed that Kettering violated the law because it did not run regular "clarity" reports.

The appeals court agreed with the lower court that Sheldon failed to state a plausible claim under the False Claims Act. Individual breaches of patient information are not in themselves a violation of the HITECH Act, which created the Meaningful Use program; compliance is premised on having a process for analyzing and reviewing a provider's security policies and procedures.

The court noted that the Centers for Medicare & Medicaid Services' own guidance on meeting Meaningful Use objectives states that providers need not "fully mitigate all risks" of breaches before attesting. The court also held that neither the breach notifications nor the impermissible running of the medication report rendered the attestation false. Moreover, the law requires neither that EHR software reports be run on a schedule nor that any particular software be used to run them.

Sheldon claimed that Kettering falsely certified that it had met Meaningful Use, but she did not identify a specific false claim for payment, as the False Claims Act requires; alleging that unnamed people must have attested is not sufficient.

Providers can still be liable under the False Claims Act for falsely certifying Meaningful Use. A hospital's chief financial officer was sentenced to prison in 2015 for falsely attesting and was ordered to pay $4.4 million in restitution.

To learn more:
- here's the court decision (.pdf)