In 2016, former C-suite executives from Kansas-based Coffey Health System filed a federal whistleblower lawsuit alleging the health system lied to the federal government about being in compliance with security standards to receive meaningful use incentive payments.
Now, three years later, the health system has agreed to repay $250,000 of the $2.2 million it received in incentive payments as part of a settlement announced May 31 with the Department of Justice (DOJ) over alleged False Claims Act violations.
The DOJ alleges that Coffey Health System, which operates a 25-bed critical access hospital located in Burlington, Kansas, falsely attested that it conducted or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013, according to a DOJ press release. They allege that also put the security of electronic health records (EHRs) at risk.
The health system says it's an issue of complex documentation
Wichita attorney Gary Ayers of Foulston Siefkin LLP, who is representing the health system, said the hospital denies any wrongdoing and has maintained that it properly implemented its EHR system and correctly documented it.
"The whistleblower lawsuit did not involve patient care issues, but rather complicated health care regulations regarding how to move from paper records to electronic records," he said.
Coffey decided to settle the lawsuit rather than continue the litigation with the government "because of the additional attorney’s fees and the risk of an unfavorable outcome, which is always possible in litigation," Ayers said. Also, Coffey was concerned the litigation with the government would distract its staff from their primary mission, he said.
The case could be a lesson for other hospitals.
Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell who did not work on this case, told FierceHealthcare that in light of the settlement, every organization that submitted a meaningful use attestation should review its records and assess what support exists for each element of the attestation.
"If no documentation can be found and/or pieced together, then it may be beneficial to consider taking an affirmative step to address the issue with HHS (the Department of Health and Human Services) before the approach is made to the organization," Fisher said.
When HHS began auditing healthcare organizations for meaningful use attestations, many organizations were concerned about the security assessment aspect, Fisher said.
"Reports from those audits suggested that many organizations did not have sufficient if any, documentation to demonstrate that the required security assessment occurred. If the security assessment did not occur, then the meaningful use submission arguably contained an intentional false statement," he said.
He added, "Overall, the settlement underscores the inherent obligation to ensure that all necessary and appropriate documentation exists to support and back up any claim made to a government program."
Whistleblower lawsuit leads to DOJ investigation
According to the federal whistleblower lawsuit that was unsealed late last month, the Kansas hospital lied to the federal government so it would receive millions in incentive payments for using technology meant to better patient care. It was filed in January 2016 by former Coffey Health Chief Information Officer Bashar Sean Awad and former corporate compliance officer and grant writer Cynthia McKerrigan in the U.S. District Court for the District of Kansas.
The lawsuit was filed under the qui tam, or whistleblower, provisions of the False Claims Act, which permit private individuals to sue on behalf of the government for false claims and to share in any recovery.
The American Recovery and Reinvestment Act of 2009 established the EHR incentive program to encourage the healthcare sector to adopt and demonstrate meaningful use of their EHR systems. HHS offered incentive payments to providers that adopted certified EHR platforms as well as those that met requirements relating to its technology use.
Coffey Health System told the Medicare and Medicaid programs that it performed essential risk analyses in compliance with security standards meant to ensure the privacy and security of patient information on its EHR system when it actually didn't, the lawsuit alleges. These false attestations were made starting between 2011 and 2012 to the present, the lawsuit alleges.
According to the lawsuit, Awad said he performed a basic security test that revealed the hospital used a shared firewall, meaning anyone could access private patient records “simply by logging in to Coffey’s website through its IP address at the local schools or libraries, without any users names or passwords."
The lawsuit also alleges that from 2014 to the present the hospital falsely attested that the data it submitted to Medicare and Medicaid were captured and exported from its EHR, when it fact they were not. The data were reported manually, the lawsuit alleges.
As a result of the false attestations, the hospital collected at least $3 million in incentive payments.
Ayers said the lawsuit claims that the hospital had not properly documented its activities in implementing its EHR in 2012 and 2013. "The alleged missing documentation was related to incentive payments from HHS that were designed to assist hospitals like CHS in converting their old paper medical records to electronic medical records," he said.
The government decided to intervene in March 2016 and take over the action, according to court documents. The DOJ settlement resolves allegations in the lawsuit, the federal government said.
As whistleblowers, Awad and McKerrigan will receive a fifth about the settlement amount, approximately $50,000.
"Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records,” U.S. Attorney Stephen McAllister said in a statement. “This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.”