In United States ex rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016), the Sixth Circuit affirmed the lower court’s dismissal of a False Claims Act (“FCA”) suit based on a data breach involving electronic health records. The relator alleged that defendant Kettering Health Network (“Kettering”) violated the FCA by falsely certifying its compliance with the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act” or the “Act”), under which it received incentive payments from the federal government. The Sixth Circuit held that the conduct the relator complained of in this case did not constitute a violation of the Act, particularly as the defendant had policies and procedures in place to protect the information. As a result, the relator had not alleged facts that established a false statement or a false attestation of compliance. The panel also held that dismissal of the complaint was independently warranted because the relator had failed to plead any false claims for payment submitted to the government with the particularity required by Rule 9(b).
The HITECH Act was designed to encourage health care providers to adopt the use of electronic health records (“EHR”).1 Under the Act the federal government makes incentive payments to health care providers that meet certain standards for the use of EHR technology. To receive such payments, a provider must certify that it meets roughly two dozen “meaningful use” objectives, one of which relates to the protection of electronically maintained health information.2 Providers must comply with certain Health Insurance Portability and Accountability Act (“HIPAA”) standards, including implementing encryption mechanisms, sanctioning those who fail to comply, and implementing policies to review system activity.3 Kettering allegedly certified that it had implemented the required protections, and therefore received such government payments.
The relator sued Kettering under the FCA, alleging that the hospital’s handling of her protected health information showed that Kettering was not in compliance with the HITECH Act. Arguing Kettering’s compliance certification was false, she sought recovery of the “meaningful use” payments, which were substantial. Specifically, the relator alleged that her then-husband, a Kettering employee, had accessed her medical records as well as those of other individuals, in the course of an affair with another Kettering employee. The relator learned of the breach when she was notified of it by a letter from Kettering. After learning of the breach, she asked the hospital to provide her with certain EHR system monitoring reports that she alleged should be routinely run, but the hospital refused to do so. From this, she inferred that the hospital did not run the reports at all and alleged that its assumed failure to do so was another breach of HITECH that made Kettering’s compliance attestations false. While this federal suit was pending but still under seal, the relator filed suit in Ohio state court alleging state law torts arising from the same data breach.4
The district court granted Kettering’s motion to dismiss, finding that the relator had not plausibly alleged a violation of the HITECH Act, that she had failed to plead with sufficient particularity any specific false claims submitted by Kettering, and that the Ohio state court’s final judgment dismissing Sheldon’s state tort case served as res judicata to bar her FCA claims as well.
The Sixth Circuit’s Decision
The Sixth Circuit affirmed, unanimously holding that the relator had failed adequately to plead a “false statement” or a “claim for payment” as required by the FCA.5
With regard to the alleged false statements, the court reasoned that the HITECH Act and its implementing regulations require that Kettering take certain steps to secure its system, including conducting a risk analysis and implementing appropriate security policies and procedures for its EHR system. The Sixth Circuit found, however, that the alleged individual breaches did not amount to a violation of the HITECH Act, nor did the relator’s allegations regarding the individual breaches show a lack of the policies and procedures required by the Act. In reaching that conclusion, the court noted that the Act contemplates that breaches may occur even when policies and procedures are in place, and does not impose strict liability for such occurrences. Furthermore, Kettering’s response to the alleged breaches demonstrated that it had measures in place to detect and investigate unauthorized access. As for Kettering’s decision not to provide the specific monitoring report requested by the relator, the court concluded that HITECH itself did not require the use of specific software, let alone use of that specific report; thus, even if the court credited the relator’s assumption that failing to provide the report to her meant the report had not been run at all, the relator had failed to allege a violation of the Act.
The Sixth Circuit also affirmed the district court’s determination that relator’s complaint failed to allege any false claims with the specificity required by Rule 9(b). In the Sixth Circuit, there is “[a] clear and unequivocal requirement that a relator allege specific false claims” in order to survive a motion to dismiss an FCA complaint. Sheldon, 816 F.3d at 411. A relator must plead with specificity “characteristic” examples that are “illustrative of the class” of claims covered by the alleged scheme. Id. at 412. Here, the relator failed to point to any specific claim for payment and instead relied on the assumption that false claims “must have been submitted at some point.” Because this approach is one the Sixth Circuit had previously held fails to satisfy Rule 9(b), the panel held the complaint had been properly dismissed.
Implications of the Decision
The Sixth Circuit’s decision offers some comfort to entities that must comply with the HITECH Act. A data breach and the resulting harms are distinct from a violation of the laws and regulations governing the protection of that data. Specific disclosures of information cannot be assumed to be sufficient to show non-compliance with a broader obligation to implement data security policies and procedures. Furthermore, the response to a data breach actually provides an entity with an opportunity to demonstrate its adherence to its policies and procedures.