The U.S. Court of Appeals for the Sixth Circuit recently affirmed a district court’s dismissal of a whistleblower lawsuit alleging violations of the False Claims Act based on an individual security breach. The case, United States ex rel. Sheldon v. Kettering Health Network, arose after the relator (or whistleblower) received letters from Kettering Health Network (KHN) informing her that KHN employees, including her now ex-husband, impermissibly accessed her medical records.

The relator argued that the unauthorized access led to the submission of false claims to the government under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act provides financial incentive payments for providers that satisfy “meaningful use” standards for their electronic health record systems. The meaningful use standards include certain data security safeguards. Kettering Health Network (KHN) received incentive payments under the HITECH Act after certifying that it met the meaningful use standards. The relator argued that KHN's certification that it met meaningful use standards was false as a result of the data breach. The relator further argued that the false certification constituted a violation of the False Claims Act.

The district court dismissed the case for failure to state a claim and the Sixth Circuit affirmed. The Sixth Circuit agreed with the lower court that an individual security breach is not proof that KHN failed to meet the meaningful use standards under the HITECH Act. The HITECH Act requires providers to implement policies and procedures to prevent, detect, and correct security violations. However, the Sixth Circuit noted that “attestation of compliance [with meaningful use standards] is not rendered false by virtue of individual breaches.” The court also noted that the HITECH Act requires providers to take appropriate actions in the event of a breach, thus contemplating the occasional breach.

The relator also argued that KHN failed to run certain compliance reports to monitor impermissible access to PHI on an appropriate schedule. The Sixth Circuit rejected this argument, noting that the HITECH Act does not require providers to adhere to a particular schedule for running reports.

This Sixth Circuit decision, which is binding in Michigan, confirms that an individual security breach does not, by itself, constitute a false certification of meaningful use compliance under the HITECH Act.