The Sixth Circuit Court of Appeals, in US ex rel. Sheldon v. Kettering Health Network, affirmed the dismissal of a False Claims Act (“FCA”) suit alleging fraud based upon certifications of compliance with the HITECH Act and a data breach.
The HITECH Act, or Health Information Technology for Economic and Clinical Health Act, encourages the adoption of electronic medical records. Providers receive incentive payments for adopting EMR and meeting certain “meaningful use” objectives and compliance requirements. Data security is included in those requirements.
Kettering Health Network (“KHN”), the defendant in the action, is a health network that includes hospitals and physicians. KHN certified that it implemented a system to protect electronic data as part of its HITECH certifications, and KHN did receive incentive payments.
Vicki Sheldon was the qui tam relator, or whistleblower, in the action. Her husband, Duane Sheldon, was having an affair with an employee, and the two of them accessed Mrs. Sheldon’s protected health information. Mrs. Sheldon was advised of this breach by a letter from KHN, which she argued demonstrated a per se violation of the HITECH Act and, therefore, of the FCA.
The court explicitly rejected that argument, noting that the HITECH Act and subsequent regulations required a security risk assessment, security updates and correction of “identified security deficiencies,” all of which had been performed. They did not require perfect prevention of breaches. CMS itself anticipated security deficiencies and required ongoing efforts to identify and correct them.
Health care providers can read this Sixth Circuit decision, which is binding in Kentucky, Michigan, Ohio and Tennessee, and persuasive in other jurisdictions, to offer protection from the FCA where electronic data breaches occur notwithstanding compliance with the HITECH Act.