BreachExchange mailing list archives
Sixth Circuit Rejects FCA Claim Based on Health Data Breach
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Tue, 15 Mar 2016 17:15:52 -0600
http://www.natlawreview.com/article/sixth-circuit-rejects-fca-claim-based-health-data-breach

On March 7, 2016, the U.S. Court of Appeals for the Sixth Circuit decided United States ex rel. Sheldon v. Kettering Health Network, affirming a district court's dismissal of a lawsuit alleging violations of the False Claims Act (FCA) relating to an alleged data breach. The relator alleged that violations of the HITECH Act caused the submission of false claims to the government.

Under the HITECH Act of 2009, the federal government will pay health care providers money for making "meaningful use" of electronic health records (EHR) technology. Providers who receive payments under the HITECH Act must certify compliance with approximately two-dozen meaningful use objectives. These objectives include compliance with various regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA), which require, inter alia, conducting security risk analyses, addressing the encryption/security of data stored in certified EHR technology, and implementing policies and procedures to prevent, detect, contain and correct security violations.

The relator in this case, Vicki Sheldon, alleged that defendant Kettering Health Network (Kettering) falsely certified compliance with HITECH's meaningful use objectives. Sheldon based her allegations on two letters she received from Kettering informing her that Kettering employees impermissibly accessed her Protected Health Information (PHI). In addition, Sheldon alleged that Kettering failed to run "CLARITY" reports at appropriate intervals. These reports are a tool present in Kettering's EHR software and allegedly help providers monitor improper access to PHI.

The district court concluded — and the Sixth Circuit agreed — that Sheldon's allegations were insufficient to survive Kettering's motion to dismiss. The court concluded that Kettering's individual breaches did not violate the HITECH Act.
The Act and its implementing regulations require providers to maintain appropriate security protocols, not to prevent every possible data breach. In fact, the HITECH Act and the HIPAA regulations it incorporates by reference require providers to respond appropriately to breaches, and thus contemplate the occasional breach. Indeed, the only reason that Sheldon learned of the breaches was because Kettering informed her of them. The court suggested that Kettering's notification letters actually hurt Sheldon's case, because it was clear that Kettering had a breach-response protocol in place and was responding appropriately to them by informing affected individuals.

Accordingly, the court concluded, Kettering's "attestation of compliance [with the HITECH Act] is not rendered false by virtue of individual breaches." And absent a false statement, Sheldon could not allege the existence of a false claim under the FCA.

As to Sheldon's claim that Kettering failed to run CLARITY reports at an appropriate frequency, the court concluded that "[n]either the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports."

Ultimately, the court concluded that allegations of data breaches cannot by themselves show that a certifying entity under the HITECH Act made a false certification to the government. This is undoubtedly an important ruling for defendants threatened with claims lying at the intersection between data breach legislation and the FCA.