Sixth Circuit Affirms Dismissal of FCA Claim Based on Health Data Breaches

Saul Ewing LLP

The U.S. Court of Appeals for the Sixth Circuit recently affirmed the dismissal of a False Claims Act (FCA) case premised on protected health data breaches.  In United States ex rel. Sheldon v. Kettering Health Network, the relator alleged that employees of Kettering Health Network (“KHN”), including her former husband, impermissibly accessed and shared the relator’s electronic personal health information (“e-PHI”).  The relator argued that those actions violated the FCA because the Health Information Technology for Economic and Clinical Health Act (“HITECH”) required healthcare providers to comply with data security standards.  KHN had certified compliance with HITECH, and had received “meaningful use” incentive payments pursuant to the Act, but had in fact failed to comply.  

The district court dismissed the case for failure to state a claim under the FCA, and the Sixth Circuit affirmed. The Circuit Court agreed that, while HITECH requires providers to implement technology to protect e-PHI, “individual breaches do not negate compliance.”  HITECH required only that providers reduce risks of breaches to a “reasonable and appropriate level.”  Indeed, the “language [of the Act] plainly contemplates occasional breaches of e-PHI.”  

Furthermore, the relator’s allegation that the breaches indicated a lack of required policies and procedures was belied by the relator’s own Complaint.  The Court concluded that KHN had procedures in place in light of the relator’s assertions that KHN had sent the relator breach notification letters advising her of “‘inappropriate/unauthorized [breaches] in violation of [KHN] policy and procedure,’ that KHN conducted an investigation, and that it would be notifying [the Department of Health and Human Services] of the breach.”

Next, the Court held that KHN did not violate HITECH by allegedly failing to run a particular brand of compliance reports on a specific schedule because neither HITECH nor HIPAA “require that providers adhere to a particular schedule for running reports, or to purchase and use a particular brand of EHR software.” 

The Sixth Circuit also agreed with the district court that the FCA claims failed because the relator had not pled a specific claim for payment under the FCA, lacked personal knowledge of the alleged fraud, and had brought her claim after a prior state court action based upon the same facts was dismissed.

The Sixth Circuit’s decision confirms that individual e-PHI data breaches do not constitute per se HITECH violations.  Nevertheless, providers should not rest on their laurels.  The Court did not foreclose the possibility that an egregious violation of HITECH could give rise to FCA liability.

 

Written by:

Saul Ewing LLP