Sixth Circuit Rules That EHR Security Breaches Do Not Violate False Claims Act

King & Spalding

On March 7, 2016, the Sixth Circuit Court of Appeals ruled that security breaches of individual electronic health records (“EHRs”) do not violate the HITECH Act and cannot support False Claims Act allegations.  In United States ex rel. Sheldon v. Kettering Health Network, Case No. 1:14-cv-00345, 2016 WL 861399 (6th Cir. Mar. 7, 2016), the Relator appealed the district court’s dismissal of her qui tam action alleging that Kettering Health Network (“Kettering”) violated the False Claims Act by falsely attesting compliance with the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and by receiving “Meaningful Use” incentive payments as a result.  The Sixth Circuit affirmed the lower court’s holding that the Relator failed to allege that Kettering submitted any false claims to the government.

The HITECH Act requires providers to meet roughly two dozen Meaningful Use objectives and accompanying measures of compliance as a condition of payment.  The Relator alleged that Kettering’s Meaningful Use attestations were false.  Id.  The Relator’s allegations were based on two letters she received from Kettering informing her that her protected health information (“PHI”) had been accessed without permission.  The Relator also alleged that Kettering failed to run regular “CLARITY” reports, used to monitor and prevent inappropriate PHI access.

The Sixth Circuit concurred with the district court’s conclusion that Kettering’s individual breaches did not violate the HITECH Act, as the HITECH Act itself “plainly contemplates occasional breaches.”  Because the HITECH Act requires only having a data security program in place and does not include provisions for specific performance of the program, Kettering’s “attestation of compliance [was] not rendered false by virtue of individual breaches.”  Id.  Additionally, the court held that because the Relator was never an employee of Kettering nor was she involved in any submission of claims, she lacked the requisite “personal knowledge” of any false claims or certification by Kettering, and thus failed to adequately plead a false claim for payment under the FCA.

As to the Relator’s claim that Kettering did not run regular CLARITY reports, the court held that “[n]either the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports,” and accordingly the Relator failed to adequately plead the false statement element of her FCA claim.


Reporter, Katy Lucas, Atlanta, +1 404 572 2822, klucas@kslaw.com.
