News & Insights  |  Newsletters

Sixth Circuit: Notice of a Data Breach Alone Is Insufficient to Support an FCA Case

April 2016

In an important case for HITECH-certifying companies, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s decision to dismiss a False Claims Act (FCA) case premised on an alleged data breach. In United States ex rel. Sheldon v. Kettering Health Network, No. 15-3075, 2016 U.S. App. Lexis 4236 (6th Cir. Mar. 7, 2016), the relator alleged that the defendant, Kettering, violated the FCA by falsely certifying compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act to receive “meaningful use” incentive payments allegedly exceeding $75 million. Specifically, the court rejected allegations that Kettering’s failure to run specific reports and notification of two potential data breaches evidenced the company’s knowing non-compliance with HITECH requirements.

Health Data Protection Requirement

Under the HITECH Act, the U.S. government will pay eligible health care providers incentives for adopting electronic health record technology. However, to receive such incentives, health care providers, like Kettering, must certify compliance with a set of “meaningful-use objectives” and accompanying measures of compliance. One of the meaningful-use objectives requires providers to protect electronic health information created or maintained by the electronic health record technology adopted through implementation of appropriate technical capabilities. To that end, to obtain incentive payments, providers are required to periodically certify that they have taken certain actions, such as security risk analyses and addressing the encryption/security of data stored in electronic health record technology. They must also certify compliance with the security and privacy standards established under HIPAA, including regulations requiring the implementation of policies and procedures to prevent, detect, contain, and correct security failures, among other requirements.

Here, Sheldon alleged that certifications Kettering submitted to receive incentive compensation under HITECH were false because Kettering did not comply with the meaningful-use objectives. Sheldon’s complaint relied on two letters she received from Kettering informing her that employees—one of whom was her former husband—improperly accessed her electronic personal health information (e-PHI), which she argued evidenced Kettering’s failure to comply with HITECH. Sheldon also argued that Kettering’s failure to regularly run “CLARITY” reports designed to monitor improper access to e-PHI rendered Kettering’s certifications false.

Appellate Analysis

The Sixth Circuit, affirming the district court’s decision to dismiss, rejected Sheldon’s position, writing that her “claim that [Kettering’s] individual breaches each constituted violation of the HITECH Act is an incorrect conclusion of law.” Notably, because compliance under the Act is “premised on the process of analyzing and reviewing security policies and procedures; attestation of compliance is not rendered false by virtue of individual breaches.” Indeed, the court indicated that the language of the governing regulation “plainly contemplates occasional breaches of e-PHI” and agreed that the “regulations . . . do not impose a strict liability standard that requires hospitals to prevent all privacy breaches.” As such, the court held that Kettering’s notices to relator regarding inappropriate access to her e-PHI could not, by themselves, render “false” Kettering’s certifications of HITECH compliance.

Like the district court, the Sixth Circuit also rejected Sheldon’s argument with respect to the CLARITY reports, holding that there is nothing in HITECH requiring Kettering to use a particular e-PHI product or vendor to run a specific type of monitoring report.

While the Sixth Circuit did not go as far as to say that repeated data breaches could not be indicative of a provider’s failure to comply with HITECH, providers should find some comfort in knowing that a circuit court has rejected the proposition that data breach notifications alone evidence non-compliance with HITECH for purposes of the FCA.

For more information, please contact Brandon J. Moss.