Beware new whistleblowers challenging your MU attestations

Tools

A lawsuit was decided last week that, on its face, may seem unimportant, but likely will have major ripple effects on providers participating in the Meaningful Use program.

A patient of Ohio-based Kettering Health System filed a whistleblower lawsuit claiming that Kettering violated the False Claims Act when it attested that it had met the Meaningful Use requirements after incurring a breach of the patient's medical records. Kettering had sent the whistleblower, Vicki Sheldon, two letters informing her that several employees had impermissibly accessed her electronic medical records. It turns out that the employees included Sheldon's soon-to-be ex-husband and his paramour. Sheldon claimed, among other things, that Kettering violated the False Claims Act because it didn't meet the Meaningful Use objective to protect patient information.

The court rightly upheld a lower court's ruling that Sheldon didn't state a plausible claim under the False Claims Act, and that individual breaches of patient information don't automatically mean that the Meaningful Use attestation was false. Meaningful Use, the court said, requires that providers have and follow certain processes to protect information, which Kettering did.  

The court also pointed out that the False Claims Act requires that there be a specific false claim submitted to the government for payment; Sheldon provided no information regarding the actual amount of the Meaningful Use incentive payment(s) Kettering had requested or received. She couldn't even identify who from Kettering had attested.

The fact that it was dismissed may make it look like this case, and others like it, are losers for whistleblowers.

Not so, though. Sheldon was onto something.

This case is actually very significant. It opens the door to the fact that a situation with a better fact pattern could be a violation of the False Claims Act, even without nefarious intent. This development is not to be taken lightly. This is from a federal circuit court, just one court level below the U.S. Supreme Court.

And the Kettering decision created a simple roadmap regarding what a court will look for to make a False Claims Act claim based on Meaningful Use attestation stick.     

  • The whistleblower must know what incentive payment(s) the attesting provider asked for and received. 
  • The whistleblower also needs information showing that the provider didn't meet one or more Meaningful Use objectives.  

And that's huge. It could open the floodgates for all sorts of similar false claims based on Meaningful Use attestation.

For example, let's take a look at the security of information MU objective at issue here. The court in Kettering noted that there is no strict liability standard and that the Centers for Medicare & Medicaid Services has advised that providers must take steps to protect information, but need not fully mitigate all risks of breaches before attesting. So a breach or breaches may not automatically mean that a provider isn't providing adequate security to patient records.

But that's not the same as saying breaches don't ever result in false attestations. It's going to depend on the circumstances surrounding the breach(es) and what steps a provider took to keep patient data secure. The court noted that Kettering had policies and procedures to protect patient information; in fact, the security breach notification letters Kettering sent Sheldon specifically said that the breaches were in violation of their policies. 

Kettering may also have been given some slack. It would be highly unlikely that Kettering could have foreseen that Sheldon's soon-to-be former husband would have an affair with another Kettering employee and that they would decide to access Sheldon's records. 

That's not the same as having lax security. And plenty of providers fall short here.

Providers cannot lie to the government about whether they met the Meaningful Use requirements. We've already seen from the Joe White prosecution that false certifications can lead to restitution and jail time. However, that case was egregious, with White attesting to Meaningful Use even though his hospital still used paper records and fudged its documentation.

What happened to Kettering could happen to any provider.

The question will be where the line will be drawn between Joe White and Kettering. How far does a provider have to go to ensure that it has met a Meaningful Use objective and thus prove that its attestation is legitimate?

Whistleblowing in healthcare is at an all-time high. Successful whistleblowers receive a percentage of the money recovered from a lawsuit, so they're incentivized to file such lawsuits on behalf of the government.   

This is one ripple that may well end up a flood. - Marla (@MarlaHirsch and @FierceHealthIT)

Related Articles:
EHR security breach does not constitute false Meaningful Use attestation
Meaningful Use attesters: Beware the False Claims Act
False MU attester sentenced; DCCA awarded MU system contract
Former hospital CFO to repay $4.4M over EHR fraud
Former hospital CFO pleads guilty of false MU attestation