Cybersecurity scenarios leading to false claims act recoveries

On March 30, 2022, Sara McClean, Assistant Director of the Litigation Branch of the Department of Justice, appeared in her individual capacity on Fraud in America – The Department of Justice’s Civil Cyber-Fraud Initiative. During the podcast, she highlighted the first settlement by the Department of Justice under its civil cyber-fraud initiative, which involved two main areas of false and fraudulent claims: (1) failure to store medical records on a secure EMR system; and (2) illicit procurement of controlled substances that were not FDA or EMA approved.

This article highlights DOJ and HHS-OCR settlements, which involve cybersecurity and/or privacy violations related to the creation, receipt, transmission, maintenance, and/or sale of protected health information, which could trigger liability under the False Claims Act:

• United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al. and United States ex rel. Watkins et al. v. CHS Middle East, LLC(EDNY) – civil settlement in the amount of $930,000 to resolve two False Claims Act qui tam cases. While both cases raised the issue of illicit procurement of controlled substances, only Dr. Lawler’s case addressed the lack of cybersecurity standards and HIPAA compliance, which put confidential medical records at risk. “The investigation and resolution of this matter illustrates the government’s emphasis on combatting cyberfraud.”
• United States ex rel. Delaney v. e ClinicalWorks, LLC (D. Vt.)– civil settlement in the amount of $155 million and a Corporate Integrity Agreement (CIA) to resolve a False Claims Act qui tam case for “ECW falsely obtaining that certification [under the EHR Incentive Program] for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification.” In turn, providers relied on the ECW’s EHR being certified as meeting certain standards in its attestations to the government that the requisite criteria were met and approved by an accredited independent certifying entity. “In its complaint-in-intervention, the government contends that ECW falsely obtained that certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification.”
• United States ex rel. Awad v. Coffey Health System (D. Kan.) - civil settlement in the amount of $250,000 to resolve a False Claims Act qui tam case for the hospital’s “submission [of] false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program. … To obtain the payments, providers must attest that they satisfy applicable HHS-adopted criteria, including measures for analyzing and addressing security risks to electronic health records.” Said another way, the attestation that providers were required to sign in order to obtain the funds included complying with HIPAA’s Security Rule, which has defined technical, administrative, and physical safeguard requirements.
• Warner Chilcott Health Care Fraud & HIPAA Violations (D. Mass.) – criminal and civil liability for pharmaceutical company Warner Chilcott, as well as individuals, for the illegal promotion of drugs through paying kickbacks to physicians in order to gain access to patient medical records and submit and cause to submit claims for payment by government agencies. In addition to the former president of Warner Chilcott being arrested, “three former district managers pleaded guilty or agreed to plead guilty to conspiracy to commit healthcare fraud and criminal HIPAA violations, and a Springfield, Mass. Physician was indicted for taking kickbacks, criminal HIPAA violations and obstruction of justice.” The then Inspector General of HHS-OIG added, “[p]aying kickbacks and even providing instructions on how to defraud Medicare are practices that will not be tolerated.”

These four cases highlight that failing to adhere to government contract and claims submission requirements and attesting that the requisite HIPAA technical, administrative, and physical safeguards are being met and/or that patients’ protected health information is kept private and not accessed or sold without their knowledge and consent in exchange for some form of remuneration, is material to the government’s willingness to pay claims and even enter into contracts in the first place – whether through the State Department or participation in various programs administered through HHS.

In March 2022, HHS-OCR, the division that is tasked with enforcing HIPAA and relatedly, an individual’s civil rights, announced an enforcement action that is in line with the DOJ’s cybersecurity initiatives and the types of cases that led to False Claims Act liability previously mentioned in this article. Specifically, “a dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.” Providing access to PHI for remuneration, including to a third-party marketing company, is analogous to what happened in the Warner Chilcott case – instead of prescriptions, it was for votes.

In sum, the DOJ has highlighted four paths that led to False Claims Act liability involving cybersecurity and/or HIPAA violations. This is an important area to watch as more laws are passed and coordinated enforcement by various government agencies increases.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.