Sixth Circuit Denies Improper Disclosure of Protected Health Information as Claim under False Claims Act

POSTED MAY 5, 2016

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

The Sixth Circuit Court of Appeals upheld the lower court’s dismissal of a lawsuit in which the plaintiff sued under the False Claims Act over the improper access of her protected health information (“PHI”). In Sheldon v. Kettering Health Network, 2016 U.S. App. LEXIS 4236 (2016), Sheldon received a letter from Kettering stating that there had been an improper disclosure of her PHI. Sheldon argued that this disclosure demonstrated Kettering’s failure to implement procedures and mechanisms to keep her information safe, a requirement of HIPAA and HITECH. Sheldon’s suit further claimed that Kettering falsely stated that it was in compliance with the security requirements so it could receive meaningful use incentive payments. Sheldon claimed that this act specifically violated the False Claims Act because the incentive payments received by Kettering were based on its false certification of compliance.

The court did not agree with Sheldon, though, and found that the breach of PHI did not necessarily mean that Kettering was in violation of HITECH or HIPAA. Instead, the court stated that HITECH and HIPAA clearly contemplated occasional breaches of PHI, even when proper mechanisms are put in place and regulations are followed. Additionally, the court opined that there is no strict liability standard for breach of the regulations, nor do the regulations require hospitals to prevent all breaches of PHI. The court found that because breaches can occur even when a hospital is abiding by required regulations, a breach in and of itself is not sufficient to characterize Kettering’s representation of compliance with HIPAA and HITECH as a false one that warrants a cognizable claim under the Act.

The Court’s decision is helpful for healthcare providers whose customers may suffer an occasional breach in spite of their compliance with HIPAA and HITECH, and simultaneously creates a higher threshold that plaintiffs must meet to satisfy a claim under the False Claims Act. Plaintiffs’ attorneys will need to find other ways to establish private causes of action for disclosure of PHI.
