
Court: Just because your SRA doesn't work doesn't mean you didn't do it

The U.S. Sixth Circuit Court of Appeals has ruled that just because you've had a breach notification (or two!) doesn't mean you didn't fulfill the security risk assessment (SRA) requirement of meaningful use, Politico reports.
 
The ruling, issued March 7, comes in the case of United States of America ex rel. Vicki Sheldon v. Kettering Health Network. Plaintiffs charged that their patient health information (PHI) files were exposed, and that this meant Kettering, an Ohio health system, was out of compliance with meaningful use as required under the HITECH Act and had therefore defrauded the U.S. with a false claim when it took incentive payment money for complying.
 
The Court disagreed:
In this case, Relator alleges that KHN falsely certified its compliance with the HITECH Act’s requirements, and that KHN received meaningful-use incentive payments as a result. This allegation is premised on two conclusions drawn from the facts outlined in her complaint: first, that the individual breaches alleged in the complaint either constitute violations of the Act in themselves or suggest KHN failed to implement security policies and procedures; and second, that KHN’s failure to run CLARITY reports on a regular basis constituted a breach of its duties under the Act. Because these conclusions are either facially implausible or based on incorrect conclusions of law, we affirm the district court’s dismissal of Relator’s suit pursuant to Rule 12(b)(6).

The plaintiff had offered in support of her claim the fact that Kettering had not produced regular reports on the privacy performance of its EHR system, and that when it did produce them they were "'homegrown' reports" that "contained inconsistent information regarding the users who had impermissibly accessed Relator’s e-PHI." The Court retorted that "neither the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports, or to purchase and use a particular brand of EHR software."
