Hospital to Pay $250,000 After Alleged False HITECH Claims

Electronic Healthcare Records , Governance , HIPAA/HITECH

Whistleblowers Say Hospital Falsely Attested to Conducting Risk Analysis for EHR Incentive Program(HealthInfoSec) • June 4, 2019    Hospital to Pay $250,000 After Alleged False HITECH Claims

A Kansas hospital has agreed to pay $250,000 to settle allegations that it falsely attested to conducting a security risk analysis as required under the HITECH Act electronic health records financial incentives program. Two whistleblowers in the case - the hospital's former CIO and corporate compliance officer - who filed a lawsuit under the federal False Claims Act - will receive $50,000 of the settlement.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

The hospital had received at least $3 million in HITECH payments for its "meaningful use" of EHRs, federal regulators say.

The case illustrates the important role insiders can play in efforts in safeguard data.

"There are usually at least a few employees who know all of an entity's information security secrets, and this case demonstrates that these secrets sometimes can be very valuable in a False Claims Act action," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is not involved in the case. "Entities should not assume that security failures that don't result in a breach will go unnoticed."

"The government contended that the hospital submitted false claims to the Medicare and Medicaid programs pursuant the EHR incentive program."
—U.S. Department of Justice

Federal regulators have taken enforcement action against a handful of other organizations in cases involving alleged fraud related to the HITECH Act EHR incentive program.

'False Claims'

In a May 31 statement, the U.S. Department of Justice alleges Coffey Health System, which operates 25-bed Coffey County Hospital, a critical access hospital in Burlington, Kansas, falsely attested that the hospital conducted and/or reviewed security risk analyses in accordance with requirements under the HITECH Act incentive program for the reporting periods of 2012 and 2013.

"The government contended that the hospital submitted false claims to the Medicare and Medicaid programs pursuant the EHR incentive program," the justice department says in the statement.

Under the HITECH EHR "meaningful use program," the Department of Health and Human Services offers incentive payments to healthcare providers that adopt certified EHR technology and meet certain requirements relating to their use of the technology. To obtain the payments, providers must attest that they satisfy applicable HHS-adopted criteria, including measures for analyzing and addressing security risks to electronic health records, the Justice Department notes.

"Providers who fail to properly ensure the security of electronic health records must be held accountable," said Steve Hanson, special agent at the HHS Office of Inspector General, Kansas City Region.

Whistleblower Case

The whistleblower case lawsuit documents indicate that in January 2016, Coffey Health System's former CIO, Bashar Awad, and former corporate compliance officer, Cynthia McKerrigan, filed a lawsuit against Coffey in a Kansas federal court on behalf of the U.S. under the False Claims Act.

"Based upon personal knowledge, relevant documents, and information," the two former employees alleged that Coffey had been falsely attesting from 2011 or 2012 to the present to HHS that it was in compliance with certain security standards required to be eligible to receive EHR incentive payments from Medicare and Medicaid, which resulted in HHS wrongfully paying Coffey at least $3 million in incentive payments, the whistleblower lawsuit complaint notes.

The not-for-profit Coffey Health System is a unit of Coffey County, Kansas. In addition to its hospital, it operates a home health agency, five clinics and two long-­term care facilities.

HITECH Requirements

To participate in the EHR incentive program and receive an incentive payment, organizations are required to conduct an accurate and thorough security risk analysis to meet the standards of HIPAA and address any deficiencies identified, court documents note.

"All of [Coffey County Hospital's] yearly security risk attestations from 2012 through the present ... were knowingly false when submitted to the government," the 2016 lawsuit alleged.

CIO's Allegations

Court documents note that in June 2014, Awad began working as a consultant in Coffey's IT department, and in August 2014, he was promoted to CIO.

"By June 2014, Coffey had already made security risk attestations to CMS on at least two separate occasions for the program years 2012 and 2013. Shortly after Awad was promoted to CIO by Coffey in August 2014, Awad promptly sought to obtain copies of Coffey's most recent security risk analysis.

"During this process, Awad confirmed, on several occasions, that no security risk analysis had been performed ... for the years 2011 through 2013," court documents say.

Although the CMS attestation portal noted that Coffey had attested that appropriate security risk analyses had been performed from about 2012 through 2013, Awad learned that there was no documentation to support the attestations, according to the court filing.

After learning that Coffey had never conducted an appropriate risk analysis in 2014, Awad personally conducted some basic tests of Coffey's network security, the lawsuit notes.

During his testing, Awad discovered that Coffey County Hospital shared the same firewall as various Coffey county municipalities, according to the complaint.

"Because Coffey [County Hospital] shared the same firewall as various Coffey county municipalities, anyone could access [the hospital's] private patient records simply by logging into Coffey's website through its IP address at the local schools or libraries, without any usernames or passwords," the whistleblower lawsuit alleges.

Third-Party Analysis

The lawsuit says Awad arranged for a third-party company to perform an appropriate security risk analysis at the hospital in preparation for its upcoming meaningful use attestation to be submitted for 2014, and the assessment was completed by about October 16, 2014.

That risk analysis identified dozens of unique vulnerabilities in the hospital's systems, including five critical vulnerabilities, the complaint states.

Awad reported results of the 2014 security risk analysis to hospital officials and began attempting to address some of the highest priority vulnerabilities, the lawsuit says. But the hospital "was not interested in devoting resources to the 2014 security risk analysis findings and did not provide Awad with adequate tools or support to properly address the deficiencies," the complaint states. "As a result, very few of the deficiencies noted in the security risk analysis were corrected."

Soon after the hospital failed to act on the security risk analysis, it "caused another false security risk attestation to be submitted in 2014 to the government, seeking incentive payments under the EHR incentive programs," the lawsuit contends.

"The truth is that while HIPAA risk analyses are both a legal requirement and a good idea, they are also costly and time consuming, and OCR's preferred methodology often differs from what security professionals consider a risk assessment."
—Adam Greene, Davis Wright Tremaine

Awad refused to support the 2014 attestations by the hospital and was terminated while attempting to correct numerous security deficiencies, the lawsuit states.

Liability Concerns

The former Coffey CIO and compliance officer were likely concerned about their liability and responsibilities down the road, says Susan Lucci, a senior privacy and security consultant at tw-Security.

"What's worse here is that ... there is a huge HIPAA violation in the open access to health records due to the shared firewall which required no username or password to access medical records," she notes.

Other Cases

False attestations, including those related to EHR security features or practices under the HITECH Act, have been the subject of a handful of other enforcement actions by federal regulators.

For instance, in 2015, a former Texas hospital CFO was sentenced to 23 months in federal prison after pleading guilty in a case involving submitting false documents to HHS so that the now-shuttered Shelby Regional Medical Center in East Texas could receive payments under the HITECH Act EHR incentive program.

And in February, the DoJ slapped Greenway Health with a $57.25 million fine under the False Claims Act, with regulators alleging the company misrepresented the capabilities of its EHR software - including those involving data integrity and accuracy - to meet the certification requirements of the HITECH Act EHR incentive program.

Weak Spot

Security risk analyses continues to be a weak spot for many healthcare entities and their business associates.

"It's possible that some other hospitals may have attested [under the HITECH Act] that they completed a security risk analysis but in reality, they performed a HIPAA gap assessment against the HIPAA audit protocol," notes Keith Fricke, principal consultant at tw-Security. "A HIPAA gap analysis and a risk analysis are not the same. "

In addition to attestations in the meaningful use EHR incentive program, HIPAA requires that covered entities and business associates conduct thorough, enterprisewide risk analysis of PHI. The the failure of entities to conduct those risk analyses has often been at the center of HHS Office for Civil Rights HIPAA enforcement actions.

"The truth is that while HIPAA risk analyses are both a legal requirement and a good idea, they are also costly and time consuming, and OCR's preferred methodology often differs from what security professionals consider a risk assessment," Greene notes. "The result continues to be a lot of gap assessments, risk assessments that don't capture all of the organization's ePHI or entities continually putting off starting one."

Fricke offers a similar assessment. "Organizations may not fully understand what a security risk analysis really entails, and if they attempt completing risk analyses themselves, they may not get it right. In some cases, a risk analysis may have been completed, but no action ever taken on the findings. In other cases, the risk analysis was not complete."

Coffey Health System did not immediately respond to Information Security Media Group's request for comment on the case.