HIPAA Risk Analysis Tip – MU Attester Allegedly Bearing False Claims. Is this the Beginning of a New Flavor of Enforcement?
On January 22, 2014, the US District Court for the Eastern District of Texas handed down an indictment that is, to my knowledge, the first of its kind. United States of America v. Joe White addresses allegations of false statements regarding meaningful use of a Certified Electronic Health Record Technology (CEHRT) resulting in receipt of approximately $785,655 from the Medicare EHR Incentive Program.
Today’s big RISK ANALYSIS TIP – Double-Check the Quality, Completeness and Accuracy of Your HIPAA Risk Analysis
The indictment includes two counts: 1) a violation of Title 18, United States Code Section 1001 – False Statement; and, 2) Title 18, United States Code Section 1028A – Aggravated Identity Theft. Both charges are of interest, but the False Statement (AKA False Claim) charge is of greatest interest.
Mr. White, former CFO, is alleged to have made false claims and statements and also to have used false documents. He is further alleged to have created and used a User ID under the name of the Director of Nursing, who apparently knew better and refused to complete the attestation.
All specific allegations of false statements center on various core objectives and certain menu set objectives.
As part of the attestation process, an Attestation Disclaimer is presented and reads as follows:
I certify that the foregoing information is true, accurate, and complete. I understand that the Medicare EHR Incentive Program payment I requested will be paid from Federal funds, that by filing this attestation I am submitting a claim for Federal funds and that the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare EHR Incentive Program payment, may be prosecuted under applicable Federal or State criminal laws and may also be subject to civil penalties.
Is Risk Analysis the Next Frontier?
In this case of United States of America v. Joe White, no specific reference is made to Core Objective 14 (Risk Analysis) in Stage 1 or Core Objective 7 (Risk Analysis) in Stage 2. Will we begin to see False Claims Act filings based on failure to have completed a bona fide HIPAA Risk Analysis?
Importance of a Rigorous HIPAA Risk Analysis
Failure to meet the HIPAA Security Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A) will likely result in violations of the HIPAA Security Rule, the Meaningful Use Stage 1 Final Rule and the Meaningful Use Stage 2 Final Rule. Violations of these regulations carry significant penalties under the new Civil Monetary Penalty (CMP) system.
In attesting to completion of the risk analysis requirement for Meaningful Use Stage 1 or Stage 2, organizations also face a more serious liability risk. In the ONC Guide to Privacy and Security of Health Information, the Office of the National Coordinator (ONC) admonishes:
When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.
If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high likelihood risks.
The False Claims Act carries significant consequences for organizations that knowingly submit a false claim to the government. With the commencement of pre-payment audits along with the post-payment audits provided by CMS, and given the early results of CMS MU audits and OCR HIPAA enforcement actions, it is likely that there will be adverse findings and grounds for filings under the False Claims Act for some hospitals and providers in 2014.
It is very important to note that while the focus of the Meaningful Use risk analysis requirement is on the Electronic Health Record (EHR) systems, Covered Entities (and Business Associates alike) are required under the HIPAA Security Rule to complete this risk analysis for all information assets and media that create, receive, maintain or transmit ePHI.
HIPAA Risk Analysis Resources Available to You
Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)