This entry is part 45 of 60 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – MU Attester Allegedly Bearing False Claims. Is this the Beginning of a New Flavor of Enforcement?

On January 22, 2014, the US District Court for the Eastern District of Texas handed down an indictment that is, to my knowledge, the first of its kind. United States of America v. Joe White addresses allegations of false statements regarding meaningful use of a Certified Electronic Health Record Technology (CEHRT) resulting in receipt of approximately $785,655 from the Medicare EHR Incentive Program.

Today’s big RISK ANALYSIS TIP – Double-Check the Quality, Completeness and Accuracy of Your HIPAA Risk Analysis

The indictment includes two counts: 1) a violation of Title 18, United States Code Section 1001 – False Statement; and, 2) Title 18, United States Code Section 1028A – Aggravated Identity Theft.  Both charges are of interest, but the False Statement (AKA False Claim) charge is of greatest interest.

Mr. White, former CFO, is alleged to have made false claims and statements and also to have used false documents. He is further alleged to have created and used a User ID under the name of the Director of Nursing, who apparently knew better and refused to complete the attestation.

All specific allegations of false statements center on various core objectives and certain menu set objectives.

As part of the attestation process, an Attestation Disclaimer is presented and reads as follows:

I certify that the foregoing information is true, accurate, and complete.  I understand that the Medicare EHR Incentive Program payment I requested will be paid from Federal funds, that by filing this attestation I am submitting a claim for Federal funds and that the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare EHR Incentive Program payment, may be prosecuted under applicable Federal or State criminal laws and may also be subject to civil penalties.

Is Risk Analysis the Next Frontier?

In this case of United States of America v. Joe White, no specific reference is made to Core Objective 14 (Risk Analysis) in Stage 1 or Core Objective 7 (Risk Analysis) in Stage 2.  Will we begin to see False Claims Act filings based on failure to have completed a bona fide HIPAA Risk Analysis?

Importance of a Rigorous HIPAA Risk Analysis 

Failure to meet the HIPAA Security Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A) will likely result in violations of the HIPAA Security Rule[1], the Meaningful Use Stage 1 Final Rule[2] and the Meaningful Use Stage 2 Final Rule[3].  Violations of these regulations carry significant penalties under the new Civil Monetary Penalty (CMP) system.

In attesting to completion of the risk analysis requirement for Meaningful Use Stage 1 or Stage 2, organizations also face a more serious liability risk.  In the ONC Guide to Privacy and Security of Health Information[4], the Office of the National Coordinator (ONC) admonishes:

When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.

If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high likelihood risks.

The False Claims Act[5] carries significant consequences for organizations that knowingly submit a false claim to the government. With the commencement of pre-payment audits alongside the post-payment audits provided by CMS[6], it is likely that there will be adverse findings and grounds for filings under the False Claims Act for some hospitals and providers in 2014, given the early results of CMS MU audits and OCR HIPAA enforcement actions.

It is very important to note that while the focus of the Meaningful Use risk analysis requirement is on the Electronic Health Record (EHR) systems, Covered Entities (and Business Associates alike) are required under the HIPAA Security Rule to complete this risk analysis for all information assets and media that create, receive, maintain or transmit ePHI. 

HIPAA Risk Analysis Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.