HIPAA and False Claims Act, Partners in Fines
Don’t steal. The government hates competition.
The federal False Claims Act prohibits someone from knowingly presenting or causing a false claim for payment if the federal government will pay for that claim. Classic example: Medicare fraud. Providers who bill Medicare for services they did not actually provide and who present the bill with the knowledge that the service was not performed, have committed Medicare fraud. In this case, the provider may be liable for fines, penalties, and even jail time under the False Claims Act.
The False Claims Act is a federal government honeypot. Violators will incur a minimum $11,181 penalty for each separate false claim. Providers who bill Medicare often do not announce their intentions and conceal their activities. Therefore, the federal government has encouraged ordinary individuals to report instances of Medicare fraud. To this end, the False Claims Act contains a “whistleblower recovery” provision. Under this provision, if John or Jane Q publicly report Medicare fraud, and the government then, acting on the person’s tip, recovers money from the fraudster, the federal government may pay John or Jane Q. anywhere from 15 to 30 percent of the damages it recovers from the fraudster. Â
The Department of Justice (DOJ) recently announced an initiative to crack down on cybersecurity-related fraud by government contractors and grant recipients. The crackdown puts healthcare providers who participate in federal healthcare programs in the crosshairs.
Under the new initiative, the False Claims Act may be used against covered entities and business associates who knowingly:
- provide sub-par cybersecurity services;
- misrepresent their cybersecurity practices or protocols; orÂ
- violate obligations to monitor and report cybersecurity incidents and breaches.Â
In certain circumstances, HIPAA also comes into play. HIPAA and False Claims Act liability is discussed in detail below.
HIPAA and False Claims Act Liability: Requirements for Cybersecurity Providers
Cybersecurity products and service providers, as business associates of HIPAA providers, are required by that law to observe specific administrative, physical, and technical safeguards in creating, maintaining, transferring, or receiving electronic protected health information (ePHI). These requirements are found in the HIPAA Security Rule. Another HIPAA rule, the Breach Notification Rule, requires that covered entities and business associates not keep knowledge of breaches of unsecured PHI to themselves. Rather, under the Breach Notification Rule, covered entities and business associates have breach reporting obligations. Generally, if a business associate incurs a data breach, they must notify its covered entity of the breach details. In turn, the covered entity must then inform affected patients, and in the case of larger breaches, media outlets and HHS.Â
HIPAA and False Claims Act compliance cannot be viewed in isolation under the new initiative. HIPAA and the False Claims Act may now work together to prevent cybersecurity providers from taking the federal government for a ride. Picture this scenario: You are a revenue cycle management (“RCM”) company – a HIPAA business associate. You submit claims to Medicare and Medicaid on behalf of your covered entity partner. You experience a security incident, conduct a HIPAA risk assessment, and knowingly (and falsely) conclude that your cybersecurity practices were “just fine,” when in fact they were not “just fine,” and indeed, caused the incident.
You announce your “findings” to the provider. The provider determines that you are not being completely honest with it. The provider determines you, in fact, did not implement the necessary HIPAA safeguards. The specific violation under the new initiative is “knowingly misrepresenting cybersecurity practices or protocols.” HIPAA and False Claims Act liability are now implicated. It is possible that the covered entity, the government, or John Q can allege that, because you misrepresented your practices, you caused the submission of false claims. Meaning the government paid you only because you lied. Say the government paid you $100,000. Under the False Claims Act, can a whistleblower get 15 to 30 percent of the money the government claws back from you? Quite possibly – time, zealous prosecutors, and Supreme Court interpretations of whether the initiative reaches into HIPAA in this manner will tell.
Suppose you ensure that you comply with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule and that you are honest about the particulars of your compliance. In that case, you have one less potential HIPAA and False Claims Act headache to worry about.
