Explore the intersection of HIPAA violations and the False Claims Act, highlighting compliance strategies to mitigate legal risks in healthcare.
For years, the Government pushed back against the notion that violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] could constitute a basis for False Claims Act (FCA) liability.[2] After all, the United States Department of Health and Human Services, Office for Civil Rights (HHS-OCR) had, and continues to have, the authority to enforce violations of the HIPAA Privacy, Security and Breach Notification Rules.[3]
An initial shift occurred with two events: (1) the Meaningful Use Program; and (2) the June 2016 Supreme Court Opinion in Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 1995 (2016), which addressed materiality. A matter is material if a reasonable person “would attach importance to [it] in determining his choice of action in the transaction” or “if the defendant knew or had reason to know that the recipient of the representation attaches importance to the specific matter ‘in determining his choice of action,’ even though a reasonable person would not.”[4]
Subsequently, in October 2021, the United States Department of Justice (DOJ) announced its Civil Cyber Fraud Initiative (hereinafter “Cyber Initiative”). The first FCA case that DOJ intervened in and settled under the Cyber Initiative involved government contracts with the State Department and Air Force to provide medical services, with an express requirement of HIPAA and HITECH Act compliance to ensure that the confidentiality, integrity and availability of individually identifiable health information (IIHI) remained intact through adequate technical, administrative and physical safeguards. That settlement underscored that alleged HIPAA violations are material and can form the basis of an FCA case.
The purpose of this article is to highlight different types of FCA cases involving HIPAA and/or the HITECH Act, and to underscore key areas of compliance that persons creating, receiving, maintaining and/or transmitting IIHI (which, in the context of government contracts, also constitutes federal contract information (FCI)) may utilize to mitigate liability.
Analysis
The FCA, often referred to as the “Lincoln Law,” dates back to 1863 and remains the Federal Government’s primary fraud-fighting tool for returning monies to the federal fisc. HIPAA passed in August 1996, and Congress expressly delegated authority to HHS to promulgate regulations to protect the privacy and security of an individual’s IIHI. In February 2009, the HITECH Act came into being, along with the Meaningful Use Program, which provided grants to electronic health record (EHR) companies and providers alike to offset the costs of transitioning to electronic patient records and interoperability. Under the program, HHS offered incentive payments to healthcare providers that adopt certified EHR technology and meet certain requirements relating to their use of the technology, including compliance with HIPAA and the HITECH Act.[5] EHR companies had a similar obligation when obtaining product certification: attest that their product satisfies applicable HHS-adopted criteria, including HIPAA/HITECH Act compliance, and be approved by an accredited independent certifying entity approved by HHS.[6]
Pursuant to 45 CFR § 164.530(c)(1), covered entities and business associates must have in place appropriate technical, administrative and physical safeguards “to protect the privacy of protected health information.” Protected health information (PHI) is a subset of IIHI. Additionally, reasonable safeguarding of PHI “from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” is material.[7] Under the FCA, a breach is not required for liability to attach.[8]
Despite privacy and security being material to IIHI, one of the first successful FCA cases involving HIPAA/HITECH Act violations was United States ex rel. Delaney v. eClinicalWorks LLC, 2:15-CV-00095-WKS (D. Vt.), which settled in May 2017 for $155 million.[9]
Where does the requirement to comply with HIPAA/HITECH Act appear in Government contracts, grants or claims for payment submitted to Government Programs (e.g., Medicare, Medicaid and TRICARE)? First, as the Supreme Court stated in Escobar, “[a] defendant can have ‘actual knowledge’ that a condition is material even if the Government does not expressly call it a condition of payment.”
Eventually, other cases followed. As Table A demonstrates, subsequent FCA cases have nuances in terms of the type of HIPAA/HITECH Act violations, the types of defendants and their intertwining with other health care laws. Select cases appear below:
Another area to watch is class action cases. For example, Gary Silvers, et al. v. HCA Healthcare, Inc., Case No. 3:20-cv-00684 (M.D. Tenn.), which affected 11 million individuals at 170 hospitals, recently settled.[20] This case is illustrative of a class action where HIPAA Privacy and Security Rule violations predicated on failure to secure IIHI and PHI led to a large-scale data breach.[21] It underscores that, when considering financial, reputational and legal liability, persons covered under HIPAA must consider the impact of potential class action lawsuits in addition to government enforcement actions and FCA cases.
Risk Mitigation
A prudent place to begin when considering ways to mitigate liability is an Enterprise Risk Management (ERM) program. The American Health Law Association “accepted the definition of ERM as, ‘a discipline that engages professionals in the practice of identifying, managing, controlling, and monitoring all risks to the organization.’”[22] In terms of cybersecurity and fraud, waste and abuse (FWA), persons need to consider a holistic approach that mitigates financial, legal, operational and reputational liability. A first step for cybersecurity/HIPAA compliance is to conduct an annual risk analysis to understand the ingress and egress of data, as well as compliance with the requisite technical, administrative and physical safeguards, information blocking and privacy requirements.[23]
A prudent second step is to use the seven elements set forth in 42 CFR § 483.85, which include the following: (1) written policies and procedures; (2) compliance leadership and oversight; (3) training and education; (4) effective lines of communication with the compliance officer and a disclosure program; (5) enforcing standards: consequences and incentives; (6) risk assessment, auditing, and monitoring; and (7) responding to detected offenses and developing corrective action initiatives.[24] These items are equally applicable to HIPAA/cybersecurity and to FWA, including the FCA. Finally, the November 2023 HHS-OIG Guidance is a comprehensive roadmap that highlights FWA, HIPAA, cybersecurity and other related laws and regulations.[25] In sum, given the material nature of FWA, HIPAA and cybersecurity, prevention and risk mitigation are critical.
Conclusion
The Seventh Circuit’s Opinion in Sayeed signals a sea change in courts’ integration of HIPAA and the FCA. The last known United States Appellate Court to do so was the Sixth Circuit in Sheldon in 2016, which underscores that it is compliance with HIPAA and the HITECH Act, and not a breach, that forms the basis of liability. Since 2016, the DOJ, through the FCA, has deemed material a variety of different cases involving HIPAA and HITECH violations, as illustrated in Table A. Therefore, when evaluating cybersecurity, HIPAA and FWA compliance programs, effectiveness is critical, as is addressing all gaps associated with technical, administrative and physical safeguards to ensure the confidentiality, integrity and availability of IIHI and PHI.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
[1] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (Aug. 21, 1996), as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5 (Feb. 2009) (“HITECH Act”).
[2] 31 U.S.C. §§ 3729-3733.
[3] 45 C.F.R. Parts 160 and 164, Subparts A and E (the “Privacy Rule”); Health Insurance Reform: Security Standards; Final Rules at 45 C.F.R. Parts 160 and 164, Subparts A and C (the “Security Rule”); Breach Notification for Unsecured Protected Health Information; Interim Final Rule at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Rule”); and Administrative Simplification: Enforcement; Interim Final Rule at 45 C.F.R. Part 160 (the “Enforcement Rule”).
[4] United States ex rel. Lemon v. Nurses To Go, Inc., 924 F.3d 155, 163 (5th Cir. 2019) (quoting Escobar I, 136 S. Ct. at 2002-03 (alteration in original) (quoting Restatement (Second) of Torts § 538 (1976))).
[5] U.S. Dep’t of Justice, Press Release, Electronic Health Records Vendor to Pay $155 Million to Settle False Claims Act Allegations (May 31, 2017), https://www.justice.gov/archives/opa/pr/electronic-health-records-vendor-pay-155-million-settle-false-claims-act-allegations#:~:text=For%20Immediate%20Release,meaningful%20use”%20of%20EHR%20technology; see also United States of America v. Greenway Health, LLC, Complaint, Case No. 2:19-cv-00020 (D. Vt. Feb. 6, 2019) (illustrating another electronic health records vendor case where attestations were falsified in order to become certified by HHS).
[6] Id.
[7] 45 CFR § 164.530(c)(1)(2)(i).
[8] Sheldon v. Kettering Health Network, 2016 U.S. App. LEXIS 4236 (6th Cir. 2016) (involving a single breach claim of wrongful access of PHI without any additional knowledge of specific HIPAA and HITECH Act deficiencies).
[9] Id.
[10] U.S. Dep’t of Justice, Press Release, Warner Chilcott Agrees to Plead Guilty to Felony Health Care Fraud Scheme and Pay $125 Million to Resolve Criminal Liability and False Claims Act Allegations (Oct. 29, 2015), https://www.justice.gov/archives/opa/pr/warner-chilcott-agrees-plead-guilty-felony-health-care-fraud-scheme-and-pay-125-million.
[11] Id.
[12] U.S. Dep’t of Justice, Press Release, Electronic Health Records Vendor To Pay The Largest Settlement In the District of Vermont (May 31, 2017), https://www.justice.gov/usao-vt/pr/electronic-health-records-vendor-pay-largest-settlement-district-vermont.
[13] Id.
[14] U.S. Dep’t of Justice, Press Release, Kansas Hospital Agrees to Pay $250,000 To Settle False Claims Act Allegations (May 31, 2019), https://www.justice.gov/usao-ks/pr/kansas-hospital-agrees-pay-250000-settle-false-claims-act-allegations.
[15] U.S. Dep’t of Justice, Press Release, Kansas Hospital Agrees to Pay $250,000 To Settle False Claims Act Allegations (May 31, 2019), https://www.justice.gov/usao-ks/pr/kansas-hospital-agrees-pay-250000-settle-false-claims-act-allegations.
[16] U.S. Dep’t of Justice, Press Release, Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan (Mar. 8, 2022) (noting that in the interest of full disclosure, Rachel V. Rose represented Dr. Lawler, the whistleblower who brought forth the cybersecurity and HIPAA allegations).
[17] See https://www.justice.gov/archives/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability (Mar. 14, 2023).
[18] The inter-related violations of patients’ privacy rights and downstream remuneration constitute violations of both the AKS and HIPAA, both of which form the basis of a valid False Claims Act (FCA) case. Stop Illinois Health Care Fraud, LLC v. Sayeed, et al., 100 F.4th 899 (7th Cir. 2024).
[19] Sayeed at 905 (emphasis added).
[20] See https://hcahealthcaresettlement.com (last visited Jul. 18, 2025).
[21] See https://www.classaction.org/media/silvers-et-al-v-hca-healthcare-inc.pdf.
[22] R.V. Rose, Enterprise Risk Management and Your Medical Practice (Dec. 5, 2013), https://www.physicianspractice.com/view/enterprise-risk-management-and-your-medical-practice.
[23] R.V. Rose, HIPAA highlights: 2 disturbing class actions, OCR risk analysis enforcement (Apr. 24, 2025), https://www.physicianspractice.com/view/hipaa-highlights-2-disturbing-class-actions-ocr-risk-analysis-enforcement.
[24] R.V. Rose, Two Different HHS Office Items to Note.
[25] HHS-OIG, General Compliance Program Guidance (Nov. 2023), https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.