false claimFalse claims settlements over meaningful use money have popped into the news again.  The provider was sued by whistleblowers and the DOJ for not doing a security risk analysis but attesting to one to get the meaningful use payments anyway.  There is whistleblower’s angle in this case which makes it even more interesting. If you know anyone that has received any meaningful use money they should check out this episode!


False claims settlement for no risk analysis

Let’s change things up a bit here and talk about a Security Risk Analysis for Meaningful Use instead of our normal HIPAA SRA discussion.  A false claim settlement was announced recently between the Department of Justice and Coffey Health System in Kansas.

Many of us are aware that a lot of people just clicked yes to that SRA attestation without having a clue what that really meant much less if they had done one.  I’ve talked with practice administrators who are dealing with the fact that their predecessor did exactly that and now they are being audited.  I tell them just to give the money back and hope they are not charged with fraud.  This story is why I give them that advice.

False claims in billions for healthcare 9 straight years

Before we get down the path about what happened, I want to point out that the DOJ has made multiple announcements about their pursuit of false claims cases.  When they announced the results from these settlements in 2018 it makes the HIPAA settlements seem like chump change:  Justice Department Recovers Over $2.8 Billion from False Claims Act Cases in Fiscal Year 2018.  Yes, that much money.  Some of that came from healthcare EHR companies like Greenway and others from companies accepting EHR incentive money but lying on their attestations.  In fact, while the department got settlements from military contractors for part of that money the vast majority of it, $2.5 billion, came from healthcare alone.

$2.5 billion involved the healthcare industry, including drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians.  This is the ninth consecutive year that the Department’s civil health care fraud settlements and judgments have exceeded $2 billion.

In their announcement of 2018 successes, the DOJ also had this nice quote from Assistant Attorney General Jody Hunt for us to ponder:

The Department of Justice has placed a high priority on rooting out and pursuing those who cheat government programs for their own gain. The recoveries announced today are a message that fraud and dishonesty will not be tolerated.

We keep saying that HIPAA penalties aren’t your biggest issue.  This case reiterates that statement to be sure.  HIPAA has no incentives for people to turn you in, at least not now.  The False Claims Act has had whistleblower incentives since 1986.  If they determine your information is correct and get a settlement you will get paid.  The eCW whistleblower made a major bank.  In 2018, the DOJ says they paid out $301 million to the individuals in whistleblower cases.

The good news is DOJ also says if you turn yourself in before someone else does they will be nicer to you and take into account several other circumstances.

False Claims Case Starts With Whistleblowers

So, what had happened was…..

Coffey Health System in Burlington, Kansas is pretty nice sized for a small town.  It has a home health agency, five clinics and two long-­term care facilities and a twenty-five-bed critical access hospital.  The hospital attested that they met the guidelines for meaningful use payments in both 2012 and 2013.  As most of us know, one of the items you attest to for those payments is that you have completed and/or reviewed a security risk analysis.

This case came to light when two whistleblowers filed a False Claims lawsuit in Jan 2016.  One was the former CIO and the other was the former corporate compliance officer.  Yes, that is two of the people in charge of documenting and attesting for the HITECH payments.  It isn’t someone who may be in the know, they are definitely in the know.

The CIO took over in August 2014.  First thing he did was ask for copies of the most recent SRA.  Sounds like a thing I would expect for a new CIO to do.  Here’s the thing, though.  There wasn’t one.  At least not from 2011 through 2013 which is when they had attested to doing them.  There was documentation that they even tried to do one.

At that point, he did some basic security tests on the network.  Bam, right away found some big problems.  Number one was that they were on the same firewall and network connections with several of the other county government offices.  Things like local schools and libraries were all connected to the hospital network.  Plus, no usernames and passwords were required according to one report.  OMG – run, run like the wind my friend.

Dozens of unique vulnerabilities found including 5 critical
But wait, there’s more.  Once the new CIO saw how much he found with just a few scans he called in a third-party to do the assessment for the 2014 attestation.  They found “dozens of unique vulnerabilities” which included five critical ones.  I would guess it had something to do with sharing the firewall.  Just saying.

You will never believe what happened next.  (Sarcasm is dripping in this spot in case you missed it.)  He submits the report to officials and begins to address the critical issues.  When the powers that be reviewed his report they tell him their decision which is shocking to some (but not to us).  The health system leadership said they were:

not interested in devoting resources to the 2014 security risk analysis findings and did not provide [the CIO] with adequate tools or support to properly address the deficiencies

That means the 2014 attestation was yet another false claims issue because they ignored it.  So the CIO refused to approve the attestation and kept trying to fix the problems.  He was concerned about protecting the patients.  What did the health system leadership do?  They “terminated” him!

Apparently, the compliance officer may have not understood until he explained they hadn’t done one.  But, she either left or was terminated over the incident as well.  The two of them get $50,000 for their trouble because these fraud cases include some payout to the false claims whistleblower.

Other false claims cases include:

The Shelby CFO pled guilty, was sentenced to 23 months in prison, and was personally ordered to pay over four million dollars in restitution.
In 2015, the Eastern District of Texas criminally prosecuted the former Chief Financial Officer (CFO) of Shelby Regional Medical Center for making false statements in connection with funds distributed to the office by the EHR Incentive Program. The CFO pled guilty, was sentenced to 23 months in prison, and was personally ordered to pay over four million dollars in restitution.

We also can’t forget the $155 million settlement with eClinicalWorks last year.  This was also a whistleblower case.

This year Greenway Health, another EHR vendor, settles for 57.25 million fine for misrepresenting their software’s capabilities to meet some MU standards.  They also had some kickback schemes going on with theirs.  False claims could have been a part of that one too.

One local news station ran the story with a big banner that said Medical Fraud.  Another local news station’s story included this quote:

Coffey Health System denies any wrongdoing and says it maintained and documented its electronic health records properly. However, it chose to settle because of ongoing costs and the risk of “an unfavorable outcome.”

A lot of things we learned here should be seen as a warning to some and awareness of what is out there to others.  It isn’t just about HIPAA and penalties.  It is about things like false claims (aka fraud) and much more when leaders of the organization learn of the issues and flat out refuse to do anything to fix the problems.  When they were informed that they were lying to the government by filing a false claim and getting money based solely on that false claim, it didn’t seem to bother them at all.  We all frown upon that behavior do we not?  At least those of us who do try to follow the big rules do.  I would really like to know where they spent all that money they received when they filed their false claim for meaningful use reimbursement, wouldn’t you?