So what does HIPAA have to do with the Federal False Claims Act? Stated as simply as possible, the Meaningful Use criteria for getting government reimbursement for the costs of obtaining and using an electronic health record (“EHR”) can lead to a false claim because an application implies that the requester is compliant with relevant laws and regulations, including HIPAA.
In this case, the federal government alleged that Greenway Health, LLC, an EHR software developer based in Tampa, Florida, had violated the False Claims Act, 31 U.S. Code § 3729, the government’s primary weapon against those who defraud the government.
For health care providers to qualify for Meaningful Use payments, they must use only EHR products that have been certified as meeting certain criteria stipulated by the Department of Health and Human Services (“HHS”). In order to receive certification, EHR software developers must have their products tested by an independent, accredited testing laboratory authorized by HHS. Certification is then provided by an official certification body.
Greenway allegedly falsely obtained certification for its Prime Suite software by concealing the fact that it did not fully comply with all HHS criteria, such as the use of standardized clinical terminology to ensure the reciprocal exchange of patient information and the accuracy of electronic prescriptions.
Health care providers who used Prime Suite had to meet, among other requirements, an EHR-related activities target of providing clinical summaries to a certain percentage of patients in order to receive Meaningful Use incentive payments. The 2011 Edition of Prime Suite did not, however, accurately calculate the percentage of office visits for which users distributed clinical summaries and consequently caused users to submit false claims. Greenway Health did not correct the error because, had it done so, its users would not have qualified for Meaningful Use incentive payments; it thus misrepresented its product to its users.
This settlement in lieu of a fine was with the vendor, not the covered entities that used the non-compliant product. That scenario does not mean, however, that a covered entity or business associate could not face a False Claims Act enforcement action if its documentation or attestation that it met the Meaningful Use criteria is not true and accurate.
For example, one of the criteria is that health professionals must provide patients an electronic copy of their health information upon request. This obviously ties in with the HIPAA requirements. HHS discussed the interrelationship as follows:
Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. See 45 CFR 164.524(a)(1). Under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information. It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records). See HHS.gov, Category: HIPAA at https://www.hhs.gov/answers/hipaa/index.html.
This settlement demonstrates the importance of ensuring that your EHR is HIPAA compliant. So be careful if and when you seek to document that you meet the Meaningful Use criteria.