The Department of Justice recently announced the launch of its new civilian cyber fraud initiative (the “Initiative”) which intends to use the False Claims Act to prosecute “cyber security fraud by government contractors and grant recipients ”.

More specifically, the Initiative will target those who:

1. knowingly providing deficient cybersecurity products or services,
2. knowingly distorting their cybersecurity practices or protocols, or
3. knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

This new initiative significantly expands the potential liability of federal contractors and healthcare providers who participate in federal healthcare programs related to data privacy and cybersecurity issues.

Misrepresentation Act

The False Claims Act broadly prohibits anyone, among others, from knowingly making or “causing” a false claim for payment if the claim is paid directly or indirectly by the federal government. The False Claims Act is the government’s primary enforcement tool in combating healthcare fraud, with more than $ 2.2 billion recovered in 2020. Penalties for False Claims Act violations include three times the actual damages suffered by the government, mandatory civil penalties of between $ 11,181 and $ 22,363 for each separate misrepresentation, as well as attorney fees and costs. In addition, the False Claims Act allows whistleblowers to sue on behalf of the federal government. Also known as a ‘qui tam’ real estate agent, a whistleblower who brings success qui tam the action can receive 15 to 30 percent of the damages that the government recovers from the defendants. The ability of an individual within their own organization to raise flags with the federal government under the False Claims Act particularly increases risk.

HIPAA

Pursuant to the Health Insurance Portability and Accountability Act 1996 (“HIPAA”), “Covered Entities” and their “Business Associates” are subject to certain obligations and limitations relating to their use and disclosure. “Protected Health Information” (“PHI”). The covered entities are healthcare providers, healthcare plans and healthcare clearinghouses that transmit any information in electronic form as part of a transaction for which HHS has adopted standards. A business associate is a person or entity who provides certain services or functions on behalf of the covered entity that involve the use or disclosure of PHI. Finally, PHI is all individually identifiable information, including demographic data, that relates to an individual’s past, present or future health or payment for the provision of health care.

The obligations imposed on Covered Entities and Business Partners under HIPAA include maintaining and complying with specific privacy and security policies and procedures regarding access, use, processing, transfer, storage and the disclosure of PHI and the implementation of physical, technical and administrative safeguards to protect the privacy and security of PHI. In addition, covered entities are required to notify affected persons, the Department of Health and Human Services and, for some larger breaches, the media of data breaches. Likewise, business partners are required to notify covered entities of data breaches.

Implications

The goal of holding accountable those who “knowingly provide deficient cybersecurity products or services, knowingly distort their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches” poses a risk particularly for covered entities and their business associates.

For example, consider a Revenue Cycle Management (“RCM”) company that submits claims on behalf of a healthcare provider (including claims to government payers) that experiences a security incident, performs a security incident. HIPAA risk assessment and shares that assessment with the covered entity. client who determines that RCM has not implemented the physical, technical and administrative protective measures required under HIPAA law. Could the customer, government or a whistleblower allege that RCM knowingly misrepresented its cybersecurity practices or protocols and thereby caused the submission of false statements?

Also, consider an Electronic Health Records (“EHR”) company certified by the Office of the National Coordinator that experiences an unsecured RPS violation, performs a HIPAA risk assessment, and determines that it is not obligated to report. violation on the basis of low risk of compromise per 45 CFR 164.402. Could the government or a whistleblower allege that the EHR company did not report a violation and thus caused the submission of bogus claims by healthcare providers who use their EHR and are able to avoid discounts? for Medicare Reimbursement Using a Certified EHR?

Cases of false claims are generally prosecuted under what is known as the “false certification theory”. A claim is considered false when a claimant “certifies compliance with a law or regulation as a condition of payment by the government”. The false certification theory considers that the applicant request for payment as “implicit certification” of compliance with such statutes or regulations. Despite the broad implications of the false certification theory, there is some control over the ability of the government or a whistleblower to prosecute HIPAA breaches through what one does. calls for the materiality requirement under the False Claims Act. In Universal Health Services v. United States ex rel. Escobar, the United States Supreme Court held that the onus is on the government and whistleblowers to prove the “rigorous and demanding” materiality requirement under the False Claims Act. The Supreme Court further stated that the False Claims Act is “not a means of imposing treble damages and other penalties for insignificant regulatory or contractual violations. Therefore, the government and whistleblowers must demonstrate that allegedly insufficient technical safeguards or an alleged failure to report a violation are in fact Equipment to the government’s payment decision.

The potential use of the False Claims Act to enforce HIPAA compliance may also change the way due diligence is performed on covered entities that bill government payers and their associates and associates. While security incidents are common, the potential for False Claims Act liability associated with such an incident increases the importance of exercising due diligence in connection with such incidents. The importance of exercising due diligence on a seller’s compliance with HIPAA requirements for administrative, technical and physical safeguards is also magnified by the potential for liability under the False Claims Act for failure to comply with these. requirements. The risk of performing a data breach risk assessment is also heightened and such assessments should be carefully considered as part of due diligence.

[View source.]