Case Study – Attesting Without Performing a Risk Assessment is a Crime

The goal of the HITECH Act was to encourage physicians and hospitals to move to electronic health records (EHR). HITECH used monetary incentive payments to encourage practices and hospitals to adopt them. To receive these payments, practices had to attest under Meaningful Use that they were indeed using the EHR systems. This included measures showing the systems were being used correctly, but it also carried additional stipulations. These included performing a Risk Assessment and showing evidence that the practice was protecting the privacy and security of its patient data. In other words, the practice had to be HIPAA compliant. Filing for the incentive payments without doing these things is a federal crime. In this week’s case study, we see a healthcare entity that did exactly that, and what happened afterward.

What happened?

Coffey Health Systems (CHS) is a hospital in Burlington, Kansas. In 2016, CHS’s CIO, Bashar Awad, and CHS’s former compliance officer, Cynthia McKerrigan, filed a lawsuit against CHS in federal district court in Kansas. The suit alleged that CHS had knowingly committed fraud in its Meaningful Use filings, in violation of the US False Claims Act.

During his employment at CHS, Mr. Awad discovered that CHS had not performed any form of Risk Assessment. He could find no documentation showing that any type of assessment had been done. He performed his own security checks and found that CHS shared its firewall with the local government offices of Coffey County. Any user inside the firewall on the county’s systems, which included schools, libraries, and government offices, was able to access CHS’s patient data without any username or password. This is a major violation of the HIPAA Security Rule.

Mr. Awad hired a third-party company to perform a Risk Assessment in 2014, covering the 2014 attestation period. The assessment revealed 5 critical vulnerabilities that had been allowed to remain unresolved. Mr. Awad alleged that little effort had been made to correct these issues.

When the time came to file CHS’s 2014 attestation, Mr. Awad refused to do so. Several of the previously discovered issues had not been addressed, so filing an attestation stating that the Risk Assessment had been performed and all discovered issues resolved would have been fraud. Because he refused to file the attestation, Mr. Awad was terminated. Afterward, he and Ms. McKerrigan filed their lawsuit in federal court.

What was the result?

The case was referred to the US Department of Justice to investigate. Mr. Awad and Ms. McKerrigan alleged in their suit that CHS submitted false attestation information and that CHS knew it was false.

For the 2012 and 2013 attestation periods, CHS collected $3 million in Meaningful Use payments that it was not legally entitled to receive.

As a result, CHS reached a settlement with the DOJ for $250,000. Under the whistleblower provisions of the False Claims Act, Mr. Awad and Ms. McKerrigan are entitled to $50,000 of the settlement. These provisions allow individuals to file cases on behalf of the US government and receive a portion of any monies recovered.

“Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records. This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.”

– United States Attorney Stephen McAllister

You can read the DOJ’s official statement on the case here.

Performing a Risk Assessment is mandatory

Performing a Risk Assessment is the first step to becoming compliant, and it is required by HIPAA regulations. A Risk Assessment shows you which areas of your practice need attention. Areas where the confidentiality, integrity, or availability of your patient data is at risk need to be identified and then addressed.

If you are filing attestations without doing this, you too are committing fraud. As this case shows, all it takes is for one of your employees to file a lawsuit against you, and with the possibility of a financial reward waiting for them, many employees may be tempted to take this route. This is a risk that few practices consider. Your employees can also file a complaint with HHS for possible violations.

Make sure that you have done your part. Performing a Risk Assessment and then addressing what it discovers is absolutely necessary. Get started today and ensure that your practice takes its HIPAA obligations seriously.