United States ex rel. Sheldon v. Kettering Health Network, 15–3075.

Decision Date07 March 2016
Docket NumberNo. 15–3075.,15–3075.
Citation816 F.3d 399
Parties UNITED STATES of America ex rel. Vicki SHELDON, Relator–Appellant, v. KETTERING HEALTH NETWORK, Defendant–Appellee.
CourtU.S. Court of Appeals — Sixth Circuit

816 F.3d 399

UNITED STATES of America ex rel. Vicki SHELDON, Relator–Appellant,
v.
KETTERING HEALTH NETWORK, Defendant–Appellee.

No. 15–3075.

United States Court of Appeals, Sixth Circuit.

Argued: Oct. 8, 2015.
Decided and Filed: March 7, 2016.


816 F.3d 402

ARGUED:Robert F. Croskery, Croskery Law Offices, Cincinnati, Ohio, for Appellant. Natalie T. Furniss, Bricker & Eckler, LLP, Columbus, Ohio, for Appellee. ON BRIEF:Robert F. Croskery, Croskery Law Offices, Cincinnati, Ohio, for Appellant. Natalie T. Furniss, Anne Marie Sferra, Bricker & Eckler, LLP, Columbus, Ohio, for Appellee.

Before: KEITH, CLAY, and WHITE, Circuit Judges.

OPINION

CLAY, Circuit Judge.

Plaintiff Vicki Sheldon ("Relator," in this qui tam action) appeals from the district

816 F.3d 403

court's order, entered on January 6, 2015, denying her motion for leave to amend her complaint and granting Defendant Kettering Health Network's ("KHN") motion to dismiss. Relator alleges that KHN violated the False Claims Act ("FCA"), 31 U.S.C. § 3729(a)(1), by falsely attesting to compliance with the Health Information Technology for Economic and Clinical Health Act (hereinafter "HITECH Act" or "the Act"), Pub.L. No. 111–5, Title XIII, 123 Stat. 226 (2009), and by receiving "meaningful use" incentive payments as a result. The district court held that Relator's complaint failed to state a plausible claim, and denied as futile Relator's motion to amend. The district court held, in the alternative, that Relator's claims were precluded by a prior Ohio state court judgment in a case involving similar claims filed by Relator against KHN.

For the reasons set forth below, we AFFIRM the district court's order granting KHN's motion to dismiss and denying Relator's motion to amend.

BACKGROUND

On April 29, 2014, Relator brought a qui tam action under the False Claims Act, 31 U.S.C. § 3730(b), against KHN in federal court, alleging KHN falsely certified its compliance with certain provisions of the HITECH Act.

I. The HITECH Act

Enacted in 2009, the HITECH Act was designed to encourage the adoption of sophisticated electronic health record ("EHR") technology by health care providers. See, e.g., Vadim Schick, After HITECH: HIPAA Revisions Mandate Stronger Privacy and Security Safeguards, 37 J.C. & U.L. 403, 404 (2011). To that end, the Act creates incentive payments for eligible health care providers ("providers")—i.e. individual hospitals and health care professionals—that demonstrate "meaningful use" of certified EHR technology. 42 C.F.R. § 495.2 ; see also 42 U.S.C. §§ 1395w–4(o ), 1395ww(n) (establishing diminishing schedule for incentive payments to encourage early adoption by eligible professionals and hospitals). Incentive payments are calculated using a formula that takes account of each individual provider's volume of patients. See, e.g., 42 C.F.R. §§ 495.102(a)(1) (eligible professionals), 495.104(c)(2) (hospitals).

As a condition to receipt of incentive payments, the Act requires providers to meet roughly two-dozen meaningful-use objectives and accompanying measures of compliance. 42 C.F.R. § 495.20 ; 42 U.S.C. §§ 1395w–4(o ), 1395ww(n). Objectives and measures were released in two stages; Stage 2, which went into effect on September 4, 2012, added additional objectives and measures to the requirements for compliance with the Act. See Electronic Health Record Incentive Program—Stage 2, 77 Fed.Reg. 53,968 (Sept. 4, 2012) ; 42 C.F.R. §§ 495.20(h) -(m). After Congress passed the Act, the Centers for Medicare and Medicaid Services ("CMS"), an agency of the Department of Health and Human Services, promulgated specific standards for meeting these objectives. See, e.g., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, 75 Fed.Reg. 44314–01 (July 28, 2010).

The meaningful-use objective relevant here (hereinafter "the objective" or "security and privacy objective") requires providers to "[p]rotect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities." 42 C.F.R. §§ 495.20(d)(15)(i), (f)(14)(i), (j)(16)(i), (l ) (15)(i) (establishing the same security and privacy objective for different types of providers over different Stages of Act implementation). To

816 F.3d 404

meet the objective during Stage 1 of Act implementation, providers were required to "[c]onduct or review a security risk analysis in accordance with the requirements under 45 C.F.R. § 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of [their] risk management process." Id. at §§ 495.20(d)(15)(ii), (f)(14)(ii). During Stage 2, providers are additionally required to "address[ ] the encryption/security of data stored in Certified EHR Technology in accordance with requirements under" 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3). 42 C.F.R. §§ 495.6(j)(16)(ii), (l )(15)(ii). To receive incentive payments, individual providers must legally attest to meeting these standards. See id. at § 495.8. Attestation is required at intervals dependent upon the type of provider, the "EHR Incentive Program" chosen (Medicare or Medicaid), and the reporting year. See id. at § 495.4.

Both Stage 1 and Stage 2 measures for the security and privacy objective require providers to comply with 45 C.F.R. § 164.308(a)(1), which contains security and privacy standards established under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Subsection (a)(1) requires health care providers to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." Specifically, the subsection requires providers to:

(A) ... Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) ... Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(C) ... Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(D) ... Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Id. at (a)(1)(ii).

Stage 2 measures for the objective require providers to comply with two additional HIPAA regulations—45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3) —that also contain security standards. 42 C.F.R. §§ 495.6(j)(16)(ii), (l )(15)(ii). The first standard, § 164.312(a)(2)(iv), requires providers to "[i]mplement a mechanism to encrypt and decrypt electronic protected health information." The second standard, § 164.306(d)(3), requires providers to implement such a mechanism if "reasonable and appropriate," and if not, to document why and implement "an equivalent alternative measure."

II. Relator's first amended complaint

According to Relator's first amended complaint, Defendant KHN is a network of hospitals, medical facilities, and physicians that provide medical services. "[D]uring the past several years," the complaint asserts, KHN certified to the United States that it implemented a system of protecting electronic protected health information ("e-PHI") in accordance with HITECH Act requirements, and it received meaningful-use payments as a result. (R. 4 at ¶ 5.) KHN would submit this certification to the government by "checking ‘Yes' to the question ‘Did you conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates

816 F.3d 405

as necessary and correct identified security deficiencies as part of its [sic] risk management processes.’ " (Id. at ¶ 25.)1

Relator alleges, however, that KHN's attestations of compliance under the Act were false. This allegation stems from two letters she received from KHN informing her that its employees had impermissibly accessed her e-PHI. These letters, which were attached to Relator's original complaint, state that based on its own internal investigation, KHN discovered Relator's e-PHI had been accessed on several occasions by Relator's (now former) husband, Duane Sheldon, and others.2 Relator's complaint asserts that while Duane Sheldon was serving as a director for KHN, he began an affair with a subordinate employee, and together they accessed Relator's e-PHI in furtherance of that affair. The letters Relator received from KHN also state that (1) "these instances of access are inappropriate/unauthorized and in violation of [KHN] policy and procedure, as well as law," (2) KHN was investigating these instances of access "as a breach under the [HITECH Act]," and (3) KHN would be notifying the United States Department of Health and Human Services of the breaches. (R. 1–1, Pg ID # 10–13.)

After Relator learned her e-PHI had been impermissibly accessed, she requested (through counsel) that KHN...

To continue reading

Request your trial
76 cases
  • Skatemore, Inc. v. Whitmer
    • United States
    • U.S. Court of Appeals — Sixth Circuit
    • July 19, 2022
    ...Review Typically, this Court reviews denials of motions for leave to amend for an abuse of discretion. U.S. ex rel. Sheldon v. Kettering Health Network , 816 F.3d 399, 407 (6th Cir. 2016). However, when a motion to amend is denied because amendment would be "futile," this Court reviews the ......
  • United States ex rel. Prather v. Brookdale Senior Living Cmtys., Inc.
    • United States
    • U.S. Court of Appeals — Sixth Circuit
    • June 11, 2018
    ...claim"; and (4) that the defendant submitted to the U.S. government causing it to pay the claim. United States ex rel. Sheldon v. Kettering Health Network , 816 F.3d 399, 408 (6th Cir. 2016) (quoting United States ex rel. SNAPP, Inc. v. Ford Motor Co. , 618 F.3d 505, 509 (6th Cir. 2010) ); ......
  • Puckett v. Lexington-Fayette Urban Cnty. Gov't
    • United States
    • U.S. Court of Appeals — Sixth Circuit
    • August 15, 2016
    ...(i.e. , that it would not withstand a motion to dismiss), we apply a de novo standard of review. United States ex rel Sheldon v. Kettering Health Network , 816 F.3d 399, 407 (6th Cir. 2016). When a Rule 15(a) motion is presented after a judgment against the plaintiff, courts must consider t......
  • United States ex rel. Prather v. Brookdale Senior Living Cmtys., Inc.
    • United States
    • U.S. Court of Appeals — Sixth Circuit
    • September 30, 2016
    ...or on discussions with employees directly responsible for submitting claims to the government,” United States ex rel. Sheldon v. Kettering Health Network , 816 F.3d 399, 413 (6th Cir. 2016). Prather's allegations satisfy this threshold. They provide a detailed overview of the alleged fraudu......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT