The Burlington, Kansas-based Coffey Health System is paying the U.S. government $250,000 to settle False Claims Act violations stemming from allegations that the provider organization falsely attested that it conducted and/or reviewed security risk analyses in accordance with Meaningful Use requirements during 2012 and 2013 reporting periods.
According to a DOJ press release, the government attested that the patient care system, which operates a 25-bed critical access hospital, “submitted false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program.” Under the program, the U.S. Department of Health and Human Services (HHS) offers incentive payments to healthcare providers that adopt certified EHR technology and meet certain requirements relating to their use of the technology. To obtain the payments, providers must attest that they satisfy applicable HHS-adopted criteria, including measures for analyzing and addressing security risks to EHRs.
However, a basic security test revealed the hospital used a shared firewall, meaning anyone could access private patient records “simply by logging in to Coffey’s website through its IP address at the local schools or libraries,” the lawsuit says, according to a report in Kansas.com. Coffey Health System also gave the government data that didn’t come from the source it claimed it had, per the lawsuit.
The $250,000 payment is a portion of the $2.2 million in federal incentives that Coffey Health System received in 2012 and 2013. Notably, the organization is not admitting any wrongdoing; rather, it is settling to avoid the expensive costs of an ongoing litigation, according to Kansas.com. A Wichita attorney noted that the case involved “’complicated healthcare regulations regarding how to move from paper records to electronic records’ and had nothing to do with patient care,” according to the report.
The lawsuit was filed under the qui tam, or whistleblower, provisions of the False Claims Act, which permit private individuals to sue on behalf of the government for false claims and to share in any recovery. The Act also allows the government to intervene and take over the action; Bashar Awad and Cynthia McKerrigan, former executives at the health system, will receive approximately $50,000, according to the DOJ.
Steve Hanson, Special Agent in Charge, U.S. Department of Health and Human Services, Office of Inspector General, Kansas City Region, stated, “Providers who fail to properly ensure the security of electronic health records must be held accountable.”
