Coffey Health System agreed to settle alleged violations of the False Claims and HITECH Acts by paying $250,000 to the U.S. Department of Justice.
The Kansas-based health system stated, in claims to Medicaid and Medicare under the EHR Incentive Program, that it had satisfied the HITECH Act risk analysis requirements for the 2012 and 2013 reporting periods.
One of the primary goals of the HITECH Act was to persuade healthcare providers to use electronic health records. The program, then named the Meaningful Use Program, required healthcare providers to show meaningful use of EHRs in order to receive incentive payments. Besides showing meaningful use of EHRs, healthcare providers also needed to satisfy particular requirements associated with EHR technology and manage the privacy and security risks linked with EHRs.
In 2016, Bashar Awad, Coffey Health System’s former CIO, and Cynthia McKerrigan, its former compliance officer, filed a lawsuit in Kansas federal court against their former employer alleging False Claims Act violations.
The two alleged that Coffey Health System falsely claimed to have conducted risk analyses in order to get incentive payments, and knew the claims were false when they were submitted. The false claims allowed Coffey Health System to receive $3 million in payments under the Meaningful Use program even though it was not eligible.
Awad found no documentation that risk analyses had been conducted and, after running basic network security tests, made the following alarming discoveries:
- Coffey Health System shared a firewall with the municipalities of Coffey County.
- Anyone in an area protected by the same firewall, such as schools and libraries, could log in to the system using its IP address and view patient records.
- Login did not require a username or password, which is a major security failure and a HIPAA Security Rule violation.
In 2014, Awad called in a third-party company to perform a risk analysis for 2014. The results showed a number of security issues, including 5 critical vulnerabilities, which persisted unchecked. Though there were attempts to resolve the issues, Awad was not given enough resources to address those vulnerabilities. He reported that only some of the identified vulnerabilities were fixed.
When the 2014 attestation was due, Awad declined to submit it because several vulnerabilities had not been resolved. Because he did not support the attestation, Awad was dismissed from the company. Awad and McKerrigan subsequently filed a lawsuit against Coffey Health System.
The whistleblower provisions of the False Claims Act allow individuals to sue organizations on behalf of the government and receive a percentage of any settlement. The two plaintiffs will share $50,000 from the $250,000 settlement payment. Coffey Health System’s settlement is without admission of liability.