- Health Insurance Portability and Accountability Act under the False Claims Act
- June 25, 2013
- Law Firm: Berger Montague P.C. - Philadelphia Office
Are Health Insurance Portability and Accountability Act Violations an Independent Claim under the False Claims Act?
Qui Tam Relators often observe, in the course of their employment and in addition to blatant violations of the False Claims Act (FCA) through direct and obvious fraudulent billing to Medicare and Medicaid, violations of the Health Insurance Portability and Accountability Act (HIPAA). The question arises as to whether such HIPAA violations themselves are sufficient to support an independent claim under the FCA. If you violate HIPAA and present a proper bill to the Government for services actually rendered and covered, does that bill represent a false claim?
3 Ways a Claim Can be False or Fraudulent under the False Claims Act
Under the FCA, a claim can be false or fraudulent in one of three ways: (1) a factually false claims where goods or services have not been rendered to the Government; (2) a legally false claim based on an express certification where the contractor expressly certifies compliance with a contract term, statute, or regulation despite a breach or violation of that term statute, or regulation; and (3) a legally false claim based on an implied certification that the contractor is in compliance with relevant contract terms, statutes, or regulations when it is not. FCA claims based on express of implied certification must be material, which means that the certification has "a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property." 
Government Involvement in False Claims Act Claims
Under an implied certification theory of liability, "a plaintiff must show that if the Government had been aware of the defendant's violations of the Medicare laws and regulations that are the bases of a plaintiff's FCA claims, it would not have paid the defendant's claims." United States ex rel. Wilkins v. United Health Group, Inc., 659 F3d 295, 307 (3rd Cir. 2011) In short, defendant's compliance must be a "condition of payment" as opposed to a "condition of participation." See United States ex rel. Gross v. AIDS Research Alliance-Chicago, 415 F.3d 601, 605 (7th Cir. 2005) (affirming dismissal of FCA complaint, noting that "where an FCA claim is based upon an alleged false certification of regulatory compliance, the certification must be a condition of the government payment in order to be actionable."). "Conditions of participation are enforced through administrative mechanisms, and the ultimate sanction for violation of such conditions is removal from the government program, while conditions of payment are those which, if the government knew they were not being followed, might cause it to actually refuse payment." U.S. ex rel. Conner v. Salina Reg'l Health Ctr., Inc., 543 F.3d 1211, 1220 (10th Cir.2008).
Courts have held that a Health Insurance Portability and Accountability Act Violation is a Condition of Participation and Not a Condition of Payment
Courts have held that a Health Insurance Portability and Accountability Act violation is a condition of participation and not a condition of payment, and thus, not sufficient to substantiate an independent claim under the FCA. In a Fourth Circuit case, the Court found that while a HIPAA violation could be a considered part of a larger fraud scheme, it is not a sufficient basis for an implied certification claim under the FCA on its own. United States ex rel. Knight v. Reliant Hospice, Inc., 2011 U.S. Dist. LEXIS 141159 (D.S.C. Dec. 8, 2011). In a qui tam case against a medical services provider, the Sixth Circuit held that a relator's allegation that the defendant violated HIPAA by failing to preserve patient confidentiality was not substantiated by a "statute or regulation that conditions payment of a claim on compliance with HIPAA." Chesbrough v. VPA. P.C., 655 F.3d 461, 469 (6th Cir. Mich. 2011). Therefore, according to existing case law, although limited, a HIPAA violation is an insufficient basis for an FCA claim.
Health Insurance Portability and Accountability Act Remedies
Further, HIPAA expressly provides administrative remedies for resolving Health Insurance Portability and Accountability Act issues and such remedies must be exhausted first before a plaintiff can pursue other remedies. See 45 C.F.R. § 160.306 (stating an aggrieved party may complain to the Secretary and that the Secretary may investigate the complaints filed under the Section).
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
The Health Insurance Portability and Accountability Act Privacy Rule  also provides an administrative process by which the Secretary may investigate and impose civil monetary penalties for a failure to comply with the Privacy Rule. See 45 C.F.R. §§ 160.500 -160.570. In Rigaud v. Garofalo, the court ruled that the plaintiff was "barred" from bringing a HIPAA claim because "she failed to exhaust her administrative remedies. HIPAA expressly provides defendants a right to notice and a hearing before an Administrative Law Judge, and the opportunity voluntarily to cooperate with the Secretary to resolve the matter through informal means." Rigaud v. Garofalo, 2005 U.S. Dist. LEXIS 7791, at *8-10 (E.D. Pa. May 2, 2005) citing 45 C.F.R. §§ 160.500 -160.570 (emphasis added). In Sebelius v. Uplift Med., a respondent was "specifically precluded from obtaining judicial review of the HIPAA penalty assessment for failure to exhaust his administrative remedies." Sebelius v. Uplift Med., P.C., 2012 U.S. Dist. LEXIS 123660, 14-15 (D. Md. Aug. 28, 2012) citing 45 C.F.R. § 160.422; 45 C.F.R. § 160.424(d).
Thus, HIPAA violations are currently not a sufficient basis to support an independent claim under the FCA.
 31 U.S.C. § 3729(b)(4) (Supp. III 2009).
 The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.