$250,000 Settlement Payment Agreed to Resolve False Claims and HITECH Acts by Coffey Health System

Coffey Health System decided to resolve alleged False Claims and HITECH Acts violations by paying to the U.S. Department of Justice the amount of $250,000.

The health system located in Kansas claim to have met the HITECH Act risk analysis prerequisites for the 2012-2013 reporting in claims to Medicaid and Medicare under the EHR Incentive Program.

One of the principal objectives of the HITECH Act was to convince healthcare companies to work with electronic health records. The then called Meaningful Use Program demand that healthcare companies demonstrate meaningful use of EHRs in order to have incentive payments. Apart from demonstrating meaningful use of EHRs, healthcare companies likewise ought to meet certain requirements connected to EHR technology and deal with the privacy and security threats connected with EHRs.

In 2016, Bashar Awad, the ex-CIO of Coffey Health, and Cynthia McKerrigan, a former compliance officer, submitted a lawsuit in Kansas federal court over the False Claims Act violations of their ex-employer.

The two claimed that Coffey Health System submitted false claims of performing risk analyses as a way to acquire incentive payments and were aware about the false claims submitted. Because of the false claims, Coffey Health System received $3 million of payments from the Meaningful Use program even when it was not entitled to it.

Awad didn’t locate any records proving the performance of the risk analyses. He also had alarming findings after undertaking basic assessments on network security:

Coffey health system was sharing a firewall together with the municipalities of Coffey County.

Anybody from locations using the same firewall, for instance schools and libraries, could login to the network using its IP address and access patients files.

No username or password is required when logging in, which is a serious security breakdown and violates HIPAA Security Rules.

In 2014, Awad hired a third-party firm to perform a risk analysis in 2014. The result exhibited several security problems which include the 5 critical vulnerabilities that remained unchecked. Although there were efforts to deal with the problems, Awad was not provided ample resources to manage those vulnerabilities. He noted that only a few of the known vulnerabilities were resolved.

In the 2014 attestation submission, Awad did not submit due to several unresolved vulnerabilities. Because Awad did not help with the attestation, he was laid off by the company. After that, Awad and McKerrigan filed charges against Coffey Health System.

The whistleblower terms of the False Claims Act point out that people could sue companies in behalf of the federal government and will have receive a share in the settlement. The two plaintiffs expects to get $50,000 from this settlement payment of $250,000. Coffey Health System agreed to a settlement without admitting liability.