The US Court of Appeals for the Sixth Circuit recently dealt qui tam plaintiffs and their lawyers a setback in their campaign to expand federal False Claims Act (FCA) liability in the healthcare industry. Addressing an issue of first impression, the court affirmed the dismissal of a relator’s claim that non-compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH Act) gives rise to FCA liability. U.S. ex rel. Sheldon v. Kettering Health Network not only found the relator’s complaint deficient on several grounds, but it also held that a dismissed state-court action that Ms. Sheldon filed subsequent to bringing the FCA suit precluded the federal action.
The case arose when the defendant, Kettering Health Network (KHN), sent the relator a letter informing her that several KHN employees had impermissibly accessed some of her protected health information. Such access, the relator alleged, violated the FCA because KHN received payments under the HITECH Act, which incentivizes participants to maintain and review privacy procedures to protect members’ private information. The relator alleged that by receiving payment, KHN falsely implied certification of compliance with the HITECH Act, in violation of the FCA. In her complaint, the relator alleged that HITECH Act compliance required KHN to prevent all unauthorized access of her private information and to use a particular risk-assessment program which KHN did not use.
The Sixth Circuit outlined that under the FCA a relator must plead:
 that the defendant [made] a false statement or create[d] a false record  with actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsity of the information;  that the defendant … submitted a claim for payment to the federal government; … and  that the false statement or record [was] material to the Government’s decision to make the payment sought in the defendant’s claim.
U.S. ex rel. Sheldon, slip op. at 10, quoting U.S. ex rel. SNAPP, Inc. v. Ford Motor Co., 618 F.3d 505, 509 (6th Cir. 2010). The court held that the relator’s complaint failed to establish that KLN made a false statement or a claim under the FCA.
As to the false-statement element, the court held that even if the relator’s allegations were true, KHN’s certification of compliance with the HITECH Act was not false. The court held that all the HITECH Act required was for KHN to have security policies and procedures and to analyze potential security risks. Individual breaches of clients’ protected information, clearly anticipated by the statute, did not place KHN out of compliance with the HITECH Act. The letter KHN sent to the relator regarding the breach was evidence of the defendant’s compliance with the HITECH Act, not evidence of an FCA violation.
In addition, the court held that the relator did not adequately plead that KHN submitted a specific false claim. In her complaint, the relator alleged that KHN “must have … submitted” an attestation of compliance with the HITECH Act because it received payments. However, this speculation was not sufficient under the heightened pleading standards of Federal Rule of Civil Procedure 9(b). Without identifying particular examples of claims submitted to the government, the relator cannot survive a motion to dismiss.
Finally, the court held, separate and apart from the complaint’s multiple infirmities that a suit the relator filed in state court against KHN concerning the same unauthorized accessing of her private information precluded her federal FCA lawsuit. The doctrine of res judicata, or claim preclusion, states that a “final judgment on the merits bars further claims by parties or their privies based on the same cause of action.” After she filed her FCA suit but before it became unsealed, the relator filed a case in Ohio state court alleging KHN violated the Health Insurance Portability and Accountability Act (HIPPA) by failing to prevent her protected information from becoming compromised. Such failures, she alleged, violated various state tort laws, the Fair Credit Reporting Act, and the Fair Debt Collection Practices Act. However, her state case was dismissed in its entirety because the state court held that “HIPAA does not allow private causes of action according to Ohio law.” The relator lost each of her appeals.
The Sixth Circuit held that the relator’s state case constituted a valid, final decision on the merits because her suit was dismissed in its entirety and she exhausted her appeals. Further, because her state-court claims were “nearly identical” to her FCA claims, the Sixth Circuit held that relator’s state-court suit arose from the same transaction or occurrence as her FCA allegations. Therefore, her FCA claims were precluded.
The Sixth Circuit’s decision in U.S. ex rel. Sheldon v. Kettering Health Network is notable for several reasons. As a matter of first impression in federal appellate courts, the Sixth Circuit correctly interpreted the HITECH Act as requiring participants to maintain data-breach-prevention plans, not to completely eliminate data breaches. Further, the court made it clear that Rule 9(b) does not permit courts to rubber stamp relators’ assumptions that defendants submitted federal claims; rather, relators must provide evidence of specific claims to survive a motion to dismiss. Finally, the Sixth Circuit reminded relators that claim preclusion prevents them from taking two bites of the liability apple. Hence, an adverse final ruling in state court arising from the same facts will preclude a federal FCA action.