Opinion
Case No. 1:14-cv-345
01-06-2015
UNITED STATES OF AMERICA, ex. rel, VICKI SHELDON, Relator, v. KETTERING HEALTH NETWORK, Defendant.
ORDER: (1) DENYING RELATOR'S MOTION TO AMEND (Doc. 14); and (2) GRANTING DEFENDANT'S MOTION TO DISMISS (Doc. 8)
This civil action is before the Court on: (1) Defendant's motion to dismiss (Doc. 8) and the parties' responsive memoranda (Docs. 17, 18); and (2) Relator's motion to amend (Doc. 14), and Defendant's responsive memorandum (Doc. 16).
I. FACTS ALLEGED BY THE RELATOR
For purposes of this motion to dismiss, the Court must: (1) view the amended complaint in the light most favorable to Relator; and (2) take all well-pleaded factual allegations as true. Tackett v. M&G Polymers, 561 F.3d 478, 488 (6th Cir. 2009).
The Relator's qui tam complaint stems from an alleged breach of privacy relating to her electronic protected healthcare information ("e-PHI") and that of two of her family members. Relator alleges that her husband, Duane Sheldon, a former employee of Kettering Health Network ("KHN"), began an extramarital relationship with another KHN employee. (Doc. 46 at ¶¶ 10-11). Relator alleges that in furtherance of this relationship, Mr. Sheldon accessed and shared Relator's e-PHI with others. (Id.) As a result, Relator alleges that KHN failed to comply with a provision of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and violated the False Claims Act ("FCA") in accepting "Meaningful Use" dollars available to KHN through the HITECH Act. (Id. at ¶¶ 16, 19).
Relator does not allege that she worked at KHN.
II. STANDARD OF REVIEW
A. Motion to Dismiss
A motion to dismiss pursuant to Fed. R. Civ. P. 12(b)(6) operates to test the sufficiency of the complaint and permits dismissal of a complaint for "failure to state a claim upon which relief can be granted." To show grounds for relief, Fed. R. Civ. P. 8(a) requires that the complaint contain a "short and plain statement of the claim showing that the pleader is entitled to relief."
While Fed. R. Civ. P. 8 "does not require 'detailed factual allegations,' . . . it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)). Pleadings offering mere "'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action will not do.'" Id. (citing Twombly, 550 U.S. at 555). In fact, in determining a motion to dismiss, "courts 'are not bound to accept as true a legal conclusion couched as a factual allegation[.]'" Twombly, 550 U.S. at 555 (citing Papasan v. Allain, 478 U.S. 265 (1986)). Further, "[f]actual allegations must be enough to raise a right to relief above the speculative level[.]" Id.
Accordingly, "[t]o survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Iqbal, 556 U.S. at 678. A claim is plausible where "plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Plausibility "is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. "[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not 'show[n]'—'that the pleader is entitled to relief,'" and the case shall be dismissed. Id. (citing Fed. Rule Civ. Proc. 8(a)(2)).
B. Motion to Amend
Rule 15(a)(2) provides that leave to amend should be freely given when justice so requires. The rule is to be liberally construed in favor of allowing amendments, and reinforces the principle that cases "should be tried on their merits." See, e.g., Moore v. Paducah, 790 F.2d 557, 559 (6th Cir. 1986). Leave to amend should be granted unless there is "undue delay, bad faith, or dilatory motive ... repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party, [] futility of amendment," or lack of notice to the opposing party. Foman v. Davis, 371 U.S. 178, 182 (1962).
III. ANALYSIS
The FCA creates civil liability for any person who "knowingly presents, or causes to be presented" to the Government "a false or fraudulent claim for payment or approval." United States ex rel. Hobbs v. Medquest, 711 F.3d 707, 713 (6th Cir. 2013) (quoting 31 U.S.C. § 3729(a)). A relator must have "personal knowledge of the facts relating to the alleged scheme or fraud against the government in order to bring a lawsuit." Kinney v. Stoltz, 327 F.3d 671, 674 (8th Cir. 2003). This requirement serves the underlying purpose of the FCA, which is "to encourage individuals who are either close observers or involved in the fraudulent activity to come forward...[the FCA] is not intended to create windfalls for people with secondhand knowledge of the wrongdoing." Id. (concluding that the plaintiff did not have "direct knowledge" of the allegations and was "neither involved in nor a close observer of the alleged illegal act," so his claim was not permitted under the FCA).
Federal courts do not have jurisdiction over an action based upon public disclosure of allegations or transactions unless the person bringing the action "is an original source of the information." 31 U.S.C. § 3730(e)(4). A person is the original source when she has "direct and independent knowledge of the information" which formed the basis of the allegations. Id. The qui tam provision of the FCA and its potential for large cash awards was designed to incentivize participants in the false claim, i.e., the people with sufficient knowledge of the scheme's details, to come forward. Id. If a putative relator does not know the specifics of the FCA claim, she cannot allege a valid cause of action, and is not a proper relator. Id.
The policy behind the qui tam provision is to provide "adequate incentives for whistle-blowing insiders with genuinely valuable information," United States ex rel. Poteet v. Medtronic, Inc., 552 F.3d 503, 507 (6th Cir. 2009), which is why "[t]he archetypal qui tam False Claims Act action is filed by an insider at a private company[.]" United States ex rel. Compton v. Midwest Specialties, 142 F.3d 296, 303 (6th Cir. 1998).
The HITECH Act imposes stringent federal protections on the privacy and security of healthcare data. The HITECH Act established incentive payments for the meaningful use of certified electronic health record ("HER") technology by eligible professionals and eligible hospitals participating in the Medicare program. 42 C.F.R. § 495.4.
A. Motion to Amend
Defendant filed a motion to dismiss on November 12, 2014. (Doc. 8). Subsequently, the Relator filed a motion for leave to file a second amended complaint (Doc. 14), which would purportedly cure the deficiencies alleged in the motion to dismiss. This Court must resolve the motion to amend before it determines whether the motion to dismiss is moot. When a motion to amend only addresses a discrete issue, it may not moot the underlying motion to dismiss. In Re: GI Holdings, 122 F. App'x 554, 556 (3rd Cir. 2004).
See, e.g., Pethtel v. Washington County Sheriff's Office, No. 2:06cv799, 2007 U.S. Dist. LEXIS 60105, at *2 (S.D. Ohio Aug. 16, 2007) (the amended complaint was substantially identical to the original complaint where the amended complaint merely designated additional parties and did not attempt to cure the alleged defects in the original complaint).
In Count I, the Relator asserts a claim for violation of the FCA, because KHN allegedly "violated [the] HITECH Act, when it failed to protect the privacy of Relator Vicki Sheldon...and falsely certified to the United States Government that it had complied with the HITECH Act to collect 'Meaningful Use' monies." (Doc. 4 at ¶ 24). Specifically, the Relator alleges that KHN did not satisfy the HITECH requirements set forth at 45 C.F.R. §§ 164.308 and 164.312(a), which, as set forth below, require covered entities to implement policies and procedures to protect e-Phi. (Id. at ¶ 25). Because a claim stemming from a violation of the FCA is essentially a claim of fraud, the Relator must "allege the circumstances surrounding the fraud with particularity as required by Rule 9(b)." Walburn v. Lockheed Martin Corp., 431 F.3d 966, 972 (6th Cir. 2005). At a minimum, the Relator "must allege the time, place, and content of the alleged misrepresentation...; the fraudulent scheme; the fraudulent intent of the defendants; and the injury resulting from the fraud." United States v. Marlar, 525 F.3d 439, 444 (6th Cir. 2008).
Pursuant to 45 C.F.R. § 164.308, entities such as hospitals are required to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." 45 C.F.R. § 164.308(a)(1)(i). The regulations also set forth four specific requirements, or "Implementation Specifications," that covered entities must follow:
• Conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of e-PHI;
• Implementing security measures specific to reduce risks and vulnerabilities;
• Applying appropriate sanctions against workforce members who fail to comply with security policies and procedures; andId. at § ii.
• Implementing procedures to regularly review records of information system activity.
The second regulation that KHN is alleged to have violated, 45 C.F.R. § 164. 312(a), entitled "Technical Safeguards," also sets forth four implementation specifications for compliance under the Act:
• Assigning a unique name and/or number for identifying and tracking the identity of individuals accessing the medical records system;45 C.F.R. § 164.312(a)(2).
• Establishing procedures for obtaining e-Phi during an emergency;
• Implementing procedures that terminate an electronic session after a period of inactivity; and
• Implementing a mechanism for encrypting and decrypting e-Phi.
Both regulations set forth requirements that relate to systemic measures that healthcare providers should take to increase the security of e-PHI. There is no case law that suggests that an isolated privacy breach or discrete series of related breaches constitute a violation of the HITECH Act. Moreover, the Relator fails to allege that KHN failed to implement policies and procedures to address various security risks.
Count II, while it is brought as a separate cause of action, appears to assert the same legal claim as Count I - that KHN committed fraud by falsely certifying that it complied with the HITECH Act and accepting Meaningful Use dollars from the government. (Doc. 4 at ¶¶ 30-31). The sole distinction appears to be Relator's additional reliance on subsection (b) of 45 C.F.R. § 164.312, which provides that a covered entity must: "[i]mplement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." Relator alleges that KHN falsely certified that it met this objective. (Doc. 4 at ¶¶ 30-31). However, this allegation directly contradicts other allegations set forth in the Amended Complaint ("AC") - such as Relator's acknowledgements that KHN implemented the EPIC system and quickly identified the privacy breach that occurred with respect to Relator's e-PHI.
The only example of KHN's alleged failure to comply with the requirement to "implement hardware, software, and/or procedural mechanisms that ... examine activity in information systems" containing e-PHI is Realtor's claim that KHN did not routinely run a particular type of CLARITY report on a weekly or monthly basis. (Doc. 4 at ¶ 32). However, this allegation is rooted in unfounded notions that: (1) the HITECH Act required KHN to run a particular type of CLARITY report; and (2) simply because KHN did not provide the Relator with the specific type of CLARITY report, KHN was not properly monitoring its e-PHI System. The HITECH Act requires hospitals to implement a system to protect e-PHI; it does not require covered entities to use a particular e-PHI product or vendor or to run a specific type of monitoring report.
In case of a security breach, KHN is required to provide Realtor with the following: (1) a description of what happened, including the date of the breach and the type(s) of unsecured PHI that was involved; (2) any steps the individual should take to protect him/herself; (3) a brief description of what the covered entity is doing to investigate the breach and protect against any further breaches; and (4) contract procedures for the individual to ask questions or learn additional information. 45 C.F.R. § 164.404(c). There was no requirement that KHN provide any particular type of report, CLARITY or otherwise.
The new factual allegations in Relator's proposed Second Amended Complaint ("SAC") include the identification of a "team" of four KHN employees, who are alleged to have "participated" in KHN's certification that it complied with the HITECH Act. (Doc. 14-1 at ¶ 24). However, the SAC does not articulate the factual basis for Relator's apparently newly formed "belief" that these individuals were involved in the certification process, other than to identify the alleged job titles of such individuals. The proposed amendments fail to provide any factual basis to support Relator's claim that these individuals were somehow involved in the scheme. Additionally, none of the newly alleged facts remedy Relator's failure to allege facts to establish an actual violation of the HITECH Act.
Specifically, the SAC does nothing to remedy the following flaws: (1) the Relator does not identify when the allegedly fraudulent HITECH certifications were made; (2) the Relator does not allege that the person making the HITECH certifications had actual knowledge of its falsity at the time it was made; (3) the Relator does not allege a single violation of the HITECH Act and relatedly does not cite to a single regulation that requires hospitals to purchase EPIC software or subscribe to its trademarked CLARITY analytics service; and (4) the Relator does not allege that any violation of the HITECH Act (or even any isolated privacy breach) predated KHN's alleged "meaningful use" certification. Additionally, the Relator does not allege and therefore has failed to establish personal knowledge of: (1) KHN's system for storing, securing, or monitoring of electronic healthcare information (e-PHI); (2) the specific manner in which KHN failed to meet the requirements of the HITECH Act; (3) other incidents in which other patients' e-PHI was compromised; or (4) the details surrounding KHN's alleged misrepresentation to the government of its compliance with the HITECH Act.
In sum, Plaintiff simply alleges that KHN violated the HITECH Act because one of its employees (her estranged husband) accessed her family's medical records. Accordingly, Plaintiff fails to state a claim; and Relator's motion to amend is denied, as an amendment would be futile.
B. Motion to Dismiss
1. KHN's violation of the HITECH Act
Relator fails to allege any personal knowledge of KHN's failure to comply with the HITECH Act. Rather, she infers that KHN failed to comply with the HITECH Act.
As discussed in Section III.A, the Relator identifies two regulations promulgated under the Health Insurance Portability and Accountability Act ("HIPPA"), which were amended by the HITECH Act, that KHN is alleged to have breached. These regulations relate to the implementation of administrative and technical safeguards designed to prevent, detect, and contain security violations. See, e.g., 45 C.F.R. §§ 164.308(a)(1)(ii); 164.132(a)(2). The AC does not include factual allegations to establish that KHN failed to meet any of these objectives. Instead, the Relator's claim is based upon an allegation that KHN violated some unspecified regulation because it allegedly: "failed to run reports designed to protect information, [and that] the lack of proper reports ... allow[s] the strong inference that KHN has not, in fact, implemented policies and procedures designed to protect electronic private health information." (Doc. 17 at 5). However, Relator fails to allege that KHN did not run reports to detect possible data breaches; instead, the AC simply presumes that KHN failed to run "proper" reports. (Doc. 4 at ¶ 17). The inference Relator has drawn, that KHN violated the HITECH Act, is based upon the Realtor's presumption that KHN failed to run these reports.
In fact, the AC indicates that KHN provided the Relator with a detailed report of the suspected security breach. (Doc. 4 at ¶ 18). The Relator wanted a "CLARITY" report (Id. at ¶ 16-18), despite the fact that she now concedes that the HITECH Act does not require KHN to run or provide a CLARITY report. (Doc. 17 at 2). The Relator claims that the onus was on KHN to prove that it complied with the HITECH Act. (Id. at 5). However, she offers no law to support such an argument.
In fact, all of the Realtor's filings lack case law to support her arguments.
Next, Relator argues that KHN violated the HITECH Act because "Plaintiff-Relator's information was breached and not detected, even though, when run properly, and properly implemented, a policy and procedure would have provided early detection of the breach." (Doc. 17 at 6). However, this argument is contradicted by the facts alleged in the AC (and proposed SAC):
• KHN "bought and implemented a computer software system...for the purpose of maintaining electronic medical information...and protecting medical information from unapproved personnel." (Doc. 4 at ¶ 7).These claims simply do not allege sufficient facts to state a violation of the HITECH Act.
• KHN informed Relator that there appeared to have been a privacy breach relative to her e-PHI. (Doc. 4 at ¶ 16).
• KHN conducted an investigation into the breach. (Doc. 1, Ex. A).
• KHN prepared (and provided to Relator) audit reports detailing the instances in which her information was accessed. (Doc. 1, Ex. A).
• KHN notified the Department of Health and Human Services of the incident. (Doc. 1, Ex. A).
2. Personal knowledge of KHN's "false claim" to the government
The HITECH ACT requires the implementation of "policies and procedures to prevent, detect, contain and correct security violations." 45 C.F.R. § 164.308(a)(1)(i). The Relator states that KHN implemented some "software" created by a company named EPIC, but she does not allege any additional details. (Doc. 4 at ¶¶ 6-7). Where, as here, "a relator alleges a 'complex and far-reaching fraudulent scheme,' in violation of [the FCA], it is insufficient to simply plead the scheme[s]; he must also identify a representative false claim that was actually submitted to the government." Chesbrough v. VPA P.C., 655 F.3d 461, 470 (6th Cir. 2011). While the Relator is not required to identify every false claim allegedly submitted for payment, she must identify with specificity examples that are illustrative of the class of all claims covered by the fraudulent scheme. Id. Relator has not alleged facts to support her claim that KHN's security policies and procedures are insufficient.
Relator is required to alleged facts such as: "(1) precisely what statements ... or what omissions were made, and (2) the time and place of each such statement and the person responsible for making (or in the case of omissions, not making) same, and (3) the content of such statements and the manner in which they misled the [government], and (4) what the defendants obtained as a consequence of the fraud." Sanderson v. HCA-The Healthcare Co., 447 F.3d 873, 877 (6th Cir. 2006).
Relator alleges that she has adequate knowledge of KHN's false claim because of her "own individual experiences" with her husband's alleged unauthorized access to her e-PHI. (Doc. 17 at 2). However, Relator's claim cannot be based on her husband's allegedly unauthorized access to her medical records, because the FCA is not concerned with any injury to a private party, including the Relator. The only wrongdoing that is actionable is a false claim made to the government in furtherance of receiving meaningful use money from the government. 31 U.S.C. § 3729(a)(1)(B) ("The FCA only imposes liability on a person who 'knowingly makes, uses, or causes to be made or used, a false record or statement to get a false or fraudulent claim' paid or approved by the Government."). As with all FCA claims, the government is the potential victim, not the relator. Clausen v. Lab. Corp. of Am., 290 F.3d 1301, 1313 n. 24 (11th Cir. 2002) (explaining that an FCA relator only acts on behalf of the "real victim, the Government."). Relator does not allege that she was an employee of KHN, and she has admitted that she has no first-hand knowledge of key information necessary to support her RCA claim. (Doc. 10 at 2). Therefore, the Relator's FCA claim fails as a matter of law.
While Realtor seeks to amend her complaint to identify various individuals whom she believes may have made the misrepresentations, the proposed SAC does not include any other factual detail to establish that she has actual knowledge that these individuals were involved in making the alleged misrepresentations.
3. Res Judicata
Finally, even if Relator's claim did not fail as a matter of law, it is barred by the doctrine of res judicata.
This is not the first lawsuit that Relator has brought based upon the same set of facts. Relator filed a similar action in the Court of Common Pleas, in Montgomery County, Ohio. Sheldon, et al v. Kettering Adventist HealthCare, et al., 2014-cv-3304 (Montgomery County C.C.P.). In that action, Relator brought several tort claims, all relating to her ex-husband's allegedly unauthorized access to her medical records. As in this case, Relator claimed that KHN: (1) wrongfully failed to run CLARITY reports; (2) violated the HITECH Act; and (3) improperly accepted Meaningful Use funds from the government. (Doc. 8, Ex. A at ¶¶ 15-17).
Judge O'Connell, of the Montgomery County Court of Common Pleas, recently dismissed Sheldon's state court action in its entirety, finding that the complaint failed to state a claim upon which relief could be granted. (Doc. 8, Ex. B).
"Where...federal and state actions have proceeded simultaneously, the first judgment entered must be regarded as res judicata for issues in the remaining case." Childs v. Van Wert Cnty., No. 91-3138, 1992 U.S. App. LEXIS 6297, at *13 (6th Cir. Mar. 30, 1992) ("Where...federal and state actions have proceeded simultaneously, the first judgment entered must be regarded as res judicata for issues in the remaining case."). The doctrine precludes not only re-litigating a claim previously adjudicated; but also, "litigating a claim or defense that should have been raised, but was not, in the prior suit." Mitchell v. Chapman, 343 F.3d 811, 819 (6th Cir. 2003).
The factual allegations in this case are nearly identical to those underlying the state court action, and, accordingly, Relator was required to bring her current claims as part of that earlier legal action. Therefore, because the Ohio court entered judgment first (see Sheldon v. Kettering Adventist Healthcare, Montgomery County, No. 2014cv3304 (Oct. 21, 2014)), Relator's federal court action, which is based upon and arises from the same set of facts, is barred by the doctrine of res judicata.
IV. CONCLUSION
Accordingly, for the reasons stated here:
(1) Relator's motion to amend (Doc. 14) is DENIED; and
(2) Defendant's motion to dismiss (Doc. 8) is GRANTED. The Clerk shall enter judgment accordingly, whereupon this case shall be CLOSED in this Court.
IT IS SO ORDERED. Date: 1/6/15
/s/ Timothy S. Black
Timothy S. Black
United States District Judge