Kansas hospital pays $250K to settle charges it falsified EHR security risk assessment

The Department of Justice charged Coffey Health System with failing to conduct the risk analyses required by the Medicare and Medicaid EHR Incentive Programs.
By Nathan Eddy
12:27 PM

Coffey Health System, a 25-bed critical access hospital in Kansas, has agreed to pay a $250,000 settlement for alleged False Claims Act violations related to its meaningful use attestation.

Specifically, the U.S. Department of Justice charged that the hospital falsely attested that it had conducted the necessary security assessment to comply with the federal Electronic Health Records Incentive Program.

Back in 2012 and 2013 the hospital falsely claimed it had undergone the security analysis required to qualify for the meaningful use program, which was established in 2009 by the American Recovery and Reinvestment Act.

The health system was found to have submitted false claims to the Medicare and Medicaid Programs to obtain the payments granted by the incentive program.

The investigation was led by the U.S. Department of Health and Human Services' Office of the Inspector General and the United States Attorney’s Office for the District of Kansas.

As part of the settlement, Bashar Awad and Cynthia McKerrigan, who filed the lawsuit under the whistleblower provision of the False Claims Act, will receive about $50,000.

There has been a 50 percent increase in the exposure of medical-related data over the past year, according to a recent report from Digital Shadows, a San Francisco-based provider of digital risk protection solutions.

Earlier this year the HHS released a four-volume voluntary cybersecurity guidance resource for healthcare organizations, which was developed by a task force of more than 150 cybersecurity and healthcare experts.

The report listed the five most relevant and current threats to the industry as phishing, ransomware, loss or theft of equipment or data, insider accidental data loss, and attacks against digital health tools.

It’s all part of the department’s work to raise awareness and help implement the suggested cybersecurity practices across the healthcare industry.

"Providers who fail to properly ensure the security of electronic health records must be held accountable," said Steve Hanson, special agent in charge for the Kansas City Region of HHS OIG, in a statement.

"Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records," added U.S. Attorney Stephen McAllister in a statement. "This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209
