In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., et al. (“Aerojet”), the United States District Court for the Eastern District of California refused to dismiss a False Claims Act (“FCA”) case predicated on a defense contractor’s failure to comply with U.S. government cybersecurity contract requirements. The case has significant implications for healthcare providers who, like defense contractors, operate in a heavily regulated area in which sensitive information is exchanged and the government establishes data and technology requirements. As such, Aerojet could have FCA implications for healthcare providers for non-compliance with health data requirements, such as those under the Centers for Medicare & Medicaid Services’ (CMS) Promoting Interoperability Program.

In Aerojet, the relator, Aerojet’s former Senior Director of Cyber Security, Controls and Compliance, alleged he was terminated soon after refusing to sign documents verifying that Aerojet was compliant with the government contract cybersecurity requirements. The relator further alleged that Aerojet knew that it was not compliant with the relevant standards, that it repeatedly misrepresented that it was compliant with those standards in communications with government officials, and that the government awarded Aerojet a contract based on these allegedly false and misleading statements.

In considering Aerojet’s motion to dismiss the action, the court began its analysis by recognizing that the relator had sufficiently alleged “implied false certification” and “promissory fraud” theories of liability under the FCA.

The implied false certification theory requires that a defendant make specific representations about the goods or services it is providing and that it fails to disclose noncompliance with material statutory, regulatory, or contractual requirements.

Promissory fraud is a broader theory of liability which holds a company liable for each claim submitted to the government under a contract originally obtained through false statements or fraudulent conduct.

Both theories require that the fraud be “material,” and Aerojet’s motion to dismiss was based on its contention that the relator did not sufficiently allege materiality.

In denying the motion to dismiss, the court recognized that Aerojet provided some disclosure of its noncompliance, but found that partial disclosure insufficient.  The court found that the nondisclosures, as alleged, actually understated the extent of Aerojet’s noncompliance and thus could be material for purposes of the FCA because the government may not have awarded Aerojet the contracts had the government known the extent of the nondisclosure. The court also found that the specific misrepresentations identified by the relator could have influenced the central purpose of Aerojet’s work under the contract, since “cybersecurity requirements could have affected [Aerojet’s] ability to handle technical information pertaining to missile defense and rocket engine technology.”  The court concluded that the complaint sufficiently alleged that the purported fraud was material.

The Implications for Healthcare Providers

The potential applicability of Aerojet to healthcare is readily apparent in the context of CMS’ Promoting Interoperability Program.  In 2011, CMS established the Medicare and Medicaid EHR Incentive Programs (now known as the Promoting Interoperability Program) to reportedly “encourage” clinicians, eligible hospitals, and critical access hospitals to adopt, implement, upgrade, and demonstrate meaningful use of certified electronic health record technology.

Beginning in 2019, all Medicare-eligible hospitals, dual-eligible hospitals, and critical access hospitals are required to use 2015 edition certified electronic health record technology and meet the new requirements outlined in the 2019 inpatient prospective payment system. Relatedly, CMS’ 2019 proposed rule, 84 Fed. Reg. 7610, which is intended to further its Promoting Interoperability Program, would expand Medicare conditions of participation to include a requirement that hospitals send electronic notifications when a patient is admitted, discharged, or transferred to another health care facility or to another community provider. In light of these health data and technology requirements, Aerojet raises the specter of potential FCA liability for providers who fail to meet these electronic record or electronic notification requirements but attest or represent otherwise to the government.

For more information or questions regarding this client alert, please contact:

Lee Arian