
    UNITED STATES of America ex rel. Vicki SHELDON, Relator-Appellant, v. KETTERING HEALTH NETWORK, Defendant-Appellee.
    No. 15-3075.
    United States Court of Appeals, Sixth Circuit.
    Argued: Oct. 8, 2015.
    Decided and Filed: March 7, 2016.
    
      ARGUED: Robert F. Croskery, Crosk-ery Law Offices, Cincinnati, Ohio, for Appellant. Natalie T. Furniss, Bricker & Eckler, LLP, Columbus, Ohio, for Appel-lee. ON BRIEF: Robert F. Croskery, Croskery Law Offices, Cincinnati, Ohio, for Appellant. Natalie T. Furniss, Anne Marie Sierra, Bricker & Eckler, LLP, Columbus, Ohio, for Appellee.
    Before: KEITH, CLAY, and WHITE, Circuit Judges.
   OPINION

CLAY, Circuit Judge.

Plaintiff Vicki Sheldon (“Relator,” in this qui tam action) appeals from the district court’s order, entered on January 6, 2015, denying her motion for leave to amend her complaint and granting Defendant Kettering Health Network’s (“KHN”) motion to dismiss. Relator .alleges that KHN violated the False Claims Act (“FCA”), 31 U.S.C. § 3729(a)(1), by falsely attesting to compliance with the Health Information Technology, for Economic and Clinical Health Act (hereinafter “HITECH Act” or “the Act”), Pub.L. No. 111-5, Title XIII, 123 Stat. 226 (2009), and by receiving “meaningful use” incentive payments as a result. The district court held that Relator’s complaint failed to state a plausible claim, and denied as futile Relator’s motion to amend. The district court held, in the alternative, that Relator’s claims were precluded by a prior Ohio state court judgment in a case involving similar claims filed by Relator against KHN.

For the reasons set forth below, we AFFIRM the. district court’s order granting KHN’s motion to dismiss and denying Relator’s motion to amend.

,BACKGROUND

On April 29, 2014, Relator brought a qui tam action under the False Claims Act, 31 U.S.C. § 3730(b), against KHN in federal court, alleging KHN falsely certified its compliance with certain provisions of the HITECH Act.

I. The HITECH Act

Enacted in' 2009, the HITECH Act was designed to encourage the adoption of sophisticated electronic health record (“EHR”) technology by health care providers. See, e.g., Vadim Schick, After HI-TECH: HIPAA Revisions Mandate Stronger Privacy and Security Safeguards, 37 J.C. & U.L: 403, 404 (2011). To that end, the Act creates incentive payments for eligible health care providers (“providers”)—i.e. individual hospitals and health care professionals—that, demonstrate “meaningful use” of certified EHR technology. .42 C.F.R. § 495.2; see also 42 U.S.C. §§ 1395w-4(o), 1395ww(n) (establishing diminishing schedule for incentive payments to encourage early adoption by eligible professionals and hospitals). Incentive payments are calculated using a formula that takes account of each individual provider's, volume of. patients. See, e.g., 42 C.F.R. §§ 495.102(a)(1) (eligible professionals), 495.104(c)(2) (hospitals).

As a condition tó réceipt of incentive payments, the Act requires providers to meet roughly 'two-dozen meaningful-use objectives and accompanying measures of compliance. 42 C.F.R. § 495.20;’ 42 U.S.C. §§ 1395w-4(o), 1395ww(n). Objectives and measures’ were released in- two stages; Stage 2, which went into effect on September 4, 2012, added additional objectives and measures to the requirements for compliance with the Act. See Electronic Health Record Incentive Program—Stage 2, 77 Fed.Reg. 53,968 (Sept. 4, 2012); 42 C.F.R. §§ 495.20(h)-(m). After Congress passed the Act) the Centers for Medicare and Medicaid Services (“CMS”), an agency of the Department of Health and Human Services, promulgated specific standards for meeting these objectives. See, e.g., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, 75 Fed.Reg. 44314-01 (July 28,2010).

The meaningful-use objective relevant here (hereinafter “the objective” or “security and privacy objective”) requires providers to “[pjrotect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” 42 C.F.R. §§ 495.20(d)(15)(i), (f)(14)(í), (j)(16)(i), (l)(15)(i) (establishing the same ’ security and privacy objective for different types of providers over different Stages of Act implementation). To meet the objective during Stage 1 of Act implementation, providers were required to “[cjonduct or review a security risk analysis in accordance with - the requirements under- 45 C.F.R. § 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of [their] risk management process.” Id. at §§ 495.20(d)(15)(ii), (f)(14)(ii). During Stage 2, providers are additionally required to “address[] the encryption/security-of data stored in Certified EHR Technology in accordance with requirements under” 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3). 42 C.F.R. §§ 495.6(j)(16)(ii), (l )(15)(ii). To receive incentive payments, individual providers must legally attest to meeting these standards. See id. at § 495.8. Attestation is required at intervals dependent upon the type of provider, the “EHR Incentive Program” chosen (Medicare or Medicaid), and the reporting year. See id. at § 495.4.

Both Stage 1 and Stage 2 measures for the security and privacy objective require providers to comply with 45 C.F.R. § 164.308(a)(1), which contains security and privacy standards established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Subsection (a)(1) requires health care providers to “[ijmplement policies and procedures to prevent, detect, contain,' and correct security violations.” Specifically, the subsection requires providers to:

(A) ... Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and. availability of electronic protected health information held by the covered entity or business associate.
(B) ... Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
(C) ... Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
(D) ... Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Id. at (a)(1)(h).

Stage 2 measures.for the objective require providers to comply with two additional HIPAA regulations—45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3)—that also contain security standards. 42 C.F.R. §§ 495.6(j)(l6)(ii), (l)(15)(ii). The first standard, § 164.312(a)(2)(iv), requires providers to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” The second standard, § 164.306(d)(3), requires providers to implement such a mechanism if “reasonable and appropriate,” and if not, to document why and implement “an equivalent alternative measure.”

II. Relator’s first amended complaint

According to Relator’s first amended complaint, Defendant KHN is a network of hospitals, medical facilities, and physicians that provide medical services. “[Djuring the past several years,” the complaint asserts, KHN certified to the United States that it implemented a system of protecting electronic protected health information (“e-PHI”) in accordance with HITECH Act requirements, and it received meaningful-use payments as a result. (R. 4 at ¶ 5.) KHN would submit this certification to the government by “checking Yes’ to the question -‘Did you conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its [sic] risk management processes.’”. (Id. at ¶25.)

Relator alleges, however, that KHN’s attestations of compliance under the Act were false. This allegation stems from two letters she received from KHN informing her that its employees had impermissibly accessed her e-PHI. These letters, which were attached to Relator’s original complaint, state that based on its own internal investigation, KHN discovered Relator’s e-PHI had been accessed on several occasions by Relator’s (now former) husband, Duane Sheldon, and others. Relator’s complaint asserts that while Duane Sheldon was serving as a director for KHN, he began an affair with a subordinate employee, and together they accessed Relator’s e-PHI in furtherance-of that affair. The letters Relator received from KHN also state that (1) “these- instances of access are inappropriate/unauthorized and in violation of [KHN] policy and procedure, as well as law,” (2) KHN was investigating these instances of access “as a breach under the [HITECH Act],” and (3) KHN would be notifying the United States Department of Health and Human Services of the breaches. (R. 1-1, Pg ID # 10-13.)

After Relator learned her e-PHI had been impermissibly accessed, she requested (through counsel) that KHN provide her with specific e-PHI access reports generated by a software system called “EPIC.” Relator asserts that KHN bought and implemented the EPIC software system sometime before her e-PHI was breached. The complaint states that when properly utilized, the -EPIC system helps KHN to “maintain!] electronic health information,” and allows approved persons to access medical information while protecting such information from unapproved access. (R. 4 at ¶ 7.) With EPIC, health care providers can run a comprehensive series of reports,. known as “CLARITY” reports, which help providers monitor improper access to e-PHI. Relator, .who apparently has .some personal familiarity with the -EPIC - software, lists several of these -reports by name in her complaint and asserts that EPIC’s training materials suggest providers run such reports on a regular basis to safeguard against unauthorized access to e-PHI.

Relator states that when she asked for specific CLARITY reports by name, KHN refused to provide them. Instead, KHN provided her with a series of “homegrown” reports that contained inconsistent information regarding the users who had im-permissibly accessed Relator’s e-PHI. At some point, Relator discovered that her daughter and grandson’s e-PHI had also been inappropriately accessed, arid that their medical billing information had béen manipulated. Finally, Relator alleges that an employee who reported to Duane Sheldon routinely ran an “expired medication report” containing the e-PHI of Relator and numerous other patients. According to Relator, there was no reason for this employee to run that report, and the report sat on an unmonitored printer for hours.

Based on these facts, the complaint avers that KHN’s attestation of compliance with the HITECH Act’s security and privacy objective was false.

III. Subsequent procedural history

On June 4, 2014, while her federal complaint was still under seal pending possible government intervention,' Relator filed a second suit against KHN'iri the Court of Common Pleas for Montgomery County, Ohio. In this suit; Relator was joined by her daughter Haley Dercola and grandson Tucker Dercola as plaintiffs, and together they alleged state torts arising from the same breach of Relator’s and co-plaintiffs’ electronic health records. They also alleged violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq., and the Fair Debt Collection Practices Act, 15 U.S.C. § 1692, et seq., stemming from KHN’s alleged mishándling of bills accumulated during Haley Dercola’s hospitalization while giving birth to Tucker.

* On August 29, 2014, the United States filed a notice of election to decline intervention in Relator’s qui tarn action in federal court. That same day, the district court ordered the complaint be unsealed.

On October 21, 2014, the Montgomery County Court of Common Pleas dismissed Relator’s state action in its entirety for “failure to state a claim upon which relief can be- granted.” Sheldon v. Kettering Adventist Healthcare, 2014 CV 03304, at *3, 2014 WL 10585679, at *2 (Montgomery Cty.Ct.Com.Pl.2014). -The court based its dismissal on the fact that (1) “Every allegation related to Plaintiff’s tort claims in the ‘facts’ section of the complaint revolves around KHN’s alleged failure to run certain ‘Clarity reports,’ which Plaintiffs alleged were required of KHN under HI-PAA;” and (2) “HIPAA does not allow private causes of action, according to Ohio law.” Id. Plaintiffs appealed that decision to the Court of Appeals of Ohio.

On November 12, 2014, KHN filed a motion to dismiss in the federal case arguing: (1) Relator had failed to state a claim under the heightened pleading standards applicable to FCA claims, and (2) the Ohio state court’s, dismissal,of,Relator’s state case was res judicata, and Relator’s federal claim was therefore precluded., On. December 12, 2014, Relator filed a motion to amend her complaint, attaching a proposed amended complaint that Relator argued “cures any perceived defects in insufficient particularity.” (R. 14, Pg ID # 326.)

Relator’s proposed second amended complaint alleged that KHN’s breaches affected not only Realtor and her family members, but also dozens of other people whose e-PHI was mistakenly shared with Relator. The proposed complaint further stated that to obtain meaniñgful-use money from the federal government, KHN certified its compliance with the HITECH Act on a- yearly basis, and that such certification was required in 2011, 2012, and 2013, Finally,, the proposed complaint listed four •KHN employees that Relator claimed “participated” in KHN’s false certification of HITECH Act compliance.

On January 6, 2015, the district court issued an order denying Relator’s motion to amend and granting KHN’s motion to dismiss under Rule 12(b)(6). The district court held that Relator failed to plead her claims with sufficient particularity because she had not alleged a specific false claim by KHN, and because she failed to plausibly plead that KHN did not meet the HITECH Act’s standards. The court further held that because Relator’s proposed amended complaint failed to cure these deficiencies, granting her leave to amend would be futile. Finally, as an alternative basis for its decision, the district court noted that the factual allegations in Relator’s federal case “are nearly idéntica! to those underlying the state court action,” and therefore Relator’s claims were barred by the doctrine of res judicata. (R. 19, Pg ID # 387.) .Relator timely appealed.. .

On August 14, 2015, the Court of Appeals of Ohio rendered its decision on Relator’s state action. Sheldon v. Kettering Health Network, 40 N.E.3d 661 (Ohio Ct. App.2015). The court affirmed the dismissal of Relator’s state case and reiterated that her claims “stemmed from KHN’s alleged failure to protect the privacy of the plaintiffs’ electronic medical information and the improper accessing and disclosure of that information by KHN administrator Duane Sheldon, the former spouse of Vicki Sheldon.” Id. át 664. On September 25, 2015, Relator appealed that decision to the Ohio Supreme Court. That appeal is currently pending.

DISCUSSION

I. Standard of Review

We review de novo a district court’s dismissal of a suit pursuant to Rule 12(b)(6). Riverview Health Inst. LLC v. Med. Mut. of Ohio, 601 F.3d 505, 512 (6th Cir.2010). A district court’s order denying a Rule 15(a) motion to amend is typically reviewed for abuse of discretion. Rose v. Hartford Underwriters Ins. Co., 203 F.3d 417, 420 (6th Cir.2000). However, where the district court denies leave to amend because the complaint as amended would not withstand a motion to dismiss under Rule 12(b)(6), that denial is reviewed de novo. Seaton v. TripAdvisor LLC, 728 F.3d 592, 596 (6th Cir.2013) (discussing standard for denial of leave to amend for “futility”). Likewise, we review de novo a district court’s application of the doctrine of res judicata. Bragg v. Flint Bd. of Educ., 570 F.3d 775, 776 (6th Cir.2009).

II. Analysis

A. Pleading standards urider the False Claims Act

The False Claims Act imposes liability on any person who “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or - fraudulent claim.” 31 U.S.C. § 3729(a)(1)(B); see also id. at § 3730(b) (“A person may bring a civil action for a violation of - section 3729”). As with all claims, plaintiffs alleging violations of the FCA must plead- sufficient facts that, when taken as true, “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (internal quotation marks omitted). “The.district court must construe the complaint - in a light most favorable to the plaintiff, accept all of, the factual allegations as true, and determine whether the plaintiff undoubtedly can prove no set of facts in support of his claims that would entitle him to relief.” Columbia Nat. Res., Inc. v. Tatum, 58 F.3d 1101, 1109 (6th Cir.1995),

In addition, “[cjomplaints alleging FCA violations must comply with Rule 9(b)’s requirement, that fraud be pled with particularity.” Chesbrough v. VPA, P.C., 655 F.3d 461, 466 (6th Cir.2011). Under Rule 9(b), a party alleging fraud or mistake “must state with particularity the circumstances constituting fraud or mistake.” Fed.R.Civ.P. 9(b); see also U.S. ex rel. SNAPP, Inc. v. Ford Motor Co., 532 F.3d 496, 505 (6th Cir.2008) (“SNAPP I”) (noting the “knowledge” element of FCA claims “does not need to be pled with particularity”). Specifically, a plaintiff must “allege the time, place, and content of the alleged misrepresentation ... the fraudulent scheme; the fraudulent intent of the defendants; and the injury resulting from the fraud.” U.S. ex rel. Bledsoe v. Cmty. Health Sys., Inc., 342 F.3d 634, 643 (6th Cir.2003) (“Bledsoe I”) (quoting Coffey v. Foamex L.P., 2 F.3d 157, 161-62 (6th Cir.1993)).

Importantly, Rule 9 should not be read to “reintroduce formalities to pleading.” U.S. ex rel. Bledsoe v. Cmty. Health Sys., Inc., 501 F.3d 493, 503 (6th Cir.2007) (“Bledsoe II ”); see also SNAPP I, 532 F.3d at 503-04 (noting -Rule 9’s heightened pleading standards “should not be read to defeat the general policy of ‘simplicity and flexibility in pleadings contemplated by the Federal Rules”). A complaint sufficiently pleads the time, place, and content of the alleged misrepresentation so long as it “ensure[s] that [the] defendant possesses sufficient information to respond to an allegation of fraud;” providing the defendant with sufficient information to respond is Rule 9’s “overarching purpose.” SNAPP I, 532 F.3d at 504.

B. Application to Relator’s amended and proposed amended complaints

To state a claim under the FCA, the plaintiff must sufficiently plead:

[1] that the defendant [made] a false statement or create[d] a false record [2] with actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsityof the information; [3] that the defendant ... submitted a claim for payment to the federal government; ..-. and [4] that the false statement- or record [was] material to the Government’s decision to make the payment sought in the defendant’s claim.

U.S. ex rel. SNAPP, Inc. v. Ford Motor Co., 618 F.3d 505, 509 (6th Cir.2010) (“SNAlPP II”). In dismissing Relator’s suit pursuant to Rule 12(b)(6), the district court identified two deficiencies in the amended and proposed amended complaints—rnamely, failure to plead facts sufficient to plausibly establish the [1], false statement and [3] claim for payment elements above. These deficiencies are addressed in turn.

1. Relator failed to plausibly allege that KHN’s attestation of HITECH Act compliance was false

The FCA requires relators to establish “that the defendant [made] a false statement or create[d] a false record.” SNAPP II, 618 F.3d at 509. We have held that “[w]hen a claim [for payment] expressly states that it complies with a particular statute, regulation, or contractual term that is a prerequisite for payment, failure to actually comply” satisfies this element. See Chesbrough, 655 F.3d at 467 (citing Mikes v. Straus, 274 F.3d 687, 697-99 (2d Cir.2001)). This theory of liability under the FCA is referred to as “false certification,” Id.

As noted above, a relator’s pleadings of false certification must “contain[] ‘enough facts to state a claim to relief that is plausible on its face.’ ” Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). “Plausibility is not the same as probability, but rather ‘asks -for more than a sheer possibility that a defendant has acted unlawfully.’ ” Ctr. for Bio-Ethical Reform, Inc. v. Napolitano, 648 F.3d 365, 369 (6th Cir.2011) (“CBER”) (quoting Iqbal, 556 U.S. at 678, 129 S.Ct. 1937). And “[although a court must construe a complaint’s allegations in favor of the plaintiff, ... and must accept all factual allegations as true, ... the court need hot accept legal conclusions or unwarranted factual inferences.” Debevec v. Gen. Elec. Co., 121 F.3d 707, 1997 WL 461486, at *2 (6th Cir.1997) (table) (internal citations omitted).

In this case, Relator alleges that KHN falsely certified its compliance with the HITECH Act’s requirements, and that KHN received meaningful-use incentive payments as a result. Tfiis allegation.is premised on two conclusions drawn from the facts outlined in her complaint: first, that the individual breaches alleged in the complaint either constitute violations of the Act in themselves or suggest KHN failed to implement security policies and procedures; and second, that KHN’s failure to run CLARITY reports on a regular basis constituted a breach of its duties under the Act. Because these conclusions are either facially implausible or based on incorrect conclusions of law, we affirm the district court’s dismissal of Relator’s suit pursuant to Rule 12(b)(6).

i. KHN’s alleged breaches of Relator’s e-PHI

Relator’s complaint alleges KHN’s individual breaches, by themselves, constituted violations of the Act. Specifically, Relator argues: (1) KHN’s letters alerting Relator to breaches of her e-PHI contained or constituted an admission that KHN violated the HITECH Act; and (2) the impermissible running of the “expired medication report” constituted, in itself, a breach of KHN’s duties under the HI-TECH Act: Relator , also argues that when taken together,' these individual- breaches suggest an absence of necessary policies or procedures.

To begin, Relator’s claim that KHN’s individual breaches each constituted a violation of the HITECH Act is an incorrect conclusion of law. The Act’s implementing regulations require providers to “[c]onduct or review a security risk analysis,” “implement security updates as necessary,” and “correct identified security deficiencies.” See, e.g., 42 C.F.R. §§ 495.6(d)(15)(ii), (f)(14)(ii). This language indicates that compliance is premised on the process of analyzing and reviewing security policies and procedures; attestation of compliance is not rendered false by virtue of individual breaches. See-id. Indeed, materials distributed by CMS discussing compliance with the objective - state that providers need not “fully mitigate all risks” of e-PHI breaches before attesting to Act compliance. See CMS, Security Risk Analysis Tipsheet: Protecting Patients’ Health Information 5 (Revised- Dec. 2013), https:// www.cms.gov/Regulations-and-Guidance/ Legislation/EHRIncentivePrograms/ Downloads/SecurityRiskAssessment_Fact Sheet_Updated20131122.pdf. . Instead, “[t]he EHR incentive program, requires correcting any deficiencies [in security] (identified during the risk analysis)....” Id.

Similarly, 45 C.F.R. § 164.308(a)(1) requires health care providers to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” The more detailed regulations contained in subsection (a)(1)(h) likewise indicate, that individual breaches do not negate compliance: those regulations state that risks should be reduced to a “reasonable and appropriate level,” and that providers should “[a]pply appropriate' sanctions against” employees who violate security policies. Id. This language plainly contemplates occasional breaches of e-PHI. Thus, as KHN aptly states, “[t]he regulations ... do not impose a strict liability standard that requires hospitals to prevent all privacy breaches.” (Def.’s Br. at 11.)

For these reasons, KHN’s admissions that Relator’s e-PHI was improperly accessed could not, by themselves, render “false” any of KHN’s attestations of Act compliance. The same holds true for the impermissible running of the “expired medication report.” See CBER, 648 F.3d at 369 (“[T]he general rule that the court must accept as true all allegations in the complaint ‘is inapplicable to legal conclusions.’” (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955)).

Relator’s complaint also states that these individual breaches, taken together, indicate a lack of policies and procedures. Her proposed amended complaint adds no new facts to support this claim. Assuming occasional breaches of e-PHI can support a reasonable inference that security policies and -procedures do not exist, Relator’s allegations fail to support such an inference. See id. (“A claim is plausible on its face if the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” (emphasis added) (internal quotation marks omitted)).

Relator’s own allegations, which we must accept as true, indicate that KHN did have policies and procedures in place. Those allegations assert that “[KHN] revealed that there had been a breach of Relator Vicki Sheldon’s private electronic health records” in the two letters she attached to her complaint. (R. 4 at ¶ 16.) Notably, these letters state that the breaches of Relator’s e-PHI were “inappropriate/unauthorized and in violation of [KHN] policy arid procedure,” that KHN conducted an investigation, and that it would be notifying HHS of the breach. (R. 1-1, Pg ID # 10, 12.) Even assuming, however, that these statements are not true, that Relator even received such letters indicates that KHN has some procedure in .place for detecting unauthorized access to e-PHI, as well as a policy of investigating such unauthorized access and notifying patients whose information was breached.

For these reasons, we agree with the district court’s conclusion that Relator’s allegations that KHN lacked the requisite policies and procedures are not facially plausible. U.S. ex rel. Sheldon v. Kettering Health Network, No. 1:14-CV-345, 2015 WL 74950, at *5-6 (S.D.Ohio Jan. 6, 2015).

ii. KHN’s alleged failure to run CLARITY, reports on a regular basis

In support of her claim that KHN falsely attested to HITECH Act compliance, Relator relies on the following chain of inference: first, 'KHN’s failure/refusal to provide Relator with CLARITY reports when asked indicated that it had not run them; second, KHN’s failure to run CLARITY reports indicated that it “had failed to follow the usual, steps and standards in the industry to protect medical information” (R. 4 at ¶ 16); and third, failing to follow industry standards by running CLARITY reports on a regular basis constituted a breach of KHN’s duties under the HITECH Act. Relator’s proposed amended complaint does nothing to bolster this chain of inference or the facts supporting it; the amended complaint merely adds the conclusory allegation that “failure to use and run [CLARITY] reports and review them for violations indicates that a provider has failed-,to implement policies and procedures for protecting patient private health information.” (R, 1.4-1 ,at ¶10.)

Even assuming the cogency of the first two links in Relator’s inferential chain, the final link is an incorrect conclusion of law. As we stated above, HITECH Act compliance is premised on the process of- conducting security risk analyses and correcting any security deficiencies located thereby, see. 42 C.F.R. §§ 495.6(d)(15)(ii), (f)(14)(ii), as well as implementing appropriate policies and procedures. 45 C.F.R. § 164.308(a)(1). Neither the Act nor the HIPAA regulations to which it refers require that providers adhere to a particular schedule for running reports, or to purchase and use a particular brand of EHR software. See id. In sum, we agree with the district court’s conclusion that “[t]he HITECH Act requires hospitals to implement a system to. protect e-PHI; it does not require covered entities to use a particular e-PHI product.or vendor or to run a specific type of monitoring report.” U.S. ex rel. Sheldon v. Kettering Health Network, No. 1:14-CV-345, 2015 WL 74950, at *4 (S.D.Ohio Jan. 6,2015).

Because' Relator’s claim that KHN’s attestation of HITECH Act compliance was false is based either on implausible inferences or incorrect conclusions of law, we conclude that Relator failed .to .adequately plead the “false statement” element of her FCA claim. See SNAPP II, 618 F.3d at 509.

2. Relator failed to plead a specific claim for payment

The FCA requires relators to establish “that the defendant ... submitted .a claim for payment to the federal government.” SNAPP II, 618 F.3d at 509-In this Circuit, there is ,-“[a], dear and unequivocal requirement that a relator allege specific false claims” when pleading a violation of the FCA. Bledsoe II, 501 F.3d at 504. This requirement derives from the fact that “the [FCA] statute attaches liability, not to the underlying fraudulent activity or to the government’s wrongful payment, but to the ‘claim for payment.’” Sanderson v. HCA-The Healthcare Co., 447 F.3d 873, 877-78 (6th Cir.2006) (quoting United Stales v. Rivera, 55 F.3d 703, 709 (1st Cir.1995)); see also U.S. ex rel. Clausen v. Lab. Corp. of Am., 290 F.3d 1301, 1311 (11th Cir.2002) (“The submission of a claim is thus not .... a ‘ministerial act,’ but the sine qua non of a- False Claims Act violation.”).

In SNAPP I, for example, the relator alleged that the defendant received, between 1991 and 2001, an undetermined number of government contracts based on fraudulent misrepresentations made in reports filed annually with the federal government. 532 F.3d at 506. The relator also alleged the approximate value of those contracts. Id. Despite pleading these details with specificity, id., we affirmed dismissal of the relator’s complaint because the relator had “not complied with Bledsoe IPs mandate that ‘[i]n order for a relator to proceed' to discovery on a fraudulent scheme,’ it must plead with specificity ‘characteristic example[s]’ that are ‘illustrative of [the] class’ of all claims covered by the fraudulent scheme.” Id. (quoting Bledsoe II, 501 F.3d at 510-11); see also Sanderson, 447 F.3d at 877 (“Rule 9(b) ‘does not permit a False Claims Act plaintiff merely to describe a private scheme in detail but then to allege' simply ... that claims requesting illegal payments must have been submitted, were likely submitted or should have been submitted to the Government.’ ”).

This case is on all fours with SNAPP I. At its most specific, Relator’s complaint alleges that KHN “falsely certified to the United States Government that it had complied with the HITECH Act to collect ‘Meaningful Use’ monies” (R. 4 at ¶25) in an amount “believed to exceed $75,000,000.00.” (Id. at ¶27.) Nowhere, however, does the complaint allege a specific false claim for payment. Although Relator asserts KHN received government money “as a result” of false certification, this equates to an allegation that claims “must have been submitted” at some point—allegations explicitly held insufficient in Sanderson, 447 F.3d at 877. Thus, the district court was correct in dismissing Relator’s complaint for, inter alia, failing to “identify with specificity examples that are illustrative of the class of all claims covered by the fraudulent scheme.” U.S. ex rel. Sheldon v. Kettering Health Network, No. 1:14-CV-345, 2015 WL 74950, at *6 (S.D.Ohio 2015).

. The additional facts in Relator’s proposed amended complaint likewise fail to meet the FCA’s heightened pleading standards. The additional facts relevant here allege that KHN falsely attested to its compliance with the HITECH Act on an annual basis, and that certification was “required- ... -in 2011, 2012, and 2013.” (R. 14-1 at ¶ 23, Pg ID # 332.) Even with these additional facts, however, Relator’s pleadings are insufficient under this Court’s holding in SNAPP I because she fails to allege a characteristic example of a false claim for payment. The Act’s implementing regulations establish that attestation is provider-specific: incentive payments are calculated, in part, using the volume of patients that a particular hospital or professional treated during the reporting year. See 42 C.F.R. §§ 495.102(a)(1) (eligible professionals), 495.104(c)(2) (hospitals). CMS materials likewise suggest that meeting the security and privacy objective requires review of the “physical safeguards”'and security protocols at each individual provider’s “facility and other places where patient data is accessed.” See CMS, Security Risk Anal ysis Tipsheet: Protecting Patients’ Health Information 4 (Revised Dec. 2013), supra.

Relator’s proposed amended complaintl states that KHN is “a network of hospitals, medical facilities and physicians” (R. 14-1 at ¶ 4), and that KHN “serves as the records custodian for many doctors and physicians” (id. at ¶ 25), but it fails to name a single hospital or professional in KHN’s network for whom attestation was rendered “false” by virtue of KHN’s allegedly deficient security protocols. Relator’s allegations might create an inference that security flaws affected all providers in KHN’s network. But’ this amoünts to an allegation of a broader fraudulent scheme. Under our holding in SNAPP I, “[i]n order for a relator to proceed to discovery on a fraudulent scheme, it must plead with specificity characteristic example[s] that are illustrative of [the] class of all claims covered by the fraudulent scheme.” 532 F.3d at 506 (internal quotation marks omitted). Merely implying that attestations “múst have been submitted” by certain unnamed providers in the KHN network does not satisfy Rule 9(b). See id. (quoting Sanderson, 447 F.3d at 877).

Relator argues on appeal that she has sufficient “first-hand knowledge” of KHN’S false claims to satisfy Rule 9(b)’s heightened pleading standards. (Pl.’s Reply Br. at 13-16.) This argument is similar to one made by the relators in Chesbrough, 655 F.3d at 471. In that case, the relators cited footnote 12 in Bledsoe II, 501 F.3d at 504, for the proposition that:

the, requirement that a relator identify an actual false claim may be relaxed when, even though the relator is unable to produce an actual billing or invoice, he or she has pled facts which support a strong inference that a claim was submitted. Such an inference may arise when the relator has “personal knowledge that the claims were submitted by Defendants ... for payment.”

Id. In holding that a “relaxed” standard— to the extent it even exists in this .Circuit—was not applicable in that case, we observed that, cases applying a relaxed standard involved relators with “personal knowledge” that was based either on working in the defendants’ billing departments, or on discussions with, employees directly responsible, for submitting claims to the government. Id. at 471-72 (distinguishing Hill v. Morehouse Med. Assocs., Inc., 2003 WL 22019936 (11th Cir. August 15, 2003) (unpublished); United States v. R & F Prop. of Lake Cty., Inc., 433 F.3d 1349 (11th Cir,2005); U.S. ex rel. Lane v. Murfreesboro Dermatology Clinic, PLC, 2010 WL 1926131 (E.D.Tenn. May 12, 2010)); see also U.S. ex rel. Marlar v. BWXT Y-12, L.L.C., 525 F.3d 439, 446 (6th Cir.2008) (declining to apply Bledsoe II’s “relaxed standard”).

As in Chesbrough, we need not decide whether a relaxed standard exists in this Circuit because Relator lacks the “personal knowledge” necessary to qualify. Although Relator has some personal knowledge regarding the nature of the alleged fraudulent certification—specifically, knowledge of EPIC software and KHN’s alleged failure to use that software effectively—such knowledge is not relevant to specific claims analysis. Relator does not claim that she worked in KHN’s security or billing departments, or that she ever spoke with those directly responsible for HITECH Act certification. And although her relationship’ with a KHN employee likely provided her with additional insight into KHN’s policies and procedures, Relator never alleges that this relationship gave her the sort of “personal knowledge” found in cases applying a relaxed standard. See Chesbrough, 655 F.3d at 471-72. Thus, Relator lacks the personal knowledge necessary to “support a strong inference—rather than simply a possibility— that a false claim was presented to the government.” Id. at 472.

( For these reasons, Relator’s complaint and proposed amended complaint fail to satisfy the “clear and unequivocal requirement that a relator allege specific false claims” when pleading a violation of the FCA. Bledsoe II, 501 F.3d at 504. This deficiency, combined with Relator’s failure to adequately plead a false claim, leads us to conclude that neither of Relator’s complaints “contain[s] sufficient factual matter, accepted as true, to ‘state a claim to relief thát is plausible on its face.’ ” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955); see also In re Omnicare, Inc. Sec. Litig., 769 F.3d 455, 469 (6th Cir.2014) (noting Twom-bly’s plausibility requirement applies “to each element of the cause of action”),

C. Res judicata

Although we ultimately agree with the district court’s determination that Relator’s complaint fails to state a claim, we note that even had we felt differently, Relator’s claims would likely be barred under the doctrine of res judicata. Thus, like the district court below, we conclude that res judicata provides an alternative basis for dismissing Relator’s complaint.

Under the doctrine of res judicata, “a final judgment on the merits bars further claims by parties or their privies based on the same cause of action.” Montana v. United States, 440 U.S. 147, 153, 99 S.Ct. 970, 59 L.Ed.2d 210 (1979) (citations omitted). When evaluating whether a state-court judgment bars further claims in a federal forum, “[fjederal courts must give the same preclusive effect to a state-court judgment as that judgment receives in the rendering state.” Abbott v. Michigan, 474 F.3d 324, 330 (6th Cir.2007) (citing 28 U.S.C. § 1738). Thus, because KHN argues that the Ohio state court’s decision precludes Relator’s federal action, 'we analyze the preclusive effect of that decision under Ohio law.

In Grava v. Parkman Township, 73 Ohio St.3d 379, 653 N.E.2d 226, 229 (1995), the Ohio Supreme Court held that “[a] valid, final judgment rendered upon the merits bars all subsequent actions based upon any claim arising out of the transaction or occurrence that was the subject matter of the previous action.” The court explained':

When a valid and final judgment rendered in an action extinguishes the plaintiffs claim pursuant to the rules of merger or bar ..., the ' claim extinguished includes all rights of the plaintiff to remedies against the defendant with respect to all or any part of the transaction, or series of connected transactions, out of which the action arose.

Id. (alteration in original) (quoting Restatement (Second) of Judgments § 24(1) (Am. Law Inst.1982)).

In Hapgood v. City of Warren, 127 F.3d 490 (6th Cir.1997), we distilled Gram’s holding into a four-element test for establishing res judicata under Ohio law. There must be:

(1) a prior final, valid decision on the merits by a court of competent jurisdiction; (2) a second action involving the same parties, or their privies, as the first; (3) a second action raising claims that were or could have been litigated in the first action; and (4) a second action arising out of the transaction or occurrence that was the subject matter of the previous action.

Id. at 493; see also Ohio ex rel. Boggs v. City of Cleveland, 655 F.3d 516, 520 (6th Cir.2011) (“The party asserting' the defense bears the burden of proof.”). These elements are addressed in turn.

1. Final decision on the merits

Under Ohio law, “a dismissal grounded on a complaint’s failure to state a claim upon which relief can be granted constitutes ... an adjudication on the merits. As a result, res judicata bars refiling the claim.” State ex rel. Arcadia Acres v. Ohio Dep’t of Job & Family Servs., 123 Ohio St.3d 54, 914 N.E.2d 170, 174 (2009) (internal quotation marks omitted) (citing Ohio Civ. R. 41(B)). Here, the Montgomery County Court of Common Pleas dismissed Relator’s state action in its entirety for “failure to state a claim upon which relief can be granted.” Sheldon v. Kettering Adventist Healthcare, 2014 CV 03304, at *3, 2014 WL 10585679, at *2 (Montgomery Cty.Ct.Com.Pl.2014).

Relator argues that this decision was not “final” because her state case involves “new law that is still under review by an appellate Court, and, most probably, is on its way to the Ohio Supreme Court however decided.” (Pl.’s Reply Br. at 10.) We addressed a similar argument in Hapgood. See 127 F.3d at 494 n. 3. In Hapgood, a federal district court granted the defendant summary judgment on the ground of res judicata while the plaintiffs case in Ohio state court was on appeal. Id. Nonetheless, we concluded that “[t]he pendency of an appeal ... does not prohibit application of claim preclusion. The prior state court judgment remains ‘final’ for preclusion purposes, unless or until overturned by the appellate court.” Id. (citing Cully v. Lutheran Med. Ctr., 37 Ohio App.3d 64, 523 N.E.2d 531, 532 (1987)).

As with Hapgood, the fact that Relator’s state claims were on appeal when the federal district court entered its judgment does not affect the analysis under res judicata. Thus, the “final decision on the merits” element is met in this case. '

2. Second action involving the same parties

In Ohio, application of res judicata requires the parties to the first action be identical to, or privies with, those in the second (precluded) action. Johnson’s Island, Inc. v. Danbury Twp. Bd. of Trs., 69 Ohio St.2d 241, 431 N.E.2d 672, 675 (1982). Ohio courts “have applied a broad definition to determine whether the relationship between the parties is close enough to invoke the doctrine” of res judicata. Kirkhart v. Keiper, 101 Ohio St.3d 377, 805 N.E.2d 1089, 1092 (2004). “Thus, a mutuality of interest, including an identity of desired result, may create privity.”' Id. (internal quotation marks omitted). 'In this case, both the Ohio and federal actions involve Relator as plaintiff and KHN as defendant. Moreover, because the Ohio court entered judgment in Relator’s state action before the federal district court, the federal case became the second action for res judicata purposes.

'.Relator'appears to argue that the parties in her federal and state cases are different because the state case “has two additional parties (Plaintiff Vicki Sheldon’s daughter and her grandson)....” (See Pl.’s Br. at 12.) The relevant inquiry for this element, however, is whether the plaintiff and defendant in the precluded action were opposing, parties in the first action; the presence of additional plaintiffs does not affect the analysis. See, e.g., Awad v. Chrysler Grp. LLC, No. 11-14082, 2013 WL 5816505, at *7 (E.D.Mich. Oct. 29, 2013) (“There can be no question that Chrysler was a defendant in both actions. That Chrysler is the only defendant" in the subsequent federal court action does riot alter the analysis.”); Ray v. Citibank, N.A., No. 256322, 2005 WL 3179677, at *2 (Mich.Ct.App. Nov. 29, 2005) (“It is also undisputed that plaintiff and' defendant were opposing parties in the federal action. Under federal law, it is immaterial for res judicata purposes that the prior action included additional parties.”). Even if this were not the case, the “mutuality of interest, including an identity of desired result” between the parties in Relator’s federal and state actions, would be. sufficient to satisfy this element. Kirkhart, 805 N.E.2d at 1092.

Relator also argues that because res judicata applies only , to “subsequent” actions, this element is not met because her federal case was the first action filed. This misstates the rule: - the relevant inquiry for res judicata is which action resulted in judgment first, not which- action was filed first. See, e.g., Lesher v. Lavrich, 784 F.2d 193, 195 (6th Cir.1986) (“[Federal courts must give prior state court judgments the same preclusive effect they would have in the courts of that state.” (emphasis added)). Thus, because the Ohio state court issued- its final judgment first, despite being the second action filed, Relator’s federal case is the “second” or “subsequent” action for res judicata purposes.

For these reasons, the second element of res judicata is met in this case.

3. The second action arises from claims that were or could have been litigated in the first action

To apply res judicata in Ohio, it must be true that the claims in the precluded action “could have been litigated in the first action.” Hapgood, 127 F.3d at 493. As the “could have” phrasing implies, this element concerns only the legal possibility of bringing the disputed claims in the previous action. See Hapgood, 127 F.3d at 494; see also Boggs, 655 F.3d at 522-23 (holding res judicata not applicable where disputed claims were not ripe when previous action commenced); Demsey v. Demsey, 488 Fed.Appx. 1, 5-6 (6th Cir.2012) (emphasizing that the disputed claims “could have been” raised in the previous action); Doe ex rel. Doe v. Jackson Local Sch. Dist., 422 Fed. Appx. 497, 501 (6th Cir.2011) (holding plaintiff could have litigated disputed claim in previous action where state’s rules of civil procedure allowed such claims).

In this case, because the Ohio state court action was the first to reach a final adjudication on the merits, the question is whether Relator could have raised her FCA claim in that action. Below, the district court assumed that state courts have concurrent jurisdiction over FCA claims. See generally U.S. ex rel. Sheldon v. Kettering Health Network, No. 1:14-CV-345, 2015 WL 74950, at *6-7 (S.D.Ohio Jan. 6, 2015). Plaintiff did not challenge this assumption in the district court and concedes the point on appeal. (See Pl.’s Reply Br. at 11 (“concurrent jurisdiction is present”).) In a recent case involving similar circumstances, we assumed without deciding that state courts do possess concurrent jurisdiction over FCA claims. See United States v. Chrysler Grp., LLC, 571 Fed.Appx. 366, 369 (6th Cir.2014). We do the same, and therefore conclude that Relator “could have” brought her FCA claim in her state court action.

Relator argues that- bringing her FCA and state tort claims in the same action would have been tactically inconvenient because “the entire case would presumably have been under seal and languished for months, without discovery....” (Pl.’s Reply Br. at 7.) We addressed a similar argument in Wilkins v. Jakeway, 183 F.3d 528 (6th Cir.1999). In Wilkins, plaintiffs counsel argued' that splitting FCA claims and other claims “allow[ed] counsel to immediately commence discovery on those claims which were not sealed.” Id. at 535. Although we ultimately held res .judicata was inapplicable, we also stated:

Although we do not question the veracity of counsel’s intent, the fact remains that, by bringing two different suits which -present two different theories of the case arising from the same factual situation, counsel has engaged in the precise behavior the doctrine res judica-ta seeks to discourage. See generally Restatement (Second) of Judgments § 24, 25 cmt. a, d (explaining that res judicata extinguishes all claims arising out of the same transaction of [sic] series of transactions. As súch, a plaintiff is pressured to present all material relevant to the claim in one action, including any and all theories of the ease even where those theories are based on different substantive grounds.). This type of duplicity should be avoided at all costs.

Id.

We agree with Wilkins’, reasoning. Notwithstanding any inconvenience to Relator, the doctrine of res judicata commands attention to the burdens placed on defendants, courts, and the integrity of judgments by allowing similar claims with-identical facts to be re-litigated in a second forum. See Restatement (Second) of Judgments § 24 cmt. d (Am. Law Inst. 1982) (“When a defendant is. accused of successive but nearly simultaneous acts, or acts which though occurring over a period of time were substantially of the same sort and similarly motivated, fairness to the defendant as well as the public convenience may .require that they b.e dealt with in the same action.”); Wilkins, 183 F.3d at 532 n. 4 (summarily rejecting plaintiffs argument that “although both cases could have been litigated in the same action, it is questionable whether they should have been litigated in the same case”).

For these reasons, the third- element- of res judicata is met in this case.

4. Same transaction or occurrence as the previous, action

Ohio’s res judicata doctrine precludes a second action based on the same “transaction, or series of connected transactions, out of which the [first] action arose.” Grava, 653 N.E.2d at 229. Quoting the Restatement (Second) of Judgments, Grava held that the second action involves the same “transaction” if it concerns the same “common nucleus of operative facts.” Id. (quoting Restatement (Second) of Judgments § 24 cmt. b (Am. Law Inst.1982)). Although not quoted in Grava, the full text of the paragraph in the Restatement using the “common nucleus of operative facts” language states:

[i]n general, the expression [“transaction, or series of connected transactions”] connotes a natural grouping or common nucleus of operative facts. Among the factors relevant to a determination whether the facts are so woven together as to constitute a single claim are their relatedness in time, space, origin, or motivation, and whether, taken together, they form a convenient unit for trial purposes. Though no single factor is determinative, the relevance of trial convenience makes it appropriate to ask how far the witnesses or proofs in the second action would tend to overlap the witnesses or proofs relevant to the first.

Restatement (Second) of Judgments § 24 cmt. b (Am. Law Inst.1982).

Importantly, Grava held that this element does not require the claims in both actions to be identical:

[res judicata] “applies to' extinguish a claim by the plaintiff against the defendant even though the plaintiff is prepared in the second action (1) To present evidence or grounds or theories of the case not presented in the first action, or (2) To seek remedies or forms of relief not demanded in the first action.”

653 N.E.2d at 229 (quoting Restatement (Second) of Judgments § 25 (Am. Law Inst.1982)); see also id. at 382, 653 N.E.2d at 229 (“That a number of different legal theories casting liability on an actor may apply to a given episode does not create multiple transactions and hence multiple claims. This remains true although the several legal theories ... would emphasize different elements of the facts.” (quoting Restatement (Second) of Judgments § 24 cmt. e))... In sum, satisfaction of this element under Ohio law does not require that both cases involve identical causes of action, proof of identical elements, or even the presentation of exactly the same evidence. See id. at 382-83, 653 N.E.2d at 229-30.

Yet, in this case, Relator’s state and federal cases are nearly identical: the vast majority of the allegations in Relator’s state complaint involve either KHN’s failure to adequately utilize EPIC’s CLARITY reports, or KHN’s alleged violation of HIPAA based on Duane Sheldon’s improper access to Relator’s e-PHI. These allegations are mirrored in Relator’s federal complaint. In other words, the allegations underlying Relator’s state and federal claims are related “in time, space,. origin, [and] motivation.” Restatement (Second) of Judgments § 24 cmt. b (Am. Law Inst. 1982). Moreover, because both the state and federal claims are based on KHN’s alleged failure to satisfy HIPAA standards, those claims would “form a convenient unit for trial purposes,” as “the witnesses or proofs in the [federal] action would tend to overlap the witnesses or proofs relevant to the [state action].” Id.

For these reasons, we conclude that Relator’s state and federal cases share a “common nucleus of operative facts,” Grava, 653 N.E.2d at 229, and that all four elements of res judicata are therefore met in this case. Thus, res judicata provides an additional basis for our conclusion that the district court did not err by dismissing Relator’s complaint and denying her leave to amend. .

CONCLUSION

For thé foregoing reasons, we AFFIRM the district court’s order granting Defendant’s motion to dismiss and denying’ Relator’s motion to amend. 
      
      . However, the complaint does not state where or on what form KHN "checked ‘Yes’ ” to this question.
     
      
      . "Although matters outside of the pleadings - are not to be considered by a court in ruling on a 12(b)(6) motion to dismiss, documents attached to a motion to dismiss are considered part of the pleadings if they are referred to in the plaintiff's complaint and are central to the plaintiff's claim.” Seaton v. TripAdvisor LLC, 728 F.3d 592, 596 (6th Cir.2013) (internal quotation marks and brackets omitted).
     
      
      . As we noted in Chesbrough, Congress amended the FCA in 2009 in response to the Supreme Court’s decision in Allison Engine Co. v. U.S. ex rel. Sanders, 553 U.S. 662, 128 S.Ct. 2123, 170 L.Ed.2d 1030 (2008). 655 F.3d at 466 n. 2 (citing the Fraud Enforcement and Recovery Act, Pub.L. No. 111-21, (2009)). Allison held that the old language of § 3729(a)(1)(B)—at that time numbered § 3729(a)(2)—contained a specific intent requirement, such that liability under the FCA required that the defendant made her false statement "to get” the government to pay a claim. Id. (quoting the old language of § 3729(a)(1)(B)). In response, Congress struck the words “to get” from the section, thereby eliminating the specific intent requirement. Id. For this reason, the above rule statement quoted from SNAPP II, 618 F.3d at 509, omits the specific-intent element from that opinion’s summary of the elements of an FCA claim.
     
      
      . The CMS website contains numerous resources (pertaining to the incentive program) distributed by CMS over the years of HITECH Act implementation. See, e.g., CMS, Resources for Previous Years of the HER Incentive Programs (last modified Dec. 18, 2015), https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentive . Programs/RequirementsforPreviousYears. html. We reference this particular document because it, provides some clarity as to what the security and privacy objective required of providers during Stage 1 of HITECH Act implementation.
     
      
      . Relator’s complaint alleges that KHN violated the Act by' "failing to implement policies and procedures that allow only authorized persons to access electronic protected health information,” as required under 45 C.F.R. § 164.312(a) and (b). (See R. 4 at ¶¶26, 31.) But because the security and privacy objective references only §§ 164.312(a)(2)(iv) and 164.306(d)(3), this allegation appears to be premised on a mistaken reading of the law. 42 C.F.R. §§ 495.6(j)( 16)(ii), (Z)(15)(ii). Section 164.312(a)(2)(iv) requires KHN to "[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” Relator’s complaint contains no allegations regarding data encryption, and none of the facts stated in the complaint would permit an inference that KHN failed to implement data encryption mechanisms. For these reasons, we do not discuss this issue further.
     
      
      . Tellingly, before filing her proposed amended complaint, Relator submitted a motion admitting that "[i]n order for the Relator to answer the Defendant’s Motion to Dismiss on the issue of the heightened pleading standard ... Relator needs to possess information as to the time, date, place, and person making a HiTech certification.” (R. 10, Pl/s Mot. for Discovery, Pg ID # 299.) Relator's amended complaint did not add such information.
     
      
      , This inference, however, is attenuated: Relator’s complaint contains no facts regarding KHN’s EHR infrastructure, and it does not explicitly state whether Duane Sheldon was able to access Relator's e-PHI because of network-wide flaws in KHN’s security protocols or because of -the flaws at the physical location of a particular provider. This deficiency in Relator’s complaint is exemplified by her allegation that a KHN employee impermissi-bly ran a report containing her e-PHI that "sat on an unmonitored printer for hours, allowing improper access by any employee that chose to review it.” (R. 4 at ¶ 19; R. 14-1 at ¶ 20.) Yet, Relator does not state where this printer is located.
     
      
      . The proposed amended complaint also states the names and titles of KHN employees allegedly involvéd in KHN’s attestations of Act compliance. In Bledsoe II, we held that "while such information is relevant to the inquiry of whether a relator has pled the circumstances constituting fraud with particularity, it is not mandatory.” 501 F.3d at 506. Even so, Relator’s proposed amended complaint does not state for which provider(s) in KHN’s network these employees submitted attestation.
     