Whistleblowers often face a difficult decision when they suspect fraud at their place of employment. The whistleblower knows that fraud is being committed, but he or she will never be able to prove it without keeping or retaining documents and records that might be protected by the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. In broad terms, this law prevents certain businesses and people from disclosing confidential patient data to third parties.
Fortunately, HIPAA contains an exclusion for disclosures made by whistleblowers, provided certain conditions are met. Specifically, 45 CFR 164.502 (J) (1) provides that “a covered entity is not considered to have violated the requirements of this subpart if a [whistleblower] . . . discloses protected health information, provided that . . . The [whistleblower] . . . believes in good faith that the covered entity has engaged in conduct that is unlawful.” This section allows the whistleblower to make such disclosures to the government, regulators, or to “an attorney retained by or on behalf of the [whistleblower] for the purpose of determining the legal options of the [whistleblower].”
A recent case shows how the provision applies. On July 1, 2015 a federal district court judge in the Eastern District of Arkansas decided a case, Howard ex rel United States v. Arkansas Children’s Hospital, 4:13CV00310JLH. In this case, a former hospital employee filed a qui tam whistleblower action against a hospital. Upon her termination, the whistleblower retained certain protected health information which she used to help back up her lawsuit. She showed these documents to her attorneys for the purpose of seeking legal advice.
Upon learning that the whistleblower retained this HIPAA information, the hospital moved for summary judgment, arguing that the employee did not qualify as a “whistleblower’ within the meaning of the HIPAA regulations.
The District Court rejected this argument, finding that: (1) the hospital was a covered entity under HIPAA, (2) the whistleblower was a member of the hospital’s workforce within the meaning of HIPAA; (3) the whistleblower believed in good faith that the hospital had been engaged in unlawful conduct, and (4) that the whistleblower was therefore allowed to disclose the HIPAA information to her attorneys for purposes of seeking a legal opinion.
In short, HIPAA, while serving important goals of protecting patient privacy, does not stand in the way of honest employees who want to blow the whistle on healthcare fraud.