Healthcare professionals can find themselves in a quandary when they want to report fraud or other concerns within their organizations because doing so could require disclosure of protected health information (PHI). That could seem like a HIPAA violation; fortunately, there is a whistleblower exception that covers this scenario.
A major goal of the HIPAA Privacy Rule is to ensure an individual’s health information is properly protected while still allowing the normal flow of health information needed to provide and promote high-quality care, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson in Baton Rouge, LA.
Many provisions in the Privacy Rule are designed to strike a balance that permits important uses of information while still protecting patient privacy. The Whistleblower Exception is one of these provisions. This exception is intended to allow the disclosure of patient information to protect patients, healthcare workers, and even the public — but there are restrictions on its application.
The Whistleblower Exception states that a covered entity, such as a physician or hospital, is not considered to have violated the HIPAA Privacy Rule if a member of its workforce or a business associate discloses patient information, provided the workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, service, or conditions provided by the covered entity potentially endanger patients, workers, or the public.
“Additionally, the disclosure must be to either a health oversight agency or public health authority authorized to investigate or to an attorney retained by the workforce member or business associate to determine the legal options of the workforce member or business associate,” Rush says.
The Whistleblower Exception can be used by a workforce member, which can be an employee, volunteer, or even independent contractor, or by a business associate of a covered entity. The disclosure must be made to an oversight agency or to an attorney who is assisting the individual in determining his or her legal options.
The Whistleblower Exception allows an individual to disclose concerns about issues such as billing fraud or compliance issues by using PHI to make the case, says Christina M. Kuta, JD, an attorney with Roetzel & Andress in Chicago.
“They can disclose this to an accrediting body, an insurer, other enforcement agencies, or even an attorney they have hired to represent them if they have a good faith belief that there is an issue that needs to be explored,” Kuta says. “Once you have that good faith belief, you are allowed to gather information that you wouldn’t otherwise be able to gather from the covered entity or the business associate. This could mean printing out patient records or billing statements, things that otherwise you likely would not have a legitimate need to access and certainly wouldn’t be allowed to share with third parties.”
Under the Whistleblower Exception, the individual can provide that PHI to another party without fear that accessing and disclosing that information will be deemed a HIPAA violation, as long as the necessary requirements are met.
The biggest risk concerns the good faith belief, Kuta says, because there is no objective way of determining that. If a nurse overhears two coworkers talking about how they incorrectly billed a patient, is that enough to conclude they are overbilling many patients, obtain PHI that might prove the allegation, and send it to the government or a lawyer?
Maybe not. The nurse might have overheard discussion of one error the coworkers were correcting. That might not constitute good faith belief. Accessing and distributing PHI on that alone could be a HIPAA violation not protected by the Whistleblower Exception.
Another pitfall is obtaining and distributing too much PHI to report a concern.
“If you have a concern that the facility or practice is upcoding for one particular procedure, you can’t take all the records from the department or from that physician practice and give them to a lawyer,” Kuta says. “A lot of patient information there has nothing to do with the fraud you’re alleging. Disclosing that information is a HIPAA violation. It wouldn’t qualify for the Whistleblower Exception because it is not related to what you’re whistleblowing on.”
If patient information is used to report a covered entity to an oversight agency, the “minimum necessary” rule still should be used.
“The minimum amount of information necessary to accomplish the intended purpose should be disclosed. For instance, if the patients’ names and addresses are not necessary for the oversight agency’s investigation and the names and addresses can be redacted from the records being disclosed, then they should be,” Rush says. “If the data can be deidentified such that all patient identifiers are removed, then the data should be deidentified before it is disclosed.”
There is a good faith requirement in the Whistleblower Exception. It cannot be invoked except when there is a legitimate belief the covered entity is engaging in activity that could be detrimental to patients, workers, or the public. It should not be used as retaliation or for personal gain. For example, an employee who has been terminated cannot take patient information to use in a wrongful termination lawsuit against the covered entity.
“Also, whistleblowers should be very careful about how they disclose patient information and how much they disclose. Courts have sanctioned whistleblowers who placed patient information in the court’s public record without sealing or redacting the information,” Rush says.
The Whistleblower Exception allows a whistleblower to share information with his or her attorney for the purpose of evaluating legal options. Someone contemplating disclosing patient information as a whistleblower should consult with his or her legal counsel to determine whether a covered entity has engaged in conduct that should be reported to an oversight agency, the amount of information that needs to be disclosed to allow the oversight agency to investigate, and the appropriate agency to which the disclosure should be made.
The Whistleblower Exception protects a covered entity from being considered to have committed a breach if the whistleblower is a member of the covered entity’s workforce and is the victim of a crime, says Arielle T. Miliambro, JD, partner with Frier Levitt in Pine Brook, NJ. However, the PHI disclosed must be about the suspected perpetrator of the criminal act and is limited to the information necessary to identify and locate the perpetrator.
“For example, an employee who has been assaulted by a covered entity’s patient may evaluate, and perhaps ultimately use, this exception to report the assault to appropriate authorities without violating the patient’s privacy rights under HIPAA,” Miliambro says. “Although the requirements of the Whistleblower Exception have certain flexibility based upon a good faith standard, the requirements must be met precisely as set forth.”
Miliambro says it is important to note the covered entity remains, at all times, responsible for the use of PHI by its employees and business associates, even when those individuals attempt to disclose PHI pursuant to the Whistleblower Exception. Therefore, a covered entity may be in breach of HIPAA, and thus exposed to liability, if an employee or business associate impermissibly relies on the Whistleblower Exception to disclose PHI.
A concern for both employer and employee would be that the whistleblower would disclose PHI to either an individual or entity not covered under the Whistleblower Exception, says Paul F. Schmeltzer, JD, an attorney with Clark Hill in Los Angeles.
For example, if a whistleblower made an allegation that included PHI to the Equal Employment Opportunity Commission or a media outlet, their actions would not fall under the Whistleblower Exception.
“The most common scenario is a healthcare employee protected under the HIPAA whistleblower exception making allegations of fraudulent billing in the covered entity’s medical practice,” Schmeltzer says. “Healthcare employers would be wise to include information in their annual HIPAA trainings that discusses the limited nature of HIPAA’s whistleblower exception and the consequences that could follow if the employee’s disclosure does not meet the criteria of that rule.”