Whistleblowers and privacy rights: How to manage the overlap

Avoid revelation of patient data, but prepare for conflicts

A physician complained to the chief of staff and hospital management that surgical equipment was not being sterilized properly and a patient died as a result. The hospital responded by firing the physician, says Dave Scher, JD, a principal with The Employment Law Group in Washington, DC, who handled this case and specializes in representing whistleblowers.

And whistleblowing situations aren't limited to physicians. A New Hampshire hospital recently agreed to settle a lawsuit filed after a former OR/endoscopy nurse said she was fired after she complained about medical procedures in the endoscopy unit.1

Retaliation against whistleblowers in healthcare is risky, probably illegal, and simply not good strategy, say legal experts. Managers should work to formulate internal structures that minimize the chances of an employee going outside the organization to report problems, they say, and managers should be prepared with a more effective response in the event that someone does blow the whistle.

Even if so inclined, the ability to constrain a whistleblower is limited, says Scher. Firing the whistleblower rarely goes uncontested and can lead to other penalties. In the case of the physician who was fired for complaining about poor sterilization, the complaint led to a federal investigation that shut down the surgical suite for four days. Subsequently, the hospital had to settle with the physician for firing him, which is a common outcome, Scher says.

In healthcare, managers often wonder how confidentiality requirements might restrict a whistleblower's ability to reveal potentially damaging information. The overlap can be tricky, Scher says, but in most cases patient privacy concerns do not prevent the disclosure. Confidentiality agreements, often used in settlements in an attempt to keep damaging information under wraps, can provide a false sense of security, Scher says.

"Claiming that you had a confidentiality agreement and you disclosed a private agreement, therefore you can't be trusted, is almost always just a smokescreen," Scher says. "It's a weak argument, and the organization does not tend to be looked on favorably when they try to use that defense."

Whistleblowers in healthcare are protected by multiple laws, more than employees in most industries, says Kevin Troutman, JD, an attorney with the law firm of Fisher and Phillips in Houston, TX. Healthcare providers must take into account these many protections when considering how they will respond to whistleblowers, particularly the whistleblower exceptions for the Health Insurance Portability and Accountability Act (HIPAA), he says. "I've found that this really surprises managers sometimes. They are shocked that they can't discipline an employee for violating confidentiality or revealing patient information," Troutman says. "Sometimes you can inadvertently set up a whistleblower claim if you take action without really analyzing the circumstances and the protections that might apply."

Healthcare providers often use HIPAA as an excuse when trying to dissuade an employee from revealing damaging information, Scher says. HIPAA privacy concerns have been drilled into employees so effectively that many people can be convinced that it is impossible to report fraud without violating the law themselves, he says. "We see it all the time. It's very, very common," Scher says. "It's an easy hook to say, 'Sure you can expose the fraud, but you violated HIPAA so you're out.' That is completely the wrong strategy for the employer and usually will just make matters worse for you."

That advice does not mean, however, that healthcare employees can recklessly reveal protected health information (PHI) as part of their effort to report problems, Scher says. To encourage responsible reporting and avoid potential post-reporting conflicts, managers should establish internal procedures that allow employees to voice concerns while still maintaining patient confidentiality, he says. "We have them disclose information by case number, rather than by naming the individual," he says. "If you don't provide a mechanism for reporting concerns, and then you jump on the employee for violating confidentiality, you are going to be seen as trying to avoid the real issue."

It is possible to fire a whistleblowing employee and cite a reason other than reporting fraud or other misdeeds, such as blaming it on improper disclosure of patient information, but Scher says that move is a desperate one that often backfires in the form of litigation and a costly payout. A better plan, he says, is to foster a culture that results in people wanting to discuss their concerns internally and to have a procedure for responding to those concerns. (See the story on for steps to take in responding to concerned staff, and below for the dangers of staff investigating on their own. See the story, below, for federal and state protections for whistleblowers.)

Troutman advises managers to work closely with human resources to determine when whistleblower protections might apply. If you wait until human resources already has disciplined or fired the employee for a confidentiality breach, it might be too late to avoid the damage, he says.

Aside from retaliation being a bad strategy, there is another reason for healthcare providers to provide an appropriate mechanism for reporting concerns. Without guidance and a safe way for employees to speak up, the employer can be held responsible for the whistleblower's privacy breach, explains Tammy Marzigliano, JD, partner with the law firm of Outten & Golden in New York City. Marzigliano represents employees in litigation regarding employment law. "That's one reason it makes sense to give employees a constructive way to bring these concerns to you without violating HIPAA," she says. "If you don't, their next step may be to go public and blurt out a lot of information or hand over documents to the media that they shouldn't, and you as the employer are going to be held at least partly accountable for that."


  1. Haberman S. Exeter Hospital settles suit with 'whistleblower.' Exeter News-Letter. June 20, 2011. Accessed at http://www.seacoastonline.com/articles/20110620-NEWS-110629978


  • Tammy Marzigliano, JD, Partner, Outten & Golden, New York City. Telephone: (212) 245-1000. E-mail: tm@outtengolden.com.
  • Dave Scher, JD, Principal, The Employment Law Group, Washington, DC. Telephone: (202) 261-2802. E-mail: inquiry@employmentlawgroup.com.
  • Kevin Troutman, JD, Partner, Fisher & Phillips, Houston, TX. Telephone: (713) 292-0150. E-mail: ktroutman@laborlawyers.com.

The Ambulatory Surgery Center Association has an ASC Compliance Hotline, operated by National Hotline Services, that allows workers to anonymously report concerns. The employer is notified in a manner that does not disclose identity of caller. Web: http://ascassociation.org/publications/hotline.

Beware of staff probing on their own

Violations of the Health Insurance Portability and Accountability Act (HIPAA) are a growing focus for whistleblowers, says Tammy Marzigliano, JD, partner with the law firm of Outten & Golden in New York City.

Marzigliano recently spoke with a potential client who was concerned that her healthcare employer was not adequately protecting a database with PHI. The employee reported her concerns internally, but the healthcare provider did nothing, Marzigliano says.

"So she started working with IT, gathering documents and investigating herself, which is the wrong way to go about it," the attorney says. "HIPAA does provide protection for those trying to report problems, but it requires that you include the minimum amount of patient information possible. She was going way beyond that leeway."

In a situation such as that one, the employer might have a legitimate reason to terminate the employee, Marzigliano says. The employee overstepped her bounds and violated HIPAA in a way that is not protected, no matter how good her intentions, so dismissal could be justified, she says. "But the employee is going to argue that you dismissed her because she complained and you retaliated," she says. "In this case, you might be able to prove otherwise. But you still have a messy situation, some expensive litigation, and you still haven't addressed the root problem. You would have been better off listening when she first came to you with her concerns."

HIPAA does allow individual healthcare employees to copy records and provide them to their attorneys if they think some violation has occurred, says Kevin Troutman, JD, partner with Fisher & Phillips, Houston, TX. "It's not entirely clear how far that they can go with that, but there is an exception," Troutman says.

Education is key in this area, Marzigliano says. Having an employee hotline is not enough, she says. In addition to encouraging people to come forward, managers also must educate employees about where their obligations stop. Many employees will be under the impression that they cannot report potential fraud, for instance, without having the evidence to back up their claims. In trying to gather and provide that evidence, they might violate HIPAA and other regulations, which creates additional trouble for the employer and could rob the whistleblower of protections that otherwise might be available.

"They need to know that it's their job to speak up but not their job to investigate," she says. "It can be really unfortunate when you have someone who has the best intentions, and whistleblowers tend to be really righteous people, but they go overboard because they thought it was necessary. I'm horrified when they come to me with these documents."

Federal, state laws protect whistleblowers

Many states offer protection to whistleblowers, and a federal statute protect whistleblowers reporting false claims, explains Amy S. Leopard, JD, partner with the law firm of Walter & Haverfield in Cleveland, OH. If the court finds that the employer terminated the employee because of the whistleblowing, the employer will be required to reinstate the employee and provide double back pay for the period in question.

Gag orders written into settlement agreements also will be difficult or impossible to enforce when the employee is trying to report wrongdoing to the government, she says.

"All the government has to do is get wind of the false claim, and they will subpoena the person who knows about it," Leopard says. "You can't enforce any type of confidentiality agreement if the employee or former employee is subpoenaed for a government interview."

Employees' concerns about impropriety are not always well founded, of course. The employee might be mistaken about the facts or the law, Leopard says, but the provider still should take the employee seriously. It can be a costly mistake to casually dismiss the employee's concerns or even indicate annoyance that the employee is trying to stir up trouble over nothing, she cautions. That response can prompt the employee to feel righteous indignation and investigate the matter independently, then take the concerns to outside regulators.

"You always are best advised to listen to any complaint seriously and express that this is exactly what you want people to do if they are concerned something might be wrong," she says. "If you determine that, in fact, there is no problem, then you can explain that to the person without making them feel like you're blowing them off."


  • Amy S. Leopard, JD, Partner, Walter & Haverfield, Cleveland, OH. Telephone: (216) 928-2889. E-mail: aleopard@walterhav.com.

Be quick, proactive to avoid whistleblowing

When an employee has concerns about fraud or other wrongdoing within your organization, that person can take two paths: either report it internally, or report it to regulators and become a whistleblower.

You always will fare better by having the person report internally, says Dave Scher, JD, a principal with The Employment Law Group in Washington, DC, who specializes in representing whistleblowers. However, if you don't respond properly, the person still might turn into a whistleblower. Here is Scher's advice:

  1. As soon as an employee voices a concern about possible fraud or other improper activities, sit down with him or her to discuss the situation. Do not delay. Listen carefully to the employee's concerns, and indicate that you are glad he or she reported them. Tell the employee that you will research the matter further and report back with more information.
  2. Have the compliance staff conduct a thorough investigation. Do not minimize the employee's concerns or dismiss them as unfounded. Every allegation should receive a thorough investigation. Even if the conclusion is that the concerns are unfounded, the healthcare provider has performed due diligence and created a paper trail showing that it responded in a responsible way. When a legitimate problem is uncovered, the provider's actions will show regulators that it responded in a proactive way as soon as it was notified of potential trouble.
  3. If the concerns are well founded, the organization should consider publicly disclosing the problem through the media and explaining what steps are being taken to fix it.
  4. Thank the employee for bringing the issue to your attention. Most importantly, protect the employee from retaliation. Remember that the retaliation might not originate with your office or the executive suite. The employee's line level supervisor and coworkers might retaliate if they see the whistleblower as a troublemaker, so go directly to the supervisor and emphasize that any sort of retaliation is inappropriate and will not be tolerated. Consider reassigning the whistleblower, supervisor, or coworkers if necessary.