Sharing PHI with attorneys: OK under HIPAA?
The single largest group of health care whistleblowers are health care workers themselves — nurses, doctors, dentists, therapists and billing professionals — who encounter fraud on the job. Do such health care workers violate HIPAA by disclosing patient protected health information (“PHI”) when blowing the whistle? There is no need for them to do so. Naturally, it helps to work with knowledgeable legal counsel from an early stage in the process.
First, HIPAA privacy rules penalize only “covered entities” — including specified natural persons like doctors and nurses — who pass along PHI without patient authorization. Natural persons — the living, breathing kind — can be covered entities, but are not always. A whistleblower who is not a covered entity (or a business associate or attorney of a covered entity) is not subject to HIPAA rules.*
Second, for individuals who are covered entities, HIPAA rules provide disclosure “safe harbors” including the following:
(1) A covered entity is not considered to have violated [HIPAA] if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i)….
While it is possible that an individual relator could be a covered entity under HIPAA, HHS Reg. 164.502(j), specifically authorizes covered entities to share PHI (“protected healthcare information”) with their attorneys in whistleblower cases.
HHS’ Covered Entity Charts and associated regulations state that natural persons can be covered entities if they “furnish, bill or receive payment for, health care in the normal course of business and (send) any covered transactions electronically.” The question that doesn’t seem to be addressed anywhere is whether an individual employee of a healthcare provider provides healthcare “in the normal course of business” for purposes of the regulation.
For what it’s worth, we’ve never heard of a False Claims Act whistleblower being held in violation of HIPAA regulations for disclosing PHI to his or her attorneys or to law enforcement authorities. One way around the PHI-disclosure concerns is to redact PHI from medical billing records for use in court filings and disclosure statements provided to the Department of Justice.
It is important to keep in mind, however, that beyond HIPAA lurk other document-removal and -sharing traps. For example, it is becoming more common for employers to sue whistleblowers for breach of confidentiality agreements in employment contracts or company policy manuals. They may also sue for misappropriation of trade secrets. Likewise, some state computer privacy laws make it a crime for employees to access company computers or databases without authorization. Each of these potential traps must be addressed on its own terms.
It is fair to say that would-be whistleblowers are normally safest not attempting to access any company documents — in hardcopy or electronic format — which they are not authorized to access as part of their normal job responsibilities. It is also important to obtain legal advice early the process to work through evidence-related issues on the front end.
* HIPAA is not the only legal hazard for would-be whistleblowers. State-level privacy laws also lurk.
# # #
Not legal advice. For advice specific to your situation, you should contact an attorney with experience in dealing with whistleblower matters.