In this day and age, healthcare employers are quite familiar with the Health Insurance Portability and Accountability Act (HIPAA), which protects the disclosure of patients’ confidential health information. After all, in the furtherance of HIPAA’s mandated obligations, healthcare providers and institutions have been required to adopt an array of strict standard operating procedures and policies to ensure compliance. Accordingly, the importance of prohibiting the disclosure of protected health information (PHI) should be drilled into the heads of all those in the healthcare industry.

It is critical that you also take heed of an exception to HIPAA, which allows whistleblowers – usually employees – who believe their employer has engaged in unlawful conduct to disclose patient information to private lawyers. Unfortunately, this exception, which clearly impacts the potential liability for healthcare employers, runs afoul of HIPAA’s underlying public policy by destroying the sanctity of maintaining the privacy of medical health information. What do you need to know about this loophole in order to minimize your chances of landing in legal hot water?

How Can We Be Sued?

Under HIPAA’s whistleblower exception, it is legal for an employee of a covered entity to take PHI from their employer and disclose it to a lawyer so that the party can use that information to potentially bring a profitable qui tam lawsuit. A qui tam lawsuit is one brought under the False Claims Act (FCA), which allows a private litigant (i.e., the whistleblower) to bring suit on behalf of the government based on their knowledge of past or present fraud committed against the federal government. If the plaintiff prevails in the action, the whistleblower (and their attorney) receives a portion of the recovery. In part due to HIPAA’s whistleblower exception, healthcare cases under the FCA have increased significantly in recent years, and are still on the rise.

HIPAA’s Whistleblower Exception: The Ins And Outs

Under the law, an employee may disclose PHI if the individual believes their employer (1) engaged in unlawful conduct; (2) engaged in conduct violating clinical standards; or (3) provided care, services, or conditions endangering patients, workers, or the public. Specifically, the statutory language requires that the employee have a good faith belief the covered entity engaged in the prohibited conduct.

The employee’s disclosure of PHI is then warranted if made to (1) an attorney retained by the employee for the purpose of determining their legal options with respect to the alleged misconduct; (2) a health oversight agency or public health authority authorized to investigate the alleged misconduct; or (3) a healthcare accreditation organization for the purpose of reporting failure to meet professional standards.

Although an employee’s disclosure of the misconduct to health oversight and accreditation agencies threatens fines, deaccreditation, suspension, or probation, as well as reputational harm for the organization, the potential for a qui tam action carries the unique and hefty financial burden of civil litigation. Moreover, the only check on the employee’s ability to take and disclose PHI is the requirement of a “good faith belief,” which is certainly a subjective question open to any variety of ambiguity and interpretation. 

The broad drafting of HIPAA’s whistleblower exception allows the employee to disclose PHI to an attorney without first bringing the problem to the employer to attempt to resolve the issue. This is in direct contradiction with the supposed importance placed on patient privacy when the government enacted HIPAA.

The justification behind the exception follows the general reasoning of that for other whistleblower protections – employees have access to information and knowledge that the government does not, and thus are in the best position to observe and report illegal conduct. Although this objective is certainly an important one, the sweeping statutory language of HIPAA’s whistleblower exception simply fails to put appropriate weight on protecting patient privacy. Accordingly, it is essential that you are mindful of the relative ease with which a patient’s confidential medical information can fall into the hands of an attorney.

The Main Takeaway: Limiting Exposure

In addition to the continued clinical education of employees, you should have comprehensive privacy and security practices in place that protect and limit access to sensitive information to a strictly need-to-know basis. Although it seems intuitive, you should evaluate your current privacy and security protocols to ensure the basics are covered – i.e. data encryption, tracking data usage and its flow in and out of your organization, restricting access to certain information based on an employee’s clearance level, and of course, locking doors to rooms where patient data is stored.

Finally, it is important to remain transparent with employees and provide them with informational programs regarding the scope of HIPAA, including its whistleblower protection, as part of compliance training. Through the furtherance of HIPAA education and company transparency, perhaps employees will be more likely to use this open channel of communication to report misconduct to you first, allowing you to immediately investigate and resolve any issues.