Whistleblowers: Understanding HIPAA’s Safe Harbors When Using Patient Records To Expose Fraud

Understanding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules is important for a prospective whistleblower. Under the False Claims Act, most courts require a whistleblower to identify specific examples of bills paid by the government that have been affected by fraud. A whistleblower, therefore, must frequently make use of information covered by HIPAA to sufficiently establish health care fraud. For that reason, we discuss two safe harbors critical for potential whistleblowers dealing with patient-identifying information: the de-identification safe harbor and the whistleblower safe harbor.

We recently discussed the importance for whistleblowers of understanding the HIPAA rules. As we explained, HIPAA established privacy and security standards for entities – including health care providers, health plans, health care clearinghouses and their business associates – preventing the release of information that could reasonably be used to identify a patient. 45 C.F.R. § 160.103. In addition, we discussed some instances in which whistleblowers have run into trouble for perceived carelessness with HIPAA-protected information; this has led to orders to return documents and, in some cases, sanctions.

HIPAA Whistleblower Safe Harbor

The whistleblower safe harbor at 45 C.F.R. § 164.502(j) protects disclosures of HIPAA-protected material both to your own attorney and to the government, so long as you believe in good faith that your employer “has engaged in conduct that is unlawful or otherwise violates professional or clinical standards” or “that the care, services, or conditions . . . potentially [endanger] one or more patients, workers, or the public.”

This safe harbor protects a whistleblower with a good faith belief that her employer engaged in unlawful or dangerous practices. That whistleblower does not violate HIPAA when she shares PHI with her attorney to evaluate potential claims. In addition, she may use this safe harbor to provide the government with information required under the False Claims Act.

During a 2015 case concerning overbilling by the Arkansas Children’s Hospital, the defendant discovered that the relators had obtained HIPAA-protected information and shared it with their attorney. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard ex rel. U.S. v. Arkansas Children’s Hosp., No. 4:13-cv-00310, at *3 (E.D. Ark. July 1, 2015). The court concluded that, regardless of reasonableness, the whistleblower safe harbor protected the relator, and refused to order return of the documents.

De-identification Safe Harbor

HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart. It is only concerned with “individually identifiable health information,” or “protected health information” (PHI). 45 C.F.R. § 160.103. This includes information that identifies the individual or could reasonably be used to identify the individual. PHI includes the obvious – name, address, birth date, social security number. But it also includes the not so obvious – dates of treatment, medical device identifiers and serial numbers, and associated IP addresses. 45 C.F.R. § 164.514(b).

One option to ensure compliance with HIPAA is the “de-identification” safe harbor at 45 C.F.R. § 164.514(a) and (b). The U.S. Department of Health and Human Services has published detailed instructions. But the basic idea is to redact PHI such as names, geographic units, and dates (not just birthdates, but other dates that tend to identify a patient, such as dates of admission and discharge). Above all else, we suggest redacting dates of test results and appointments as well. You can either do this on paper with a big black marker (taking a copy to keep the originals first, of course) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.

When using software to redact documents, placing a black bar over the words is not enough.  Instead, one must use a method that removes the underlying information from the electronic document.  Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it.  For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
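One way to confirm that a redaction tool deleted the text rather than only covering it, added here as an example (it is not from the original article or from any of the products named above). The sample PDF bytes, the patient name and the date are constructed, and the check reads only literal and hex strings in content streams, so fonts with custom encodings, metadata, annotations and attachments still need a full PDF text extractor.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\()])*\)")  # (text) operands of Tj / TJ
HEX_RE = re.compile(rb"<([0-9A-Fa-f\s]+)>")        # <4A616E65> operands


def extractable_text(pdf: bytes) -> str:
    """Concatenate the string operands still stored in the content streams."""
    parts = []
    for match in STREAM_RE.finditer(pdf):
        data = match.group(1)
        try:
            data = zlib.decompressobj().decompress(data)  # FlateDecode stream
        except zlib.error:
            pass                                          # stored uncompressed
        for lit in LITERAL_RE.findall(data):
            parts.append(lit[1:-1].decode("latin-1"))
        for hx in HEX_RE.findall(data):
            digits = b"".join(hx.split())
            digits += b"0" * (len(digits) % 2)            # odd length: pad with 0
            parts.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return "".join(parts)


def _norm(s: str) -> str:
    return re.sub(r"\s+", "", s).lower()  # kerned or split strings cannot hide a term


def leaked_terms(pdf: bytes, terms):
    """Return the terms that text extraction would still recover."""
    text = _norm(extractable_text(pdf))
    return [t for t in terms if _norm(t) in text]


def make_pdf(content: bytes, compress: bool = True) -> bytes:
    """Constructed sample: one object holding `content` as its stream."""
    body = zlib.compress(content) if compress else content
    flt = b"/Filter /FlateDecode " if compress else b""
    head = b"%PDF-1.4\n4 0 obj\n<< " + flt + b"/Length %d >>\n" % len(body)
    return head + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


BAR = b"0 0 0 rg 120 695 200 16 re f\n"  # filled black rectangle over the line
COVERED = make_pdf(b"BT /F1 12 Tf 72 700 Td (Patient: Jane Roe DOB 01/02/1960) Tj ET\n" + BAR)
REDACTED = make_pdf(b"BT /F1 12 Tf 72 700 Td (Patient:) Tj ET\n" + BAR)
TERMS = ["Jane Roe", "01/02/1960"]       # constructed identifiers to look for
print("bar only:", leaked_terms(COVERED, TERMS), "| text removed:", leaked_terms(REDACTED, TERMS))
```

Both sample pages look identical on screen because the same black rectangle is painted in each; only the second has the underlying text removed from the file.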

Using the HIPAA Whistleblower Safe Harbors

These safe harbors can work in concert. In a recent case regarding pharmacy overcharging for prescriptions, the relator’s complaint provided 18 specific examples needed to meet the particularity requirements of Federal Rule 9(b). United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). The defendant claimed that the examples in the complaint violated HIPAA, but the Court found that, because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor, and that even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.
