Understanding the rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important for a prospective whistleblower. Under the False Claims Act, most courts require a whistleblower to identify specific examples of bills paid by the government that have been affected by fraud. A whistleblower, therefore, must frequently make use of information covered by HIPAA to sufficiently establish health care fraud. For that reason, we discuss two safe harbors critical for potential whistleblowers dealing with patient-identifying information. They are the de-identification and whistleblower safe harbors.
We recently discussed the importance for whistleblowers of understanding the HIPAA rules. As we explained, HIPAA established privacy and security standards for entities – including health care providers, health plans, health care clearinghouses and their business associates – preventing the release of information that could reasonably be used to identify a patient. 45 C.F.R. § 160.103. In addition, we discussed some instances in which whistleblowers have run into trouble for perceived carelessness with HIPAA-protected information; this has led to orders to return documents and in some cases sanctions.
The whistleblower safe harbor at 45 C.F.R. § 164.502(j) protects disclosures of HIPAA-protected material both to your own attorney and to the government, so long as you believe in good faith that your employer “has engaged in conduct that is unlawful or otherwise violates professional or clinical standards” or “that the care, services, or conditions . . . potentially [endanger] one or more patients, workers, or the public.”
This safe harbor protects a whistleblower with a good faith belief that her employer engaged in unlawful or dangerous practices. That whistleblower does not violate HIPAA when she shares PHI with her attorney to evaluate potential claims. In addition, she may use this safe harbor to provide the government with information required under the False Claims Act.
During a 2015 case concerning overbilling by the Arkansas Children’s Hospital, the defendant discovered that the relators had obtained HIPAA-protected information and shared it with their attorney. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard ex rel. U.S. v. Arkansas Children’s Hosp., No. 4:13-cv-00310, at *3 (E.D. Ark. July 1, 2015). The court concluded that, regardless of reasonableness, the whistleblower safe harbor protected the relator, and refused to order return of the documents.
HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart. It is only concerned with “individually identifiable health information,” or “protected health information” (PHI). 45 C.F.R. § 160.103. This includes information that identifies the individual or could reasonably be used to identify the individual. PHI includes the obvious – name, address, birth date, social security number. But it also includes the not so obvious – dates of treatment, medical device identifiers and serial numbers, and associated IP addresses. 45 C.F.R. § 164.514(b).
One option to ensure compliance with HIPAA is the “de-identification” safe harbor at 45 C.F.R. § 164.514(a) and (b). The U.S. Department of Health and Human Services has detailed instructions on de-identification. But the basic idea is to redact PHI such as names, geographic units, and dates (not just birthdates, but other dates that tend to identify a patient such as dates of admission and discharge). Above all else, we suggest redacting dates of test results and appointments as well. You can either do this on paper with a big black marker (taking a copy to keep the originals first, of course) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.
When using software to redact documents, placing a black bar over the words is not enough. Instead, one must use a method that removes the underlying information from the electronic document. Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it. For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
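The check described above can be automated. The following Python is an added example, not from the original article: it inflates each content stream of a PDF and reports any listed terms that still exist as text. The sample documents, the name and the date are constructed; it assumes text stored as literal strings in Flate-compressed or uncompressed streams, so hex-encoded strings, custom font encodings and scanned images are outside its reach.

```python
import re
import zlib

STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # PDF literal string: (...)

def string_data(pdf):
    """Collect literal strings from the raw file and from each inflated stream."""
    sources = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates a trailing CR left before "endstream"
            sources.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; the raw scan above already covers it
    joined = b"".join(s for src in sources for s in LITERAL.findall(src))
    return joined.decode("latin-1")

def leaked_terms(pdf, terms):
    """Return the terms still present as text, ignoring case and whitespace."""
    squash = lambda s: re.sub(r"\s+", "", s).lower()
    haystack = squash(string_data(pdf))
    return [t for t in terms if squash(t) in haystack]

def sample_pdf(content):
    """Constructed one-object file: enough for this scanner, not for a viewer."""
    data = zlib.compress(content)
    head = b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode()
    return (head + b" /Filter /FlateDecode >>\nstream\n" + data
            + b"\nendstream\nendobj\n%%EOF\n")

# Constructed sample data (not real patient information).
BLACK_BAR = b"0 g 68 695 300 16 re f\n"  # filled black rectangle
TEXT = b"BT /F1 12 Tf 72 700 Td (Patient: Jane Roe, admitted 03/14/2015) Tj ET\n"
MASKED = sample_pdf(TEXT + BLACK_BAR)  # bar drawn over text that is still in the file
REDACTED = sample_pdf(BLACK_BAR)       # text operators removed, only the bar remains
TERMS = ["Jane Roe", "03/14/2015"]

if __name__ == "__main__":
    print("masked:  ", leaked_terms(MASKED, TERMS))
    print("redacted:", leaked_terms(REDACTED, TERMS))
```

A properly redacted file returns an empty list for every term; a non-empty list means the bar only covers text that is still stored in the document.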
These safe harbors can work in concert. In a recent case regarding pharmacy overcharging for prescriptions, the relator’s complaint provided 18 specific examples needed to meet the particularity requirements of Federal Rule 9(b). United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). The defendant claimed that the examples in the complaint violated HIPAA, but the Court found that, because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor, and that even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.