Whistleblower News & Articles
August 11, 2020
The Health Insurance Portability and Accountability Act of 1996 or HIPAA establishes privacy and security standards for health care providers and other covered entities. These standards prevent the release of patient identifying information. Understanding HIPAA is important to a whistleblower.
Whistleblowers need to know what information HIPPA protects from publication. This is because defendants often accuse whistleblowers of violating HIPAA when they report fraud. Therefore, understanding how to comply with HIPAA and its safe harbors can prevent a whistleblower from being victimized by these threats.
Whistleblowers who understand HIPAA and its rules have several ways to report the violations. These include filing a complaint directly with the government. In addition, HIPAA violations can lead to False Claims Act violations and even health care fraud prosecutions.
HIPAA is the common name for the Health Insurance Portability and Accountability Act of 1996. HIPAA authorizes a nationwide set of privacy and security standards for health care entities. These standards prevent the publication of private information that identifies patients and their health issues.
HIPAA covers three entities: (1) health plans; (2) health care clearinghouses; and (3) certain health care providers.
Includes most group plans, HMOs, and privative insurers and government insurance plans designed primarily to provide health insurance. 45 C.F.R. § 160.103.
A public or private entity that processes or reprocesses health care transactions. This includes most billing companies, repricing companies, and health care information systems. 45 C.F.R. § 160.103
An entity that bills, or receives payment for, health care in the normal course of business. Health care includes care, services, or supplies including drugs and devices. To be covered by HIPAA, the provider must transmit “health information” in connection with certain financial or administrative transactions defined in the law. 45 C.F.R. § 160.103
If you are having trouble telling whether the entity you are looking at is a covered entity, CMS offers a great tool for figuring it out.
“Protected health information,” or PHI, is the patient-identifying information protected under HIPAA. PHI must first identify a patient. In addition, it must relate to an individual’s health or provision of, or payments for, health care. PHI includes obvious things: for example, name, address, birth date, social security number. But it also includes not so obvious things: for instance, dates of treatment, medical device identifiers, serial numbers, and associated IP addresses. 45 C.F.R. § 160.103; § 164.514(b)
Prospective whistleblowers should be aware of HIPAA and its implications for establishing a viable case. Documentary proof can help whistleblowers build a case because a it strengthens credibility. For example, under the False Claims Act, whistleblowers often must identify specific instances of fraudulent bills paid by the government. Documents are not required to plead such a claim, but they help ensure the whistleblower has the required information. Thus, a whistleblower, particularly one reporting health care fraud, must frequently use documents potentially covered by HIPAA.
We have previously discussed how privilege and other considerations provide modest limits on a whistleblower’s right to gather evidence. For instance, whistleblowers need to be careful when they copy documents or record conversations to support allegations. In addition, certain types of documents require special care. Among these “special” categories are documents that contain HIPAA protected PHI.
Whistleblowers have run into trouble due to perceived carelessness with HIPAA-protected information in the past.
As you can tell, whistleblowers risk serious trouble if they run afoul of HIPAA. Luckily, HIPAA contains important safe harbors designed to permit vital whistleblower activities. Consequently, whistleblowers and their counsel who abide by those safe harbors can report allegations without fear of running afoul of HIPAA.
The whistleblower safe harbor at 45 C.F.R. § 164.502 (j) protects disclosures of HIPAA-protected material both to a whistleblower attorney and to the government. But, the whistleblower must believe in good faith that her employer has provided unlawful, unprofessional, or dangerous care.
Such a whistleblower does not violate HIPAA when she shares PHI with her attorney to evaluate potential claims. In addition, she may use this safe harbor to provide the information to the government. For example, she could disclose the PHI as part of the information required under the False Claims Act.
For instance, in one case whistleblowers obtained HIPAA-protected information and shared it with their attorney to support claims that the Arkansas Children’s Hospital was over billing the government. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard v. Ark. Children’s Hosp., No. 4:13CV00310 JLH, 3 (E.D. Ark. Jul. 1, 2015). The court concluded that, regardless of reasonableness, whistleblower safe harbor protected the relator, and refused to order return of the documents.
HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart. But rather, with “individually identifiable health information,” or PHI. 45 C.F.R. § 160.103. PHI must be able to identify an individual.
As a result, a whistleblower can ensure compliance with HIPAA using “de-idenfitication” safe harbor. 45 C.F.R. §164.514(a) and (b). The U.S. Department of Health and Human Services has detailed instructions on using the safe harbor here.
The basic idea is to redact PHI such as names, geographic units, and dates, not just birthdates, but other dates that tend to identify a patient. For example dates of admission and discharge. We also suggest redacting dates of test results and appointments. You can either do this on paper with a big black marker (keeping a copy of the originals first, of course) or, if you are dealing with electronic copies (usually pdfs), you can use pdf redaction software.
When using software to redact documents, placing a black bar over the words is not enough. Instead, one must use a method that removes the underlying information from the electronic document. Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it. For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
These safe harbors can work in concert. For example, in a recent pharmacy overcharging case, the complaint provided 18 specific examples of false claims; the defendant claimed these examples violated HIPAA. United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). However, the Court held that because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor. Moreover, even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.
HIPAA also provides whistleblowers with protection from retaliation. Covered entities may not “threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action” against a whistleblower who files a complaint, assists an investigation, or opposes violations of HIPAA. 45 CFR § 160.316.
HIPAA permits whistleblowers to file a complaint for HIPAA violations with the Department of Health and Human Services. These complaints must generally be filed within six months. 45 CFR § 160.306. The Health and Human Services Office of Civil Rights accepts whistleblower complaints by mail or through its online portal. HHS can investigate and prosecute these claims. As a result of these tips, enforcement activities have obtained significant results that have improved the privacy practices of covered entities. However, unfortunately, whistleblowers who use the HHS complaint procedure are not eligible for a whistleblower reward as they are under the False Claims Act.
Some courts have found that violations of HIPAA give rise to False Claims Act cases. We have previously explained how the False Claims Act pulls in violations of other statutes. This is because when an entity submits a claim to the government, it promises that has followed the government’s health care laws. In False Claims Act jargon, this is called the implied certification theory.
When health care providers join government health programs or submit claims, they certify they are in compliance with health laws. Thus if the providers are violating a health law – for example, HIPAA – they are lying to the government. Under Supreme Court guidance, a provider in such a situation violates the False Claims Act if those violations of law are material. In other words, would the violations matter to the government’s decision to pay. This theory of liability is most well established with violations of the Anti-Kickback Statute. But it applies to other material violations of the law.
It is not certain that a court would consider violation of HIPAA material. However, at least one Court has said they can be.
A whistleblower brought a False Claims Act case against a home healthcare company. One of the allegations was that the defendants “searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services.” United States ex rel. O’Donnell v. Am. at Home Healthcare & Nursing Servs., Ltd., Case No. 14-cv-1098, 14 (N.D. Ill. Jan. 8, 2018). The whistleblower argued that illegally using PHI for solicitation violated the defendants’ implied certifications that they complied with the law.
The defendants asked the court to dismiss this claim, arguing that HIPAA violations cannot give rise to False Claims Act liability. The Court sided with the whistleblower. It concluded that the allegations stated a material violation because “information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting a payment decision too.” Id. at 16.
In 2017, the US Attorney’s Office for the Southern District of New York announced that it had intervened in a whistleblower case against a cardiology and neurology clinic and its physicians. The underlying whistleblower case did not raise HIPAA violations. However, the feds also brought a related criminal case based in part on defendants “accessing, without authorization, electronic health records of patients” in violation of HIPAA to identify patients to recruit to their practice. So, while this is not exactly a False Claims Act based on HIPAA violations, it appears the HIPAA violations will be part of the government’s criminal case.
In short, HIPAA is an important law for whistleblowers to know. Failure to abide by HIPAA rules when obtaining evidence for a case can cause serious trouble. On the other hand, careful whistleblowers and counsel can take advantage of HIPAA whistleblower and de-identification safe harbors. By doing so, whistleblowers safely can report claims of HIPAA violations either directly to HHS or to DOJ as the basis for a False Claims Act case or health care fraud prosecution.
If you are aware of a covered entity violating HIPAA, we urge you to contact us for a free, confidential, consultation.