Whistleblowers’ Guide To HIPAA

August 1, 2023

Understanding HIPAA and its implications is crucial for anyone involved in the healthcare industry. For HIPAA whistleblowers, navigating the intricacies of HIPAA while exposing healthcare fraud can be daunting, but the act does provide critical safe harbors that protect whistleblowers. This blog delves into the essential aspects of HIPAA, the two main safe harbors for HIPAA whistleblowers, and how to report HIPAA violations, including the potential for a HIPAA violation reporting reward.

What is HIPAA?

HIPAA is the common name for the Health Insurance Portability and Accountability Act of 1996. HIPAA authorized a nationwide set of privacy and security standards for health care entities that restrict the dissemination of “individually identifiable health information.” 45 C.F.R. § 160.103.

What is Protected by HIPAA?

“Protected health information,” or PHI, is the patient-identifying information protected under HIPAA. PHI must first identify a patient. In addition, it must relate to an individual’s health or to the provision of, or payment for, health care. PHI includes obvious identifiers, for example name, address, birth date, and social security number. But it also includes less obvious ones: dates of treatment, medical device identifiers, serial numbers, and associated IP addresses. 45 C.F.R. § 160.103; § 164.514(b).

What entities are covered by HIPAA?

HIPAA covers three entities: (1) health plans; (2) health care clearinghouses; and (3) certain health care providers.

  • Health Plan – Includes most group plans, HMOs, and private insurers and government insurance plans designed primarily to provide health insurance. 45 C.F.R. § 160.103.
  • Health Care Clearinghouse – A public or private entity that processes or reprocesses health care transactions. This includes most billing companies, repricing companies, and health care information systems. 45 C.F.R. § 160.103
  • Health Care Provider – An entity that bills, or receives payment for, health care in the normal course of business. Health care includes care, services, or supplies including drugs and devices. To be covered by HIPAA, the provider must transmit “health information” in connection with certain financial or administrative transactions defined in the law. 45 C.F.R. § 160.103

If you are having trouble telling whether the entity you are looking at is a covered entity, CMS offers a great tool for figuring it out.


What Does A Whistleblower Need to Know About HIPAA?

Under the False Claims Act, most courts require a whistleblower to provide specific examples of bills paid by the government that have been affected by fraud. A whistleblower, therefore, must frequently make use of information covered by HIPAA to sufficiently specify the false health claims submitted. For that reason, we discuss two safe harbors critical for potential whistleblowers dealing with patient-identifying information. They are the de-identification and whistleblower safe harbors.

We have previously discussed how privilege and other considerations provide modest limits on a whistleblower’s right to gather evidence. For instance, whistleblowers need to be careful when they copy documents or record conversations to support allegations. In addition, certain types of documents require special care. Among these “special” categories are documents that contain HIPAA protected PHI.

Safe Harbors A Whistleblower Needs to Know For HIPAA Violation Reporting

HIPAA contains important safe harbors designed to permit vital whistleblower activities. So long as whistleblowers and their counsel know of and abide by those safe harbors, HIPAA should not stop them from reporting their allegations of fraud to the government. Protecting patient confidentiality is a complicated issue, and whistleblowers and their attorneys are not relieved of the obligation to safeguard this information. Because of the unique nature of each case, these issues highlight the importance of speaking with experienced counsel well versed in health care fraud and the issues involved when considering the decision to blow the whistle.

HIPAA Whistleblower Safe Harbor

The whistleblower safe harbor at 45 C.F.R. § 164.502(j) protects disclosures of HIPAA-protected material both to your own attorney and to the government, so long as you believe in good faith that your employer “has engaged in conduct that is unlawful or otherwise violates professional or clinical standards” or “that the care, services, or conditions . . . potentially [endanger] one or more patients, workers, or the public.”

This safe harbor protects a whistleblower with a good faith belief that his or her employer engaged in unlawful or dangerous practices. That whistleblower does not violate HIPAA by sharing PHI with an attorney to evaluate potential claims. In addition, the whistleblower may use this safe harbor to provide the government with information required under the False Claims Act.

During a 2015 case concerning overbilling by the Arkansas Children’s Hospital, the defendant discovered that the relators had obtained HIPAA-protected information and shared it with their attorney. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard ex rel. U.S. v. Arkansas Children’s Hosp., No. 4:13-cv-00310, at *3 (E.D. Ark. July 1, 2015). The court concluded that, regardless of reasonableness, the whistleblower safe harbor protected the relator, and refused to order return of the documents.

De-identification Safe Harbor

HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart. It is only concerned with “individually identifiable health information,” or “protected health information” (PHI). 45 C.F.R. § 160.103. This includes information that identifies the individual or could reasonably be used to identify the individual.

One option to ensure compliance with HIPAA is the “de-identification” safe harbor at 45 C.F.R. § 164.514(a) and (b). The U.S. Department of Health and Human Services has detailed instructions here. But the basic idea is to redact PHI such as names, geographic units, and dates (not just birthdates, but other dates that tend to identify a patient, such as dates of admission and discharge). We also suggest redacting dates of test results and appointments. You can either do this on paper with a big black marker (making a copy first so the originals stay intact) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.

When using software to redact documents, placing a black bar over the words is not enough. Text hidden under a drawn rectangle remains in the file and can be recovered by selecting and copying it or by extracting the document’s text. Instead, one must use a method that removes the underlying information from the electronic document. Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it. For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
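A quick way to verify the point above, added here as an example and not part of the original post: a stdlib-only Python check that inflates a PDF’s content streams and searches them for the names and dates you meant to remove. The minimal PDF builder and the patient line are constructed test fixtures, and the file path in the usage note is a placeholder.

```python
import re
import zlib

# A stream body sits between "stream\n" and "\nendstream"; DOTALL lets binary bodies match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)

def pdf_streams(pdf: bytes):
    """Yield each stream body, inflating FlateDecode bodies; anything else is yielded raw."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            inflater = zlib.decompressobj()   # tolerates stray trailing bytes
            yield inflater.decompress(body) + inflater.flush()
        except zlib.error:
            yield body                        # not zlib-compressed

def leaked_terms(pdf: bytes, terms):
    """Return the PHI strings still literally present in the file.

    A drawn black bar leaves the text in the content stream, which this finds.
    Text stored via custom font encodings or split across operators can evade a
    substring search, so an empty result is evidence, not proof, of a clean redaction.
    """
    haystack = b"\n".join(pdf_streams(pdf)) + b"\n" + pdf
    return sorted(t for t in terms if t.encode("latin-1") in haystack)

def build_pdf(content: bytes, compress: bool = True) -> bytes:
    """Constructed fixture: one-page PDF whose only content stream is `content`
    (xref table omitted, so it suits this check but not a viewer)."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    header = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n")
    stream = b"4 0 obj << /Length %d %s>>\nstream\n" % (len(body), filt)
    return header + stream + body + b"\nendstream\nendobj\n%%EOF\n"

# Constructed sample: a fictitious patient line, not real PHI.
PHI_TERMS = ["Jane Q. Sample", "03/04/2021"]
TEXT = b"BT /F1 12 Tf 50 700 Td (Patient: Jane Q. Sample, admitted 03/04/2021) Tj ET\n"
BLACK_BAR = b"0 g 50 695 260 16 re f\n"      # filled black rectangle drawn over the line
FAKE_REDACTED = build_pdf(TEXT + BLACK_BAR)  # looks redacted on screen; text is still inside
TRUE_REDACTED = build_pdf(b"BT /F1 12 Tf 50 700 Td (Patient: [REDACTED]) Tj ET\n")

if __name__ == "__main__":
    print("bar only:", leaked_terms(FAKE_REDACTED, PHI_TERMS))
    print("text removed:", leaked_terms(TRUE_REDACTED, PHI_TERMS))
```

To check a real file, call `leaked_terms(open("redacted.pdf", "rb").read(), [...])` with the names and dates you redacted; any term it returns is still in the document.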

Using the Whistleblower Safe Harbors for HIPAA Violation Reporting

These safe harbors can work in concert. In a case regarding pharmacy overcharging for prescriptions, the relator’s complaint provided 18 specific examples needed to meet the particularity requirements of Federal Rule 9(b). United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). The defendant claimed that the examples in the complaint violated HIPAA, but the court found that because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor, and even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.

HIPAA Whistleblower Protection

HIPAA also provides whistleblowers with protection from retaliation. Covered entities may not “threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action” against a whistleblower who files a complaint, assists an investigation, or opposes violations of HIPAA. 45 C.F.R. § 160.316.

Courts Have Punished Some Whistleblowers For Perceived Carelessness With HIPAA Protected PHI

Whistleblowers risk serious trouble if they run afoul of HIPAA. Luckily, HIPAA contains important safe harbors designed to permit vital whistleblower activities. Consequently, whistleblowers and their counsel who abide by those safe harbors can report allegations without fear of running afoul of HIPAA.

Some whistleblowers, however, have run into trouble due to perceived carelessness with HIPAA-protected information.

  • For example, a California court concluded that HIPAA precluded a whistleblower from obtaining and sharing with his attorney documents containing PHI. As a result, it ordered all documents and notes containing HIPAA-protected information returned to the defendant. Rutherford v. Palo Verde Health Care District, No. 13-1247, at 22-31 (C.D. Cal. Apr. 17, 2014).
  • In Florida, a Magistrate Judge recommended sanctions for a relator and his counsel who attached PHI to a complaint to compensate the defendant for its costs in notifying patients that their identifying information had been released. United States ex rel. Alvord v. Lakeland Reg’l Med. Ctr., No. 10-52-T-17EAJ, 11-14 (M.D. Fla. Sept. 14, 2012).

HIPAA Violation Reporting Options

Report HIPAA Violations Directly to the Health and Human Services Office for Civil Rights

HIPAA permits whistleblowers to file a complaint for HIPAA violations with the Department of Health and Human Services. These complaints must generally be filed within six months. 45 C.F.R. § 160.306. The Health and Human Services Office for Civil Rights accepts whistleblower complaints by mail or through its online portal. HHS can investigate and prosecute these claims. As a result of these tips, enforcement activities have obtained significant results that have improved the privacy practices of covered entities. However, whistleblowers who use the HHS complaint procedure are not eligible for a whistleblower HIPAA violation reporting reward.

File A False Claims Act Case Based on HIPAA Violation Reporting

In order to be eligible for a HIPAA violation reporting reward, the whistleblower must first file a False Claims Act case. Some courts have found that violations of HIPAA give rise to False Claims Act cases. Successful False Claims Act cases may entitle the whistleblower to a HIPAA violation reporting reward, known as a relator’s share. We have previously explained how the False Claims Act pulls in violations of other statutes. This is because when an entity submits a claim to the government, it promises that it has followed the government’s health care laws. In False Claims Act jargon, this is called the implied certification theory.

When health care providers join government health programs or submit claims, they certify that they are following health laws. Thus, if the providers are violating a health law – for example, HIPAA – they are lying to the government. Under Supreme Court guidance, a provider in such a situation violates the False Claims Act if those violations of law are material. In other words, would the violations matter to the government’s decision to pay? This theory of liability is most well established with violations of the Anti-Kickback Statute. But it applies to other material violations of the law.

It is not certain that a court would consider a violation of HIPAA material. However, at least one court has said it can be.

US ex rel. O’Donnell v. America At Home

A whistleblower brought a False Claims Act case against a home healthcare company. One of the allegations was that the defendants “searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services.” United States ex rel. O’Donnell v. Am. at Home Healthcare & Nursing Servs., Ltd., Case No. 14-cv-1098, 14 (N.D. Ill. Jan. 8, 2018). The whistleblower argued that illegally using PHI for solicitation violated the defendants’ implied certifications that they complied with the law.

The defendants asked the court to dismiss this claim, arguing that HIPAA violations cannot give rise to False Claims Act liability. The Court sided with the whistleblower. It concluded that the allegations stated a material violation because “information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting a payment decision too.” Id. at 16.

US ex rel. Kelly v. City Medical Associates

In 2017, the US Attorney’s Office for the Southern District of New York announced that it had intervened in a whistleblower case against a cardiology and neurology clinic and its physicians. The underlying whistleblower case did not raise HIPAA violations. However, the feds also brought a related criminal case based in part on defendants “accessing, without authorization, electronic health records of patients” in violation of HIPAA to identify patients to recruit to their practice. So, while this is not exactly a False Claims Act based on HIPAA violations, the HIPAA violations were part of the government’s criminal case.


In short, HIPAA is an important law for whistleblowers to know. Failure to abide by HIPAA rules when obtaining evidence for a case can cause serious trouble. On the other hand, careful whistleblowers and counsel can take advantage of the HIPAA whistleblower and de-identification safe harbors. By doing so, whistleblowers can safely report claims of HIPAA violations either directly to HHS or to DOJ as the basis for a False Claims Act case or health care fraud prosecution. If the HIPAA violations are deemed material, the HIPAA violation reporting may lead to a reward.

Don’t Let HIPAA Violations Go Unchallenged

The Whistleblower Law Collaborative LLC, based in Boston, devotes its practice entirely to representing clients nationwide in bringing actions under the federal and state False Claims Acts and other whistleblower programs. Among the firm’s many successes is the government’s $10 million settlement with BioReference Health, LLC for paying kickbacks in exchange for referrals. If you are aware of a covered entity violating HIPAA, we urge you to contact us for a free, confidential consultation. Successful HIPAA violation reporting may lead to a reward.