If you have ever worked in the medical field or been to a medical professional, you likely have some understanding of the term HIPAA, which refers to the Health Insurance Portability and Accountability Act. HIPAA is a ubiquitous statute that affects the healthcare industry while protecting personal medical information of patients. Healthcare providers and insurers regularly deal with HIPAA and standard operating procedures and policies which are in place to ensure compliance and to avoid disclosing protected health information (PHI). So, in layman’s terms, sharing health information belonging to other parties is a no-no.
But does this still apply to whistleblowers? What if a doctor observes that her hospital’s practices are endangering the lives of her patients and wants to talk to a government regulator? Or a nurse sees the improper administration of prescriptions to patients and wants to talk with a lawyer? Is it possible for these people to share these situations with a lawyer without violating HIPAA?
The short answer is yes, as long as specific criteria are met, thanks to HIPAA whistleblower exceptions.
HIPAA Whistleblower Exception Requirements
According to 45 C.F.R. 164.502 – Uses and Disclosures of Protected Health Information, a whistleblower exception to the general privacy rule is in effect. Under this exception, employees covered by HIPAA are permitted to legally disclose PHI if the whistleblower believes that the entity has:
- Engaged in unlawful conduct;
- Engaged in conduct that violates professional or clinical standards; or
- Provided care, services or conditions that potentially endanger patients, workers or the public.
The exception does not stop there. The rule of privacy still applies, unless the disclosing individual believes that any of the above violations have occurred. If so, the disclosure of PHI may only be made to:
- A health oversight agency or public health authority that is legally authorized to investigate such alleged violations;
- A healthcare accreditation organization, to report violations of professional or clinical obligations; or
- An attorney that the worker or business associate has retained for the purpose of determining her legal options pertaining to the observed misconduct.
So if the doctor or nurse chooses to report their concerns regarding patient safety to a state department, such as the department of mental health or an accreditor of The Joint Commission, their disclosures would not likely violate HIPAA. But there are some agencies that whistleblowers may ordinarily disclose information to that may not be covered by the HIPAA whistleblower exception., such as the Equal Employment Opportunity Commission (EEOC), as it is an employment oversight agency, not a public health agency. It’s best to be certain the agency is covered prior to disclosing PHI.
The HIPAA whistleblower exception is important for whistleblowers seeking legal advice; it makes it possible for them to obtain medical records to support allegations of fraud in the healthcare industry.