HIPAA Privacy Rule Exemptions: What Healthcare Whistleblowers Need To Know

Posted on February 10, 2021

Healthcare fraud cases require strong evidence in order to yield successful results for whistleblowers and the federal government. In most qui tam lawsuits, it is necessary to demonstrate either a specific intent to defraud the government or actual instances of fraud.

This means that whistleblowers often have to hang onto documents like Medicare invoices that prove that False Claims Act violations have occurred. Though your employer might want you to believe otherwise, providing this documentation to an attorney is not a violation of the HIPAA Privacy Rule.

HIPAA Privacy Rule Exceptions

HIPAA contains a section allowing disclosures of Protected Health Information (PHI) under very specific circumstances. Some of the exempt circumstances include:

  • Law enforcement investigations
  • Judicial and administrative proceedings
  • Serious health or safety concerns

The most important component of these exemptions is the minimum necessary standard. For whistleblowers, this requirement means that the protected health information they disclose to attorneys cannot exceed what is absolutely necessary to demonstrate the presence of fraud.

For example, if you have information about unnecessary procedures being performed on patients in order to secure higher Medicare reimbursements, you are permitted to disclose the relevant diagnostic information and correlated Medicare invoice of the patient who was mistreated.

This information can be shared confidentially with an attorney, public health authority or health oversight agency. You would not be permitted, however, to keep and disclose documents that had nothing to do with a potential healthcare fraud case.

Unsurprisingly, healthcare and pharmaceutical employers rarely publicize this HIPAA privacy exemption, but prospective whistleblowers should know that they have a right to show pertinent documents to an attorney in pursuit of a qui tam lawsuit.

Arkansas Court Upholds HIPAA Whistleblower Exemption

An Arkansas case in July 2015 brought HIPAA’s whistleblower exemption to the public’s attention. While working for Arkansas Children’s Hospital, two employees were allegedly fired for internally reporting possible False Claims Act violations.

While still employed, they retained patient records in order to demonstrate possible false bill submissions to federal healthcare programs. After being fired, the two employees then showed this information to an attorney.

In an attempt to diffuse the lawsuit, Arkansas Children’s Hospital claimed that the whistleblowers violated HIPAA by retaining PHI and showing it to a third party. Fortunately, the court ruled that the information collected was for the specific purpose of proving fraud allegations, and that the plaintiffs properly disclosed it to their legal team.

The whistleblowers were also permitted to disclose the PHI because they had collected it while still employed by Arkansas Children’s Hospital.

Your Right To Report Fraud

Healthcare fraud is a serious, growing issue, and whistleblowers are an indispensable part of the national effort to combat it. It can be intimidating to report an employer’s wrongdoing, especially when your efforts to do so internally have been ignored, or you have faced retaliation.

There is a great deal of legislation on the side of healthcare whistleblowers, however, most notably the False Claims Act. Any retaliation for retaining PHI in the pursuit of a FCA lawsuit, or for reporting fraud and misconduct in general, is against the law. Learn more about whistleblower rights and regulations here.