HIPAA Exceptions in Whistleblower Cases

Whistleblowers’ access to and disclosure of HIPAA-protected information are exceptions to rules that normally bar access to sensitive health information. People reporting healthcare fraud may need to access evidence protected under the Health Insurance Portability and Accountability Act (HIPAA), such as medical records and identifying information. Whistleblowers combatting fraud under the False Claims Act (FCA) must understand HIPAA protections and disclosure rules or risk negative consequences.

Permitted HIPAA Use and Disclosures

There are stiff penalties for violating HIPAA disclosure laws, so whistleblowers must act within the allowed exceptions when reporting a fraud scheme. HIPAA restricts the transfer of “individually identifiable health information,” which includes a person’s medical condition, name, address, date of birth, and Social Security Number. However, under 45 C.F.R. § 164.502(j), a whistleblower may access or disclose this information if they have a good faith belief that:

  • The covered entity has engaged in unlawful conduct, or
  • The covered entity’s conduct violates professional or clinical standards, or
  • The care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public.

This exception is critical because whistleblowers filing a claim under the FCA must provide the government with a disclosure statement containing all material evidence of the alleged fraud, including information protected by HIPAA.

Fraud Reporting Channels for Medical Whistleblowers

To qualify for HIPAA whistleblower protection, the reporter must disclose sensitive evidence, like medical records and patient information, appropriately. Whistleblowers should always consult an attorney before acquiring or disclosing medical records or other files protected by HIPAA. Failing to use the appropriate channels when pursuing a Medicare or Medicaid fraud claim can implicate the reporter in a HIPAA violation and qualify as an employment contract breach.

To retain their HIPAA protections, whistleblowers must make disclosures to:

  • A healthcare accreditation organization when there’s a failure to meet professional standards or a belief of misconduct, or
  • A health oversight agency or public health official authorized to investigate or oversee related conduct or conditions, or
  • A whistleblower attorney who can help you determine your legal options and next steps.

The steps to filing a whistleblower claim must be precisely followed to protect your rights and your possible reward for reporting fraud. If you’ve uncovered healthcare fraud against the government, contact the whistleblower attorneys at Miller Law Group  today. We’ll review your case and protect your rights while you pursue the claim.