HIPAA Whistleblower Exception

Healthcare whistleblower cases often involve patient records. A nurse, coder, biller, physician, compliance employee, or administrator may see Medicare or Medicaid claims that appear false, but the proof may sit inside medical charts, billing data, referral records, or electronic health record notes. That creates a difficult question: can a whistleblower use protected health information to report healthcare fraud?

The answer is careful and fact-specific. The Health Insurance Portability and Accountability Act, or HIPAA, limits the use and disclosure of protected health information. But HIPAA also contains a whistleblower provision. Under 45 C.F.R. § 164.502(j), a covered entity is not considered to have violated the HIPAA privacy rule when a member of its workforce (an employee, for example) or a business associate discloses protected health information, provided the conditions set out in that provision are met.

HIPAA does not create a general license to remove patient files, browse records, send charts to the media, or disclose more patient information than necessary. Healthcare whistleblowers should speak with counsel before copying, removing, or sharing patient records. This page provides general information for False Claims Act whistleblowers; it is not legal advice for a specific record or disclosure.

What Is Protected Health Information?

Protected health information, often called PHI, is individually identifiable health information that a medical provider or other entity subject to the HIPAA privacy rule holds or transmits in any form. PHI includes patient names, medical record numbers, diagnosis information, treatment notes, billing data, dates of service, claim information, and other identifiers tied to healthcare.

False Claims Act healthcare cases often depend on information that contains protected health information. For example, billing records showing patient names, dates of birth, and Social Security numbers may help prove that a physician billed for services that were never provided, and patient medical records with detailed history and treatment notes may show that a facility provided medically unnecessary services. The legal issue is not whether the information is useful evidence. It is whether the whistleblower may use or disclose it in a way the law permits.

The safest approach is usually to avoid unnecessary patient information. A whistleblower may be able to describe the fraudulent practice, identify sample claims, explain billing codes, or provide de-identified examples without broadly disclosing identifiable patient records. When identifiable records are necessary, the disclosure should be evaluated under HIPAA and handled carefully, for example, by redacting patient identifiers that are not needed.

The HIPAA Whistleblower Exception

HIPAA's whistleblower provision appears at 45 C.F.R. § 164.502(j)(1). It provides that an individual does not violate the HIPAA privacy rule when he or she discloses protected health information, provided that two conditions are met.

First, the individual must believe in good faith that the medical provider subject to HIPAA has engaged in conduct that is unlawful, violates professional or clinical standards, or that the care, services, or conditions provided by that provider potentially endanger patients, workers, or the public. In healthcare fraud cases, this may include a good-faith belief that the provider is submitting false Medicare or Medicaid claims, falsifying medical records, billing for unnecessary care, or using unlawful referral arrangements.

Second, the disclosure must be to one of the recipients identified in the rule. The regulation permits disclosure to

  • a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the medical provider subject to HIPAA;
  • an appropriate healthcare accreditation organization, for the purpose of reporting an alleged failure to meet professional standards or misconduct by that provider; or
  • an attorney retained by or on behalf of the individual for the purpose of determining the individual's legal options with regard to conduct that is unlawful, violates professional or clinical standards, or care, services, or conditions provided by that provider that potentially endanger patients, workers, or the public.

For a potential qui tam case, the attorney-recipient provision is especially important. It allows you to consult counsel about legal options related to the suspected misconduct. The rule should still be applied carefully. The disclosure should be limited to what is needed to evaluate the suspected fraud, and the whistleblower should not assume that every chart, image, or data export is appropriate.

What the HIPAA Whistleblower Exception Does Not Do

The HIPAA whistleblower exception is not a general public-disclosure rule. It does not authorize a whistleblower to post patient records online, send charts to reporters, share records with friends, or distribute patient information to people who have no role in evaluating, investigating, or addressing the misconduct. A disclosure outside the permitted recipients can create serious problems.

The exception also does not authorize unlawful access. You should not access records outside your job duties just to search for examples. You should not exceed your authorized system access. HIPAA is only one part of the analysis; employer policies, computer access laws, confidentiality agreements, privilege rules, and court orders may also matter.

Nor does HIPAA override the False Claims Act's seal requirement. A federal qui tam complaint is filed under seal and is not served on the defendant until the court orders service. Publicizing a sealed qui tam case can create procedural problems. Healthcare whistleblowers should treat both HIPAA and the seal requirement as reasons to keep the matter confidential.

De-Identified Records and Minimum Necessary Information

HIPAA permits the use of health information that has been de-identified under 45 C.F.R. § 164.514. The regulation provides two methods for de-identification: an expert determination method, and a safe-harbor method that removes specified identifiers, provided the medical provider subject to HIPAA does not have actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

De-identification is more than crossing out a name. The safe-harbor method requires removal of eighteen categories of identifiers, including names, geographic subdivisions smaller than a state (street address, city, county, and most of the ZIP code), all elements of dates tied to the individual other than the year (and any date element that would reveal an age over 89), telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number, characteristic, or code.

When identifiable protected health information is involved, the minimum necessary concept also matters. The HIPAA rules require medical providers subject to HIPAA to make reasonable efforts to limit certain uses and disclosures to the information reasonably necessary to accomplish the purpose. A whistleblower working with counsel should think in similar practical terms: what information is needed to evaluate and explain the fraud, and what patient information can be avoided?
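As an added illustration (example code written for this page, not the firm's, HHS's, or any vendor's tooling), the following Python applies the safe-harbor identifier categories and a minimum-necessary projection to a constructed claim record, and shows why removing only the patient's name leaves the record identifiable. The field names, the regular expressions for free-text notes, and the low-population ZIP prefix set are assumptions for the example; any real de-identification should be checked by counsel or an expert under § 164.514(b)(1).

```python
"""Safe-harbor style de-identification of a constructed claim record.
Added example for this page, not the firm's or HHS's code; it follows the
identifier categories of 45 C.F.R. 164.514(b)(2) in simplified form."""
import re

# Direct identifiers the safe-harbor method removes outright.
# ASSUMPTION: these field names are invented for the example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "account_number",
    "beneficiary_id", "license_number", "device_serial", "ip_address",
    "url", "street_address", "city", "county", "photo_ref", "biometric_id",
}
# Dates tied to the individual keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 people or fewer collapse to "000".
# ASSUMPTION: placeholder set for the example; check current HHS guidance.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                       "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifier-like substrings that leak into free-text notes (constructed, not exhaustive).
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("MRN", re.compile(r"\bMRN[-: ]?\d+\b", re.IGNORECASE)),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def year_only(date_str):
    """Reduce an ISO date (YYYY-MM-DD) to the year, the only date element safe harbor keeps."""
    m = re.match(r"\d{4}", date_str)
    return m.group(0) if m else None

def safe_harbor_zip(zip5):
    """Keep the first three ZIP digits unless that prefix is in the low-population set."""
    zip3 = zip5[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3

def safe_harbor_age(age):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age > 89 else age

def scrub_free_text(text):
    """Replace identifier-like substrings in a note; return (scrubbed_text, labels_hit)."""
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS:
        hits.extend([label] * len(pattern.findall(text)))
        text = pattern.sub(f"[{label}]", text)
    return text, hits

def remaining_identifiers(record):
    """Direct-identifier fields still present: dropping only 'name' is not de-identification."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIER_FIELDS)

def deidentify(record):
    """Return a new record with safe-harbor identifier categories removed or generalized."""
    out = {}
    over_89 = safe_harbor_age(record.get("age", 0)) == "90+"
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "dob" and over_89:
            continue  # even the birth year would reveal an age over 89
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        elif isinstance(value, str):
            out[key], _ = scrub_free_text(value)  # notes and other text fields
        else:
            out[key] = value
    return out

def minimum_necessary(record, fields_needed):
    """Project a (de-identified) record onto only the fields needed to show the billing issue."""
    return {k: record[k] for k in fields_needed if k in record}

# Constructed sample: a fictitious claim line, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0045821",
    "ssn": "123-45-6789",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "89101",
    "admission_date": "2024-02-03",
    "phone": "(702) 555-0100",
    "cpt_code": "99215",
    "billed_amount": 245.00,
    "note": "Pt called from 702-555-0100; prior MRN 0045821 noted 02/03/2024. "
            "Follow up via jane@example.com.",
}
```

Running `minimum_necessary(deidentify(SAMPLE_RECORD), ["admission_date", "cpt_code", "billed_amount", "note"])` yields the year of admission, the billing code, the amount, and a scrubbed note, which is usually what is needed to describe a suspect claim; `remaining_identifiers` on the record with only the name removed still reports the MRN, phone number, and SSN.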

Finally, the rules about sharing protected health information can differ if the lawsuit is brought in state court. HIPAA sets a floor, not a ceiling: a state law that is more stringent about medical privacy is not preempted, and when the state rule is stricter, that rule applies in the state's court. For example, in Illinois, even redacted medical records cannot be shared in lawsuits. Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923, 925 (7th Cir. 2004) (holding that where state law provides a stricter medical records privilege than HIPAA, the state's law applies in state court).

For general evidence-handling precautions before reporting, see the firm's guidance on documenting fraud lawfully.

HIPAA, Healthcare Fraud, and the False Claims Act

Many healthcare fraud cases are brought under the federal False Claims Act. The statute can apply when a person knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval, or knowingly makes or uses a false record or statement material to a false or fraudulent claim. In healthcare, that often means false claims to Medicare, Medicaid, TRICARE, or other government healthcare programs. For common fact patterns, see our page on healthcare fraud examples.

HIPAA does not prevent legitimate whistleblower reporting when the regulatory requirements are met. But healthcare cases require more care than many other fraud cases because the evidence may contain sensitive patient information. The better approach is not to guess. A potential relator should consult counsel before removing, copying, or transmitting PHI.

Healthcare whistleblowers should also consider retaliation. If a provider retaliates because an individual reported or tried to stop false claims, federal and state anti-retaliation protections may apply. The existence of those protections does not eliminate the need to handle patient records lawfully.

Frequently Asked Questions

Can a whistleblower disclose HIPAA-protected information?

Sometimes, but only under specific conditions. HIPAA's whistleblower provision permits certain disclosures by an individual when he or she has a good-faith belief about unlawful conduct, professional or clinical violations, or danger, and the disclosure is made to the permitted recipients listed in 45 C.F.R. § 164.502(j)(1).

Can I give patient records to my whistleblower lawyer?

Yes, when the conditions of the rule are met. HIPAA allows you to disclose protected health information to an attorney retained by you, or on your behalf, for the purpose of determining your legal options concerning conduct that is unlawful, violates professional or clinical standards, or care, services, or conditions that potentially endanger patients, workers, or the public. That does not mean every record should be copied or sent. Speak with counsel about what information is necessary and how to handle it.

Can I send patient records to the government?

HIPAA permits disclosures to certain health oversight agencies or public health authorities authorized by law to investigate or oversee the relevant conduct. Whether a specific government agency or recipient qualifies and what information should be disclosed are fact-specific questions. Legal advice is important before transmitting PHI.

Can I share records if I remove patient names?

Removing names alone does not de-identify records under HIPAA. The safe-harbor method in 45 C.F.R. § 164.514 requires removing eighteen categories of identifiers, including medical record numbers, dates other than the year, and most of the ZIP code, and the entity disclosing the records must not have actual knowledge that the remaining information could identify the patient.

Gallagher & Lipshutz represents whistleblowers in healthcare False Claims Act matters. To discuss a potential case, contact our Las Vegas whistleblower attorneys or call (702) 381-3770. You may also reach the firm through our contact page.