The Health Insurance Portability and Accountability Act of 1996 or HIPAA establishes privacy and security standards for health care providers and other covered entities. These standards prevent the release of patient identifying information. Understanding HIPAA is important to a whistleblower.
Whistleblowers need to know what information HIPAA protects from publication. This is because defendants often accuse whistleblowers of violating HIPAA when they report fraud. Therefore, understanding how to comply with HIPAA and its safe harbors can prevent a whistleblower from being victimized by these threats.
Whistleblowers who understand HIPAA and its rules have several ways to report the violations. These include filing a complaint directly with the government. However, violations of HIPAA can also lead to False Claims Act violations and underlie health care fraud prosecutions.
What is HIPAA And What does It Protect?
HIPAA is the common name for the Health Insurance Portability and Accountability Act of 1996. HIPAA authorizes a nationwide set of privacy and security standards for health care entities. These standards prevent the publication of private information that identifies patients and their health issues.
What entities are covered by HIPAA?
HIPAA covers three entities: (1) health plans; (2) health care clearinghouses; and (3) certain health care providers.
Health Plan
Includes most group plans, HMOs and private insurers and government insurance plans designed primarily to provide health insurance. 45 C.F.R. § 160.103.
Health Care Clearinghouse
A public or private entity that processes or reprocesses health care transactions. This includes most billing companies, repricing companies, and health care information systems. 45 C.F.R. § 160.103
Health Care Provider
An entity that bills, or receives payment for, health care in the normal course of business. Health care includes care, services, or supplies including drugs and devices. To be covered by HIPAA, the provider must transmit “health information” in connection with certain financial or administrative transactions defined in the law. 45 C.F.R. § 160.103
If you are having trouble telling whether the entity you are looking at is a covered entity, CMS offers a great tool for figuring it out.
What is PHI Or Protected Health Information
“Protected health information,” or PHI, is the patient identifying information that is protected under HIPAA. PHI must first identify a patient. In addition, it must relate to an individual’s health or to the provision of, or payment for, health care. PHI includes obvious things: for example, names, addresses, birth dates, and social security numbers. But it also includes not so obvious things: for instance, dates of treatment, medical device identifiers, serial numbers, and associated IP addresses. 45 C.F.R. § 160.103; § 164.514(b)
What Does A Whistleblower Need to Know About HIPAA?
Prospective whistleblowers should be aware of HIPAA and its implications for establishing a viable case. Documentary proof can help whistleblowers build a case because it strengthens credibility. For example, under the False Claims Act, whistleblowers often must identify specific examples of fraudulent bills paid by the government. Documents are not required to plead such a claim, but they help ensure the whistleblower has the required information. A whistleblower, particularly one reporting health care fraud, therefore must frequently make use of documents potentially covered by HIPAA.
We have previously discussed how privilege and other considerations provide modest limits on a whistleblower’s right to gather evidence. For instance, whistleblowers need to be careful when they copy documents and record conversations to support allegations. In addition, certain types of documents require special care. Among these “special” categories are documents that contain HIPAA-protected PHI.
Courts Have Punished Some Whistleblowers For Perceived Carelessness With HIPAA Protected PHI
Whistleblowers have run into trouble due to perceived carelessness with HIPAA-protected information in the past.
- For example, a California court concluded that HIPAA precluded a whistleblower from obtaining and sharing with his attorney documents containing PHI. As a result, it ordered all documents and notes containing HIPAA-protected information returned to the defendant. Rutherford v. Palo Verde Health Care District, No. 13-1247, at 22-31 (C.D. Cal. Apr. 17, 2014).
- Even more concerning, a Florida Magistrate Judge recommended sanctions for a relator and his counsel who attached PHI to a complaint to compensate the defendant for its costs in notifying patients that their identifying information had been released. United States ex rel. Alvord v. Lakeland Reg’l Med. Ctr., No. 10-52-T-17EAJ, 11-14 (M.D. Fla. Sept. 14, 2012).
The HIPAA Safe Harbors A Whistleblower Needs to Know
As you can tell, whistleblowers risk serious trouble if they run afoul of HIPAA. Luckily, HIPAA contains important safe-harbors designed to permit vital whistleblower activities. Consequently, whistleblowers and their counsel who abide by those safe harbors can report allegations without fear of running afoul of HIPAA.
HIPAA Whistleblower Safe Harbor
The whistleblower safe harbor at 45 C.F.R. § 164.502(j) protects disclosures of HIPAA-protected material both to a whistleblower attorney and to the government. But the whistleblower must believe in good faith that her employer has provided unlawful, unprofessional, or dangerous care.
Such a whistleblower does not violate HIPAA when she shares PHI with her attorney to evaluate potential claims. In addition, she may use this safe harbor to provide the information to the government, for example as part of the information required under the False Claims Act.
For instance, in one case whistleblowers obtained HIPAA-protected information and shared it with their attorney to support claims that the Arkansas Children’s Hospital was overbilling the government. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard v. Ark. Children’s Hosp., No. 4:13CV00310 JLH, 3 (E.D. Ark. Jul. 1, 2015). The court concluded that, regardless of reasonableness, the whistleblower safe harbor protected the relator, and refused to order return of the documents.
De-identification Safe Harbor
HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart, but rather with “individually identifiable health information,” or PHI. 45 C.F.R. § 160.103. PHI must be able to identify an individual.
As a result, a whistleblower can ensure compliance with HIPAA using the “de-identification” safe harbor. 45 C.F.R. § 164.514(a) and (b). The U.S. Department of Health and Human Services has published detailed instructions on using the safe harbor.
The basic idea is to redact PHI such as names, geographic units, and dates: not just birthdates, but other dates that tend to identify a patient, for example dates of admission and discharge. We also suggest redacting dates of test results and appointments. You can either do this on paper with a big black marker (keeping a copy of the originals first, of course) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.
When using software to redact documents, placing a black bar over the words is not enough. Instead, one must use a method that removes the underlying information from the electronic document. Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it. For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
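As an illustration of the difference between hiding and deleting text, the following check is an added example and not a tool the firm describes. It inflates each content stream in a PDF and reports which sensitive terms still appear in the text-drawing operands. The sample streams, the name and the date are constructed; the check reads only literal `(...)` strings, so a clean result does not cover hex-encoded text, scanned images or metadata.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # (text) operands of Tj / TJ

def stream_bodies(pdf_bytes):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # stream was stored uncompressed

def normalise(text):
    """Drop whitespace and case so kerning splits do not hide a match."""
    return re.sub(r"\s+", "", text).lower()

def leaked_terms(pdf_bytes, terms):
    """Return the terms that are still present as text in the file."""
    fragments = []
    for body in stream_bodies(pdf_bytes):
        for frag in LITERAL_RE.findall(body):
            unescaped = re.sub(rb"\\(.)", rb"\1", frag)
            fragments.append(unescaped.decode("latin-1"))
    haystack = normalise("".join(fragments))
    return [term for term in terms if normalise(term) in haystack]

def sample_pdf(content, compress=True):
    """Constructed PDF fragment: a header plus one content-stream object."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%%PDF-1.4\n1 0 obj\n<< %s/Length %d >>\nstream\n%s\nendstream\nendobj\n"
            % (filt, len(body), body))

# Constructed sample data: a fictional patient name and admission date.
TERMS = ["Jane Q. Sample", "03/14/2016"]

# Black bar drawn over the text: the text operators are still in the stream.
MASKED = (b"BT /F1 12 Tf 72 700 Td [(Pat) -15 (ient: Jane Q. Sam) 10 (ple)] TJ\n"
          b"0 -16 Td (Admitted 03/14/2016) Tj ET\n"
          b"0 0 0 rg 70 680 220 36 re f\n")

# Proper redaction: the text operators are gone, only the bar remains.
REDACTED = (b"BT /F1 12 Tf 72 660 Td (Claim amount: $412.00) Tj ET\n"
            b"0 0 0 rg 70 680 220 36 re f\n")
```

Run `leaked_terms` on the redacted copy before it leaves your hands; any term it returns means the software only covered the text.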
Using the HIPAA Whistleblower Safe Harbors
These safe harbors can work in concert. For example, in a recent pharmacy overcharging case, the complaint provided 18 specific examples of false claims; the defendant claimed these examples violated HIPAA. United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). However, the Court held that because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor. Moreover, even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.
HIPAA Whistleblower Protection
HIPAA also provides whistleblowers with protection from retaliation. Covered entities may not “threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action” against a whistleblower who files a complaint, assists an investigation, or opposes violations of HIPAA. 45 CFR § 160.316.
How A Whistleblower Can Report Violations of HIPAA
Report HIPAA Violations Directly to Health and Human Services Office of Civil Rights
HIPAA permits whistleblowers to file a complaint for HIPAA violations with the Department of Health and Human Services. These complaints must generally be filed within six months. 45 CFR § 160.306. The Health and Human Services Office of Civil Rights accepts whistleblower complaints by mail or through its online portal. HHS can investigate and prosecute these claims. As a result of these tips, enforcement activities have obtained significant results that have improved the privacy practices of covered entities. However, unfortunately, whistleblowers who use the HHS complaint procedure are not eligible for a whistleblower reward as they are under the False Claims Act.
File A False Claims Act Case Based on HIPAA Violations
Some courts have found that violations of HIPAA give rise to False Claims Act cases. We have previously explained how the False Claims Act pulls in violations of other statutes. This is because when an entity submits a claim to the government, it promises that it follows all of the federal health care law. In False Claims Act jargon, this is called implied certification theory.
When health care providers join government health programs or submit claims, they certify they are in compliance with health laws. Thus, if the providers are violating a health law, for example HIPAA, they are lying to the government. Under Supreme Court guidance, a provider in such a situation violates the False Claims Act if those violations of law are material. In other words, would they matter to the government’s decision to pay? This theory of liability is most well established with violations of the Anti-Kickback Statute. But it applies to other material violations of the law.
It is not certain that a court would consider violation of HIPAA material. However, at least one Court has said they can be.
US ex rel O’Donnell v. America At Home
A whistleblower brought a False Claims Act case against a home healthcare company. One of the allegations was that the defendants “searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services.” United States ex rel. O’Donnell v. Am. at Home Healthcare & Nursing Servs., Ltd., Case No. 14-cv-1098, 14 (N.D. Ill. Jan. 8, 2018). The whistleblower argued that illegally using PHI for solicitation violated the defendants’ implied certifications that they complied with the law.
The defendants asked the court to dismiss this claim arguing that HIPAA violations cannot give rise to False Claims Act liability. The Court sided with the whistleblower. It concluded that the allegations stated a material violation because “information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting a payment decision too.” Id. at 16.
US ex rel Kelly v. City Medical Associates
In 2017, the U.S. Attorney’s Office for the Southern District of New York announced that it had intervened in a whistleblower case against a cardiology and neurology clinic and its physicians. The underlying whistleblower case did not raise HIPAA violations. However, the feds also brought a related criminal case based in part on defendants “accessing, without authorization, electronic health records of patients” in violation of HIPAA to identify patients to recruit to their practice. So while this is not exactly a False Claims Act case based on HIPAA violations, it appears the HIPAA violations will be part of the government’s criminal case.
HIPAA is an important law for whistleblowers to know. Failure to abide by HIPAA rules when obtaining evidence for a case can cause serious trouble. Luckily, careful whistleblowers and counsel can take advantage of HIPAA whistleblower and de-identification safe harbors. Finally, whistleblowers can report claims of HIPAA violations either directly to HHS, as the basis for False Claims Act violations, or to enhance a health care fraud case.
Don’t Let HIPAA Violations Go Unchallenged
If you are aware of a covered entity violating HIPAA, we urge you to contact us for a free, confidential, consultation.