The Health Insurance Portability and Accountability Act (HIPAA) is a ubiquitous statute affecting the healthcare industry. The average consumer has likely heard of HIPAA and understands that it protects their personal medical information – and almost certainly has signed away some of those privacy rights through myriad consent forms. Healthcare providers and institutions, as well as insurers, deal regularly with HIPAA and have standard operating procedures and policies intended to ensure compliance with their obligations. Indeed, the importance of not disclosing protected health information (PHI) is drilled into the heads of most individuals who deal even tangentially with the provision of healthcare.

But what if a psychiatrist observes that her hospital is endangering the lives of patients and wants to speak with a government regulator? Or what if a nurse believes that doctors in her oncology practice are improperly administering chemotherapy and wants to consult with a lawyer? Can these individuals give specific examples of what they have observed without violating HIPAA? 

The answer is yes – provided that the disclosures meet specific criteria.

What Are the HIPAA Whistleblower Exception Requirements?

The regulations interpreting HIPAA contain a whistleblower exception to the general privacy rule. See 45 C.F.R. § 164.502. Under this exception, it is legal for an employee or business associate of an entity covered by HIPAA to disclose PHI if the individual believes that the covered entity has:

  • Engaged in unlawful conduct;
  • Engaged in conduct that violates professional or clinical standards; or
  • Provided care, services or conditions that potentially endanger patients, workers or the public.

But this exception does not completely supersede the overarching rule of privacy. The disclosing individual must have a good-faith belief that one of the violations above has occurred, and the disclosure of PHI must be made to:

  • A health oversight agency or public health authority legally authorized to investigate the alleged violations;
  • A healthcare accreditation organization, for the purpose of reporting violations of professional or clinical obligations; or
  • An attorney retained by the worker or business associate for the purpose of determining her legal options with respect to the observed misconduct.

So, if a psychiatrist reported her concerns about patient safety to the state department of mental health, her disclosure likely would not violate HIPAA. The same is probably true if a nurse reported deficient cancer treatment to an accreditor like The Joint Commission. But the scope of the exception is still not entirely clear. 

How Have Agencies and Courts Interpreted the HIPAA Exception?

There are few cases interpreting the parameters of the HIPAA whistleblower exception, but they generally apply the language of the law in a straightforward way. For example, a disclosure of PHI to the Equal Employment Opportunity Commission (EEOC) is not covered by the HIPAA whistleblower exception, since it is an employment oversight agency, not a public health agency. See Vaughn v. Epworth Villa, 537 F.3d 1147, 1153 n.4 (10th Cir. 2008). Similarly, a disclosure of PHI to an attorney for a third party – as opposed to one’s own attorney – does not fall within the exception, even if it would otherwise be permissible. See Monarch Fire Prot. Dist. of St. Louis Cty., Missouri v. Freedom Consulting & Auditing Servs., Inc., 678 F. Supp. 2d 927, 936-37 (E.D. Mo. 2009) aff'd, 644 F.3d 633 (8th Cir. 2011). Conversely, the exception does apply where an employee discloses PHI to an attorney in the context of seeking legal advice regarding healthcare billing fraud that she observed. See Howard ex rel. U.S. v. Arkansas Children's Hosp., No. 4:13CV00310 JLH, 2015 WL 4042170, at *1, 3 (E.D. Ark. July 1, 2015).

In one of a few cases discussing the exception in detail, the Merit Systems Protection Board (MSPB), which adjudicates employment claims by federal government workers, concluded that a doctor’s disclosures of PHI were permissible under the HIPAA whistleblower exception. The employee, Anil Parikh, was a staff physician for the Department of Veterans Affairs (DVA), employed at the Jesse Brown Veterans Administration Medical Center (VAMC) in Chicago. Parikh v. Department of Veterans Affairs, 116 M.S.P.R. 197 (2011). In the course of his duties, Dr. Parikh observed numerous instances of conduct that he believed violated professional and clinical standards of healthcare provision and that potentially endangered patients. He disclosed this conduct internally and to, among others, individuals within the Inspector General of the DVA, the Secretary of the DVA, the heads of two university programs that oversaw medical residents at the DVA, and then-Senator Barack Obama and Congressman Luis Gutierrez, who sat on the committees overseeing the DVA.

The MSPB reviewed each disclosure in turn, concluding that they all discussed conduct that arguably violated professional and clinical standards of care. According to the MSPB, the disclosures described:

  1. an unnecessary and improperly performed medical procedure and a patient abuse incident;
  2. a poorly supervised procedure that allegedly caused a patient's death;
  3. a resident's failure to follow instructions, allegedly causing harm to a patient;
  4. inadequate supervision and training of interns, which could potentially endanger patients; and
  5. claims of mismanagement of physicians’ workloads and resulting instances of improper or inadequate patient care.

The MSPB concluded that Dr. Parikh had made these disclosures based on a good-faith belief that violations were occurring.

The MSPB then considered the recipients of the disclosures containing PHI, observing that each of Dr. Parikh’s letters was sent to an individual or entity that was responsible for overseeing the DVA and thus oversaw “[v]eterans’ hospitals, medical care, and treatment of veterans.” Based on this analysis, the MSPB held that Dr. Parikh’s communications fell within the HIPAA whistleblower exception.

Significance for HIPAA Whistleblowers

The HIPAA whistleblower exception not only serves the interests of patients directly but also provides some protection – and possibly a basis for legal redress – for employees who are disciplined or terminated for doing the right thing. 

Whistleblower retaliation laws generally require some sort of “protected activity,” meaning that an employee must have reported or attempted to stop a violation of the law. For example, the Whistleblower Protection Act (WPA) protects employees of most federal agencies who disclose a legal violation, gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety. Statutes like the WPA and others that protect employees of private companies may provide HIPAA whistleblowers with a cause of action if they are retaliated against for speaking out against HIPAA violations.

The HIPAA whistleblower exception may also form the basis of state-law wrongful termination claims. The HIPAA exception arguably creates a statutory right to report certain misconduct, and in many states, it is illegal to terminate an individual for exercising a right or public policy embodied in the law. The caveat is that states often require that the public policy or right at issue involves state law, and HIPAA is a federal law.

Even if it does not form an independent basis for a claim, the HIPAA whistleblower exception is an important protection for individuals seeking legal advice. Given how heavily HIPAA privacy protections are emphasized, employees may be confused about what they can and cannot do. The exception means that individuals are able to get advice about the legality of disclosures that they have made or intend to make to ensure that they protect themselves and the privacy of patients.

Increasing Patient Protections

The PHI protections under HIPAA are critical to safeguarding the privacy of hundreds of millions of American healthcare consumers. However, those protections are not absolute. The HIPAA whistleblower exception makes clear that the law is not meant to muzzle insiders who have knowledge of serious wrongdoing. While there are few cases interpreting the law in the employment retaliation context, courts seem to recognize that the safe harbor should provide some measure of protection to conscientious employees who speak out about unlawful and dangerous conduct. 

At the moment, however, courts have largely been constrained by the rigid confines of HIPAA’s statutory text. To more effectively protect patient health, Congress should amend HIPAA to expand the HIPAA whistleblower exception to employees who provide PHI to government agencies in support of their claims of retaliation. Separately, Congress should amend HIPAA to include a cause of action for retaliation against whistleblowers who report activity in the healthcare industry that violates professional or clinical standards or potentially endangers patients, workers or the public. Together, these changes will help to protect patients and ensure the high standards we expect from the healthcare industry are met.