Many of the whistleblower claims I see here in Mississippi involve the healthcare industry, especially referrals for unnecessary procedures and kickbacks for client referrals. Exposing this sort of fraud can be worth it to the whistleblower, but a question often arises, “how do you expose fraud involving medical patients without simultaneously violating HIPAA?” In simpler terms, how do you show that your employer defrauded a patient without violating their right to privacy regarding their medical records? Luckily, with the help of an experienced whistleblower attorney, you can find “safe harbors” in HIPAA that allow for some disclosure of patients’ records, so long as the disclosure is limited and only occurs in an effort to report fraud.
The Federal False Claims Act
The claim in this $111 million recover was brought under the Federal False Claims Act (31 U.S.C. §§ 3729-3733), a law that penalizes individuals and companies that are convicted of defrauding the government. The False Claims Act created during the Civil War and signed by Lincoln to root out companies that were taking financial advantage of the war effort.
HIPAA
Most people here know it as “HIPAA” and not it’s full name, the Health Insurance Portability and Accountability Act of 1996. HIPAA is a privacy law for entities that handle patient’s medical information, generally prohibiting using “protected health information” such as bills, medical files, or notes for anything other than treatment. Protected health information cannot be shared publicly. This is a problem in whistleblower cases, as the whistleblower often wants to use patients’ files or bills as evidence of fraud. Whistleblowers cannot move forward with a case on general allegations, specific instances of fraud must be provided, often with evidence. But patients’ bills and files normally cannot leave a medical institution and should not be shared publicly. So how does a whistleblower prove their case?
HIPAA’s “Safe Harbors”
In law, a “safe harbor” is a term describing an act that would normally violate the law but is instead allowed because of some higher purpose being achieved. Under federal regulation 45 C.F.R. sec. 164.502(j) linked below, a person may release protected health information if the person believes that his or her employer “has engaged in conduct that is unlawful or otherwise violates professional or clinical standards” or “that the care, services, or conditions . . . potentially [endanger] one or more patients, workers, or the public.” Thus, HIPAA protected health information may be shared in a False Claims Act case by an employee who believes that his or her employer is engaging in fraud.
HIPAA establishes another safe harbor at 45 C.F.R. sec. 164.514(a) & (b), also linked below, for releases of protected health information that is de-identified. To use this safe harbor, an employee must de-identify the protected health information in a way that blacks our or redacts any identifying information. This is not just names and addresses, but also information such as dates of discharge that could be used to deduce the patient’s identity.
What Should You Do if You are Considering a Whistleblower Claim?
Do you know about fraud or other serious financial misconduct occurring in a health care context like the one described above? Are you considering filing a whistleblower case? The handling of protected health information under HIPAA is only one complexity to being a healthcare industry whistleblower.
Call Barrett Law now at (601) 790-1505 if you think you may be a whistleblower.
Experienced Mississippi Whistleblower Lawyer Jonathan Barrett can provide you with the advice you will need to file a successful False Claims Act case. Having expert legal advice by your side can mean the difference between receiving your share of a whistleblower judgment and losing your career and livelihood. Call us today.