August 1, 2023
Understanding HIPAA and its implications is crucial for anyone involved in the healthcare industry. For HIPAA whistleblowers, navigating the intricacies of HIPAA while exposing healthcare fraud can be daunting, but the act does provide critical safe harbors that protect whistleblowers. This blog delves into the essential aspects of HIPAA, the two main safe harbors for HIPAA whistleblowers, and how to report HIPAA violations, including the potential for a HIPAA violation reporting reward.
HIPAA is the common name for the Health Insurance Portability and Accountability Act of 1996. HIPAA authorized a nationwide set of privacy and security standards for health care entities preventing the dissemination of “individually identifiable health information.” 45 C.F.R. § 160.103
“Protected health information,” or PHI, is the patient-identifying information protected under HIPAA. PHI must first identify a patient. In addition, it must relate to an individual’s health or provision of, or payments for, health care. PHI includes obvious things: for example, name, address, birth date, social security number. But it also includes not so obvious things: for instance, dates of treatment, medical device identifiers, serial numbers, and associated IP addresses. 45 C.F.R. § 160.103; § 164.514(b)
HIPAA covers three entities: (1) health plans; (2) health care clearinghouses; and (3) certain health care providers.
If you are having trouble telling whether the entity you are looking at is a covered entity, CMS offers a great tool for figuring it out.
Under the False Claims Act most courts require a whistleblower to provide specific examples of bills paid by the government that have been affected by fraud. A whistleblower, therefore, must frequently make use of information covered by HIPAA to sufficiently specify the false health claims submitted. For that reason, we discuss two safe harbors critical for potential whistleblowers dealing with patient-identifying information. They are the de-identification and whistleblower safe harbors.
We have previously discussed how privilege and other considerations provide modest limits on a whistleblower’s right to gather evidence. For instance, whistleblowers need to be careful when they copy documents or record conversations to support allegations. In addition, certain types of documents require special care. Among these “special” categories are documents that contain HIPAA protected PHI.
HIPAA contains important safe-harbors designed to permit vital whistleblower activities. So long as whistleblowers and their counsel know of and abide by those safe harbors, HIPAA should not stop them from reporting their allegations of fraud to the government. Protecting patient confidentiality is a complicated issue. Whistleblowers and their attorneys are not relieved of the obligation to safeguard this information. Because of the unique nature of each case, these issues highlight the importance of speaking with experienced counsel well versed in health care fraud and the issues involved when considering the decision to blow the whistle.
The whistleblower safe harbor at 45 C.F.R. § 164.502(j) protects disclosures of HIPAA-protected material both to your own attorney and to the government, so long as you believe in good faith that your employer “has engaged in conduct that is unlawful or otherwise violates professional or clinical standards” or “that the care, services, or conditions . . . potentially [endanger] one or more patients, workers, or the public.”
This safe harbor protects a whistleblower with a good faith belief that her employer engaged in unlawful or dangerous practices. That whistleblower does not violate HIPAA when she shares PHI with her attorney to evaluate potential claims. In addition, she may use this safe harbor to provide the government with information required under the False Claims Act.
The basic idea is to redact PHI such as names, geographic units, and dates: not just birthdates, but other dates that tend to identify a patient, for example dates of admission and discharge. We also suggest redacting dates of test results and appointments. You can either do this on paper with a big black marker (keeping a copy of the originals first) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.
During a 2015 case concerning overbilling by the Arkansas Children’s Hospital, the defendant discovered that the relators had obtained HIPAA-protected information and shared it with their attorney. The defendant asked the court to order the return of its documents and argued that the relator was not a “true” whistleblower because his concerns were unreasonable. Howard ex rel. U.S. v. Arkansas Children’s Hosp., No. 4:13-cv-00310, at *3 (E.D. Ark. July 1, 2015). The court concluded that, regardless of reasonableness, the whistleblower safe harbor protected the relator, and refused to order return of the documents.
HIPAA is not concerned with every piece of information found in the records of a covered entity or a patient’s chart. It is only concerned with “individually identifiable health information,” or “protected health information” (PHI). 45 C.F.R. § 160.103. This includes information that identifies the individual or could reasonably be used to identify the individual.
One option to ensure compliance with HIPAA is the “de-identification” safe harbor at 45 C.F.R. § 164.514(a) and (b). The U.S. Department of Health and Human Services has detailed instructions here. But the basic idea is to redact PHI such as names, geographic units, and dates (not just birthdates, but other dates that tend to identify a patient such as dates of admission and discharge). Above all else, we suggest redacting dates of test results and appointments as well. You can either do this on paper with a big black marker (making a copy to keep the originals intact) or, if you are dealing with electronic copies (usually PDFs), you can use PDF redaction software.
When using software to redact documents, placing a black bar over the words is not enough. Instead, one must use a method that removes the underlying information from the electronic document. Thus, if the program you are using has a redaction function, make sure that it deletes the text and doesn’t just hide it. For example, we like and use Adobe Acrobat, Nuance Power PDF Advanced, and (for Macs) PDF Expert.
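One way to check a redacted file before it leaves your hands is to test whether the "redacted" text can still be extracted. The script below is an added example, not part of the original post: it pulls literal text strings out of a PDF's content streams and reports any listed names or date strings that survive. The patient name, date, and two test documents are constructed, and the scan is deliberately narrow (it ignores hex strings, font-encoded text, metadata, and images), so an empty result is a quick check, not proof of de-identification.

```python
import re
import zlib

STREAM_RE = re.compile(rb"([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
STRING_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")
# Dates identify patients too: admission, discharge, test and appointment dates.
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")

def extract_text(pdf: bytes) -> str:
    """Return literal strings drawn inside BT..ET text objects of every stream."""
    found = []
    for dict_tail, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_tail:
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # unreadable stream: review that file by hand
        for text_obj in re.findall(rb"BT\b(.*?)\bET\b", body, re.S):
            for raw in STRING_RE.findall(text_obj):
                # Undo PDF backslash escapes such as \( and \)
                found.append(re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1"))
    return " ".join(found)

def residual_identifiers(pdf: bytes, names: list[str]) -> list[str]:
    """List names and date strings that are still extractable after redaction."""
    text = extract_text(pdf)
    hits = [n for n in names if n.lower() in text.lower()]
    return hits + DATE_RE.findall(text)

def make_pdf(content: bytes, compress: bool = False) -> bytes:
    """Constructed single-stream test document (not a complete, viewable PDF)."""
    filt = b""
    if compress:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    return (b"%PDF-1.4\n4 0 obj\n<< /Length " + str(len(content)).encode()
            + filt + b" >>\nstream\n" + content + b"\nendstream\nendobj\n%%EOF\n")

# Constructed sample data: a fictional patient name and admission date.
TEXT = b"BT /F1 12 Tf 72 700 Td (Patient: Jane Roe  Admitted 03/14/2022) Tj ET\n"
KEPT = b"BT /F1 12 Tf 72 680 Td (Claim amount: $412.00) Tj ET\n"
BLACK_BAR = b"0 g 70 695 300 16 re f\n"  # filled rectangle painted over the text

covered_only = make_pdf(TEXT + KEPT + BLACK_BAR, compress=True)  # hidden, not deleted
truly_redacted = make_pdf(KEPT + BLACK_BAR)                      # text removed

if __name__ == "__main__":
    for doc in (covered_only, truly_redacted):
        print(residual_identifiers(doc, ["Jane Roe"]))
```

Any non-empty result means the redaction only hid the text and the file needs to be redone with a tool that deletes it.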
These safe harbors can work in concert. In a case regarding pharmacy overcharging for prescriptions, the relator’s complaint provided 18 specific examples needed to meet the particularity requirements of Federal Rule 9(b). United States v. Safeway, Inc., No. 11-3406, at *4 (C.D. Ill. Dec. 1, 2016). The defendant claimed that the examples in the complaint violated HIPAA, but the Court found that because the relator had used initials to describe the patients, he had complied with the de-identification safe harbor, and even if he had given all the details to his attorneys, his disclosure was protected under the whistleblower safe harbor. Id.
HIPAA also provides whistleblowers with protection from retaliation. Covered entities may not “threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action” against a whistleblower who files a complaint, assists an investigation, or opposes violations of HIPAA. 45 CFR § 160.316.
Whistleblowers risk serious trouble if they run afoul of HIPAA. Luckily, HIPAA contains important safe harbors designed to permit vital whistleblower activities. Consequently, whistleblowers and their counsel who abide by those safe harbors can report allegations without fear of running afoul of HIPAA.
Some whistleblowers, however, have run into trouble due to perceived carelessness with HIPAA-protected information.
HIPAA permits whistleblowers to file a complaint for HIPAA violations with the Department of Health and Human Services. These complaints must generally be filed within six months. 45 CFR § 160.306. The Health and Human Services Office of Civil Rights accepts whistleblower complaints by mail or through its online portal. HHS can investigate and prosecute these claims. As a result of these tips, enforcement activities have obtained significant results that have improved the privacy practices of covered entities. However, whistleblowers who use the HHS complaint procedure are not eligible for a whistleblower HIPAA violation reporting reward.
In order to be eligible for a HIPAA violation reporting reward, the whistleblower must first file a False Claims Act case. Some courts have found that violations of HIPAA give rise to False Claims Act cases. Successful False Claims Act cases may entitle the whistleblower to a HIPAA violation reporting reward, known as a relator’s share. We have previously explained how the False Claims Act pulls in violations of other statutes. This is because when an entity submits a claim to the government, it promises that it has followed the government’s health care laws. In False Claims Act jargon, this is called the implied certification theory.
When health care providers join government health programs or submit claims, they certify they are following health laws. Thus, if the providers are violating a health law – for example, HIPAA – they are lying to the government. Under Supreme Court guidance, a provider in such a situation violates the False Claims Act if those violations of law are material. In other words, would the violations matter to the government’s decision to pay? This theory of liability is most well established with violations of the Anti-Kickback Statute. But it applies to other material violations of the law.
It is not certain that a court would consider violations of HIPAA material. However, at least one Court has said they can be.
A whistleblower brought a False Claims Act case against a home healthcare company. One of the allegations was that the defendants “searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services.” United States ex rel. O’Donnell v. Am. at Home Healthcare & Nursing Servs., Ltd., Case No. 14-cv-1098, 14 (N.D. Ill. Jan. 8, 2018). The whistleblower argued that illegally using PHI for solicitation violated the defendants’ implied certifications that they complied with the law.
The defendants asked the court to dismiss this claim, arguing that HIPAA violations cannot give rise to False Claims Act liability. The Court sided with the whistleblower. It concluded that the allegations stated a material violation because “information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting a payment decision too.” Id. at 16.
In 2017, the US Attorney’s Office for the Southern District of New York announced that it had intervened in a whistleblower case against a cardiology and neurology clinic and its physicians. The underlying whistleblower case did not raise HIPAA violations. However, the feds also brought a related criminal case based in part on defendants “accessing, without authorization, electronic health records of patients” in violation of HIPAA to identify patients to recruit to their practice. So, while this is not exactly a False Claims Act case based on HIPAA violations, the HIPAA violations were part of the government’s criminal case.
In short, HIPAA is an important law for whistleblowers to know. Failure to abide by HIPAA rules when obtaining evidence for a case can cause serious trouble. On the other hand, careful whistleblowers and counsel can take advantage of HIPAA whistleblower and de-identification safe harbors. By doing so, whistleblowers safely can report claims of HIPAA violations either directly to HHS or to DOJ as the basis for a False Claims Act case or health care fraud prosecution. If the HIPAA violations are deemed material, the HIPAA violation reporting may lead to a reward.
The Whistleblower Law Collaborative LLC, based in Boston, devotes its practice entirely to representing clients nationwide in bringing actions under the federal and state False Claims Acts and other whistleblower programs. Among the firm’s many successes is the government’s $10 million settlement with BioReference Health, LLC for paying kickbacks in exchange for referrals. If you are aware of a covered entity violating HIPAA, we urge you to contact us for a free, confidential, consultation. Successful HIPAA violation reporting may lead to a reward.