Prospective whistleblowers should be aware of HIPAA and its implications for establishing a viable case. Documentary proof can be helpful in building a case because a it strengthens credibility. This is particularly true for health care fraud cases. Most courts require a whistleblower to identify specific examples of bills paid by the government that have been affected by fraud. A whistleblower is unlikely to know invoice numbers, patient names, dates of service, etc., without some documents.
But which documents can a whistleblower rely on to help make out her claims? We have previously discussed how an employee’s duties, Attorney-Client Privilege and other considerations provide modest limits on a Whistleblower’s right to copy documents to support her allegations. In addition certain types of documents require special care. Among these “special” categories, are documents that identify patients and implicate the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
What is HIPAA?
HIPAA authorized a nationwide set of privacy and security standards for health care entities – including health care providers, health plans, health care clearinghouses and their business associates – preventing the dissemination of “individually identifiable health information.” Referred to as “protected health information,” (PHI), includes any information that relates to an individual’s health or condition, provision of health care, or payments for health care, and identifies the individual or could reasonably be used to identify the individual. PHI includes both the obvious – Name, address, birth date, social security number- and the not so obvious – Dates of treatment, medical device identifiers and serial numbers, and associated IP addresses.
HIPAA Can Cause Trouble for Whistleblowers
Whistleblowers have run into trouble due to perceived carelessness with HIPAA-protected information in the past. For example, a California court ordered a whistleblower to return to the defendant all documents and notes containing HIPAA-protected information, concluding that HIPAA precluded the relator from obtaining and sharing with his attorney documents containing protected health information. Rutherford v. Palo Verde Health Care Dist., No. EDCV13-1247JAK(SPx), 2014 WL 12632901, at *13 (C.D. Cal. Apr. 17, 2014). Even more concerning, a Florida Magistrate Judge recommended sanctions for a relator and his counsel who had attached patient identifying information to a complaint to compensate the defendant for its costs in notifying patients that their identifying information had been released. United States ex rel. Alvord v. Lakeland Reg’l Med. Ctr., Inc., No. 8:10-CV-52-T-17EAJ, 2012 WL 12904676, at *6 (M.D. Fla. Sept. 14, 2012).
Whistleblowers and their Lawyers Should Know HIPAA Safe Harbors
However, HIPAA contains important safe-harbors designed to permit vital whistleblower activities. So long as whistleblowers and their counsel know of and abide by those safe harbors, HIPAA should not stop them from reporting their allegations of fraud to the government. These safe harbors are the topic of part two of this series. Protecting patient confidentiality is a complicated issue and whistleblowers and their attorneys are not relieved of the obligation to safeguard this information. Because of the unique nature of each case, these issues highlight the importance of speaking with experienced counsel well versed in health care fraud and the issues involved when considering the decision to blow the whistle.