ATTN Good Faith Whistleblowers – You will not Violate HIPAA by Disclosing Certain Info to Attorney

If you are a potential healthcare whistleblower (say, someone about to blow the whistle on Dr. Fraud for overfilling Medicare), it is legal for an employee of a covered entity to take PHI from their employer and disclose it to a lawyer so that the party can use that information to potentially bring a profitable qui tam lawsuit. A qui tam lawsuit is one brought under the False Claims Act (FCA), which allows a private litigant (i.e., the whistleblower) to bring suit on behalf of the government based on their knowledge of past or present fraud committed against the federal government.

Here are the requirements. The whistleblower must believe Dr. Fraud and/or others (1) engaged in unlawful conduct; (2) engaged in conduct violating clinical standards; or (3) provided care, services, or conditions endangering patients, workers, or the public. Thus, you as the potential whistleblower must have a good faith belief the employer engaged in illegal or prohibited conduct.

A potential whistleblower may disclose PHI to (1) an attorney retained by the employee for the purpose of determining their legal options with respect to the alleged misconduct; (2) a health oversight agency or public health authority authorized to investigate the alleged misconduct; or (3) a healthcare accreditation organization for the purpose of reporting failure to meet professional standards.

Although an employee’s disclosure of the misconduct to health oversight and accreditation agencies threatens fines, deaccreditation, suspension, or probation, as well as reputational harm for the organization, the potential for a qui tam action carries the unique and hefty financial burden of civil litigation. Moreover, the only check on the employee’s ability to take and disclose PHI is the requirement of a “good faith belief,” which is certainly a subjective question open to any variety of ambiguity and interpretation. 


(j) Standard: Disclosures by whistleblowers and workforce member crime victims – 

(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its  workforce or a  business associate discloses protected health information, provided that: 

(i) The workforce member or  business associate believes in good faith that the  covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the  covered entity potentially endangers one or more patients, workers, or the public; and

(ii) The disclosure is to: 

(A) A health oversight agency or  public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the  covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional  standards or misconduct by the  covered entity; or

(B) An attorney retained by or on behalf of the workforce member or  business associate for the purpose of determining the legal options of the  workforce member or  business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

45 C.F.R. § 164.502 (j).