Sharing PHI with Attorneys: Okay Under HIPAA?

The single largest group of healthcare whistle-blowers are healthcare personnel themselves, including, nurses, doctors, dentists, the various therapy professionals and billing professionals, who encounter fraud on the job.

The major question facing these healthcare professionals, is whether health care workers violate HIPAA by disclosing patient protected health information (“PHI”) when blowing the whistle?

First the obvious answer is, there is no need to disclose protected health information to whomever they are making the complaint.  Logically, it helps to work with knowledgeable legal counsel from an early stage in the process.

HIPAA privacy rules penalize only “covered entities” in the law which includes specified natural persons like doctors and nurses, who pass along PHI without patient authorization.  Natural persons, the living, breathing kind (not the Supreme Court kind of “corporate persons”) can be covered entities, but are not always.  A whistle-blower who is not a covered entity (or a non-medical business associate or attorney of a covered entity) is not subject to HIPAA rules.*

Second, for individuals who are covered entities, HIPAA rules provide disclosure “safe harbors” including the following:

  • A covered entity is not considered to have violated [HIPAA] if a member of its workforce or a business associate discloses protected health information, provided that:
    • The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
    • The disclosure is to:
      • A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
      • An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i)….

While it is possible that an individual relator could be a covered entity under HIPAA, HHS Reg. 164.502(j), specifically authorizes covered entities to share PHI (“protected healthcare information”) with their attorneys in whistle-blower cases.

HHS’ Covered Entity Charts and associated regulations state that natural persons can be covered entities if they “furnish, bill or receive payment for, health care in the normal course of business and (send) any covered transactions electronically.”   The question that doesn’t seem to be addressed anywhere is whether an individual employee of a healthcare provider provides healthcare “in the normal course of business” for purposes of the regulation.

For what it’s worth, I have never heard of a False Claims Act whistleblower being held in violation of HIPAA regulations for disclosing PHI to his or her attorneys or to law enforcement authorities, including the Office of Special Counsel or the Agency’s Office of Inspector General.   One way around the PHI-disclosure concerns is to redact PHI from medical billing records for use in court filings and disclosure statements provided to the Department of Justice.

It is important to keep in mind, however, that beyond HIPAA there are various hidden federal document-removal and document-sharing traps.  For example, it is becoming more common for employers to sue whistle-blowers for breach of confidentiality agreements in employment contracts or company policy manuals.  They may also sue for misappropriation of trade secrets.  Likewise, some state computer privacy laws make it a crime for employees to access company computers or databases without authorization. Each of these potential traps must be addressed on its own terms.

It is fair to say that would-be whistle-blowers are normally safest not attempting to access any company documents — in hard-copy or electronic format — which they are not authorized to access as part of their normal job responsibilities.  It is also important to obtain legal advice early the process to work through evidence-related issues on the front end.

In Brunotte v. Tangherlini, Civil Action No. 08-0587 (D.C.), the parties settled a Privacy Act case prior to trial. This case, in U.S. District Court for the District of Columbia, involved allegations that employees of the General Services Administration and its Office of Inspector General committed violations of the Privacy Act in an apparent attempt to interfere with a GSA employee starting a new job at the Government Printing Office. Under the settlement agreement, the government will pay $585,000 to resolve the claims.

The Brunotte case involved several allegations of violations of The Privacy Act, 5 U.S.C. §552a. This statute restricts how government agencies can collect, retain and disseminate information regarding individuals, including federal employees, and gives individuals the ability to sue the government in the cases where these restrictions are violated. Depending on the nature of the violation, remedies available can include money damages where “actual damages” have occurred (which includes relief such as back pay and out-of pocket expenses, but not emotional pain-and-suffering damages or the like), orders modifying the government records in question and reimbursement of attorneys’ fees and costs. In addition, some of the most serious violations of the Privacy Act are subject to criminal penalties.

In the Brunotte case, two of Brunotte’s claims were set for trial after the GSA’s attempts to have her claims dismissed on summary judgment were denied. The first claim alleged that GSA violated the Privacy Act when an agent of the GSA OIG contacted an agent of the GPO OIG to provide false negative information concerning Brunotte. The second claim alleged that GSA violated the Privacy Act by collecting information concerning Brunotte’s application to work at GPO without trying to get the information from Ms. Brunotte herself, as the Privacy Act requires.

Brunotte claimed that, as a result of these violations, GPO rescinded its job offer to her.

Under the January 29, 2013, settlement agreement, the government will pay $400,000 to Brunotte, plus an additional $185,000 in attorneys’ fees and costs.  Ms. Brunotte’s attorneys are Joe Kaplan and Andy Perlmutter.

This case serves as a reminder that government agencies may be just as careless in dealing with PHI as private employers.  Whether public or private employers must be careful in protecting private information concerning individuals, even if the individuals are federal employees  The Privacy Act can carry steep consequences when those restrictions are violated.

* HIPAA is not the only legal hazard for would-be whistle-blowers. State-level privacy laws also lurk.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s