Disclosure of HIPAA Information by Whistleblowers

The Health Insurance Portability and Accountability Act was created to protect patient privacy from disclosure. Because of the potential penalties for a violation of the law by a covered entity, any medical information must be examined to ensure that the law is not violated. Fortunately, the law recognized that privacy might be less important than the need for limited disclosure of information by medical professionals to stop fraud. As a result, there are a number of exceptions within HIPAA that permit disclosure of information by health care whistleblowers.

HIPAA Only Applies to Covered Entities

If you are not a covered entity or business associate, then you do not have to comply with HIPAA. Individuals can be covered entities, however, so health care providers such as physicians, nurses, and home health care workers will need to find an exception to the law to disclose protected data.

Whistleblower Exception

An individual does not violate HIPAA when providing information to an attorney retained to determine their legal options when they have a good faith belief a covered entity is engaged in unlawful conduct. 45 C.F.R. § 164.502(j)(ii)(B). Disclosure can also be made to a “health oversight agency” or “public health authority” authorized to investigate the allegations. § 164.502(j)(ii)(A).

In a 2015 opinion from the Eastern District of Arkansas, the defendants in a False Claims Act lawsuit brought allegations that the relators had violated HIPAA by disclosing protected health information to their attorneys for evaluation.  The court denied the motion under this exception.  See Howard ex rel. United States v. Arkansas Children’s Hospital, 2015 WL 4042170 (E.D. Ark. July 1, 2015).

Exception for Reporting Crime on Premises

A covered entity may disclose protected health information to a law enforcement official when he or she believes in good faith it constitutes evidence of criminal conduct on the premises of a covered entity. 45 C.F.R. § 164.512(f)(5). Although a violation of the civil False Claims Act does not necessarily implicate criminal law, criminal fraud statutes and the Anti-Kickback Statute could be relied upon to permit disclosure to the authorities without violating a patient’s privacy.

De-identification of Protected Data

HIPAA permits the disclosure of health documents that do not identify an individual and cannot reasonably be used to identify the individual. After de-identification of protected health information, disclosure is allowed because the data no longer contains individually identifiable health information. 45 C.F.R. § 164.514(a). Removal of protected health information must include specifically identified information about the individual, as well as relatives, employers, or household members, and be completed by an individual with appropriate knowledge and experience of how to remove the information.


HIPAA protects the privacy of patient health information. It exposes covered health care providers and their business associates to civil and criminal liability for the disclosure of protected patient information. Fines start at $100 per violation and reach up to a maximum of $50,000 per violation, with a maximum annual liability of $1.5 million.

If you have concerns about reporting Medicare fraud or other violations of health care law, please contact an attorney at McEldrew Young Purtell Merritt to discuss the steps that can be taken to ensure you do not violate HIPAA.
