The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects individually identifiable health information, took effect in 2003. This mandate to keep individual health information confidential made HIPAA a household name in the healthcare community. Out of concern about violating HIPAA, potential whistleblowers sometimes do not come forward to divulge fraud to qui tam attorneys or to the federal government. Fortunately, HIPAA authorizes healthcare fraud whistleblowers to divulge most such information to private attorneys or the federal government.
45 CFR sec. 164.502(j)(1) provides that an employee may disclose such individually identifiable information if the “workforce member or business associate [employee]”
… believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
In addition to the statute, Medicare fraud whistleblowers can take an extra precaution by redacting individually identifiable health information until their qui tam attorneys obtain a court order granting permission to divulge the records without redaction.