When a Breach Isn’t a Breach

By Matt Fisher, Esq
Twitter: @matt_r_fisher

A hospital in Arkansas recently learned a lesson in the nuances of the HIPAA Privacy Rule. The Privacy Rule identifies many permitted uses and disclosures that would otherwise appear to be a breach.

This issue was addressed by the United States District Court for the District of Arkansas in the case of Howard v. Arkansas Children’s Hospital. In the case, a former employee of the hospital began to suspect that the hospital and some physicians were causing false or fraudulent claims to be submitted to Medicare. In the course of her employment, the former employee received a significant amount of personal health information, some of which related to the former employee’s concerns about improper billing.

To be able to document a case against the hospital, the former employee retained some of the protected health information, even after her employment was terminated. After being terminated, the employee brought a whistleblower action pursuant to the False Claims Act against the hospitals and some individuals in connection with the alleged improper billing. During the discovery phase of the case, it was revealed that the former employee had retained the records. The hospital moved for the court to determine that a HIPAA violation occurred.

In deciding the issue, the court first had to assess whether the former employee qualified as a whistleblower. The court did find that the former employee was a whistleblower because credible claims of improper activity were alleged. The determination that the former employee met the definition of a whistleblower was important to the determination of whether a HIPAA violation occurred. As the court noted, the HIPAA Privacy Rule specifically permits an employee of a covered entity to use and disclose protected health information as a whistleblower. The rule requires that the whistleblower have a good faith belief that the covered entity engaged in conduct that is unlawful or otherwise violates standards, and that the disclosure be made to an attorney retained by that individual for purposes of receiving a legal opinion or to a healthcare oversight or regulatory agency (44 C.F.R. 164.502(j)(1)).

In the Howard case, the court found that the former employee used the information as permitted by the Privacy Rule.

This case is important for highlighting what may be an overlooked permitted use and disclosure of protected health information. Covered entities cannot use HIPAA to try to suppress information about alleged improper conduct. Instead, HIPAA allows this practically necessary application of information. One key from the Privacy Rule is that a good faith basis must exist for believing that a violation or other improper conduct is occurring. An employee cannot freely take information, which is a good protection.

The terms of the permitted use and disclosure help to demonstrate the practical approach that HIPAA takes to many issues. Despite popular belief, HIPAA does not unduly interfere with the ability to use or disclose protected health information. Instead, it puts protections into place that can benefit all who are connected to that information, which includes hospitals, healthcare providers, patients, family members and others. The key is understanding how HIPAA operates and not getting in the way.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.