Privacy Takes A Backseat To Whistleblowing Under HIPAA
Updated: Feb 20, 2018
The Health Insurance Portability and Accountability Act allows whistleblowers, who are usually employees or business associates of a covered entity, to take the very information HIPAA aims to protect and disclose it to private lawyers, without first exhausting internal reporting options, and often with the intention to bring highly lucrative qui tam lawsuits. This exception conflicts with HIPAA's stated goals of protecting patients and presents a serious risk to patient privacy. HIPAA should be amended to require that employees and others first exhaust all internal reporting options
There is no dispute about the importance of protecting patient information, and health care providers are spending significant portions of their precious resources to comply with the rigorous requirements of HIPAA. But there is one group that has received a pass when it comes to protecting patient privacy — employees of covered entities who believe that their employer has engaged in unlawful conduct and want to give patient information to private lawyers. The lack of limitations on the use of patient information in this context creates far more harm than it is worth.
Remind Me Again: HIPAA Basics
HIPAA establishes federal standards to protect the privacy of patients’ protected health information (PHI) maintained by covered entities. It establishes standards for the security of electronic PHI, including administrative, technical and physical security safeguards for covered entities and their business associates to assure the integrity, availability and confidentiality of electronic PHI.
The disclosure of PHI in violation of HIPAA can result in significant penalties for the responsible party, whether that party is a covered entity (e.g., a hospital) or a business associate (e.g., a vendor). In recent years, the government has doubled down on its efforts to enforce HIPAA, bringing over 25,000 actions by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates. The Office for Civil Rights (the agency with jurisdiction to enforce HIPAA) has investigated complaints against national pharmacy chains, major medical centers, group health plans, hospital systems and doctors’ offices, with settlements totaling $72,929,182. See "Enforcement Highlights."