When a Breach Isn’t a Breach: Understand HIPAA Rules

A hospital in Arkansas recently learned a lesson about the nuances contained within the HIPAA Privacy Rule.  The Privacy Rule identifies many uses and disclosures that permit actions that would otherwise appear to be a breach.

This issue was addressed by the United States District Court for the District of Arkansas in the case of Howard v. Arkansas Children’s Hospital.  In the case, a former employee of the hospital began to suspect that the hospital and some physicians were causing false or fraudulent claims to be submitted to Medicare.  In the course of her employment, the former employee received a significant amount of personal health information, some of which related to the former employee’s concerns about improper billing.

To be able to document a case against the hospital, the former employee retained some of the protected health information, even after her employment was terminated.  After being terminated, the employee brought a whistleblower action pursuant to the False Claims Act against the hospitals and some individuals in connection with the alleged improper billing.  During the discovery phase of the case, it was revealed that the former employee had retained the records.  The hospital moved for the court to determine that a HIPAA violation occurred.

In deciding the issue, the court first had to assess whether the former employee qualified as a whistleblower.  The court did find that the former employee was a whistleblower because credible claims of improper activity were alleged.  The determination that the former employee met the definition of a whistleblower was important to the determination of whether a HIPAA violation occurred.  As the court noted, the HIPAA Privacy Rule specifically permits protected health information to be used and disclosed by an employee of a covered entity who uses or discloses the information as a whistleblower.  The rule requires that the whistleblower have a good faith belief that the covered entity engaged in conduct that is unlawful or otherwise violates standards, and that the disclosure be made to an attorney retained by that individual for purposes of receiving a legal opinion or to a healthcare oversight or regulatory agency (44 C.F.R. 164.502(j)(1)).

In the Howard case, the court found that the former employee used the information as permitted by the Privacy Rule.

This case is important for highlighting what may be an overlooked permitted use and disclosure of protected health information.  Covered entities cannot try to suppress information about alleged improper conduct by using HIPAA.  Instead, HIPAA allows this practically necessary application of information.  One key from the Privacy Rule is that a good faith basis must exist for believing that a violation or other improper conduct is occurring.  An employee cannot freely take information, which is a good protection.

The terms of the permitted use and disclosure help to demonstrate the practical approach that HIPAA takes to many issues.  Despite popular belief, HIPAA does not unduly interfere with the ability to use or disclose protected health information.  Instead, it puts protections into place that can benefit all who are connected to that information, which includes hospitals, healthcare providers, patients, family members and others.  The key is understanding how HIPAA operates and not getting in the way.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.