Consistent with the specific exemption under HIPAA, the United States District Court in the Eastern District of Arkansas has ruled that healthcare whistleblowers did not violate HIPAA laws by taking personal health information regarding Arkansas Children’s Hospital. The whistleblowers in retained this information after they were terminated after raising questions about the method and manner in which Arkansas Children’s Hospital billed the federal government.

Under HIPAA:

(1) Disclsoures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:

(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

(ii) The disclosure is to:

(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

Sometimes whistleblowers are discouraged from bringing actions under the False Claims Act because they are concerned that they will be violating patient privacy under HIPAA. This case further illustrates the exemption for whistleblowers, under specific enumerated circumstances.

More information for potential whistleblowers is located at the Nolan Auerbach & White website.