HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information -- Disclosures by Whistleblowers and Workforce Member Crime Victims - § 164.502(j)
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations |
(j) Standard: Disclosures by whistleblowers and workforce member crime victims—(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:
(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the information listed in §164.512(f)(2)(i).
HHS Description General Rules for Uses and Disclosures of Protected Health Information -- Disclosures by Whistleblowers and Workforce Member Crime Victims |
In § 164.518(c)(4) of the NPRM we addressed the issue of whistleblowers by proposing that a covered entity not be held in violation of this rule because a member of its workforce or a person associated with a business associate of the covered entity used or disclosed protected health information that such person believed was evidence of a civil or criminal violation, and any disclosure was: (1) made to relevant oversight agencies or law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law had occurred or to assess the remedies or actions at law that may be available to the person disclosing the information.
We included an extensive discussion on how whistleblower actions can further the public interest, including reference to the need in some circumstances to utilize protected health information for this purpose as well as reference to the qui tam provisions of the Federal False Claims Act.
In the final rule we retitle the provision and include it in § 164.502 to reflect the fact that these disclosures are not made by the covered entity and therefore this material does not belong in the section on safeguarding information against disclosure.
We retain the basic concept in the NPRM of providing protection to a covered entity for the good faith whistleblower action of a member of its workforce or a business associate. We clarify that a whistleblower disclosure by an employee, subcontractor, or other person associated with a business associate is considered a whistleblower disclosure of the business associate under this provision. However, in the final rule, we modify the scope of circumstances under which a covered entity is protected in whistleblower situations. A covered entity is not in violation of the requirements of this rule when a member of its workforce or a business associate of the covered entity discloses protected health information to: (i) a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity; (ii) an appropriate health care accreditation organization; or (iii) an attorney, for the purpose of determining his or her legal options with respect to whistle blowing. We delete disclosures to a law enforcement official.
We expand the scope of this section to cover disclosures of protected health information to an oversight or accreditation organization for the purpose of reporting breaches of professional standards or problems with quality of care. The covered entity will not be in violation of this rule, provided that the disclosing individual believes in good faith that the covered entity has engaged in conduct which is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by the covered entity potentially endanger one or more patients, workers or the public. Since these provisions only relate to whistleblower actions in relation to the covered entity, disclosure of protected health information to expose malfeasant conduct by another person, such as knowledge gained during the course of treatment about an individual's illicit drug use, would not be protected activity.
We clarify that this section only applies to protection of a covered entity, based on the whistleblower action of a member of its workforce or business associates. Since the HIPAA legislation only applies to covered entities, not their workforces, it is beyond the scope of this rule to directly regulate the whistleblower actions of members of a covered entity's workforce.
In the NPRM, we had proposed to require covered entities to apply sanctions to members of its workforce who improperly disclose protected health information. In this final rule, we retain this requirement in § 164.530(e)(1) but modify the proposed provision on sanctions to clarify that the sanctions required under this rule do not apply to workforce members of a covered entity for whistleblower disclosures.
Disclosures by Workforce Members Who Are Crime Victims
The proposed rule did not address disclosures by workforce members who are victims of a crime. In the final rule, we clarify that a covered entity is not in violation of the rule when a workforce member of a covered entity who is the victim of a crime discloses protected health information to law enforcement officials about the suspected perpetrator of the crime. We limit the amount of protected health information that may be disclosed to the limited information for identification and location described in § 164.512(f)(2).
We note that this provision is similar to the provision in § 164.512(f)(5), which permits a covered entity to disclose protected health information to law enforcement that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. This provision differs in that it permits the disclosure even if the crime occurred somewhere other than on the premises of the covered entity. For example, if a hospital employee is the victim of an attack outside of the hospital, but spots the perpetrator sometime later when the perpetrator seeks medical care at the hospital, the workforce member who was attacked may notify law enforcement of the perpetrator's location and other identifying information. We do not permit, however, the disclosure of protected health information other than that described in § 164.512(f)(2).
HHS Response to Comments Received General Rules for Uses and Disclosures of Protected Health Information -- Disclosures by Whistleblowers and Workforce Member Crime Victims |
Comments: Some commenters wanted to see more limitations put on the ability to whistleblow in the final rule. These commenters were concerned about how disclosed protected health information would be used during and subsequent to the whistleblowing event and felt that adding additional limitations to the ability to whistleblow would help to alleviate these concerns. Some of these commenters were concerned that there was no protection against information later being leaked to the public or re-released after the initial whistleblowing event, and that this could put covered entities in violation of the law. Many commenters wanted to see the whistleblower provision deleted entirely. According to a number of health care associations who commented on this topic, current practices already include adequate mechanisms for informing law enforcement, oversight and legal counsel of possible violations without the need for patient identifiable information; thus, the provision allowing whistleblowers to share protected health information is unnecessary. Additionally, some commenters felt that the covered entity needs to be allowed to prohibit disclosures outside of legitimate processes. Some commenters were concerned about not having any recourse if the whistleblower's suspicions were unfounded.
Response: In this rule, we do not regulate the activities of whistleblowers. Rather, we regulate the activities of covered entities, and determine when they may be held responsible under this rule for whistleblowing activities of their workforce or business associates when that whistleblowing involves the disclosure of protected health information. Similarly, we regulate when covered entities must and need not sanction their workforce who disclose protected health information in violation of the covered entity's policies and procedures, when that disclosure is for whistleblowing purposes. See § 164.530(e). This rule does not address a covered entity's recourse against a whistleblower under other applicable law.
We do not hold covered entities responsible under this rule for whistleblowing disclosures of protected health information under the circumstances described in § 164.502(j). Our purpose in including this provision is to make clear that we are not erecting a new barrier to whistleblowing, and that covered entities may not use this rule as a mechanism for sanctioning workforce members or business associates for whistleblowing activity. We do not find convincing commenters' arguments for narrowing or eliminating the scope of the whistleblowing which triggers this protection.
Congress, as well as several states, have recognized the importance of whistleblower activity to help identify fraud and mismanagement and protect the public's health and safety. Whistleblowers, by their unique insider position, have access to critical information not otherwise easily attainable by oversight and enforcement organizations.
While we recognize that in many instances, de-identified or anonymous information can be used to accomplish whistleblower objectives, there are instances, especially involving patient care and billing, where this may not be feasible. Oversight investigative agencies such as the Department of Justice rely on identifiable information in order to issue subpoenas that are enforceable. Relevant court standards require the government agency issuing the subpoena to explain why the specific records requested are relevant to the subject of the investigation, and without such an explanation the subpoena will be quashed. Issuing a subpoena for large quantities of individual records to find a few records involving fraud is cost prohibitive as well as likely being unenforceable.
We note that any subsequent inappropriate disclosure by a recipient of whistleblower information would not put the covered entity in violation of this rule, since the subsequent disclosure is not covered by this regulation.
Comments: A few commenters felt that the whistleblower should be held to a “reasonableness standard” rather than a “belief” that a violation has taken place before engaging in whistleblower activities. The commenters felt that a belief standard is too subjective. By holding the whistleblower to this higher standard, this would serve to protect protected health information from being arbitrarily released. Some commenters saw the whistleblower provision as a loophole that gives too much power to disgruntled employees to inappropriately release information in order cause problems for the employer.
On the other hand, some commenters felt that all suspicious activities should be reported. This would ease potential whistleblowers concerns over whether or not they had a legitimate concern by leaving this decision up to someone else. A number of commenters felt that employees should be encouraged to report violations of professional or clinical standards, or when a patient, employee, or the public would be put at risk. A small number of commenters felt that the whistleblower should raise the issue within the covered entity before going to the attorney, oversight agency, or law enforcement entity.
Response: We do not attempt to regulate the conduct of whistleblowers in this rule. We address uses and disclosures of protected health information by covered entities, and when a covered entity will violate this rule due to the actions of a workforce member or business associate. In the final rule, we provide that a covered entity is not in violation of the rule when a workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or potentially endangers patients, employees or the public. We concur that the NPRM language requiring only a “belief” was insufficient. Consequently, we have strengthened the standard to require a good faith belief that an inappropriate behavior has occurred.
Comment: A number of commenters believe that employees should be encouraged to report violations of professional or clinical standards, or report situations where patients, employees, or the public would be put at risk. Their contention is that employees, especially health care employees, may not know whether the problem they have encountered meets a legal threshold of wrongdoing, putting them at jeopardy of sanction if they are incorrect, even if the behavior did reflect violation of professional and clinical standards or put patients, employees, or the public at risk.
Response: We agree that covered entities should be protected when their employees and others engage in the conduct described by these commenters. We therefore modify the proposal to protect covered entities when the whistleblowing relates to violations of professional or clinical standards, or situations where the public may be at risk, and eliminate the reference to “evidence.”
Comments: A significant number of those commenting on the whistleblower provision felt that this provision was contrary to the rest of the rule. Whistleblowers could very easily release protected health information under this provision despite the fact that the rest of this rule works very hard to ensure privacy of protected health information in all other contexts. To this end, some commenters felt that whistleblowers should not be exempt from the minimum necessary requirement.
Response: As stated above, we do not regulate the conduct of whistleblowers. We discuss above the importance of whistleblowing, and our intention not to erect a new barrier to such activity. The minimum necessary standard applies to covered entities, not to whistleblowers.
Comments: Some commenters felt that disclosures of suspected violations should only be made to a law enforcement official or oversight agency. Other commenters said that whistleblowers should be able to disclose their concerns to long-term care ombudsmen or health care accreditation organizations, particularly because certain protected health information may contain evidence of abuse. Some commenters felt that whistleblowers should not be allowed to freely disclose information to attorneys. They felt that this may cause more lawsuits within the health care industry and be costly to providers. Furthermore, allowing whistleblowers to go to attorneys increases the number of people who have protected health information without any jurisdiction for the Secretary to do anything to protect this information.
Response: We agree with the commenters who suggested that we recognize other appropriate entities to which workforce members and business associates might reasonably make a whistleblowing disclosure. In the final rule we expand the provision to protect covered entities for disclosures of protected health information made to accreditation organizations by whistleblowers. We agree with the commenters that whistleblowers may see these organizations as appropriate recipients of health information, and do not believe that covered entities should be penalized for such conduct.
We also agree that covered entities should be protected when whistleblowers disclose protected health information to any health oversight agency authorized by law to investigate or oversee the conditions of the covered entity, including state Long-Term Care Ombudsmen appointed in accordance with the Older Americans Act. Among their mandated responsibilities is their duty to identify, investigate and resolve complaints that are made by, or on behalf of, residents related to their health, safety, welfare, or rights. Nursing home staff often bring complaints regarding substandard care or abuse to ombudsmen. Ombudsmen provide a potentially more attractive outlet for whistleblowers since resolution of problems may be handled short of legal action or formal investigation by an oversight agency.
We disagree with commenters that the provision permitting disclosures to attorneys is too broad. Workforce members or business associates may not understand their legal options or their legal exposure when they come into possession of information about unlawful or other inappropriate or dangerous conduct. Permitting potential whistleblowers to consult an attorney provides them with a better understanding of their legal options. We rephrase the provision to improve its clarity.
Comment: One commenter suggested that a notice of information practices that omits disclosure for voluntary reporting of fraud will chill internal whistleblowers who will be led to believe - falsely - that they would violate federal privacy law, and be lawfully subject to sanction by their employer, if they reported fraud to health oversight agencies.
Response: The notice of information practices describes a covered entity's information practices. A covered entity does not make whistleblower disclosures of protected health information, nor can it be expected to anticipate any such disclosures by its workforce.
Comment: One commenter suggested that the whistleblower provisions could allow covered entities to make illegal disclosures to police through the back door by having an employee who believes there is a violation of law do the disclosing. Any law could have been violated and the violator could be anyone (a patient, a member of the patient's family, etc.)
Response: We have eliminated whistleblower disclosures for law enforcement purposes from the list of circumstances in which the covered entity will be protected under this rule. This provision is intended to protect the covered entity when a member of its workforce or a business associate discloses protect health information to whistleblow on the covered entity (or its business associates); it is not intended for disclosures of conduct by the individual who is the subject of the information or third parties.