What if the Evidence Contains Protected Health Information Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) limits health care providers from sharing certain sensitive “protected health information” without the patient’s approval.[1] However, a whistleblower can share protected health information without breaking HIPAA privacy rules in a few situations. First, a whistleblower may share protected health information with a health oversight agency, a public health authority, or a retained attorney. Second, a whistleblower can also share medical records after he or she anonymizes them by removing identifiable information.

Sharing Protected Health Information With Government Investigators and Attorneys

The first exception to HIPAA’s limit on sharing protected health information is when a health care worker acts as a whistleblower to report fraud or misconduct.[2] For this exception to apply, two things must happen. First, the whistleblower must have a “good faith” belief that the health care provider, whose records they are sharing, broke the law, broke professional or clinical standards, or may be putting patients in danger. Second, the whistleblower must share the information with a health oversight agency, a public health authority that investigates fraud or misconduct, or an attorney the whistleblower hires to understand his or her options related to the health care provider’s fraud or misconduct. This exception generally permits whistleblowers who are pursuing a qui tam action under state or federal False Claims Acts to disclose what would otherwise be protected health information to their attorneys and to the government as part of the case – but the whistleblower’s disclosure should generally be limited to only these recipients.

Anonymizing Health Records

The second exception to HIPAA’s limit on sharing protected health information is when a whistleblower de-identifies or anonymizes the protected health information in the medical records.[3] Medical records are “anonymized” when you cannot identify the patient and when there is no reasonable way to identify the patient with the information that is left. Federal law has directions for how to anonymize protected health information: remove all patient, patient relative, patient employer, and patient household member “identifiers”. “Identifiers” include things like names, addresses, birth dates, admission dates, discharge dates, dates of death, telephone numbers, e-mails, social security numbers, medical record numbers, health insurance member numbers, driver’s license numbers, fingerprints and full face photos. A whistleblower should first consult with an attorney before undertaking the process of anonymizing health records, in order to ensure that a proper evidentiary chain is maintained and the records can be used in legal proceedings later.

Private Health Information in Lawsuits

During a lawsuit, there are other times protected health information can be shared.[4] For example, a health care provider may share protected health information if a court orders them to. A health care provider may also share protected health information if they get a subpoena or a formal request for documents from a party in a lawsuit. If protected health information is shared after a subpoena or formal request, the person asking for the information must make reasonable efforts to tell the person whose information may be shared about the request. The other option for sharing protected health information after a subpoena or formal request is for the person requesting the information to sign a “protective order” that bans the person from using or sharing the information outside the lawsuit and that requires the person to return or destroy the private health information after the lawsuit is over.[5] Federal district courts regularly allow the use of subpoenas and formal requests to get protected health information. For example, in Durham v. Ankura Consulting Group, the court told the health care provider to share protected health information because the person who requested the information signed a protective order.[6]

Finally, it is important to understand that the rules about sharing protected health information can change if the lawsuit is brought in state court. Some states have stricter rules about protected health information, and when the rules are stricter, those rules apply in that state’s court. For example, in Illinois, even redacted medical records cannot be shared in lawsuits.[7]

HIPAA’s protections are important for patients, and medical care providers justifiably take those protections seriously, but HIPAA generally does not preclude a whistleblower from consulting with a lawyer, bringing a claim, or reporting to relevant government authorities. However, anyone considering blowing the whistle using protected health information should immediately consult with experienced whistleblower counsel, in order to avoid any pitfalls.

Kathleen Gallagher is a Partner at Gallagher & Lipshutz, PLLC

[1] 45 C.F.R. § 164.502(a).

[2] 45 C.F.R. § 164.502(j).

[3] 45 C.F.R. § 164.514(a)-(b).

[4] 45 C.F.R. § 164.512(e)(1)(i) and (ii).

[5] 45 C.F.R. § 164.512(e)(1)(ii) and (v).

[6] Durham v. Ankura Consulting Group, LLC, 2:20-CV-112-KS-MTP, 2021 WL 6618644, at *2 (S.D. Miss. May 18, 2021).

[7] Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923, 925 (7th Cir. 2004) (holding that if state law has more strict medical records privileges than HIPAA, then the state’s laws would apply in state court).