Acting out a word or phrase in a game of charades is a perfect party activity but playing a guessing game isn’t as fun when it comes to reporting a work-related incident. Whether you’re taking part in a round of “Guess Who” or just following your practice’s policies and procedures, not everybody will play by the rules – and unfortunately, hackers and those outside your organization with malicious intent aren’t the only ones that pose a potential risk to your patients’ protected health information (PHI). It’s more common than you might think to see the biggest offenders of improper access and disclosure actually come from inside your organization. When and if you uncover an internal incident, knowing how to report the so-called rule-breaker without violating HIPAA yourself can feel like a major game of guesswork. 

So what happens if you notice Sally Sue making copies of a patients’ health records for non work-related reasons? Or catch Doctor Dan improperly administering prescriptions to patients? Given how heavily privacy and security protections emphasize proper PHI disclosure, it’s not uncommon to be wary that reporting a HIPAA violation could actually implicate you in a violation yourself. But even if you’re a pro at charades, reporting an incident without giving away the nitty-gritty details to build the case is not easy and certainly not effective. So while HIPAA does establish privacy and security standards that prevent the release of PHI, there is a caveat (if specific criteria is met) for bringing light to malicious activity happening within the practice – a.k.a the HIPAA Whistleblower Exception. 

What are the HIPAA whistleblower exception requirements? 

Despite the name, ‘whistleblower exception’ has nothing to do with whistles and everything to do with protecting staff and patients from facing any backlash if they report any unlawful conduct within a practice. Under the exception, it is not considered a violation of the HIPAA Privacy Rule if a staff member or business associate discloses PHI, as long as they believe in good faith that either: 

• The covered entity has engaged in unlawful conduct
• The covered entity has engaged in conduct that violates professional or clinical standards
• Or the care, services, or conditions provided by the covered entity potentially endanger patients, workers, or the public 

The exception is a two-part process and after determining whether the incident meets the requirements for what can be reported, the next move is knowing who you can and can’t actually make the disclosure to. We recommend first going to your HIPAA Compliance Officer (HCO) to help assist you in best handling the situation (as long as they aren’t involved in the incident themselves). But the whistleblower exception also provides additional provisions for whom the disclosure can be made to that include: 

• A health oversight agency or public health authority that is legally authorized to investigate these types of violations
• A healthcare accreditation organization if reporting a violation of professional or clinical obligations
• An attorney that you have retained for the purpose of determining the legal options pertaining to the incident. 

While we’d like to hope that everyone within your organization plays fair and square, in the case that you do happen to catch a coworker snooping through patient files – it’s important to know who you can disclose the incident to and that you can include specifics like the patient name and type of health record that was accessed. So if the requirements are met and followed properly, employees can safely report any non-compliant behavior without fearing that a HIPAA violation or termination letter will follow. Wondering whether or not you can take action to protect patients’ privacy and security should never be a guessing game and thanks to the provisions outlined in the HIPAA whistleblower exception, the cards are stacked in your favor.