CALL TOLL FREE: 855-833-3604  |  Payment Portal
Follow Zarwin Baum on Twitter Follow Zarwin Baum on Facebook Follow Zarwin Baum on YouTube Follow Zarwin Baum on LinkedIn Print Contact Us Office Locations


May 3, 2018

Many health care professionals are required by ethical standards to report suspected incidents of wrongdoing by co-workers. A number of state and federal statutes such as the False Claims Act and the Pennsylvania Whistleblower Law encourage such employees to report wrongdoing to their employer, or to regulatory bodies that govern the profession.  Another set of directives governing the actions of health care professionals, the Health Insurance Portability and Accountability Act (“HIPAA”), prohibits the unauthorized release of certain patient information.  The conflicts that can arise between these provisions can be difficult to reconcile.

HIPAA was originally enacted in the mid-1990s.  As its name suggests, its initial focus  was the protection of health insurance coverage for U.S. workers and their families when workers changed or lost jobs, and it was intended to reduce paperwork, and prevent gaps in coverage.  Today, however, most people see HIPAA as the source of the multitude of forms that they must complete during health care visits and which appear to create a flat out prohibition on the disclosure of their health care information.

Many people would be surprised to learn that HIPAA was never intended to prevent the sharing of information that could slow or prevent treatment, payment or operations for doctors, insurance companies or others involved in the provision of healthcare.  The protection of the privacy of health information became an increasingly important component of HIPPA as it underwent several amendments, which added computer security, breach notification requirements, and stronger penalties and enforcement.

In practical terms, most health care practices today  take a fairly strict approach to the sharing of patient information to  prevent a breach or disclosure of information beyond those  that HIPAA has said are entitled to receive it. Known as the “minimum necessary” rule or “role based access,” HIPAA permits a sharing of information among practice groups and administrators when that access is necessary to provide treatment or billing or administrative services for the patients.

In some applications, that test is easy to apply. For example, the surgical team looking at a celebrity or professional athlete’s medical records can share those records for treatment purposes. But the x-ray technician cannot share those same records with his bookie or a gossip magazine. Fair enough.

But what about the health professional who believes that a co-worker is committing fraud or misconduct, by treating a non-existing condition or by overstating symptoms to justify excessive treatment or a negligent result? Can that person report wrongdoing and to whom?

In many cases the answer is yes.  State and federal law generally allows such a person to report wrongdoing to the employer, or to a regulatory authority, or to his or her individual attorney.  While not directly addressing the HIPAA prohibitions on disclosure, the laws presumably would authorize the disclosure as it would be for the ultimate purpose of providing medical treatment to the patient. On the other hand, it is unclear whether a disclosure of that information for the purpose of determining if wrongdoing occurred is permitted. In other words, the health professional would be protected for reporting the suspected wrongdoing to the employer or to a medical board, but not to a third party who might ultimately conclude that there was no wrongdoing at all and nothing that need be reported. The law on the topic is still evolving. Because whistleblowing and HIPAA laws are so detailed and complex, health care professionals and practice group owners should consult with counsel before making any decisions that can carry significant civil and even criminal penalties.

David F. McComb is Chair of the Employment Law Group at Zarwin Baum, and can be reached at

Zachary A. Silverstein is an Associate in the Zarwin Baum Employment Law Group, and can be reached at



HOME CONTACT SITE MAP DISCLAIMER © 2021 Zarwin Baum DeVito Kaplan Schaer Toddy P.C.