Whistleblowers and privacy rights: How to manage the overlap
Whistleblowers and privacy rights: How to manage the overlap
Work to avoid revelation of patient data, but be prepared for conflicts
A physician complained to the chief of staff and hospital management that surgical equipment is not being sterilized properly and a patient died as a result. In another case, two doctors reported overcrowding in the emergency department that compromised patient care. In another, the physician reported an unlicensed therapy program.
The common thread? In all these cases, the hospital responded by firing the physicians, says Dave Scher, JD, a principal with The Employment Law Group in Washington, DC, who handled these cases and specializes in representing whistleblowers.
Retaliation against whistleblowers in healthcare is risky, probably illegal, and simply not good strategy, say legal experts. Risk managers should work to formulate internal structures that minimize the chances of an employee going outside the organization to report problems, they say, and risk managers should be prepared with a more effective response in the event that someone does blow the whistle.
Even if so inclined, the ability to constrain a whistleblower is limited, says Scher. Firing the whistleblower rarely goes uncontested and can lead to other penalties. In the case of the physician who was fired for complaining about poor sterilization, the complaint led to a federal investigation that shut down the surgical suite for four days. Subsequently, the hospital had to settle with the physician for firing him, which is a common outcome, Scher says.
In healthcare, risk managers often wonder how confidentiality requirements restrict a whistleblower's ability to reveal potentially damaging information. The overlap can be tricky, Scher says, but in most cases patient privacy concerns do not prevent the disclosure. Confidentiality agreements, often used in settlements in an attempt to keep damaging information under wraps, can provide a false sense of security, Scher says. (See the story on p. 4 for an example of one hospital's lawsuit against a whistleblower.)
"Claiming that you had a confidentiality agreement and you disclosed a private agreement, therefore you can't be trusted, is almost always just a smokescreen," Scher says. "It's a weak argument, and the organization does not tend to be looked on favorably when they try to use that defense."
Whistleblowers in healthcare are protected by multiple laws, more than employees in most industries, says Kevin Troutman, JD, an attorney with the law firm of Fisher and Phillips in Houston, TX. Healthcare providers must take into account the many protections when considering how they will respond to whistleblowers, particularly the whistleblower exceptions for the Health Insurance Portability and Accountability Act (HIPAA), he says.
"I've found that this really surprises managers sometimes. They are shocked that they can't discipline an employee for violating confidentiality or revealing patient information," Troutman says. "Sometimes you can inadvertently set up a whistleblower claim if you take action without really analyzing the circumstances and the protections that might apply."
Healthcare providers often use HIPAA as an excuse when trying to dissuade an employee from revealing damaging information, Scher says. HIPAA privacy concerns have been drilled into employees so effectively that many people can be convinced that it is impossible to report fraud without violating the law themselves, he says. "We see it all the time. It's very, very common," Scher says. "It's an easy hook to say, 'Sure you can expose the fraud, but you violated HIPAA so you're out.' That is completely the wrong strategy for the employer and usually will just make matters worse for you."
That does not mean, however, that healthcare employees can recklessly reveal protected health information (PHI) as part of their effort to report problems, Scher says. To encourage responsible reporting and avoid potential post-reporting conflicts, risk managers should establish internal procedures that allow employees to voice concerns while still maintaining patient confidentiality, he says.
"We have them disclose information by case number, rather than by naming the individual," he says. "If you don't provide a mechanism for reporting concerns, and then you jump on the employee for violating confidentiality, you are going to be seen as trying to avoid the real issue."
It is possible to fire a whistleblowing employee and cite a reason other than reporting fraud or other misdeeds, such as blaming it on improper disclosure of patient information, but Scher says that move is a desperate one that often backfires in the form of litigation and a costly payout. A better plan, he says, is to foster a culture that results in people wanting to discuss their concerns internally and to have a procedure for responding to those concerns. (See the story on p. 4 for steps to take in responding to whistleblowers, and below for the dangers of staff investigating on their own. See the story on p. 4 for federal and state protections for whistleblowers.)
Troutman advises risk managers to work closely with human resources to determine when whistleblower protections might apply. If you wait until human resources already has disciplined or fired the employee for a confidentiality breach, it might be too late to avoid the damage, he says.
Aside from retaliation being a bad strategy, there is another reason for healthcare providers to provide an appropriate mechanism for reporting concerns. Without guidance and a safe way for employees to speak up, the employer can be held responsible for the whistleblower's privacy breach, explains Tammy Marzigliano, JD, partner with the law firm of Outten & Golden in New York City. Marzigliano represents employees in litigation regarding employment law. "That's one reason it makes sense to give employees a constructive way to bring these concerns to you without violating HIPAA," she says. "If you don't, their next step may be to go public and blurt out a lot of information or hand over documents to the media that they shouldn't, and you as the employer are going to be held at least partly accountable for that."
Sources
Tammy Marzigliano, JD, Partner, Outten & Golden, New York City. Telephone: (212) 245-1000. E-mail: [email protected].
Dave Scher, JD, Principal, The Employment Law Group, Washington, DC. Telephone: (202) 261-2802. E-mail: [email protected].
Kevin Troutman, JD, Partner, Fisher & Phillips, Houston, TX. Telephone: (713) 292-0150. E-mail: [email protected].
A physician complained to the chief of staff and hospital management that surgical equipment is not being sterilized properly and a patient died as a result. In another case, two doctors reported overcrowding in the emergency department that compromised patient care. In another, the physician reported an unlicensed therapy program.Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.