When an employee suffers retaliation for raising concerns to their employer about HIPAA violations, federal law generally does not provide a remedy for the employee. Although HHS regulations implementing HIPAA bar retaliation, there is no private right of action to enforce that prohibition. See 45 C.F.R. § 160.316. A recent decision from a New Hampshire district court judge in Hidalgo-Semlek v. Hansa Medical, however, demonstrates how state law can provide a remedy for health care privacy whistleblowers.
Dr. Hidalgo-Semlek’s Whistleblowing
Dr. Hidalgo-Semlek worked as a senior medical liaison at Hansa Medical, Inc. (Hansa), where she was responsible for the medical aspects of the development and trial support of an enzyme treatment for adult kidney transplant patients. This entailed working with the American Association of Kidney Patients and the American Kidney Fund to conduct a screening survey of the organizations’ membership to identify patients for a focus group. In conjunction with Hansa’s legal counsel, she developed questions for the screening survey questionnaire and a HIPAA-compliant informed consent document. The informed consent document specified that Hansa would use the data to identify a group of patients for the focus group and prepare questions for the focus group.
According to Dr. Hidalgo-Semlek, her supervisor ordered her to provide raw data from screening survey responses, which contained personally identifiable information about patients, to a patient advocacy consultant for marketing purposes. Dr. Hidalgo-Samlek also alleged that this same supervisor asked her to provide Strategic Registry of Transplant Recipients (SRTR) data for marketing purposes, in violation of the data use agreement that she committed to follow.
Dr. Hidalgo-Semlek was concerned that providing the screening survey results for marketing purposes would violate HIPAA, and that misusing the SRTR data would violate federal law. Hansa, however, contended that Dr. Hidalgo-Semlek was merely asked to provide an analysis of the survey responses, which was anonymized. Just weeks after Dr. Hidalgo-Semlek refused to provide the data to her supervisor for what she deemed an unauthorized use, Hansa terminated her employment. Dr. Hidalgo-Semlek brought a common law wrongful discharge claim and a claim under the New Hampshire Whistleblowers’ Protection Act.
Denying Hansa’s motion for summary judgment, Judge Laplante held that a jury could reasonably find that she was acting in furtherance of public policy by protecting the privacy and limited use of medical records when she refused to provide her supervisor and others with the HIPAA-protected data.
Wrongful Discharge Claim
Judge Laplante held that Dr. Hidalgo-Samlek could proceed to trial on her wrongful termination claim because a jury could find that the termination of her employment implicated the policies embodied in HIPAA and various New Hampshire state laws. In particular, HIPAA and other statutes governing medical record confidentiality reflect a “strong” policy of protecting these records. For example, sharing SRTR data for an unauthorized purpose would violate Department of Health and Human Services policy protecting human research subjects, 45 C.F.R. § 46.101.
As there was a genuine dispute of fact as to whether her supervisor asked her to share the raw data for marketing purposes (Dr. Hidalgo-Samlek insisted he had, and he denied ever doing so), Dr. Hidalgo-Samlek could proceed to trial on her wrongful termination claim.
As to the New Hampshire whistleblower statutory claim, Hansa asserted that Dr. Hidalgo-Semlek could not establish protected conduct because she did not communicate to her employer an actual violation of law. The court rejected that argument, holding that a whistleblower need not use the word “illegal” or cite a specific violation and that imposing those requirements would exclude from the statute an employee unfamiliar with the law. Instead, a court should presume that an employer is familiar with laws regulating its business and therefore an employee will be presumed to have made a potential whistleblower report if a reasonable employer would have understood that the employee was reporting a violation of law.
Further, the court held that whistleblower protection is not limited to a disclosure of an actual violation of law and instead, an employee need only have had a reasonable belief that the conduct that they are reporting is illegal. And even if Dr. Hidalgo-Semlek did not establish that she made a protected report, the New Hampshire whistleblower statute protects employees who object to or refuse to participate in conduct that they reasonably believe constitutes a violation of law. Accordingly, she could proceed to trial because she had objected to sharing the screening survey results for marketing purposes, thereby refusing to participate in what she believed to be a violation of law.
While federal law does not provide a private right of action for an employee that suffers retaliation for disclosing a HIPAA violation, state law can provide a remedy.