The HIPAA Privacy Rule restricts the ability of covered entities and business associates to use and disclose individuals’ protected health information. For example, employees of covered entities are not at liberty to disclose individual protected health information (PHI) to whomever they please. What if, however, disclosure of PHI is necessary to demonstrate that a covered entity has, say, engaged in criminal conduct, violated professional or clinical standards, or provided care, services, or conditions that potentially endanger patients? HIPAA permits disclosure of PHI under such circumstances, under what is known as the HIPAA whistleblower exception.

What Activities Can Be Reported Under the HIPAA Whistleblower Exception?

Under the HIPAA whistleblower exception, a covered entity is not considered to have violated the HIPAA Privacy Rule if a member of its workforce or a business associate discloses protected health information (PHI), provided that:

  • The workforce member believes, in good faith, that
    • The covered entity has engaged in unlawful conduct; or
    • The covered entity has engaged in conduct that otherwise violates professional or clinical standards; or
    • The care, services, or conditions provided by the covered entity potentially endanger patients, workers, or the public.

To Whom Must These Disclosures Be Made?

Under the HIPAA whistleblower exception, to qualify as protected whistleblowing activity, the PHI disclosures listed above must be made to:

  • An appropriate healthcare accreditation organization, for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
  • A health oversight agency or public health authority that has the authority to investigate or oversee the relevant conduct or conditions of the covered entity; or
  • An attorney retained by or on behalf of the workforce member or business associate, for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct alleged to be improper.

If the HIPAA whistleblower exception shielded any disclosure of PHI used in support of an allegation of improper conduct, the Privacy Rule’s goal of maintaining the privacy of PHI would be thwarted.

However, as noted above, the HIPAA whistleblower exception does not cover any and all PHI disclosures. Disclosures can only be made if the employee has a good faith belief that improper conduct has taken place. Broadly speaking, a “good faith belief” is a belief with a reasonable basis in fact. Generally, a person is not acting in good faith if he or she knows, or should have known, that he or she is making a malicious, false, or frivolous allegation or complaint.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give healthcare organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!
