In September 2025, CNBC revealed that a former Verily executive filed a whistleblower lawsuit alleging that Alphabet’s health-tech subsidiary misused sensitive patient data, violated HIPAA, and delayed breach notifications to covered entities. The complaint claims that Verily’s diabetes-management unit, Onduo, improperly used protected health information (PHI) from more than 25,000 patients for purposes such as marketing, research, and press engagements without sufficient consent. The executive, Ryan Sloan, further alleges that after raising concerns internally, he was terminated in early 2023. However, the question remains: Are whistleblowers protected under HIPAA?
Go deeper: Whistleblower claims Verily misused health data
HIPAA’s whistleblower provision
HIPAA does not provide a broad shield against retaliation in the same manner as employment or labor laws, but it does contain a whistleblower provision. Under 45 CFR § 164.502(j), employees of covered entities and business associates may disclose PHI without penalty if they do so in good faith and to the proper channels, such as:
- Health oversight agencies (e.g., the Department of Health and Human Services Office for Civil Rights)
- Public health authorities
- Attorneys for the purpose of determining legal options
This provision ensures that the act of reporting itself is not treated as a HIPAA violation. In other words, an employee who reveals patient data as part of exposing unlawful practices is not subject to HIPAA penalties, so long as the disclosure is made in good faith and to one of the recipients the provision permits.
What HIPAA protects, and what it doesn’t
While HIPAA makes room for whistleblowing, its protections are limited:
- What is protected: The whistleblower is shielded from being accused of improperly disclosing PHI when the disclosure is made to the correct oversight bodies in good faith.
- What is not protected: HIPAA does not prevent an employer from firing, demoting, or otherwise retaliating against the whistleblower.
This gap is why many employees who come forward still face significant personal and professional risks.
Broader whistleblower protections
Since HIPAA alone does not guarantee job security, whistleblowers often rely on other federal and state laws for protection:
- False Claims Act (FCA): Protects individuals who report fraud against the government and allows them to share in any financial recovery.
- OSHA Whistleblower Statutes: Prohibit retaliation against workers who report workplace safety violations or certain types of misconduct.
- State employment laws: Some states have robust protections that shield employees from retaliation when they report violations of law or threats to public health.
Together, these laws may offer a more complete shield against retaliation, though protections vary widely depending on the circumstances and jurisdiction.
Lessons from the Verily case
The lawsuit against Verily highlights several key points:
- Business associate obligations: As a business associate, Verily was bound by business associate agreements (BAAs) that set strict rules for handling PHI. Failure to comply exposes both Verily and its covered entity partners to liability.
- Timely breach notification: HIPAA requires that covered entities and business associates notify affected patients and partners within a specific timeframe after a breach. Allegations of delayed notifications, if proven, could result in significant penalties.
- Risks for whistleblowers: Even when acting in good faith, employees may face termination or retaliation, demonstrating the limits of HIPAA’s whistleblower protections.
Why this matters for healthcare organizations
- Transparency is critical. Mishandling PHI erodes patient trust and can attract regulatory scrutiny.
- BAAs must be honored. They are not just paperwork; they carry legal weight.
- Retaliation risks reputational damage. Employers that punish whistleblowers may face lawsuits and public backlash.
- Internal reporting channels reduce escalation. A culture where employees feel safe raising concerns internally helps organizations address issues before they escalate into regulatory investigations or lawsuits.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Who are HIPAA violations reported to?
Whistleblowers can report violations to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), a public health authority, a health oversight agency, or an attorney. Reporting to these entities is considered a protected disclosure under HIPAA.
What counts as “good faith” when reporting?
Good faith means you genuinely believe the employer is violating the law, breaching professional standards, or creating risks to patients or the public. Documentation can strengthen your case.
Can business associates blow the whistle, or is this only for covered entities?
Both covered entity and business associate employees can make protected disclosures under HIPAA’s whistleblower provision.
What happens after I report to the Office for Civil Rights (OCR)?
OCR reviews the complaint and may conduct an investigation. If violations are found, the organization could face corrective action plans, civil monetary penalties, or settlements.