Former HIPAA officer Darlene Morris filed a lawsuit against the Rhode Island Quality Institute (RIQI), alleging that she was fired for exposing its impermissible disclosures of HIE information. As a state government contractor of Rhode Island, RIQI managed the RI health information exchange (HIE) between 2021 and July 2024, even though the contract was given to a different provider.
Darlene Morris began working at RIQI in 2012 as Manager of the Electronic Health Record Adoption Program. She was promoted a few times and was designated Senior Director of Programs in 2019. After two years, she began working as the HIPAA Privacy Officer of RIQI. In 2023, she became Senior Director of Risk Management & Compliance and HIPAA Compliance Officer. She reported directly to the President and CEO of RIQI, Dr. Indra Neil Sarkar. Morris kept that role until she was terminated in July 2024.
The HIE is a voluntary exchange and manages the sensitive health data of approximately 550,000 state residents, about 50% of the population of Rhode Island. RIQI must adhere to the Rhode Island Confidentiality of Health Care Communications and Information Act, which forbids the disclosure or transfer of sensitive healthcare data without first getting written authorization from patients or a representative. Under that state legislation, RIQI cannot transfer or disclose sensitive patient information to a third party for research without getting patient authorization, because research is not an allowable use of patient information.
Allegedly, RIQI allowed third-party access to the HIE for research without acquiring authorization from patients. According to the lawsuit, at the beginning of 2023, Dr. Sarkar wanted to acquire HIE data for approximately 2.1 million residential addresses of Rhode Island patients and use the data for a third-party project, research carried out at Brown University. Under RIQI procedures, Dr. Sarkar ought to have sent a request to Morris to get access to the information. Instead, Dr. Sarkar sent the request to the data department.
Dr. Morris was worried about the circumvention of RIQI guidelines and submitted an incident report to RIQI’s counsel. In May 2023, Dr. Sarkar presented to the Board of Directors a research study conducted at Brown University that depended on the HIE data of over 100,000 individuals. Employees of the State of Rhode Island's Executive Office of Health and Human Services (EOHHS) attended the presentation. After the presentation, Dr. Morris talked with the IT coordinator of EOHHS State Health concerning the use of HIE information for the research study, which violated state regulations. Morris helped the state investigate the HIE data misuse.
After going over Dr. Sarkar’s contract, RIQI’s counsel stated that Dr. Sarkar’s work at Brown University conflicted with his job at RIQI and that his use of HIE data for research at the university violated state rules. The lawsuit points to existing conflicts between Morris and Dr. Sarkar concerning the research using HIE information and her conversations with EOHHS.
On July 29, 2024, Morris received notice of her termination. Morris states that her termination was connected to the whistleblowing and that it violated the anti-retaliation terms of the federal False Claims Act and state laws, such as the Rhode Island Whistleblowers’ Protection Act and the Rhode Island False Claims Act. The lawsuit seeks injunctive relief, litigation expenses, attorneys’ fees, compensatory damages, and back pay.
RIQI states that Morris and a few other employees were terminated to cut costs as a result of the financial difficulties experienced by RIQI during the past year, and that Morris’ termination was not in retaliation for whistleblowing. According to RIQI, the lawsuit includes errors and confusing details. RIQI maintains that there was no exposure of protected health information (PHI) since the data was de-identified before being used in research. De-identified information can’t be linked with individuals since all personal identifiers have been removed from it. Once de-identified, patient information is not regarded as PHI and is not governed by HIPAA law. RIQI mentioned that an independent expert certified the de-identification of data, in compliance with state and government regulations, such as HIPAA.