Had an interesting reply to a query I made to a HIPAA blog:
...I thought I'd give you a better response and answer the HIPAA question. Note the second to the last paragraph. A "qui tam" filing can get a piece of the pie--which could possibly be significant. In some cases of Medicare billing, fines can be hefty: $10,000 per instance. I haven't a clue as to the actual percentage...haven't put in for it. But, there are a lot of poorly paid individuals out there that could use the cash. And some are wondering if this witch hunt will affect them...
Basically, a covered entity is a covered entity, and he/she/it can't use or disclose PHI (broadly defined to include any information about the past or present health or payment for health of an individual, if it's such that you can reasonably discern the identity of the individual) except for treatment, payment or healthcare operations, as required by law (think gunshot victims or other things that must be reported), with the individual's permission (pursuant to a written authorization that meets specific requirements), or in particular other circumstances (pursuant to a valid subpoena that's survived a motion to quash or has a protective order with it, to law enforcement officials in particular instances, in appropriate research studies that have appropriate human subject protections, to the Secret Service or military in certain situations, etc.). The basic prohibition, which plenty of folks think is way too lax, is pretty draconian, actually, and there's not a "common sense" exception.
Now, if you're not a covered entity, you can't violate HIPAA. I presume you could aid and abet a HIPAA violator, but I can't see the DOJ going after somebody for such a thing unless they're engaging in good old-fashioned identity theft. And the HIPAA penalty multiplier is for when the disclosure or use is done under false pretenses and with intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm; I don't see commercial advantage, the only personal gain is self-satisfaction and I don't think that would be enough, and the malicious harm is surely intended to refer to harm to the individual whose PHI is disclosed, not to the hospital.
If the disclosing person is a HIPAA covered entity, and the relative didn't give a HIPAA-compliant written authorization, the disclosure is technically a HIPAA violation. Of course, the only person who would care is the relative, who probably doesn't, so it's not a violation that's ever going to go anywhere. Unless someone else wants to make a big deal out of it for completely different purposes, as may be the case here. There may be some other PHI disclosures that they're alleging from elsewhere in the blog; like I said, it's a pretty draconian prohibition.
As for the Medicare billing issues, did you consider pursuing that as a "qui tam" action? (Allow me to emphasize here that I am not your lawyer.) If there's real wrong-doing there, it seems like the US Attorney's office would likely be willing to go after it, and the qui tam relator gets a piece of the pie if there's any recovery.
I understand your desire to not censor commentators; I totally moderate those on my blog, even though I don't get very many because it's not controversial stuff.