Lawsuit Filed Against Rhode Island HIE by Whistleblower Who Alleged Impermissible Uses of HIE Data
A lawsuit has been filed against the Rhode Island Quality Institute (RIQI) by a former HIPAA officer who alleges she was terminated for blowing the whistle on impermissible disclosures of HIE data. RIQI is a Rhode Island state government contractor and was the operator of the state health information exchange (HIE) – CaseCurrent – from 2021 to July 2024, when the contract was awarded to another vendor.
Darlene Morris first started working for RIQI in 2012 in the role of Manager of the Electronic Health Record Adoption Program. Morris was promoted on several occasions and was appointed Senior Director, Programs in 2019. Two years later she started serving as RIQI’s HIPAA Privacy Officer and, in 2023, her job title was changed to Senior Director, Risk Management & Compliance/HIPAA Compliance Officer. In that role, Morris reported to RIQI’s President and CEO, Dr. Indra Neil Sarkar. Morris remained in that role until July 2024 when she was terminated.
Dr. Sarkar was appointed to the position of President and CEO of RIQI in 2020, after serving as the interim President and CEO. Dr. Sarkar was also employed by Brown University, where he was an Associate Professor and a leased employee of RIQI.
The HIE is a voluntary exchange and handles the confidential health information of around 550,000 state residents, around half the population of the state. RIQI is required to comply with the Rhode Island Confidentiality of Health Care Communications and Information Act, which prohibits the release or transfer of confidential healthcare information without first obtaining written consent from patients or their representatives. Under that state law, RIQI is not permitted to transfer or release confidential patient data to a third party for use in research without patient consent, as research is not one of the permissible uses of patient data.
RIQI is alleged to have granted external access to the HIE for research purposes without obtaining consent from patients. According to the lawsuit, in early 2023, Dr. Sarker sought to obtain HIE data for around 2.1 million home addresses of Rhode Island patients for an independent project supporting research conducted at Brown University. Under RIQI procedures, Dr. Sarker should have submitted a request to Morris for access to the data but instead submitted the request directly to the data department.
Morris was concerned about the circumvention of RIQI policies and reported the incident to RIQI’s counsel. In May of that year, Dr. Sarkar made a presentation to the Board of Directors about a research study at Brown University that relied on the HIE data of more than 100,000 patients. The presentation was attended by employees of the State of Rhode Island, Executive Office of Health and Human Services (EOHHS). Following the presentation, Morris met with an EOHHS State Health IT Coordinator regarding the use of HIE data for the research study and was advised that the use of the HIE data violated state laws. Morris assisted the state with the investigation of the misuse of HIE data.
After reviewing Dr. Sarkar’s contract, advised RIQI’s counsel that she believed Dr. Sarker’s position at Brown Univerity conflicted with his role at RIQI and that he was using HIE data to advance research at the university, in violation of state laws. The lawsuit details ongoing conflicts between Dr. Sarker and Morris regarding continuing research using HIE data and her communications with EOHHS.
On July 29, 2024, Morris was advised that her employment had been terminated. Morris maintains that she was terminated in retaliation for the whistleblowing and that her termination violated the anti-retaliation provisions of the federal False Claims Act and state laws, including the Rhode Island False Claims Act and the Rhode Island Whistleblowers’ Protection Act. The lawsuit seeks injunctive relief, attorneys’ fees, litigation expenses, back pay, and compensatory damages.
RIQI maintains Morris was terminated along with several other employees for cost-cutting reasons due to the financial challenges faced by RIQI over the past year, and that Morris was not terminated in retaliation for whistleblowing. RIQI claims the lawsuit contains inaccuracies and misleading information and protected health information (PHI) was not disclosed, as it had first been de-identified before being used for research purposes. De-identified data cannot be tied to individuals as it has been stripped of all personal identifiers. Once de-identified, patient data is not considered PHI and is no longer subject to HIPAA protections. RIQI maintains the de-identification of data was certified by an independent expert, in compliance with state and federal laws, including HIPAA.
