Skip to Main Content
 
Thought Leadership

False Claims Act Insights - Understanding HIPAA Disclosures When Responding to CIDs in FCA Investigations

 

Published:

November 18, 2025
Listen to the podcast

Related Services:

False Claims Act  Government Contracts  White Collar, Internal Investigations, & Compliance 
 
Podcast
Share on LinkedIn Share via Email Share on Facebook Share on Twitter Browser Print

     

Episode 33 | Understanding HIPAA Disclosures When Responding to CIDs in FCA Investigations

Jonathan Porter welcomes colleague Claire Postman to discuss how healthcare providers approach HIPAA when responding to civil investigative demands in False Claims Act investigations. Jonathan explains that providers often feel tension between meeting the requirements of a CID and complying with HIPAA. Claire begins by outlining HIPAA’s general prohibition on disclosing protected health information and describes the exceptions that allow disclosures in specific circumstances. She explains that HIPAA permits disclosures when required by law, including mandated reporting in situations such as abuse or neglect, and in response to court orders, grand jury subpoenas, and civil investigative demands. Claire also notes that disclosures must match the scope of the request and that de-identification may sometimes be appropriate.

Jonathan and Claire then discuss HIPAA’s provisions for allowing disclosures to health oversight agencies and situations in which questions arise about how these rules apply. Claire emphasizes the importance of reviewing the language of a CID carefully to determine whether a disclosure fits within HIPAA’s exceptions. Together, they outline factors providers should consider when assessing what information may be produced and how to ensure responses remain within HIPAA’s requirements.

They conclude by discussing the value of clear communication between counsel and investigators when questions about HIPAA compliance arise. Jonathan and Claire highlight how proactive dialogue can help clarify expectations and ensure that responses remain consistent with both HIPAA and the scope of the CID.

Jonathan Porter | Full Biography

Jonathan focuses on white collar criminal defense, federal investigations brought under the False Claims Act, and litigation against the government and whistleblowers, where he uses his experience as a former federal prosecutor to guide clients in sensitive and enterprise-threatening litigation. At the Department of Justice, Jonathan earned a reputation as a top white-collar prosecutor and trial lawyer and was a key member of multiple international healthcare fraud takedowns and high-profile financial crime prosecution teams. He serves as a vice chair of the American Health Law Association’s Fraud and Abuse Practice Group and teaches white collar crime as an adjunct professor of law at Mercer University School of Law.

Claire Postman | Full Biography

Claire Postman is a senior associate who advises healthcare clients on regulatory compliance and the application of federal and state requirements. Before attending law school, she worked as an analyst researching Medicare and Medicaid policy, which helped shape her interest in translating complex regulations for healthcare stakeholders. Claire assists clients with healthcare regulatory matters and supports organizations involved in transactions such as joint ventures, affiliations, changes of control, and mergers and acquisitions within the healthcare sector. Her background in public health and policy analysis informs her work helping clients understand how evolving regulations apply to their operations.

Read the Transcript

This transcript has been auto generated

00;00;00;00 - 00;00;24;29

Jonathan Porter

Welcome to another episode of Husch Blackwell’s False Claims Act Insights podcast. I’m your host, Jonathan Porter. The majority of FCA investigations are into the healthcare industries, and there’s a bunch of reasons for that. But mainly it’s because healthcare is a huge chunk of federal government spending. And there's so much uncertainty in healthcare on what’s okay and what’s not.

00;00;25;01 - 00;00;50;12

Jonathan Porter

And when there are investigations into healthcare, there’s often going to be patient information involved. And that’s where healthcare providers start getting very nervous about HIPAA and for good reason. The healthcare industry is well trained to care a lot about patient privacy, and so I’m never surprised when a healthcare client asks, how are we supposed to comply with both a civil investigative demand and HIPAA?

00;00;50;13 - 00;01;15;21

Jonathan Porter

And so on today’s podcast, we're digging into the two. We’re talking about a new case where a company has flat out refused to give DOJ any patient data, and that’s resulted in DOJ seeking court intervention. So we’re going to talk about all of those things. We’re talking about CIDs and HIPAA. And that case today on the podcast. Joining me to talk about these issues is my Husch Blackwell colleague, Claire Postman.

00;01;15;24 - 00;01;34;05

Jonathan Porter

Claire is one of my favorites in the firm. Claire really does care a lot about healthcare. And you can tell in her work. Claire studied public health in undergrad, and she just brings a wealth of institutional knowledge of how healthcare works when she’s counseling clients. And it’s always in a way that I personally find super valuable.

00;01;34;05 - 00;01;46;28

Jonathan Porter

And so I’m thrilled that I’ve finally convinced Claire to come on the podcast. And so, Claire, thanks for joining the podcast and telling our listeners a little bit about the intersection of FCA investigations and HIPAA.

00;01;47;00 - 00;01;51;29

Claire Postman

Thank you so much. That is such a kind introduction, Jonathan, and it’s great to be here.

00;01;52;01 - 00;02;14;12

Jonathan Porter

All right, Claire, let’s start with the basics. So I think people generally know that HIPAA gives patients certain privacy rights. You know, if you go to your doctor, your doctor can’t take a picture of you and your medical condition and then turn it into an Instagram reel, I think that’s not okay. And I think people get that. But there are some times where those covered by HIPAA can reveal protected health information.

00;02;14;12 - 00;02;22;18

Jonathan Porter

One of those times is when law enforcement serves the legal process. So, Claire, tell our listeners about why that is and just how all of this works.

00;02;22;21 - 00;02;51;08

Claire Postman

That's exactly right. Jonathan. So, HIPAA’s privacy rule is the best known part of HIPAA. It’s the rule that says that healthcare providers covered entities cannot disclose protected health information to other people. That’s the general rule. It does have some important carve outs. So, for example, most healthcare providers are very familiar with mandated reporter laws. So those are the laws that require them to report

00;02;51;10 - 00;03;16;25

Claire Postman

if they have a reasonable belief that a patient is being abused or neglected in certain instances. HIPAA obviously has an exception that's going to allow providers to make those reports, even though that technically does involve disclosing PHI to somebody outside of the provider. Another example is what you just mentioned, responding to some kind of legal process from law enforcement.

00;03;16;27 - 00;03;54;01

Claire Postman

So HIPAA does allow disclosure in responses to things like a court order, a grand jury subpoena, or as we’re very familiar with, a civil investigative demand, or what we call a CID that comes from the Department of Justice in a False Claims Act investigation. So if a healthcare provider receives a CID that says, you have to give us Fred Smith’s medical records, that’s not a real person’s name, I’m not violating HIPAA by saying that. The healthcare provider can generally do that and not worry that they're violating HIPAA, because there is an exception to responding to CIDs.

00;03;54;04 - 00;04;25;25

Claire Postman

That said, there are some limits on that exception. So the first is that you have to be responding to what is actually in the CID, or the subpoena was actually being requested by the government. So if the CID is asking for Fred Smith medical records for a healthcare visit, that happened on November 11th. HIPAA doesn't permit the provider to give up all of Fred Smith medical records, including visits that happened not on November 11th.

00;04;25;27 - 00;04;56;03

Claire Postman

This back this. The CID should be specific and limited in scope. In light of DOJ’s purpose for issuing the CID. Lastly, there are some situations where de-identified information should be produced. If DOJ purpose can be accomplished with that de-identified information, then as opposed to the protected health information itself. So it’s important, given all these exceptions, to confer with experienced counsel if you’re responding to the CID.

00;04;56;05 - 00;05;33;26

Claire Postman

But the general point is that HIPAA does allow healthcare providers to comply with these legal documents, with subpoenas with the CIDs. Last exception that I'll mention to HIPAA, there is an exception for producing information to health oversight agencies. Most providers are most familiar with that in the context of audits. So when CMS requests records as part of a you pick audit or a CPI audit, or if you get a subpoena from a board of nursing because they're looking into one of your employees.

00;05;33;28 - 00;05;50;27

Claire Postman

This exception for health oversight agencies does allow providers to respond to those requests. Some courts have also recognized and explicitly cited DOJ is a health oversight agency when it is investigating alleged Medicare fraud or alleged false claims.

00;05;51;00 - 00;06;11;23

Jonathan Porter

Thanks, Claire. That’s excellent analysis. So I think you’re 100% right. You said something that I think is really important, which is to consult with lawyers. And when you’re doing this, the last thing you want to do is violate HIPAA. I think it’d be sort of interesting if you did violate HIPAA by responding to the CID, and the DOJ comes and goes after you for violating HIPAA for complying with what they asked for.

00;06;11;23 - 00;06;29;06

Jonathan Porter

But yeah, I think it is important for you to consult people know what they’re doing. There is a special process when you’re dealing with certain types of substance abuse records. For example, being a part two, you need a special court order. I’ve had to tell DOJ before, I’m sorry, I really want to give you these documents. I also don’t want to get in trouble with part two.

00;06;29;07 - 00;06;44;10

Jonathan Porter

Congress at one point was looking into how DOJ was looking into the substance abuse records in part two without getting a court order. So there’s all these reasons why you should just consult with a good lawyer. And also like Claire said, Fred Smith, we just made that up. So I don’t want to see a Fred Smith on my caller ID

00;06;44;11 - 00;07;07;22

Jonathan Porter

trying to call and say, what do you know about me? We’re really just picking a name there. So thanks, Claire, for clarifying that. But Claire, you know, as clear to me as the law enforcement carve out to HIPAA is, I was surprised how often I heard from healthcare providers that they couldn’t respond to my subpoenas or sides because of HIPAA, and I was generally understanding of that.

00;07;07;22 - 00;07;29;06

Jonathan Porter

You know, healthcare providers, they don’t get subpoenaed all that often, and they want to protect their patients information. But once I sent them a copy of the regulation, they realized, okay, I’m allowed to do this and I’ll comply. And yet, Claire, there was recently a very public example of one healthcare provider that just flat out refused to provide patient information in response to a CID.

00;07;29;11 - 00;07;58;20

Jonathan Porter

And this healthcare provider is Kroger, the grocery store chain that I loved as a kid before Publix showed up to Georgia. But I love Kroger specifically here, Kroger Pharmacy. So Kroger received a CID from DOJ in 2022, and for three years just refused to give DOJ any patient information, resulting in what is now a very public court dispute over whether Kroger is required to respond to the CID and tell DOJ about patient information.

00;07;58;20 - 00;08;08;10

Jonathan Porter

So, Claire, tell our listeners about Kroger's CID and why there’s now litigation over Kroger’s refusal to turn over patient information.

00;08;08;13 - 00;08;32;28

Claire Postman

Yeah. So as a disclaimer here, we’re relying on representations that were made in federal court filings. We don’t have any behind the scenes insight into this case. But what happened here is so typically DOJ doesn’t announce or publicize the CIDs. So when a provider is responding to us, the CID, there’s people do’'t even know that there is an investigation going on.

00;08;33;00 - 00;09;04;06

Claire Postman

But when either DOJ or the provider is subject to this, the CID has to get a court involved. Then everything becomes public. And that’s what happened here. So DOJ served Kroger with this. The CID back in 2022. Their investigation is related to whether Kroger made false claims related to opioid prescriptions that Kroger dispensed. And Kroger started producing documents in response to the CID.

00;09;04;08 - 00;09;50;02

Claire Postman

But in those productions, it’s redacting certain information, certain patient information. DOJ then tells Kroger to reproduce everything without those redactions. And from the court filings that looks like Kroger refuse list. And their rationale for refusing was that they were worried about accidental breaches, that they started producing patient information that could result in financial liability to Kroger. They were also worried that they would be setting a precedent that if they produced this information to DOJ, they would be required to turn over patient data to other law enforcement agencies that might not have as robust security systems as DOJ has to protect patient data.

00;09;50;05 - 00;10;21;26

Claire Postman

So Kroger tells DOJ no, it’s not removing its redactions without a court order. So DOJ goes ahead and seeks that court order. And now DOJ investigation is out in the open because the court is involved. DOJ is seeking to enforce its CID and get Kroger to respond. Kroger then files another response. And this one I think is where it gets really interesting because they’re getting into those expansions that I talked about earlier.

00;10;21;29 - 00;10;49;14

Claire Postman

And so what they’re saying is that, sure, there is an exception for responding to CIDs, but it requires the CID to be limited in scope and Pacific to what DOJ is looking to address. And Kroger’s position is that this the CID is too broad. It’s asking for information for 40 Kroger pharmacies. It’s asking for data from 40 Kroger pharmacies.

00;10;49;14 - 00;11;15;06

Claire Postman

It's asking for every controlled substance prescription for each of those 40 pharmacies, regardless of who wrote the prescription. And so Kroger is saying the HIPAA carve out for the CID is only authorizes disclosure when this. The CID is limited in step when it's specific. There’s also a question of whether the health oversight agency exception applies separate from the exception.

00;11;15;06 - 00;11;48;15

Claire Postman

That specific test, the CIDs. And if it does, does it have the same limits as as the CID specific exception? Do you have to produce de-identified data if that’s feasible? Does it have to be specific and limited in scope if it’s a health oversight activity? So now a judge is going to decide whether Kroger is required to turn over the documents unredacted, including all of the patient information the DOJ wants or not, whether they are permitted to respond with these redacted records.

00;11;48;17 - 00;12;08;06

Jonathan Porter

Next, clear, excellent summary of what’s going on in this case. And I think in general, Kroger is making some valid points here. A lot of kids that I’ve seen are really brought. This one seems really, really, really broad. All control substance fills for 40 pharmacies regardless of who was prescribing them, whether it's a suspected pill mill doc or not.

00;12;08;07 - 00;12;29;25

Jonathan Porter

They’re asking for a lot. So I can see where Kroger would say, this seems like something that we’re not allowed to do given the law, and we want to comply with the law. So it seems like what they’re doing is legit to me because this is so broad. So I think this is a case worth watching, Claire, because this could change how the healthcare industry needs to approach HIPAA disclosures in kids.

00;12;29;28 - 00;12;49;09

Jonathan Porter

So this is definitely a case worth watching. So Claire, maybe sometime next year we’ll do a follow up to this with an update. Because this is something that does come up because healthcare providers do get kids a lot. And this could be a game changer depending on how this comes out. But to me, Claire, what concerns me for Kroger is that there are two big risks here.

00;12;49;09 - 00;13;10;24

Jonathan Porter

And one is that now this investigation is in the public domain. So that usually only happens if there’s a settlement or a lawsuit filed, or if the company has to disclose something for, you know, in an SEC filing, something like that. So Kroger has suffered some reputational damage here that it may not have if this never ended up in a settlement or something.

00;13;10;24 - 00;13;36;00

Jonathan Porter

So that’s one risk. The other risk that I see is that DOJ may view this as petty or meritless or borderline obstructive. And you actually do see this in some of the more recent filings from DOJ. In this case, you could tell that they’re a little frustrated in this. So, Claire, I’m a firm believer in zealously advocating for our clients, but I’m also a firm believer in picking your battles.

00;13;36;04 - 00;14;04;26

Jonathan Porter

And that’s because DOJ has a ton of power and can just wreck people and businesses when they want to. So DOJ has the ability to do our clients favors, like confirming closed investigations or offering cold comfort letters, things like that. But DOJ also has the ability to go in the other direction, like pushing OIG to exclude or imposing a CIA or pushing CMS to implement a mid-investigation payment suspension.

00;14;04;26 - 00;14;24;03

Jonathan Porter

That’s a topic that our colleague Brian Nowicki told our listeners about on this podcast a few months back. And so, Claire, working with DOJ, at least to me, working with DOJ is really important. So Claire close us out by telling our listeners about how we draw that line between zealous advocacy and also not needlessly poking the bear.

00;14;24;05 - 00;14;45;24

Claire Postman

Yeah, I think there’s kind of three points to address here. First is being candid with our clients, our legal strategies that come with the risks. You mentioned are always going to involve a conversation with our clients so that they understand what those risks are and can make an informed decision about how to proceed. So you mentioned payment suspension.

00;14;45;26 - 00;15;11;17

Claire Postman

That’s something that could literally be life or death for providers who mainly receive reimbursement from government payers. Our clients need to understand what the likelihood is of that outcome, whether that outcome has been imposed against other providers and their situation. And that’s where our experience counsel really can help and say, hey, we don't really think DOJ is going to do that in this situation or actually a provider just like you.

00;15;11;17 - 00;15;37;10

Claire Postman

And they did that. DOJ pushed CMS to impose payment suspension. In other cases, the potential benefits to our clients might be worth the risk of fighting back. So that's why having a conversation is always, always key factor in negotiation with law enforcement before getting a court involved can make a big difference. So in many cases, we can have an open dialog with the government to understand what are you really looking for here?

00;15;37;10 - 00;16;05;09

Claire Postman

And I’ve done this a lot. I mentioned those kind of board subpoenas from boards of nursing. When they're phrased quite broadly, often we can go to them and say, what are you really looking for here? We want to help you. We just want to make sure we're using our resources wisely and we’re able to come to an agreement with them about how to narrow the scope of that subpoena and that court order in a way that protects our client and their patient, but also doesn’t jeopardize our relationship with the government.

00;16;05;10 - 00;16;42;26

Claire Postman

So working things out collegiately while still accomplishing our client’s goals is best case scenario, because we get our clients what they want. But we maintain goodwill with the government, which generally, as you mentioned, benefits our clients. Given how much power the government has and these cases. And then finally, if it looks like things are heading to court, I think it can go a long way to explain your reasoning to the government to mention that you really do want to comply with the subpoena or the side, like you mentioned, when you have these part two cases saying, hey, I really want to comply, but in this case I just need a court order.

00;16;42;26 - 00;17;06;12

Claire Postman

So if you’re Kroger, you explain to DOJ that you're not asking them to seek a court order because you’re being petty or difficult or any of those kind of words you mentioned earlier. You’re not trying to slow down the process, but you have genuine concerns that producing these documents might subtract you to HIPAA risk. And in those cases, you assure the government that you want to comply.

00;17;06;12 - 00;17;27;12

Claire Postman

You’re going to comply as soon as you get a court order, and you just need some additional assurance. Now, it does seem like Kroger did maybe do that. We don’t know. And we don’t know kind of where their relationship stands with the government now. But I think that’s important so that they know that you’re not at least just trying to be difficult for the sake of being difficult.

00;17;27;15 - 00;17;53;08

Jonathan Porter

Thanks, Claire. Yeah. No, I 100% agree with everything you just said. I think these are really interesting points where we’ve got to exactly what you said earlier. Talk to our client about the risks talk line about the risks and the benefits. What might happen if we try to make sure that we're complying with HIPAA and what might happen if we just say, all right, it’s a gray area, maybe we should just give DOJ these records and read broadly the HIPAA carve out.

00;17;53;10 - 00;18;12;29

Jonathan Porter

Having that conversation with the client is going to lead to really the best outcome. I think not having the conversation with the client and just inviting all of this risk that they don't know about is not the way to go. And so, yeah, the big takeaway here is have the conversation, have the conversation with your client before you start angering DOJ and getting them to a spot where they're filing enforcement actions.

00;18;13;01 - 00;18;22;23

Jonathan Porter

DOJ really does not like filing enforcement actions. And so like I said, we should do a follow up on this. So I’m going to put you on the spot, make you agree that we’ll do a follow up on this sometime next year. Deal.

00;18;22;24 - 00;18;23;20

Claire Postman

I’m in.

00;18;23;22 - 00;18;59;01

Jonathan Porter

Excellent, excellent. To close, there’s a whole lot of interesting stuff happening with the False Claims Act right now. We’re at a bit of a watershed moment in terms of where we’re going. There’s some interesting kickback cases that are coming soon. Zafira is going to be argued before the 11th circuit in about a month. And so we’re going to continue to bring you content on this podcast about those developments, because I think a lot of our clients want to know, how are we getting ahead of risk areas, what can we be doing right now to put ourselves in a good position so that if we are investigating one day, we know what’s coming and we’ve clarified

00;18;59;03 - 00;19;15;06

Jonathan Porter

what we need to clarify right now about what we think the law is. So we’re going to continue to bring you those types of discussions on this podcast. But thanks for listening to this discussion about this new Kroger case and HIPAA. We hope you found it valuable. And as always, if you have questions, feel free to reach out to us.

00;19;15;13 - 00;19;20;18

Jonathan Porter

But short of that, thanks for listening and we’ll see you next time.

Listen to more False Claims Act Insights

Professionals:

Jonathan A. Porter

Partner

Claire Postman

Senior Associate
 
Link to Homepage
People Capabilities Locations Careers Thought Leadership Our Firm Contact Us
Firm InstagramFirm TwitterFirm LinkedInFirm FacebookFirm YouTubeFirm TikTok
 
Client Payment Portal
Terms of Use Privacy Policy Cookie Policy California Collection Notice Your Privacy Choices California Consumer Privacy Act (CCPA) Opt-Out Icon Transparency in Coverage Rule
© 2025 Husch Blackwell LLP. All rights reserved
The choice of a lawyer is an important decision and should not be based solely upon advertisements.
Past results afford no guarantee of future results. Every case is different and must be judged on its own merits.
Link to Homepage
People Capabilities Locations Careers Thought Leadership Our FirmContact Us
Firm InstagramFirm TwitterFirm LinkedInFirm FacebookFirm YouTubeFirm TikTok
Client Payment Portal
Terms of Use Privacy Policy Cookie Policy California Collection Notice Your Privacy Choices California Consumer Privacy Act (CCPA) Opt-Out Icon Transparency in Coverage Rule
© 2025 Husch Blackwell LLP. All rights reserved
The choice of a lawyer is an important decision and should not be based solely upon advertisements.
Past results afford no guarantee of future results. Every case is different and must be judged on its own merits.