Data Governance
,
Data Privacy
,
Data Security
Lawsuit Claims R.I. Health Information Exchange Retaliated Against ‘Whistleblower’
The former HIPAA compliance officer of Rhode Island’s state health information exchange is suing the organization in a federal lawsuit claiming that she was fired from her job after blowing the whistle on the HIE’s alleged unlawful disclosures of patient information for research purposes.
See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience
The plaintiff, Darlene Morris, began working for the Rhode Island Quality Institute in 2012 and moved up the ranks in leadership positions over the years including being named risk management and HIPAA compliance officer in 2023, a role she held until the state agency allegedly unlawfully terminated her in July 2024, according to Morris’ lawsuit.
RIQI, launched in 2001, operates and maintains Rhode Island’s regional health information exchange, CareCurrent, which handles data for about 550,000 residents in the state. But in the spring 2025, CareCurrent is slated to undergo a technology upgrade that will be managed by another vendor, CRISP Shared Services, while RIQI will have administrative oversight of the HIE.
Morris alleges in her complaint, filed on Jan. 3 in a Rhode Island federal court, that RIQI President and CEO Neil Sakar facilitated RIQI’s unlawful release of the HIE’s patient data for the purpose of an independent project supporting research conducted at Brown University by a medical student.
In addition to his role at RIQI, Sakar is also a professor of biomedical informatics at Brown University.
“In early 2023, Dr. Sarkar sought to obtain HIE data reflecting 2.1 million home addresses of Rhode Island patients for the purpose of an independent project supporting research conducted at Brown,” Morris’ lawsuit alleges.
“Rather than request the data from Ms. Morris as was established RIQI procedure, Dr. Sarkar circumvented Ms. Morris and requested the data directly from RIQI’s data department,” the lawsuit alleges. “Troubled by this, Ms. Morris reported the incident to RIQI’s counsel.”
A few months later, around May 3, 2023, “Dr. Sarkar made a presentation to the RIQI Board of Directors regarding a research study conducted at Brown by a Brown medical student. To conduct the research, Dr. Sarkar relied on the HIE data of over 100,000 patients,” the lawsuit alleges.
The lawsuit details a long series of alleged confrontations and conflicts involving Morris, Sarkar and other RIQI staff, Brown University, and others regarding the data disclosure dispute before Morris alleges she was ultimately terminated in July 2024.
Among other claims, Morris alleged that Sarkar disclosing the Rhode Island’s HIE data to perform research studies at Brown without obtaining the consent of the state was a violation of state rules and regulations and a breach of the terms of the state contract.
Morris also alleged that RIQI retaliated against her “in violation of the anti-retaliation provisions” of several federal and state laws, including the U.S. False Claims Act, Rhode Island False Claims Act and in violation of the Rhode Island Whistleblowers’ Protection Act.
She is seeking injunctive relief, attorney’s fees and litigation expenses, back pay and compensatory damages.
RIQI, Brown University Statements
In a statement to Information Security Media Group, Scott Young, chief strategy officer at RIQI denied that Morris was terminated because of alleged whistleblowing in the data disclosure dispute.
“Because of reduced funding in 2024, the institute was forced to make difficult decisions to reduce expenses. These decisions were driven solely by the financial challenges faced by the Institute in the past year,” he said.
“A number of positions, including the one held by Ms. Morris, were eliminated as part of the Institute’s efforts to stabilize its finances. The story she has crafted in her complaint is rife with inaccuracies and misleading information and ignores the financial realities that forced the Institute to eliminate positions and lay off employees,” he said.
“Nowhere in the flawed complaint is it stated that any PHI was compromised, and there is no reference to HIPAA itself,” he said.
“This is due to the fact that any information that could be used to identify an individual person was ‘de-identified,’ meaning that it was removed or altered in a way that makes it impossible to recognize that information as being about any one person,” Young said.
“The process, which is required by state and federal law and regulations, was followed in this instance. Further, an external expert – a person not associated with RIQI or the researchers – certified that the data were de-identified and that individual privacy was protected,” he said. “No researchers ever had any access to any identifying information.”
As for Brown University, the data accessed from RIQI “at all times adhered to federal and state laws, university policies and the provisions of our contract with the institute,” a university spokesman told ISMG in a statement.
“Under strict controls and with data security safeguards and other compliance measures in place to ensure the appropriate and confidential use of protected data, use of health information exchange data has proven an important tool in biomedical and public health research at Brown that has the potential to benefit all Rhode Islanders through improved medical care, patient outcomes and solutions for pressing health challenges.”
Bigger Picture
Aside from the back-and-forth allegations in the Morris v. RIQI case, the dispute brings into the spotlight “critical questions about potential HIPAA violations and the broader implications it could have for HIEs and their participants across the country,” said regulatory attorney Helen Oscislawski of law firm Attorneys at Oscislawski in a blog post about the case.
Under HIPAA, PHI can be used and disclosed for research as long as certain conditions are met. That includes individuals providing explicit authorization for the use of their PHI for research; the research is approved by an institutional review board or privacy board; the research is conducted using a limited data set and in compliance to a data use agreement; the data is de-identified in accordance with the HIPAA Safe Harbor or expert determination methods.
Another condition is that if the disclosure is preparatory to research, and the researcher provides written or oral assurance that PHI is only used to prepare a research protocol or assess study feasibility, and that no PHI will be removed from the covered entity, and access to PHI is necessary for the research purpose, Oscislawski wrote.
Oscislawski, who is not involved in the RIQI dispute, told ISMG that Morris’ case does not directly affect other HIEs, unless they were contributing data to RIQI.
“However, HIEs across the country operate under similar data-sharing agreements and privacy laws,” she said. The case is a reminder of how important it is for HIEs to develop specific use cases and legally compliant procedures on how PHI may be accessed and used for research purposes, she said.
“It also highlights the importance of HIEs training their staff on those uses cases and procedures and not forgetting that such training must include training the HIE’s executive management, C-Suite and board members,” she said.
HIE participation in research projects involving patient information “is common enough that it deserves specific attention from HIEs,” she said.
An attorney representing Morris did not immediately respond to ISMG’s request for comment.