Data Governance,
Data Privacy,
Data Security
Lawsuit Alleges Retaliation Against Whistleblower in Rhode Island Health Information Exchange Case
A former HIPAA compliance officer has initiated a federal lawsuit against the Rhode Island Quality Institute (RIQI), accusing the organization of unjustly terminating her employment for whistleblowing on alleged illegal disclosures of patient data for research purposes. The plaintiff, Darlene Morris, who started her tenure at RIQI in 2012 and ascended to a leadership role, alleges that her firing in July 2024 came after she raised concerns about the exchange’s handling of patient information.
RIQI, established in 2001, is responsible for operating Rhode Island’s regional health information exchange, CareCurrent, which services approximately 550,000 residents. As of spring 2025, CareCurrent is expected to receive a technological upgrade managed by CRISP Shared Services, with RIQI retaining administrative control. Morris’s lawsuit, filed on January 3, claims that the exchange’s president, Neil Sakar, facilitated the illegal release of patient data for an independent research project at Brown University.
According to the lawsuit, in early 2023, Dr. Sakar sought access to a significant volume of HIE data, including the home addresses of over 2 million Rhode Island residents, for a research project led by a medical student at Brown. The complaint alleges that instead of following proper protocol to obtain this data through Morris, Dr. Sakar bypassed her and directly requested information from RIQI’s data department, prompting Morris to report the incident to the organization’s legal counsel.
The lawsuit outlines numerous conflicts arising from the data disclosure situation, culminating in Morris’s termination. Among her claims, Morris argues that the unauthorized sharing of HIE data violates both state regulations and the terms of RIQI’s contracts with the state. She also contends that RIQI retaliated against her for raising these concerns, in violation of several whistleblower protection statutes.
In response to the allegations, RIQI’s chief strategy officer, Scott Young, has denied that Morris’s termination was linked to any whistleblowing activities, attributing the layoffs to financial pressures that necessitated cost-cutting measures. Young characterized Morris’s claims as misrepresentations of the facts, asserting that no patient health information was compromised and that any data shared had been properly de-identified according to state and federal law. He emphasized that an independent expert had confirmed the de-identification of the data used in the research.
Similarly, Brown University affirmed in a statement that its data utilization from RIQI complied with federal and state regulations and contractual obligations, positioning the health information exchange as a critical tool for advancing biomedical research that ultimately benefits public health.
This legal dispute raises essential questions regarding potential HIPAA violations and their implications for health information exchanges (HIEs) nationwide. Under HIPAA, the use and disclosure of protected health information (PHI) for research purposes are permissible under specific conditions, such as obtaining patient consent, approval from ethics review boards, and adherence to data use agreements.
Helen Oscislawski, a regulatory attorney, highlights the case’s broader significance, as it showcases the necessity for HIEs to establish clear, legally compliant protocols for data sharing in research contexts. Oscislawski reiterated the importance of comprehensive training for all HIE personnel, including executives and board members, on proper procedures for handling PHI, especially when involving research projects.
Morris’s legal counsel did not immediately respond to inquiries regarding the case, which continues to unfold in the federal courts and may have lasting impacts on governance and compliance standards within the realm of health information exchanges.
