In Executive Order 14187, “Protecting Children from Chemical and Surgical Mutilation,” President Trump demonstrated his Administration’s commitment to ending the mutilation of children carried out by medical professionals in the name of radical gender ideology. Pursuant to Section 5(b) of that Order, the United States Department of Health and Human Services (HHS), including its Office for Civil Rights (OCR), in consultation with the Attorney General, issues this guidance for prospective whistleblowers.
The Executive Order recognizes that individuals may fear legal and/or professional repercussions if they wish to blow the whistle on “medical professionals [who] are maiming and sterilizing a growing number of impressionable children under the radical and false claim that adults can change a child’s sex through a series of irreversible medical interventions.”[1] Indeed, there are two significant impediments that one might face. First, one may be worried that one cannot report the performance of chemical and surgical mutilation of children without violating patient privacy laws and regulations, namely, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[2]. Second, one may be worried that there is nothing to stop retaliation by his or her employer, i.e., one may be worried about being fired or demoted in his or her job.
We hope this guidance will allay such fears. It explains existing protections for “whistleblowers who take action related to ensuring compliance with” the Executive Order[3]. First, as explained further below, HIPAA does not prohibit the disclosure of information related to the chemical and surgical mutilation of children, provided certain conditions are met. Second, as explained further below, the law provides robust anti-retaliation protections for individuals who make a report in order to ensure compliance with the Executive Order.
I. The Health Insurance Portability and Accountability Act of 1996
OCR administers and enforces the HIPAA Privacy Rule[4], which establishes requirements with respect to the use, disclosure, and protection of protected health information (PHI) by covered entities (health plans, health care clearinghouses, and most health care providers) and, to some extent, by their business associates[5]. The Privacy Rule protects PHI by limiting the circumstances under which covered entities and their business associates are permitted or required to use or disclose PHI and by requiring covered entities to have safeguards in place to protect the privacy of PHI. Since its inception, the Privacy Rule has also afforded covered entities protection from liability under HIPAA for disclosures of PHI in connection with whistleblowing actions of their workforce members or business associates.[6]
In many instances, information that has been de-identified[7] in accordance with the Privacy Rule can be used to accomplish whistleblower objectives. But there are instances, especially involving patient care and billing, where this may not be feasible. Therefore, the whistleblower provision of the Privacy Rule provides that a covered entity is not considered to have violated the requirements of the Privacy Rule when a workforce member or business associate discloses PHI in the following circumstances:
- The workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public[8], and
- The workforce member or business associate of the covered entity discloses PHI to any of the following:
  - A health oversight agency[9] or public health authority[10] authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity.
  - An appropriate health care accreditation organization[11], such as a state medical board, for the purpose of reporting the allegation of failure to meet professional standards[12] or misconduct by the covered entity.
  - An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining his or her legal options with respect to whistleblowing.
Thus, the Privacy Rule protects a covered entity from liability for the good-faith whistleblower action of a member of its workforce or a business associate in some situations. For example, where the workforce member or business associate of a covered entity:
- Discloses PHI to a county public health department to report unsanitary conditions during a procedure based on a good faith belief that the conditions endangered a patient.
- Discloses PHI to a state medical board to report conduct by a health care provider that the person making the report believes, in good faith, constituted professional misconduct.
- In a state that prohibits prescribing to minors puberty blockers and cross-sex hormones, provides PHI to the state medical board based on a good faith belief that a clinician has unlawfully prescribed such medications to a minor patient.
- Provides PHI to the state attorney general where the state attorney general is authorized by law to investigate or otherwise oversee the payment of claims by the state Medicaid program, and the workforce member or business associate disclosing the PHI has a good faith belief that the covered entity is fraudulently billing the state Medicaid program for health care that is not being provided.
In contrast, the Privacy Rule’s whistleblower provision would not protect a covered entity from liability under HIPAA where, for example, a member of its workforce or its business associate:
- Discloses PHI to the media to publicly expose unsafe conditions in a health care facility that potentially endanger patients. Because the whistleblower protection does not cover disclosures of PHI to the media, a covered entity’s workforce member or business associate would not be permitted to disclose PHI to the media absent an applicable permission under the Privacy Rule. Generally, a disclosure of PHI to the media requires a written HIPAA authorization from the individual who is the subject of the information.[13]
- Discloses PHI to law enforcement to report unlawful conduct, unless the law enforcement agency meets the definition of a health oversight agency or public health authority.[14] If the agency does not meet either of those definitions, the whistleblower provision does not apply, so a disclosure to law enforcement would require an applicable Privacy Rule permission such as the provisions permitting limited uses and disclosures to a law enforcement official for law enforcement purposes.[15]
- Discloses PHI to expose malfeasant conduct by another person, such as knowledge gained during the course of treatment about an individual’s illicit drug use. Such disclosure would not be a protected activity under the whistleblower provision, because the provision only relates to whistleblower actions in relation to the conduct and conditions of the covered entity.
- Discloses PHI in response to a request from a health care accreditation organization, because the whistleblower provision applies only to a disclosure initiated by a member of a covered entity’s workforce or a business associate.[16]
Note that the protection from liability for covered entities under 45 C.F.R. 164.502(j)(1) applies even where a disclosure that falls within the Privacy Rule’s whistleblower provisions might otherwise violate another provision of the Privacy Rule, including the modifications made to the Privacy Rule by the “HIPAA Privacy Rule to Support Reproductive Healthcare Privacy,” 89 Fed. Reg. 32976 (Apr. 26, 2024).
II. Applicable Legal Protections
Whistleblowing activities are a critical tool to help identify health care fraud and protect the public’s health and safety. Congress and many states have recognized their importance by protecting whistleblowers from retaliation. This guidance highlights some of the most pertinent federal laws for “protecting whistleblowers who take action related to ensuring compliance with” the Executive Order. EO 14187 § 2(b).
- The National Defense Authorization Act of 2013
The National Defense Authorization Act of 2013 (NDAA) contains a broad whistleblower protection for employees of federal contractors and grantees. It provides that “[a]n employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor may not be discharged, demoted, or otherwise discriminated against as a reprisal for disclosing to” certain statutorily defined officials and entities[17] “information that the employee reasonably believes is evidence of gross mismanagement of a Federal contract or grant, a gross waste of Federal funds, an abuse of authority relating to a Federal contract or grant, a substantial and specific danger to public health or safety, or a violation of law, rule, or regulation related to a Federal contract (including the competition for or negotiation of a contract) or grant.” 41 U.S.C. § 4712.
An employee may reasonably believe that the chemical or surgical mutilation of children presents a danger to public health and safety.[18] As the Executive Order states: “Across the country today, medical professionals are maiming and sterilizing a growing number of impressionable children . . . .” EO 14187 § 1. “Countless children soon regret that they have been mutilated and begin to grasp the horrifying tragedy that they will never be able to conceive children of their own or nurture their children through breastfeeding. Moreover, these vulnerable youths’ medical bills may rise throughout their lifetimes, as they are often trapped with lifelong medical complications, a losing war with their own bodies, and, tragically, sterilization.” Id.
Moreover, the performance of child-mutilation may violate current and/or future terms of federal financial assistance, including where the use of federal funds is not authorized for this purpose under applicable law, rule, or regulation. Indeed, HHS notes the potential applicability of federal criminal law to certain acts of chemical or surgical mutilation of children, including the ban on coercive sterilization relating to beneficiaries of federal programs under 42 U.S.C. § 300a-8.
- The False Claims Act
The False Claims Act (FCA), 31 U.S.C. §§ 3729-3733, is a statute that empowers individuals to help combat fraud against the United States. Fraudulent claims for payment under federal healthcare programs like Medicare and Medicaid can fall within the FCA’s scope. Thus, where an individual has knowledge of a potential FCA violation, that individual can be a whistleblower. This means that if an individual has knowledge that a healthcare provider submitted a claim (or caused the submission of a claim) for payment to a federal health care program in connection with chemical or surgical mutilation in violation of the terms of any existing law, regulation, or contract provision material to federal payment, then such individual could be a whistleblower.
The anti-retaliation provisions of the FCA protect “employee[s], contractor[s], [and] agent[s]” from discharge, demotion, suspension, or any other manner of discrimination “in the terms and conditions of employment” because of lawful acts taken by the individual in furtherance of a claim under the FCA or “other efforts to stop one or more violations of [the FCA].” 31 U.S.C. § 3730(h)(1). To be protected under § 3730(h), an individual must generally show that: (1) he or she is a covered “employee, contractor, or agent”; (2) he or she was engaged in activity protected by the statute; (3) he or she was retaliated against; and (4) the retaliation was “because of” protected activity.
Courts have held that § 3730(h) protects not only actions taken in furtherance of a potential or actual action under the FCA but also steps taken to remedy fraud through other means, including internal reporting to a supervisor or compliance department, or refusals to participate in unlawful activity. In judging whether an individual was engaged in protected activity, most courts have adopted an “objectively reasonable” test, requiring the individual to have an objectively reasonable belief that the potential FCA defendant is violating or will soon violate the FCA. See, e.g., U.S. ex rel. Grant v. United Airlines Inc., 912 F.3d 190, 201 (4th Cir. 2018) (“an act constitutes protected activity where it is motivated by an objectively reasonable belief that the employer is violating, or soon will violate, the FCA.”).
- The Church Amendments
The Church Amendments, 42 U.S.C. § 300a-7, comprise conscience protections for healthcare personnel. As relevant here, 42 U.S.C. § 300a-7(c) prohibits entities that receive certain federal financial assistance from discriminating “in the employment, promotion, or termination of employment of any physician or other health care personnel” or discriminating “in the extension of staff or other privileges to any physician or other health care personnel” because that individual “refused to perform or assist in the performance” of a “lawful sterilization procedure” “on the grounds that his performance or assistance in the performance of the procedure . . . would be contrary to his religious beliefs or moral convictions,” or “because of his religious beliefs or moral convictions respecting sterilization procedures[.]”
In addition, 42 U.S.C. § 300a-7(d) provides: “No individual shall be required to perform or assist in the performance of any part of a health service program or research activity funded in whole or in part under a program administered by the Secretary of Health and Human Services if his performance or assistance in the performance of such part of such program or activity would be contrary to his religious beliefs or moral convictions.”
The Executive Order aims to end child-mutilation procedures, which procedures could include adverse healthcare consequences like sterilization. See EO 14187 §§ 1, 2(c). The Church Amendments protect employees from discrimination if, based on religious beliefs or moral convictions, they refuse to participate in child-mutilation procedures—including the use of puberty-blockers or cross-sex hormones—and/or raise an objection to a supervisor about participating in such procedures.[19]
- HIPAA Privacy Rule Prohibition on Retaliation
In addition to protecting covered entities from liability under HIPAA for whistleblowing by their workforce members and business associates, the Privacy Rule prevents such covered entities from using the rule as a justification to retaliate against workforce members who whistleblow. Generally, the Privacy Rule requires covered entities to have and apply appropriate sanctions against members of its workforce who failed to comply with their privacy policies or procedures or with the requirements of the rule. However, the requirement explicitly excludes the application of sanctions to a member of the covered entity’s workforce for whistleblowing activity.[20] The purpose of this exclusion is to make clear that covered entities may not use the Privacy Rule as a mechanism for sanctioning workforce members or business associates who disclose PHI to the appropriate authority in accordance with the whistleblower provision.[21]
Further guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.
***
To report a tip or file a complaint. Please go to www.hhs.gov/protect-kids.
For federal crimes. Please contact the United States Department of Justice here.
- [1] As used in this guidance, the term “chemical and surgical mutilation” has the same meaning as given in Executive Order 14187, § 2(c): “the use of puberty blockers, including GnRH agonists and other interventions, to delay the onset or progression of normally timed puberty” for purposes of treating gender dysphoria; “the use of sex hormones, such as androgen blockers, estrogen, progesterone, or testosterone, to align an individual’s physical appearance with an identity that differs from his or her sex; and surgical procedures that attempt to transform an individual’s physical appearance to align with an identity that differs from his or her sex or that attempt” for purposes of treating gender dysphoria “to alter or remove an individual’s sexual organs to minimize or destroy their natural biological functions. This phrase sometimes is referred to as ‘gender affirming care.’”
- [2] Pub. L. 104-191, 110 Stat. 1936 (August 21, 1996).
- [3] This guidance explains protections that exist under current statutes and regulations. The guidance does not give rise to any new rights, obligations, or legal consequences.
- [4] 45 CFR part 160 and subparts A and E of part 164.
- [5] See 45 CFR 160.103 (definition of “Covered entity” and “Business associate”). See also OCR’s Fact Sheet on Direct Liability of Business Associates.
- [6] 45 CFR 164.502(j)(1). Because HIPAA applies only to covered entities and business associates, it is beyond the scope of the Privacy Rule to directly regulate the whistleblower actions of members of a covered entity’s workforce. Thus, the whistleblower provision applies only to protect a covered entity from HIPAA liability based on the whistleblower action of a member of its workforce or business associates. See “Standards for Privacy of Individually Identifiable Health Information,” 65 Fed. Reg. 82462, 82501-82502 (December 28, 2000).
- [7] See 45 CFR 164.514(a).
- [8] 45 CFR 164.502(j)(1)(i).
- [9] 45 CFR 164.501 (definition of “Health oversight agency”). An example of a health oversight agency authorized by law to investigate or oversee the conditions of a covered entity is the Long-Term Care Ombudsmen appointed in accordance with the Older Americans Act. Among the Ombudsmen’s mandated responsibilities is a duty to identify, investigate, and resolve complaints that are made by, or on behalf of, residents related to their health, safety, welfare, or rights. 65 Fed. Reg. at 82637. Additional examples of health oversight agencies that conduct oversight of the health care system include state insurance commissions, state health professional licensure agencies, Offices of Inspectors General of federal agencies, state Medicaid fraud control units, HHS OCR, and the Food and Drug Administration (FDA). Examples of health oversight agencies that conduct oversight of government benefit programs for which health information is relevant to beneficiary eligibility include the U.S. Social Security Administration and the U.S. Department of Education. See 65 Fed. Reg. at 82492.
- [10] 45 CFR 164.501 (definition of “Public health authority”). Examples of public health authorities include: the FDA, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, and state and local public health departments. 65 Fed. Reg. at 82526.
- [11] Accreditation organizations are performing health care operations functions on behalf of health plans and covered health care providers. See 65 Fed. Reg. at 82492.
- [12] Professional standards are determined by state or other law. See 65 Fed. Reg. at 82727.
- [13] 45 CFR 164.508(a). See also HHS, HIPAA FAQ #2023 (Jan. 9, 2023).
- [14] 45 CFR 164.512(b)(1)(ii).
- [15] 45 CFR 164.512(f).
- [16] “Standards for Privacy of Individually Identifiable Health Information,” 64 Fed. Reg. 59918, 59990 (November 3, 1999).
- [17] For example, the statute protects whistleblowing to members of Congress, the Department of Justice, a “Federal employee responsible for contract or grant oversight or management at the relevant agency,” or a “management official or other employee of the contractor, subcontractor, grantee, subgrantee, or personal services contractor who has the responsibility to investigate, discover, or address misconduct.” 41 U.S.C. § 4712(a)(2).
- [18] See Quality and Safety Special Alert Memo, Center for Medicare & Medicaid Services, “Protecting Children from Chemical and Surgical Mutilation” (March 5, 2025). The memo notes the “lack of medical evidence in support of these harmful treatments,” for chemical and surgical interventions on children with gender dysphoria, and warns that such interventions are “now known to cause long-term and irreparable harm to some children.” The memo also notes that the “United Kingdom, Sweden, and Finland have recently issued restrictions on the medical interventions for children, including the use of puberty blockers and hormone treatments, and now recommend exploratory psychotherapy as a first line of treatment…”
- [19] Subsection (c) of the Church Amendments is tied to, among other things, a “lawful sterilization procedure.” Subsection (d) is broader in that respect: it pertains to procedures to which an individual has religious or moral objections, even if sterilization is not implicated. In the context of the Executive Order, that could include, for example, “surgical procedures that attempt to transform an individual’s physical appearance to align with an identity that differs from his or her sex[.]” EO 14187 § 2(c).
- [20] 45 CFR 164.530(e)(1).
- [21] Id.; See also 65 Fed. Reg. at 82636.