By Lauren Means (she/her)
The protection of patient confidentiality and sensitive medical information is a cornerstone of healthcare ethics and the law. The Health Insurance Portability and Accountability Act (HIPAA) sets stringent regulations to ensure the privacy and security of medical records. In June 2023, Vanderbilt University Medical Center (VUMC) came under scrutiny for allegedly releasing the medical health records of transgender patients to Tennessee Attorney General (AG) Jonathan Skrmetti. This incident has ignited concerns about potential HIPAA violations and the potential consequences that VUMC may face as a result.
The AG’s office said VUMC began providing relevant records in December 2022 in response to a civil investigation into alleged medical billing fraud by VUMC. It wasn’t until June that VUMC finally began to notify patients that their records had been turned over.
An important point in this story is that the AG was specifically looking into the billing related to transgender patients on Medicaid (TennCare).
As you may recall, there has been a lot of hostility within our state legislature to try to stop individuals from getting gender-affirming care when it’s needed.
Many LGBTQ+ individuals in Tennessee and neighboring states seek care at VUMC as they have a reputation for being forward-thinking in their care for the community and even have a center dedicated to LGBTQ+ health.
This is what makes this story especially devastating. People sought out a place where they thought they could bring their full selves and get the care they deserved without fear of discrimination. Now, it seems like they are becoming a pawn in a legal game.
Understanding HIPAA
HIPAA, enacted in 1996, is a federal law designed to protect the privacy and security of patients’ health information. It establishes national standards for safeguarding protected health information (PHI) and grants patients certain rights to privacy regarding their medical records. Covered entities, including healthcare providers like VUMC, must adhere to these standards rigorously to maintain the confidentiality and integrity of patient data.
The alleged release of patients’ medical records by VUMC has raised concerns about potential HIPAA violations, primarily under the Privacy Rule. The potential violations include:
- Unauthorized Disclosure: Releasing PHI to a third party without the patient’s consent or a valid legal basis constitutes an unauthorized disclosure under HIPAA. This action typically amounts to a breach of privacy unless mandated by law or for specific purposes, such as public health.
- Lack of Patient Consent: HIPAA regulations require covered entities to obtain explicit written consent from patients before disclosing their PHI to external parties.
- Failure to Safeguard PHI: The Security Rule demands that healthcare institutions implement stringent security measures to protect PHI, in both electronic and traditional forms, from unauthorized access. Any failure to adequately secure these records could be deemed a HIPAA violation.
Protecting Patients?
Even if VUMC was within the scope of the law when it released the records without patient consent, it raises the question of whether VUMC should’ve fought a little harder to protect its patients’ information.
We asked Nashville attorney Abby Rubenfeld about this situation and if VUMC violated HIPAA with the record release. She said, “When any of us go to the doctor, regardless of our gender identity, we assume, and rely on that assumption, that what we tell the doctor or hospital is strictly confidential — otherwise we might not go to the doctor and/or tell them the truth. What Vanderbilt did was to violate that trust, and violate it without notice to the people damaged. They released people’s records upon a simple letter from the AG – no subpoena, no lawsuit, no court order.”
That is an important point. While there are specific instances where information can be released, there are still specific steps that must be taken. The law states information can be released in response to an order of a court or administrative tribunal but only the protected health information expressly authorized by such order can be released.
If information is to be released in response to a subpoena, discovery request, or other lawful process and isn’t accompanied by a court order, the individual whose records are being requested for release must be contacted to advise of the potential release and be given an opportunity to object to the release.
Rubenfeld explained, “They [VUMC] made no effort to write patients and ask their permission. They did not ask the attorney general how he could get whatever information he needed by a less intrusive means.” She also noted the information being requested must be relevant to a legitimate purpose and, because this AG has shown to have an anti-transgender agenda, she said his motives are definitely suspect.
“They were asked and they turned it over. Period. That is wrong and in my opinion a violation of HIPAA. Hospitals are required to use the least intrusive means if they are going to breach HIPAA, and Vanderbilt made absolutely no effort to do that. And it does not appear they were ever even going to tell the people affected — this only came out six months after the fact as a result of another lawsuit against the state,” said Rubenfeld.
Lawsuit and Long-Lasting Repercussions
In July of this year, VUMC was sued by two people claiming they were among the patients whose records were turned over. According to the complaint, the plaintiffs allege that VUMC turned over non-anonymized medical records to the state without the patients’ knowledge and that the state’s request for information was part of an effort “negatively targeting the transgender community.”
The suit alleges that the medical records likely included things like x-rays, medication lists, photos of genitalia as well as patients’ sexual histories. A few weeks after the suit was filed, VUMC and the AG became the target of a Department of Health and Human Services investigation into potential civil rights violations related to the records release.
The actions by VUMC will have long-lasting effects on both the individuals affected and the LGBTQ+ community as a whole. Rubenfeld said, “It puts us all on notice that this state administration will not protect us or our private medical information if we are not part of the non-gay, white majority. It makes all of us — or should make all of us — question the commitment to privacy and confidential records by other medical providers.”
Protecting the confidentiality of patient information is paramount in healthcare, and any breach of trust in this regard can have severe repercussions. After this break in privacy, it could take years for the community to trust VUMC, and healthcare providers in general, again.
Rubenfeld said they are still seeking plaintiffs for the class action lawsuit they have filed against VUMC over this breach. If you or someone you know has been or may have been affected, contact Abby Rubenfeld or her co-counsel in the lawsuit, Tricia Herzfeld.