The Vanderbilt University Medical Center's recent handover of transgender patient records to the Tennessee Attorney General's Office has sparked a heated debate on patient privacy.
Why it matters
The Vanderbilt University Medical Center (VUMC) recently handed over transgender patient records to the Tennessee Attorney General's Office as part of an investigation into medical billing for gender-affirming services. This move has raised concerns about patient privacy and the application of the Health Insurance Portability and Accountability Act (HIPAA). At the same time, the U.S. Department of Health & Human Services (HHS) is proposing new measures to protect patient-provider confidentiality in healthcare, particularly in the realm of reproductive health.
The big picture
The VUMC case and the proposed changes to HIPAA regulations highlight the ongoing struggle to balance patient privacy with the need for transparency and accountability in healthcare. These issues are particularly relevant for sensitive areas like transgender healthcare and reproductive health, where privacy concerns can have significant implications for patients' rights and wellbeing.
Between the lines
In the VUMC case, the Tennessee Attorney General's Office is investigating potential medical billing fraud. The state requested medical records dating back to January 1, 2018. VUMC complied, stating that they were meeting "all health care privacy and security requirements established under both Federal and Tennessee law, including but not limited to HIPAA." However, the release of these records has raised concerns about patient privacy and the potential misuse of sensitive health information.
In the realm of reproductive health, the overturning of Roe v. Wade in 2022 has brought increased attention to reproductive healthcare apps. These apps, which track period cycles, predict fertility windows, and provide information on reproductive health-related symptoms, are not currently protected under HIPAA. This means that data entered into these apps can legally be sold to third parties or used in legal investigations where states have banned abortion.
What's next
The HHS has released a Notice of Proposed Rulemaking on reproductive health, aiming to strengthen privacy protections for individuals' protected health information (PHI) related to reproductive health care. The proposed rule would prohibit the use or disclosure of PHI for the purpose of a criminal, civil, or administrative investigation or proceeding related to seeking, obtaining, providing, or facilitating reproductive health care in certain circumstances.
Go deeper
The proposed rulemaking by the HHS is open for public commentary until June 16, 2023. If a final rule is published, it would have an effective date of 60 days after publication. Regulated entities would then have a compliance period to establish and implement policies and practices to achieve compliance with the new or modified standards.
What they're saying
The Nashville Post reports that John Howser, chief communications officer at VUMC, said, "The Tennessee Attorney General has legal authority in an investigation to require that VUMC provide complete copies of patient medical records that are relevant to its investigation. VUMC was obligated to comply and did so."
Brandon Smith, chief of staff to the Attorney General, stated, "The Office does not publicize fraud investigations to preserve the integrity of the investigative process. The Office maintains patient records in the strictest confidence, as required by law. The investigation is focused solely on VUMC and certain related providers, not patients, as VUMC is well aware."
Be smart
Healthcare organizations would have a heightened responsibility to protect the privacy and confidentiality of individuals' reproductive health information. This may involve implementing new privacy safeguards, revising consent forms and notices of privacy practices (NPPs), and training staff on the updated requirements.
The bottom line
The ongoing debate over patient privacy in healthcare is likely to continue, with the VUMC case and the proposed changes to HIPAA regulations serving as important test cases. As healthcare becomes increasingly digital and data-driven, the need for robust privacy protections will only grow. It's crucial for healthcare providers, patients, and policymakers to stay informed about these issues and actively participate in the conversation about balancing privacy with the need for transparency and accountability in healthcare.
Related: HIPAA Compliant Email: The Definitive Guide
Dean Levitt
