VUMC Faces Lawsuit Over Disclosure of Medical Records of Transgender Patients to State AG
Vanderbilt University Medical Center (VUMC) in Nashville, TN, has confirmed that the medical records of transgender patients have been provided to Tennessee Attorney General, Jonathan Skrmetti, in connection with an investigation of medical billing fraud.
According to AG Skrmetti’s Chief of Staff, Brandon Smith, the medical records were requested as part of an investigation into medical billing fraud focused on VUMC and related healthcare providers, rather than patients. The AG’s office has not explained the nature of the fraud investigation to ensure the integrity of the investigative process.
VUMC has provided gender-affirming care to minors since 2018 and typically performs around 5 surgeries a year. VUMC said all procedures, none of which were genital procedures, were performed on minors over 16 years of age with parental consent. On Tuesday this week, VUMC confirmed that it provided patient records to the state Attorney General after receiving two civil investigative demands (CIDs); a move that has resulted in considerable backlash from the LGBTQ+ community. “The Tennessee Attorney General has legal authority in an investigation to require that VUMC provide complete copies of patient medical records that are relevant to its investigation. VUMC was obligated to comply and did so,” said VUMC spokesperson, John Howser.
Concerns have been raised about the disclosures in light of the soon-to-be-introduced ban on gender-affirming care for minors in Tennessee. The state law is due to take effect on July 1, 2023, and will prevent doctors from providing gender-affirming care to individuals under the age of 18. The law has been challenged and while the ban was partially blocked, prohibiting surgical procedures on minors but allowing puberty blockers and hormone therapies to be prescribed, the 6th Circuit Court of Appeals lifted that block, reinstating the ban on all gender-affirming care for minors.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Since the VUMC announcement, several individuals have taken to social media platforms alleging the medical record disclosures violated HIPAA and patient privacy. HIPAA places restrictions on disclosures of medical records but permits disclosures in response to “an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.” In such cases, the information provided must be relevant to the inquiry and if de-identified protected health information could not reasonably be provided. VUMC has not confirmed how many records were disclosed in response to the CIDs but said the records requested by the Attorney General dated back to 2018 and that the patients concerned had been enrolled in TennCare insurance plans. The individuals concerned were notified by VUMC that their records had been provided to the state Attorney General as part of a civil investigation.
HIPAA permits but does not require healthcare providers to disclose patient data and VUMC has been criticized for not making a stand, although refusing the request would only likely have delayed the disclosures. The affected patients are fearful that regardless of the outcome of the fraud investigation, the Attorney General’s office will still have a list of individuals who have received gender-affirming care. Brandon Smith expressed concern about the decision of VUMC to make the disclosures public knowledge, stating “We are surprised that VUMC has deliberately chosen to frighten its patients like this,” and claimed the VUMC investigation has been running since September 2022 and VUMC has been providing information pertinent to the investigation since December 2022.
The medical record disclosures have prompted a class action lawsuit by two of the affected patients who allege VUMC was aware that the state has been targeting the transgender community, yet still provided patient records to the Attorney General and violated the HIPAA Rules by doing so. The lawsuit claims VUMC disclosed the information of 106 individuals, including individuals “on the state employees’ health plan and their family members, and people who receive their health care through TennCare,” as well as the information of some individuals who were not VUMC Transgender Health Clinic patients. According to the lawsuit, an additional CID was issued for all communications between VUMC’s Dr. Melissa Ciperski and others working at Centerstone regarding or related to a potential gender dysphoria diagnosis of a person receiving mental health treatment at Centerstone.
The lawsuit, filed by the law firm Herzfeld, Suetholtz, Gastel, Leniski & Wall, and Abby Rubenfeld, takes issue with the amount of data provided, which included highly sensitive health information including photographs of genitalia, private communication with clinicians, sexual histories, and the identities of intimate partners, and the failure to provide de-identified information in response to the CIDs.
