OCR investigates VUMC for transgender patient privacy breach

When Vanderbilt University Medical Center turned over non-anonymized medical records to the state without patient consent, it pitted Tennessee state law against HIPAA and unleashed a federal investigation as well as a class action patient lawsuit.
By Andrea Fox
09:30 AM

Vanderbilt University Medical Center faces a federal investigation by the U.S. Health and Human Services Office of Civil Rights, and a legal battle with transgender patients who say unauthorized disclosure of their personal health information to Tennessee Attorney General Jonathan Skrmetti is a privacy violation.

WHY IT MATTERS

Defending his investigation of VUMC's transgender clinic, Skrmetti told local NewsChannel5 earlier this month that, although "he understands the optics," his office is lawfully investigating medical coding fraud because they were already aware of "billing issues" there.

It's about "protecting taxpayer dollars," he said during the televised interview, adding that his office performs dozens of investigations for medical coding fraud each year. 

In a statement to CNN attributed to John Howser, chief communications officer, VUMC said that the medical center was obligated to provide the full medical records.

"VUMC complies with all healthcare privacy and security requirements established under both federal and Tennessee law, including but not limited to HIPAA," he reportedly said of the health system's turning over of non-anonymized patient records.

In a statement provided to Healthcare IT News, VUMC provided further details of the request.

"In November 2022, VUMC received a Civil Investigative Demand or 'CID' from the Tennessee Attorney General," VUMC said. "Two additional CIDs were received by VUMC in March 2023. The CIDs requested information for an investigation into VUMC’s billing practices for people enrolled in state-sponsored insurance plans who received gender-affirming healthcare at VUMC."

Skrmetti explained that the investigation into VUMC's trans clinic was sparked by the founder describing how she codes in a 2019 online video where she discusses documentation challenges. 

He said investigators need to match patient names to claims information.

"For the patient who gets a big bill because their insurance doesn’t cover any transgender-related codes, I usually write 'endocrine disorder – not otherwise specified' to allow me to order the labs that I want," said Dr. Shayne Sebold Taylor in the video clip aired with NewsChannel5's Skrmetti interview.

In a Reddit post dated two months ago, one individual stated that the following communication was sent by VUMC through the health system's MyHealth patient portal:

"The Attorney General's Office is investigating VUMC's billing for transgender care services provided to individuals enrolled in state-sponsored insurance plans. The Attorney General has legal authority to require medical providers, including VUMC, to provide copies of documents relevant to an investigation, including patient medical records. The medical records requested from VUMC cover the period from January 1, 2018, to present."

A spokesperson for VUMC declined to comment on the contents of the Reddit post. Meanwhile, the CIDs requested further information related to VUMC’s transgender services, according to the health system's statement today.

In separate news about the federal investigation, Abby Rubenfeld, a member of the legal team representing the plaintiffs in the class action suit alleging that VUMC did not protect their HIPAA privacy rights, told the news outlet last week that she had spoken with OCR.

Rubenfeld said that although there are exceptions to federal health privacy law for civil investigations, there are guidelines and limits. She indicated that the AG's office went too far with its enforcement authority under the Tennessee False Claims Act and Tennessee Medicaid False Claims Act.

"He talks about no exceptions to the fraud laws for politics; that's garbage," she said. "There's no exception to HIPAA for his political agenda."

In previous reports, Rubenfeld told NewsChannel5 that VUMC shared these records on three separate occasions and did not offer any resistance under HIPAA.

Healthcare IT News reached out to OCR for a statement on its investigation of VUMC, but a representative said the agency does not generally comment on open investigations.

Howser's statement confirmed for CNN that OCR contacted VUMC. Reportedly, it also said that since July 1, a new Tennessee law says that "all gender-affirming care for individuals under age 18 is now illegal."

Last year, Tennessee Republican leaders sent a letter to VUMC requesting that it halt all gender-transitioning surgeries for minors. 

In the September letter posted to the X social media platform by Jason Zachary, a Tennessee state representative for the 14th legislative district, a contingent of the state's Republican leaders called it an "egregious error of judgment" to "condone (and promote) harmful irreversible procedures for minor children in the name of profit."

VUMC is an independent non-profit organization with multiple hospitals in Nashville, clinics and facilities throughout Middle Tennessee and academic affiliation with Vanderbilt University. 

The health system said it is also responsible for assessing the needs of Bedford, Coffee, Davidson, Rutherford, Williamson and Wilson counties. Its Community Health Equity team collaborates with individual community members, local health departments, non-profit organizations and external health systems "to address inequities in health among marginalized, minoritized and socially disadvantaged populations," according to its website.

THE LARGER TREND

The OCR has regularly investigated HIPAA violations for info blocking since HHS launched its Right of Access initiative in 2019, as well as for provider cybersecurity breaches that disclose protected health information.

In its HIPAA guidance on disclosures of information relating to reproductive healthcare last reviewed in June 2022, HHS said: 

"The privacy rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law."

VUMC said in its statement to Healthcare IT News today that its legal counsel is "in ongoing discussions with the attorney general’s office about what information is relevant to their investigation."

ON THE RECORD

"As one of the nation's leading academic health systems, VUMC is committed to providing welcoming and personalized care for every patient we serve, including our LGBTQIA community," the health system allegedly said in a communication attributed to its MyHealth portal. "We regret that your records have become a part of the attorney general's investigation and stand ready both to answer questions you may have and to continue to provide the care you need."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
