Health Data and Investigations: Between a Rock and a Hard Place

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

The increasing polarization of views around different forms of healthcare is placing the privacy of healthcare information in the spotlight. References to HIPAA are littered across social media, regardless of whether the use is accurate. Leaving aside the popular attempts at asserting HIPAA protections, what can actually be done with healthcare data? Who can access it, and when? Those are all good questions, and all are covered under HIPAA.

VUMC and Transgender Information

Demands for medical records can stem from a variety of investigations, which can involve a myriad of sources. The most recent example driving headlines is an investigation involving Vanderbilt University Medical Center (VUMC). VUMC disclosed records concerning treatment of transgender patients to the Tennessee Attorney General. According to the Attorney General, an investigation of alleged billing irregularities was launched. The investigation stemmed from allegations of improper coding practices that were purportedly revealed by a VUMC clinician on social media posts.

Following its receipt of the demand and production of the requested documents, VUMC apparently informed patients of the disclosure to the Attorney General’s office. The notice stated that information about transgender care had been provided in response to an investigation of individuals enrolled in state sponsored plans, namely Medicaid in Tennessee.

After VUMC revealed the investigation and response, a group of patients filed a class action against VUMC alleging a violation of privacy rights. The class apparently filed a complaint with the Office for Civil Rights asserting that HIPAA was violated as well. The complaint mirrored the allegations in the lawsuit (never mind that HIPAA does not have a private right of action). Comments about the lawsuit indicate that concerns about a political agenda informed the filing.

With all of these actions occurring, VUMC explained its actions as a response to a civil investigative demand (CID). A CID is a tool used by the government when investigating alleged or suspected fraud and is a mechanism to force production of documents. It is a recognized and acceptable legal procedure. VUMC specifically noted that the CID asked for billing records pertaining to transgender care services rendered by VUMC.

The confluence of all of these actions is a mess, but is it a mess that violated HIPAA? Without the exact behind-the-scenes details, that cannot be answered for sure. However, it seems more likely that no violation occurred.

Disclosures to Law Enforcement

HIPAA lays out the steps to follow when law enforcement seeks access to protected health information. The details for law enforcement access are in the portion of the Privacy Rule covering uses and disclosures for which an opportunity to agree or object is not required. What does it mean for no opportunity to agree or object to occur? It means the covered entity can disclose information directly in response to a demand or investigation, so long as the covered entity ensures that the appropriate process has been followed. Further, once the appropriate process is confirmed, it is unlikely that a violation occurred.

What qualifies as a permissible disclosure to law enforcement? Compliance with a civil investigative demand is clearly identified in the rule, which seems to align with the VUMC example. Beyond a CID being a valid basis for disclosing information, it is also necessary to confirm that the CID meets these requirements:

  1. The requested information is relevant and material to a legitimate inquiry;
  2. The request is specific and limited as much as possible to the purpose for which the information is requested; and
  3. De-identified information could not reasonably be used instead.

How does the law enforcement exception work in practice? The language of the rule demonstrates that law enforcement can end up with a broad ability to get at health information. That means information about individuals can be accessed in a number of instances without awareness on the part of the individual.

Using the VUMC case as an example, an Attorney General often investigates alleged fraud, especially in state-run programs. Medicaid falls under that purview, and alleged billing fraud is often the subject of an investigation. Could VUMC have provided de-identified information, or could it have challenged the relevance of the CID? Yes, and it is possible that those actions occurred but were not revealed. Even assuming that a challenge was made, a covered entity subject to an investigation by a branch of the government can only do so much. Further, ignoring a demand is usually not an option, as that can lead to consequences that are worse and even more disruptive. Again, without more details, the path taken by VUMC was one of the very few that it likely could have taken.

Is Change Coming?

Unfortunately, but also likely true, the disclosure by VUMC is receiving more attention than similar disclosures because it involves transgender care in a state taking steps to block the delivery of such healthcare services. Absent the politically charged atmosphere, would a disclosure for alleged billing misconduct receive the same attention? Likely not, but it is a reality that cannot be ignored either.

A proposed change to HIPAA disclosure requirements for reproductive healthcare information could offer insight into where HIPAA might go in the future. The proposed rule tries to make it harder for law enforcement to get at records, but the proposed rule is limited to reproductive healthcare information. Arguably transgender services could fit within that definition, though absent the rule setting parameters on the definition, I would expect states to limit the scope of what qualifies as reproductive healthcare.

If the rule is finalized and limitations are identified, will more similar restrictions be put into place? It is a possibility, but arguably more of a patch on the larger issue. The bigger questions focus more on: (i) should privacy be restructured, (ii) should different forms of healthcare be denied for non-medical reasons, and (iii) should disparities on a state-by-state basis be allowed? Those are just a few of the questions to ask, with a whole host more possible.

The likely reality going forward is that more disruptive requests and investigations will occur that expose sensitive information. Individuals, as so often happens, will be caught in the middle of swirling currents.

This article was originally published on The Pulse blog and is republished here with permission.