Vanderbilt University Medical Center is being accused of violating the privacy of its transgender clinic patients by turning their records over to Tennessee’s attorney general
While I don’t think it was done maliciously against them specifically, this is of course a fail in ensuring the privacy of the patients that specifically requested for their privacy to be respected. Is it known if between the other 98 cases there weren’t any other requests for privacy?
But in all honesty, why is privacy a request and not a right given to all?
This is likely a HIPAA violation. The thing conservatives crowed about back during vaccine requirements for jobs (and were entirely wrong about being related to HIPAA). The hospital would explicitly require patients to approve providing the records to the government. The government is a covered entity in HIPAA.
I started to look at this, as I had read the whole HIPAA once upon a time. And I think it’s not so much HIPAA as it relies on the Privacy Act of 1974, but I’m not a lawyer so I’m not making any argument either way. What I will say is that Tennessee is fucked if one of those 100 people is a resident of another state.
HIPAA explicitly allows the release of records for law enforcement investigations. However, the plaintiffs will argue this was a malicious case and done without warrants.
Permitted disclosure must meet certain requirements. The amount of PHI provided must be the minimum amount possible to meet the required activity. Nothing here seems to meet the requirement provided. Tbh, auditing/billing isn’t even listed as a permitted disclosure.
Edit: I take it back. Supported fraud programs is a permitted disclosure. However, it needs to be the minimum amount of PHI disclosed to meet that goal.
Yeah, it really might be. This should be making the sending of the entire batch of documents illegal, unless they all signed a void at the very start that their info would be sent if requested regardless.
Still, this is fucked up.
HIPAA makes it not a request. I’d be surprised if this wasn’t considered a MASSIVE HIPAA violation, as this is the kind of reason it exists: so patients can receive help without worrying about the consequences of doing so.
Yeah, like I thought. As said in another comment there might be some ground where the hospital makes you sign a document to void your rights under that law unless requested. Unless there is a protection from that, anyone can just invert the default choice.
While I’m sure lawyers have looked at it (and I’m not one), my understanding is that you cannot sign away your statutory rights in most cases.