Vanderbilt University Medical Center did not do enough to protect the privacy of its transgender patients when Tennessee’s attorney general requested copies of their medical records, a U.S. Senate Finance Committee report found.
The review investigated requests for trans health records from attorneys general in Tennessee, Indiana, Missouri and Texas. Of the providers who received a demand for records, the report singled out VUMC for handing over 65,000 pages of documents to Tennessee AG Jonathan Skrmetti. Those files included the medical records of 82 transgender patients. The AG requested the records as part of an ongoing investigation into the medical center’s gender-affirming care services.
“While some hospitals have admirably resisted these overbroad fishing expeditions, Vanderbilt University Medical Center failed its responsibility to protect their patients’ privacy,” said Committee Chair Ron Wyden, D-Oregon.
A Seattle hospital sued to block a request from the Texas attorney general for trans patients’ information, and a provider in St. Louis refused to share patient records, citing patient privacy concerns.
VUMC leadership told WPLN News that the hospital had sent a letter to the Senate Finance Committee, outlining concerns with the findings before it published in mid-April.
“We made every effort to both protect our patients and follow the law. At no point did we violate privacy laws, and we strongly disagree with any suggestion that we did,” said VUMC’s general counsel, Michael Regier.
Health privacy laws, like HIPAA, make exceptions for law enforcement, and VUMC officials have said the hospital had to comply with the attorney general. The medical center’s handling of the request has become the subject of a lawsuit and a federal investigation by the Department of Health and Human Services and its Office of Civil Rights.
The AG’s request said that “(d)e-identified data cannot be used for this inquiry, as (the office) need(s) to request certain patient treatment records to reconcile such records against the billing data,” according to the report.
The office of Tennessee’s attorney general also requested and obtained other records, including employment contracts for physicians, volunteer agreements for the VUMC Trans Buddy Program, and messages received and sent by a general LGBTQ email address.
The Senate Finance Committee said that it still doesn’t know everything that was turned over to the AG. Citing court documents shared with the committee, it noted that when the VUMC investigation became public, many patients experienced a spike in suicidal ideation, severe depression and intense anxiety.
“Put yourselves in our shoes,” Jack, a trans VUMC patient, told WPLN News last year. “You’re a marginalized group. You’ve seen piece of legislation after piece of legislation that is targeting you and people like you. And then all of a sudden, the attorney general has the most intimate details of your medical history … Even if that’s the end of it, that is still terrifying.”
The Rainbow Youth Project, an organization that provides emergency behavioral health care, responded to 376 acute mental health crises from queer youth in the area in a single day — more than 100 times the project’s average call volume.
Transgender patients learned that the AG had their records after documents related to the investigation were submitted in an ongoing ACLU lawsuit. Under HIPAA, providers are allowed to alert patients that their health records were disclosed, unless a judge issues a “gag” order.
That was not the case for the AG’s request, the committee noted.
“VUMC made an active decision to keep patients in the dark and only notify them about the investigation after the ACLU had exposed its existence. Further, once VUMC was publicly shamed into notifying patients, it failed to inform the correct patients,” the report said.
On Air - 90.3 WPLN-FM