OCR Imposes First HIPAA Penalty for a Phishing Attack

The HHS’ Office for Civil Rights (OCR) has settled a landmark cyber investigation and, for the first time, imposed a financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a data breach that began with a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of the group’s owners on March 30, 2021, after the owner responded to a phishing email that spoofed another of the medical group’s owners. The threat actor thereby gained access to the group’s Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine exactly which patients’ information had been exposed, so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, email addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the breach. OCR’s investigators discovered that Lafourche Medical Group had never conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity, such as audit logs and access reports, prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a corrective action plan (CAP) that requires it to establish and implement security measures to reduce risks and vulnerabilities to ePHI; to develop, maintain, and revise written policies and procedures as necessary to comply with the HIPAA Rules; and to provide HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500.


The post OCR Imposes First HIPAA Penalty for a Phishing Attack appeared first on HIPAA Journal.

Lawsuit Seeks Clarification on Legality of Missouri AG Request for Medical Records of Transgender Patients

Washington University (WU) is asking a court to confirm whether Missouri Attorney General Andrew Bailey has the legal authority to obtain the electronic health records of patients of the WU Transgender Center. AG Bailey issued civil investigative demands to WU on February 23, 2023, requiring documents and the electronic health records of patients of the Transgender Center to be provided as part of an investigation into the center’s practices.

The investigation was initiated after a whistleblower, Jamie Reed, provided a signed affidavit to the Attorney General about her employment as a case worker at the WU Transgender Center at St. Louis Children’s Hospital. Reed claimed that the Transgender Center had caused permanent harm to many of its patients through the treatments it prescribed. She claimed healthcare providers at the Transgender Center had misled the public and patients about the treatment provided, or not provided, and about its effects. She alleged that staff at the center prescribed puberty blockers and cross-sex hormones after two hour-long visits, without complete, informed parental consent or an appropriate and accurate assessment of the child’s needs. She claimed that children had experienced “shocking injuries” from the medications and that no attempt was made to track adverse outcomes. Reed also claimed that the Transgender Center had used incorrect treatment codes to get public and private insurance plans to pay for treatments. The families of several patients of the Transgender Center disputed Reed’s claims, as did another former employee, Jess Jones, who maintained that her experience working at the center was different from Reed’s and that many patients were told they would have to wait years before they could receive treatment.

AG Bailey launched an investigation, with assistance from the Missouri Department of Social Services and the Division of Professional Registration, and issued civil investigative demands for documentation. AG Bailey claimed that the Missouri Merchandising Practices Act (MMPA) gave him the authority to demand access to the electronic medical records of patients of the WU Transgender Center as part of the investigation. The MMPA is a consumer protection law that pertains to false advertising and deceptive business practices. WU partially complied with the civil investigative demand and has handed over documents relating to advertising, but it has taken legal action over the demand for electronic medical records, which WU contends falls outside the scope of the MMPA.

“Certain statements have been made by the attorney general that have caused Washington University to further question whether all of the requests (including those at issue now) are properly within the scope of the MMPA,” said WU attorney James Bennett. “The statements suggested that the investigation was directed at medical decision making as much if not more than it was directed to sales or advertising.” The prospect of their records being disclosed has caused anxiety among some patients, who do not want their records provided to the Attorney General and potentially made public. The lawsuit asks Judge Jason Sengheiser to rule on whether AG Bailey’s investigative demands are lawful and, if so, to what extent, so that the demand can be narrowed accordingly.


Joint Commission Launches Certification Program for Responsible Secondary Use of Health Data

On December 5, 2023, the Joint Commission launched the Responsible Use of Health Data (RUHD) Certification program for U.S. hospitals and critical access hospitals. The voluntary program provides an objective evaluation of how well hospitals maintain privacy best practices when transferring health data to third parties for purposes other than treatment, known as the secondary use of health data.

Hospitals often transfer health data for reasons other than clinical care, such as to support the development of artificial intelligence systems and for quality and operations improvement purposes. The HHS’ Office of the National Coordinator for Health Information Technology (ONC) reports that 85% of hospitals in the United States have the capability to export patient data for reporting and analysis purposes. While the HIPAA Privacy Rule specifies the methods that may be used to de-identify protected health information (the Expert Determination and Safe Harbor methods at 45 C.F.R. § 164.514(b)), there is currently no standard approach for governing how de-identified data is subsequently used, nor for validating that best practices are followed.

The certification program evaluates whether a hospital is committed to using privacy and security best practices in its secondary use of data, and promotes responsible use by requiring established protocols for transparency, limitations on use, and patient engagement. The RUHD Certification program is based on principles adopted from the Health Evolution Forum’s “Trust Framework for Accelerating Responsible Use of De-identified Data in Algorithm and Product Development.” Under the program, a hospital receives an objective evaluation of whether it de-identifies protected health information in accordance with HIPAA, whether it has established a governance structure for the use of the data, and how it communicates with patients about the secondary use of de-identified data. The certification program also assesses data controls, limitations on use, and algorithm validation. Hospitals that achieve RUHD Certification will be recognized publicly for establishing an objective and rigorous process for meeting the necessary privacy requirements.

“As more healthcare organizations are leveraging clinical data for secondary purposes, there have been increased calls to assure responsible data stewardship,” says Jonathan B. Perlin, MD, PhD, MSHA, MACP, FACMI, president and chief executive officer, The Joint Commission Enterprise. “The Joint Commission recognizes it can play an important role in validating that robust policies and procedures are in place to help protect, govern and accountably use secondary data. We believe our Responsible Use of Health Data Certification will help healthcare organizations use data responsibly to improve the safety, quality and equity of care, develop new technologies, and discover new therapies benefitting all patients.”

The program will officially commence on January 1, 2024, when applications will be accepted; however, hospitals can begin working toward RUHD Certification immediately.
