For years, the US’s LGBTQ community has raised concerns about the privacy and security of sensitive personal identifying data collected throughout their healthcare visits. There are laws that address privacy and security in some fashion for this patient population. The laws provide a floor for managing protected health information (PHI) and personally identifiable information. Collection of this information is no different than when healthcare organizations started collecting HIV information. Consideration can be given to additional protections if it is determined that operationally, it is appropriate within the individual healthcare organization.
The HIPAA Privacy Rule states:
- SO/GI or history of transition-related procedures may constitute PHI.
- Hospitals and other covered entities should provide training to physicians, employees and contractors to ensure compliance.
- A covered entity must have in place and apply appropriate sanctions against members of its workforce who violate the entity’s policies and procedures and the HIPAA Privacy Rule.
- Hospitals may use or disclose a patient’s PHI to a family member, other relative, close friend or any other person the patient identifies.
- The law respects the patient’s wishes on matters of privacy and confidentiality.
The Office of Civil Rights (OCR) has explicitly stated that this prohibition extends to claims of discrimination based on gender identity. It prohibits the denial of healthcare or health coverage based on an individual’s sex, including discrimination based on pregnancy, gender identity and sex stereotyping. Section 1557 of the Patient Protection and Affordable Care Act of 2010 builds on prior federal civil rights laws to prohibit sex discrimination in health care. The final rule also requires covered health programs and activities to treat individuals consistent with their gender identity.
The Joint Commission standard R1.01.01.01, EP 29 also protects LBGTQ individuals. EP 29 prohibits hospital discrimination based on age, race ethnicity, religion, culture, language, physical or mental disability, socioeconomic status, sex sexual orientation and gender identity or expression.
In 2016, Federal Rule 45 CFR 170 under the HITECH Act provided the following as a guideline to “improve health care quality, safety and efficiency through the promotion of health IT and electronic health information exchange.” It particularly refers to “reducing health disparities” by:
- Ensuring that each patient’s health information is secure and protected, in accordance with applicable law
- Improving health care quality, reducing medical errors, reducing health disparities and advancing the delivery of patient-centered medical care.
- Reducing healthcare costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information
- Providing appropriate information to help guide medical decisions at the time and place of care.
Some organizations have discussed placing additional security on patient records that contain sensitive sexual orientation and gender identity-similar to “break the glass” technology or protections that are currently used with behavioral health records and substance use disorder records today. There are no clear industry guidelines or standards.
Another area of concern is that some are calling “special security access” for the LGBTQ population. For example, a patient has undergone reassignment surgery. Questions have arisen about going to the extent of masking or placing increased EHR security on prereassignment surgery or clinical records such as Male to Female (MTF) or Female to Male (FTM). This practice is not recommended as it would change the clinical picture of the patient and would not allow the caregiver to have a comprehensive, historical patient story. Many questions remain unanswered and HIM professionals , in particular are being challenged to answer these questions as the need for privacy is balanced with the expectations for high quality care provision and data usage and reporting.
Some of the larger EHR vendors have been working on the creation of LGBTQ modules where patient identity and preferred name can be captured and displayed in the patient header.
In summary, special consideration should be given for addressing SO/GI data in the following areas privacy/security, population health, physician engagement and patient/consumer engagement. HIM professionals have a unique opportunity to assist in the design , implementation and execution of technology and operational processes that ensure LGBTQ patients can receive quality, inclusive and safe health care. HIM can also ensure data is sound and available to foster population health that is managed safely, securely and privately-- an expectation of all healthcare consumers.