Is Gender Identity Protected by HIPAA?

The rights of transgender individuals have taken their own spotlight in national news as the federal government moves to enhance protection based on gender identity and certain states move to protect their status quo. Much of the debate revolves around locker-room, restroom, and sports team issues. But few people are talking about the health care implications for the transgender population. One interesting issue, for example, is how HIPAA applies to transgender issues. More specifically, is the fact that a person identifies as transgender considered Protected Health Information (PHI) under HIPAA as defined by the Privacy Rule?

Answering the question of what type of information is protected under HIPAA is a three step process because the law offers three definitions that must be applied to determine whether a particular piece of information is Protected Health Information. First, HIPAA defines "health information" as any information whether oral or recorded in any form or medium that:

 (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

The second step in defining PHI is determining whether the health information is "individually identifiable." Individually identifiable health information is health information that "identifies the individual" or "with respect to which there is a reasonable basis to believe the information can be used to identify the individual.” Note here that the information need not include the individual's name to meet the definition of "individually identifiable." Any information that can be used to identify the individual is sufficient to meet this requirement.

Finally, HIPAA defines "Protected Health Information" as individually identifiable health information that is:

(i)    Transmitted by electronic media;

(ii)   Maintained in electronic media; or

(iii)  Transmitted or maintained in any other form or medium.

Although transgenderism is a gender identity issue rather than a medical issue, there are usually medical treatments and considerations that are incidental to such identity. For example, transgender individuals may be receiving hormone replacement therapy, psychological therapy, undergoing gender reassignment surgery, or may be at risk for certain medical conditions based on the person's biological sex regardless of gender identity. Under such circumstances, is a person's overall gender identity protected by HIPAA?

The first step in the analysis is to determine whether gender identity is information created or received by a health care provider. In most instances, a health care provider will receive information from the patient regarding his or her gender identity, especially where the services sought by the patient are related to gender identity. The second part of the test is to determine whether the information received "relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual." With respect to the second test, one can easily imagine that prior psychological counseling, current hormone therapy, or contemplation of future gender reassignment surgery could all relate to a person's underlying gender identity. Thus, based on a plain reading of the statute, transgenderism could fit this definition.

The next part of the analysis - individually identifiable information - would be fact specific based on the particular information disclosed.

Finally, the Privacy Rule requires that the information at issue be transmitted or maintained in an electronic or other form. In other words, this category encompasses all information found in the patient's medical records including, but not limited to, demographic information contained on a face sheet. Although somewhat dependent on the situation, the fact that a person is transgender would likely be disclosed and possibly maintained in some form during a provider encounter. Based on the application of the definitions set forth in the Privacy Rule, therefore, the gender identity of a transgender individual could be construed as protected under HIPAA.

 

Why does it matter? The purpose of this analysis is not to couch transgenderism into a medical condition or to scare providers out of discussing the issue with their patients; rather, the analysis is made to caution providers against being cavalier with such information at the expense of the patient. Remember, there is no "public knowledge" exception to the Privacy Rule. A patient who openly discusses his gender identity to friends or even in a public forum such a social media page is still entitled to protection under HIPAA. If a provider innocently discusses the patient's gender identity to a third party, even where the patient's gender identity has already been publicly disclosed, such disclosure by the provider could violate HIPAA. Providers should obtain consent from transgender patients before disclosing their gender identity and use the same element of caution used when discussing other forms of PHI.