National Center for Youth Law


Indiana Case Threatens Youth Confidentiality Rights for Health Care

By Rebecca Gudeman

Confidentiality, a cornerstone of adolescent health care, may be threatened nationwide by a case now winding its way through Indiana’s courts.

Early this year, the Indiana Attorney General demanded access to the complete medical records of more than 80 minors under age 14 who sought care at Indiana Planned Parenthood clinics.1 The Attorney General argued that Medicaid rules allow the state’s Medicaid Fraud Control Unit to review the full records on all minor patients of Medicaid providers to ensure that the providers are reporting child abuse as required by state law. Planned Parenthood went to court to stop the seizure of their records, arguing that Medicaid law does not give the Fraud Control Unit any such investigative authority.
The Rights of Parents and Adolescents

The case threatens the careful balance that many states have maintained between protection of adolescents’ health care confidentiality and protection of minors from child abuse.
Parents of adolescents have the right to make most decisions on their behalf, including the right to consent for medical care and the concomitant right to receive information about that care. But state and federal laws do contain exceptions to this rule. Minors seeking services funded through certain federal programs, such as Title X of the Public Health Service Act, have a right to consent to their own care and an absolute right to control the release of related medical records.2 Similarly, every state has laws that allow minors to consent for certain care on their own behalf, and many give minors the right to confidentiality of those records.3
Regardless of who controls access, federal law and many state laws require written consent before a provider may disclose to others any information related to a patient’s medical treatment.4 This often includes any oral or written information that could identify an individual as a patient. The laws are intended to ensure that patients feel in control and secure when seeking sensitive services.
A few exceptions do allow disclosure without written consent. For example, in many states, providers may share information with other providers for treatment purposes.5 And in 49 states, health care providers must report suspected child abuse and neglect to the appropriate state authorities, irrespective of consent.6
However, the child abuse reporting systems are carefully crafted to limit unnecessary breaches of confidentiality. Often there are three levels of safeguards in place. Typically, a minor’s record is unavailable to the authorities until a provider suspects abuse. At that point, the provider must make a report and share information about the abuse with the appropriate authorities. However, the authorities do not have unfettered access to a minor’s complete file, and providers often must limit sharing to only information that is relevant to the abuse investigation. The remainder of the minor’s record stays protected and unavailable. These safeguards are an attempt to balance the dual goals of protecting confidentiality and protecting children.
Indiana Case

The Planned Parenthood case in Indiana, however, could change this balance.7 The Control Unit stated that the purpose of its request for minors’ complete records was to assess whether Planned Parenthood providers were meeting their statutory obligation to report child sexual abuse.8 In Indiana, sexual intercourse with a minor under 14 is deemed child abuse, irrespective of consent or the age of the minor’s partner.9
Planned Parenthood immediately sought a preliminary injunction in state court to block the seizure of their records, arguing, in part, that the Control Unit had no authority to request files for the purpose stated.10
The state Attorney General, on behalf of the Control Unit, responded with a novel argument. Federal Medicaid law gives states the authority to establish Medicaid Fraud Control Units to investigate and prosecute “violations of all applicable State law regarding any and all aspects of fraud in connection with…the provision of medical assistance” under Medicaid.11 The Control Units must also “review complaints alleging abuse or neglect of patients in health care facilities receiving” Medicaid funds.12 Under state law, Indiana’s Medicaid Fraud Control Unit is charged with investigating: (1) Medicaid fraud; (2) the misappropriation of a Medicaid patient’s funds; (3) the abuse or neglect of a Medicaid patient; and (4) the abuse or neglect of any patient in a nursing home or other board and care facility.13 A Medicaid provider that “fails to grant immediate access upon reasonable request” to a Medicaid Fraud Control Unit conducting authorized investigations may be excluded from the Medicaid program by the federal Department of Health and Human Services.14
The Arguments

The Attorney General argued that the Control Unit’s request for records is part of an “authorized investigation” because it is inquiring about any “neglect” of patients by their providers. The Control Unit technically is seeking records that document abuse or neglect by third parties—something it does not have authority to investigate. However, the Control Unit argued that these documents will demonstrate whether providers are meeting their obligations to report abuse, that a provider’s failure to report abuse or neglect by third parties is itself neglect, and that, therefore, the request is within the scope of the Unit’s investigative authority. Planned Parenthood challenged the State’s interpretation of the Fraud Control Unit’s authority, arguing that the intent of the federal law is to give Fraud Control Units authority to investigate acts by providers that cause proximate harm, such as the failure of care facilities to provide patients proper nutrition—and not to investigate whether providers are complying with their state duty to report child abuse.
Whether or not the Control Unit has authority to investigate Medicaid providers’ compliance with child abuse reporting rules turns on the meaning of “neglect” under the federal law. In its analysis of the issue, the court began with the fact that the term “patient neglect” is not defined under the Medicaid Act or Indiana law.15 In such cases, the court stated, “courts are to use the plain, ordinary meaning of … terms” to assess their scope.16 After reviewing multiple dictionary definitions of neglect, the court held that the Indiana Fraud Control Unit “reasonably interprets ‘neglect’ of a patient to include a health care provider’s failure to report the suspected sexual abuse of the patient when it has a duty to do so under state law.”17
Noting that courts are to give “‘great weight’ to an agency’s reasonable interpretation of a statute the agency is responsible for enforcing,” the court ruled that the Fraud Control Unit’s investigation of the possible failure of providers to report child abuse “fits squarely within the parameters of [its] authority.”18
The court ultimately denied Planned Parenthood’s request for a preliminary injunction,19 and Planned Parenthood immediately appealed to the Indiana Court of Appeals.
Impact on Confidentiality and Access to Care

If the district court decision is upheld, it will create an entirely new, alternate screening system for child abuse—one that applies only to Medicaid providers and recipients. The purpose of any investigations by the Control Unit would be to identify and possibly prosecute provider failure to report abuse, not to prosecute the underlying abuse itself. But, by definition, the Unit will need to prove abuse reports were warranted in some cases in order to demonstrate provider culpability. In this way, the Fraud Unit investigations will become a child abuse investigation system.
The current child abuse reporting system will still exist with its limits on unnecessary exposure of medical information. However, the alternate screening system will contain no such safeguards. Through the Medicaid Fraud Control Unit, the state Attorney General will be able to demand access to the files of any and all minors seen by Medicaid providers, whether or not there is reason to believe the minors are victims of abuse; and the Unit will be able to access each minor’s complete file.
This distinction may not seem significant, since the records on abused minors ultimately will be accessible to authorities either way. But the safeguards against unfettered access to records in the current system are actually critical to get teens into care in the first place.
One of the biggest concerns about unfettered access to records by law enforcement is the risk that minors will forgo care for fear of exposure. While current abuse reporting rules may scare some teens from seeking care, minors currently at risk for abuse reporting nevertheless know that most of their records will remain private. This will not be the case if a secondary screening system exists within the state Attorney General’s office, as the following example illuminates: “Jane” is physically abused by a parent. Her medical record contains a notation that she is receiving treatment for marijuana abuse. Under the current system, Jane’s drug use probably will not be revealed to Child Protective Services or the police when her provider reports the physical abuse. Under a Fraud Control Unit investigation, however, the state would have access to all of Jane’s medical information, including information about her drug use. Jane suddenly could find herself subject to criminal prosecution.
Such a scenario is particularly worrisome to minors and providers because many teens are involved in illegal activity that jeopardizes their health, and their medical files contain much detail about their illegal acts. Of course, providers do not want to encourage illegal activity, but if dangerous behavior is taking place, providers need to be able to provide care to minimize the damage. Medicaid rules do limit what the Medicaid Fraud Control Unit can do with the information it receives during a fraud investigation, but that may be little comfort to a teenager trying to decide whether or not to seek care for drug use, HIV testing, or birth control.20

Not Just Indiana

While this case will only directly impact Indiana, every state that receives Medicaid funds has a Medicaid Fraud Control Unit. Forty-nine states mandate that medical professionals report suspected child abuse. An interpretation of federal authority that grants Indiana’s Fraud Control Unit the discretion to investigate providers for the possible failure to comply with reporting rules will likely influence how Fraud Control Units in other states practice. Therefore, a decision in favor of the Indiana Attorney General may impact the way adolescent medicine is practiced in that state and elsewhere. Some Indiana providers are already discussing the option of withdrawing from the Medicaid program as a way to protect their patients and files.21
How individual providers respond if the decision is upheld will no doubt vary by state, type of provider, and client mix, but a reduction in the number of available Medicaid providers in any state will have a serious impact on access to care. One thing is certain. If the courts agree that attorneys general can access the medical records of all patients through their state Medicaid Fraud Control Units, the right to medical privacy for adolescents will take on a different meaning nationwide.
Rebecca Gudeman is a staff attorney at NCYL, specializing in adolescent health law.


1 Ken Kusmer, Judge Says State Can See Planned Parenthood Records on Minors, South Bend Trib., June 20, 2005,
2 42 U.S.C. § 300 et seq.; 42 C.F.R. §§ 59.5(a)(4), 59.11.
3 E.g., Mich. Comp. Laws §§ 333.5127, 333.26263; Cal. Fam. Code § 6925; Cal. Health & Safety Code §§ 123110(a), 123115(a); Cal. Civ. Code §§ 56.10, 56.11.
4 E.g. 45 C.F.R. §§ 164.502(a)(1), 164.508; Minn. Stat. § 144.335, Ariz. Rev. Stat. § 12-2292(A).
5 E.g. 45 C.F.R. §§ 164.502(a)(1), 164.506; Ind. Code § 16-39-5-1.
6 U.S. Dep’t of Health and Human Services, National Study of Child Protective Services Systems and Reform Efforts: Review of State CPS Policy, April 2003,
7 Jason Schossler, Planned Parenthood Sues Ind. Attorney General to Protect Client Files, Andrews Publications, May 3, 2005,

8 Planned Parenthood of Indiana v. Carter et al., No. 49D11 0503 PL 09631 slip op. at 5 (D. Ind. May 31, 2005).
9 Ind. Code §§ 31-34-1-3, 35-42-4-3, 35-42-4-9.
10 Planned Parenthood at 16.
11 42 USC § 1396(q)(3).
12 42 CFR 1007.11.
13 Ind. Code § 4-6-10-1-5.
14 42 USC § 1320a-7(b)(12).
15 Planned Parenthood at 12.
16 Id. at 13.
17 Id. at 12.
18 Id…
19 The court stated that it denied Planned Parenthood’s request for two reasons: because the court “should exercise restraint in exercising jurisdiction over this case” and because “the IMFCU is within its investigatory powers in requesting PPI’s patient records.” Planned Parenthood at 7.

20 42 C.F.R. § 1007.11 (mandating Fraud Control Units to safeguard the privacy of information and prevent its misuse.).
21 Personal Conversation with Indiana reproductive health providers (June 15, 2005).