The Oklahoma Fraternal Order of the Police is suing the Oklahoma Health Care Authority, claiming its Health Information Exchange is unconstitutional because it requires providers serving Medicaid patients to report patient information into the exchange.
Travis Vernier, one of the lead lawyers in the litigation, said in the lawsuit’s fact sheet the exchange is “the most dangerous attack on Oklahomans’ privacy in the history of the state.” The lawsuit was filed on Thursday, and the Oklahoma Health Care Authority responded in a statement:
“OHCA generally does not comment on potential or pending litigation. OHCA remains committed to carrying out our mission to improve overall health outcomes for Oklahomans,” Emily Long, the authority’s public information officer, wrote in an email statement.
The Oklahoma Health Care Authorityunanimously adopted permanent agency rules in March to help implement the exchange, and it required all health care providers to join it by July 1. Oklahoma Gov. Kevin Stitt rejected the rule because he believed the proposal was unconstitutional.
The Oklahoma Health Care Authority issued emergency rules approved July 17, saying all providers who register for an exemption will receive one and won’t be subject to subscription or connection fees. But according to the lawsuit, the Legislature amended the Ensuring Access to Medicaid Act in 2022, requiring every state medical service provider serving SoonerCare recipients to submit data to the exchange.
Now, the Oklahoma Fraternal Order of the Police is filing for a temporary injunction to prevent the exchange’s implementation.
How it started
The exchange was first created in 2021 through SB 574. The program exchanges health information between authorized individuals and state health care organizations.
Health information exchanges aim to streamline care for patients seeing multiple providers by creating a means for those providers to securely communicate and share data about a patient so they can provide the best care. For example, if an emergency room physician needs to request X-ray information or a current medication list for an unfamiliar patient.
While whoever provides the information and data retains the property right to it, the exchange also grants other participants or subscribers a nonexclusive license to retrieve and use that information or data under relevant state or federal privacy laws, like HIPAA.
Oklahoma passed the final requirements for the exchange through SB 1369. The exchange is managed by the private third party MyHealth Access Network Inc., where providers report patient health records accessible to other providers.
In weeks leading up to the Oklahoma Health Care Authorities' finalization of the exchange, mental and behavioral health providersraised concerns that being required to participate in the exchange could compromise sensitive client information. One example came from a counselor in Tulsa, who said she feared medical doctors would treat patients differently if they knew their mental health diagnosis.
But Oklahoma Health Care Authority’s CEO Kevin Corbett said the exchange is a patient-driven initiative taking the “whole person” into account.
How could the exchange be unconstitutional?
Since August, 75,001 medical service providers have contracted with the Oklahoma Health Care Authority to serve SoonerCare patients. The lawsuit argues that because the Oklahoma Health Care Authority requires these providers to access the exchange, it violates the Oklahoma Constitution.
Article 2 Section 37 was an amendment approved by over 64% of voters in a 2010 state question, and it says:
“A law or rule shall not compel, directly or indirectly, any person, employer or health care provider to participate in any health care system.”
A health care system is defined as any public or private entity whose function or purpose is to manage health care data or information. Vernier told StateImpact this is the first time this argument is being made in Oklahoma courts.
According to the lawsuit, providers in the exchange have to maintain an active participation agreement with MyHealth, execute an annual order form to select minimum core services and pay a subscription fee, and upload “priority health information” regarding patients to MyHealth.
Priority health information includes:
- Names of physicians and healthcare providers providing the patient’s care
- Diagnoses
- Current patient medications
- Lab and x-ray results
- Past procedures
- Known allergies
- Immunization records
- Hospital discharge records
- Basic personal information
Policy Nine in the MyHealth network policies states the exchange may use the information it gathers for research and purposes of public health. An expansion of their use can occur with the approval of the MyHealth board of directors if their request is “consistent with applicable agreements, laws and regulations.”
Bob Burke, one of the lawyers in the suit, is representing several doctors who have been ordered by law to upload their patients’ private medical records. This includes Alison Dancer, a Stillwater psychiatrist; John Munneke, an Oklahoma City occupational medicine specialist; Ryan Gallagher, an Altus orthopedic surgeon; and Damon White, an Edmond optometrist.
In the lawsuit’s fact sheet, Burke referred to voters’ approval of the 2010 state question to limit the legislature from compelling Oklahomans to provide private medical information to any group.
“It is clear from the constitutional amendment that people in Oklahoma did not want to be forced to provide their information to a private corporation such as MyHealth Access Network, Inc.,” Burke said in the fact sheet. “It is frightening because the private corporation has the right to sell the information to others.”
Vernier said he fears that, once MyHealth de-identifies personal data, health information can be sold on a national or state market. “Maybe (a) health insurance company may want this information to try to gauge premiums or something. We have a lot of issues with that,” Vernier said. “One, it puts a lot of trust and confidence in the state, in the health care providers, frankly, because there's some information the health care providers are supposed to redact. It also puts a lot of faith and trust and confidence in this private company, that they're going to redact the information that is necessary.”
A public service with an impermissible tax
MyHealth also determines fees charged to medical service providers, and it may change schedules related to existing services and fees at any time with 30 days written notice to participants, according to the lawsuit. It also states the Oklahoma Health Care Authority cannot levy any tax or fee to implement the exchange.
The suit argues the payments, which include an estimated $5,000 connection fee and an annual service fee, are an impermissible tax under Article 5 Section 33of the Oklahoma Constitution. It says the payments restrict the Legislature’s ability to enact revenue-raising measures.
“Medical service providers are charged thousands of dollars to join the HIE [Health Information Exchange]. The fees are not for regulatory purposes,” the lawsuit reads. “They are fees to offset the costs of the HIE to MyHealth because the Legislature has failed to appropriate money to fund the HIE. Thus, the charges constitute an impermissible tax.”
The exchange is promoted by the Oklahoma Health Care Authority and the Office of the State Coordinator for Health Information Exchange as a means to improve health care. The lawsuit argues they are promoting MyHealth as a public service, and therefore, the exchange violates Article 18 Section 7 of the Oklahoma Constitution, which says:
“Nor shall the power to regulate the charges for public services be surrendered; and no exclusive franchise shall ever be granted.”
The lawsuit includes additional declarations, which are available in the full text.
Why the FOP joined the suit
The lawsuit states the Oklahoma Fraternal Order of the Police fears the exchange will allow the state to “collect otherwise private health information and use it against its members in a range of contexts without the knowledge or consent of its members.”
The order is particularly worried about personal information being doxxed and it believes the exchange exposes officers to “leaks, hacks, harassment, stalking and extortion.” It cited examples of incidents across the U.S.
One example included in the lawsuit refers to the Washington D.C. Metropolitan Police Department and the Tulsa Police Department being subject to ransomware attacks. The lawsuit claims over 18,000 files containing personal and identifiable information were stolen from TPD.
The order expects that if the exchange is implemented, it will be forced to devote resources to defending and representing its members in litigation over privacy breaches, according to the lawsuit. It believes the exchange will increase the likelihood of labor disputes between its members and governmental entities.
“Because officers are often forced into high-profile incidents which attract national or even international attention, the FOP believes that, as written, the HIE exposes its members to a substantial likelihood of harm,” the lawsuit reads.
Vernier told StateImpact he looks forward to standing up for the constitutional rights of not only the Oklahoma Fraternal Order of the Police but also everyday Oklahomans.
“If this information is uploaded, it just gives one more avenue for somebody to use their personal information against them, because keep in mind, this information will be shared with every provider in the state,” Vernier said. “And, in no way shape or form do we want to impute ill will on any health care provider. That's not our goal. But you are giving a huge number of people access to what is otherwise very private, sensitive information.”
The hearing will be held at 9 a.m. Nov. 30 at the Oklahoma County Courthouse.