Opinion
Record No. 0790-15-2
02-02-2016
Lynne R. Fleming, Associate General Counsel, for appellant. Janice L. Redinger (Janice L. Redinger, P.L.C., on brief), for appellee.
UNPUBLISHED
Present: Judges McCullough, Chafin and Russell
Argued at Richmond, Virginia MEMORANDUM OPINION BY JUDGE STEPHEN R. McCULLOUGH FROM THE CIRCUIT COURT OF ALBEMARLE COUNTY
Cheryl V. Higgins, Judge Lynne R. Fleming, Associate General Counsel, for appellant. Janice L. Redinger (Janice L. Redinger, P.L.C., on brief), for appellee.
Pursuant to Code § 17.1-413, this opinion is not designated for publication.
The University of Virginia Medical Center sought to fire Susan Jordan, a nurse at the hospital, based on allegations that she improperly gained access to her gravely ill ex-husband's medical records. Jordan had obtained these records not for personal curiosity or for some nefarious purpose, but at her ex-husband's request and to help him better understand his treatment. The hearing officer reinstated Jordan and awarded back pay. The circuit court upheld the hearing officer's decision. The Medical Center challenges these holdings. For the reasons noted below, we affirm.
BACKGROUND
Jordan worked as a registered nurse in neurointerventional radiology at the University of Virginia's Medical Center. Her ex-husband, Kurt Jordan, whom we will refer to as Kurt to avoid confusion, also worked at the hospital as a tech in the emergency room. Despite the divorce, the two remain close. Kurt suffered from an advanced stage of multiple myeloma, for which he was being treated at the Medical Center. This cancer made him very ill.
Kurt had executed a number of documents to provide Jordan with the authority to gain access to his medical records, including a durable power of attorney and an advanced medical directive. He also completed a Medical Center authorization form sometime around April 2013, which authorized Jordan to obtain his medical records. He averred that Jordan had "[his] full authority to speak with [his] health care providers, obtain [his] records, and act as [his] agent in every respect." Jordan assisted him with various aspects of his treatment, including attending doctors' appointments, seeing him through his hospitalization and stem cell transplant, speaking with heath care providers, reminding him of what the doctors advised, and otherwise helping him with his care.
The Medical Center lost that form, so he later completed a new one after the events in question.
At one point, Kurt became confused about aspects of his treatment, such as the significance of certain lab results. He asked for Jordan's help to gain a better understanding. He also suffered from weakness, tremors, and impaired vision. He testified that Jordan types better than he does and she has a greater familiarity with the Medical Center's computer system. For all those reasons, he asked Jordan to pull up his electronic medical record on a Medical Center computer terminal.
She pulled up his medical record on four occasions: December 9, 2013, December 24, 2013, January 28, 2014, and February 25, 2014. Each employee has a particular access code or password. Jordan used her own access code to pull up Kurt's medical record. The evidence was undisputed that it was Kurt who asked Jordan to access the records and that she did so for the exclusive purpose of helping him. He testified that "she has been a huge help to me during this difficult time."
An internal computer audit revealed that Jordan had gained access to Kurt's medical records on four occasions. Jordan acknowledged that she had done so, but explained that it was because Kurt had asked her to do so. In response, the Medical Center sought to fire Jordan on the basis of "serious misconduct" for multiple violations of policy, which it alleged precluded this kind of access. A representative of the Medical Center explained that the hospital is "big" on protecting personal health information.
Jordan filed a grievance to challenge the Medical Center's action. The hearing officer ruled in her favor. The Medical Center appealed the hearing officer's conclusions on matters of policy to the Department of Human Resources Management. The DHRM ruled in Jordan's favor, finding that her conduct did not violate the Medical Center's policies. The Medical Center then appealed to the circuit court. The circuit court again ruled in Jordan's favor. The Medical Center then appealed to this Court.
ANALYSIS
The General Assembly has created a "tripartite review procedure" for state employee grievances. Virginia Dep't of State Police v. Barton, 39 Va. App. 439, 445, 573 S.E.2d 319, 322 (2002). "[T]he hearing officer is to act as fact finder and the Director of the Department of Human Resource Management is to determine whether the hearing officer's decision is consistent with policy. . . . [N]either of these determinations is subject to judicial review . . . ." Id. "[T]he only grounds of appeal of the hearing officer's decision [to the circuit court] is 'that the determination is contradictory to law.'" Id. (quoting former Code § 2.1-116.07:1(B), currently codified at Code § 2.2-3006(B)) (emphasis in original). The appealing party must "identify [a] constitutional provision, statute, regulation or judicial decision which the [hearing officer's] decision contradicted." Tatum v. Virginia Dep't of Agric. & Consumer Servs., 41 Va. App. 110, 122, 582 S.E.2d 452, 458 (2003) (alterations in original) (quoting Barton, 39 Va. App. at 446, 573 S.E.2d at 323). We review questions of law, including questions of statutory construction, de novo. Louis Latour, Inc. v. Virginia Alcoholic Beverage Control Bd., 49 Va. App. 758, 766, 645 S.E.2d 318, 322 (2007).
I. UNDER PRINCIPLES OF AGENCY LAW, JORDAN'S ACCESS TO MEDICAL RECORDS AT HER EX-HUSBAND'S REQUEST WAS ATTRIBUTABLE TO HIM.
The Medical Center faults the circuit court for upholding the hearing officer's finding that Kurt accessed his own medical record. It argues that the court below "failed to consider Jordan's stipulation that she accessed those electronic medical records, electronic proof of such access and the testimony of witnesses that Jordan used her own access code to access her ex-husband's record." As a matter of basic agency law, "[a]gency is the fiduciary relation which results from the manifestation of consent by one person to another that the other shall act on his behalf and subject to his control, and consent by the other so to act." Restatement (Second) of Agency § 1 (1957) (emphasis added). Under agency law, "[t]he one for whom action is to be taken is the principal." Id.; see also Raney v. Barnes Lumber Corp., 195 Va. 956, 966, 81 S.E.2d 578, 584 (1954) (defining agency as "the relationship which results from the manifestation of consent by one person to another that the other shall act on his behalf and subject to his control, and the agreement by the other so to act"). Jordan was plainly acting as an agent on Kurt's behalf when she pulled up his medical record for his benefit. As a matter of law, as opposed to Medical Center policy governing passwords and access codes, both the hearing officer and the circuit court committed no error in concluding that the access was attributable to Kurt, because Kurt obtained access to his medical record through his agent.
II. WE DECLINE TO REVISIT THE DHRM'S REVIEW OF THE HEARING OFFICER'S DECISIONS CONCERNING MEDICAL CENTER POLICIES.
Again and again throughout its brief, the Medical Center cites its policies and argues that Jordan violated them. For example, the Medical Center argues in the opening sentence of its brief that
The fundamental questions on appeal are whether the Medical Center may develop and enforce policies containing rules that limit employee access to an electronic medical record which it owns and is its property under Virginia law and whether any employee of the Medical Center can authorize another employee to intentionally violate prohibitions and rules established in those policies.As another example, the Medical Center's sixth assignment of error reads as follows:
The Circuit Court's ruling that the Hearing Officer did not substitute his own version of Medical Center policies for wording of the actual policies and upholding his decision that the Medical Center did not follow its own policy is not supported by the Hearing Officer's factual findings.
We have no authority to second-guess the DHRM's conclusion on whether the hearing officer correctly interpreted applicable agency policies. Barton, 39 Va. App. at 445, 573 S.E.2d at 322. Accordingly, we must decline the Medical Center's invitation to address whether a hearing officer's decision is consistent with Medical Center policy. See, e.g., Burke v. Catawba Hosp., 59 Va. App. 828, 834-35, 722 S.E.2d 684, 687-88 (2012).
The Medical Center argues that "Grievances concerning the content of policies do not qualify for a hearing. See Va. Code § 2.2-3004(C)(iii)." Code § 2.2-3004(C)(iii) provides that "Complaints relating solely to the following issues shall not proceed to a hearing . . . contents of ordinances, statutes or established personnel policies, procedures, and rules and regulations." The content of the policies was not in dispute, but rather their application. Therefore, Code § 2.2-3004(C)(iii) has no relevance to this appeal.
III. FEDERAL LAW
The Medical Center contends that federal law, and specifically the Health Insurance Portability and Accountability Act, commonly known by its HIPAA acronym, "requires the Medical Center to develop policies to protect" patient health information. Although the Medical Center does not appear to contend that Jordan violated HIPAA, that statute's "privacy rule" expressly authorizes disclosures to a patient. See 45 C.F.R. § 164.502(a)(1)(i) (expressly permitting a covered entity like the Medical Center to disclose protected health information "[t]o the individual"). As noted above, under agency law, it was the patient who was seeking his own information and it was on his behalf that Jordan obtained it.
Moreover, 45 C.F.R. § 164.508(a)(1) provides that "[e]xcept as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section" - but, as noted above, 45 C.F.R. § 164.502(a)(1)(i) permits disclosure of a patient's protected health information to the patient.
We also note that Kurt testified that he completed the Medical Center's authorization form to allow disclosures to Jordan. The Medical Center complains that this authorization came after the events in question. Kurt testified, however, that he filled out a second form only after the Medical Center lost the form he submitted approximately one year earlier - and, because the hearing officer credited this testimony, we must accept it as true. Barton, 39 Va. App. at 445, 573 S.E.2d at 322.
Finally, the Department of Health and Human Services' website, in response to the question "Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?" answers as follows:
No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continue to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability
to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons, who have authority to make health care decisions for an individual under other law, the ability to exercise the rights of that individual with respect to health information.Therefore, Jordan's access was authorized for purposes of HIPAA.
Office for Civil Rights, Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?, HHS.gov (Dec. 19, 2002), http://www.hhs.gov/hipaa/for-professionals/faq/219/does-hipaa-privacy-rule-change-how-person-grants-power-of-attorney/index.html.
The Medical Center also contends that it can be audited for compliance with HIPAA, and to allow the sort of disclosure that Jordan made here would make compliance "impossible." As to the contention that Jordan's actions would render audits "impossible," that word does not mean what the Medical Center thinks it means, because an audit, in fact, discovered Jordan's access of her ex-husband's record. Beyond this basic factual point, the Medical Center cites 45 C.F.R. § 164.528 in support of its argument:
Accounting of disclosures of protected health information.(Emphasis added). This HIPAA regulation expressly authorizes the disclosure of information to the patient and exempts such disclosures from the accounting under 45 C.F.R. § 164.528. This makes perfect sense, because the point of this regulation is for an individual to receive an accounting of disclosures made about him to others-not to audit and account for disclosures of information made to him.
(a) Standard: Right to an accounting of disclosures of protected health information.
(1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
(i) To carry out treatment, payment and health care operations as provided in § 164.506;
(ii) To individuals of protected health information about them as provided in § 164.502;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502[.]
The Medical Center argues that "[f]ederal law does not require or permit direct access to the [electronic medical record] of one individual by another individual who does not have a legitimate work-related reason for such access." But nothing in federal law forbids the type of access by Jordan either - access at the patient's request, with multiple written authorizations, for the patient's own benefit. Although claiming that Jordan's access to her ex-husband's information is "contrary to law," the Medical Center has cited to no federal statute or regulation that forbids Jordan from doing what she did. If anything, the regulations the Medical Center cites show that Jordan's actions are consistent with the letter and the spirit of federal law.
The Medical Center also relies on 45 C.F.R. § 164.306:
Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
Finally, the Medical Center cites 45 C.F.R. § 164.308, which provides as follows:
Administrative safeguards.The Medical Center argues that it complied with 45 C.F.R. § 164.306 and 45 C.F.R. § 164.308 by writing certain policies and that Jordan violated those policies. This is nothing more than a backdoor attempt to have this Court revisit DHRM's final ruling regarding whether Jordan violated the Medical Center's policies. As noted above, we have no authority to second-guess the DHRM's conclusion with respect to whether the hearing officer's decision correctly interpreted applicable agency policies. Barton, 39 Va. App. at 445, 573 S.E.2d at 322. The cited federal regulations do not prohibit the types of disclosures at issue here. The Medical Center has failed to show that the hearing officer's decision and the circuit court's affirmance of that decision are contrary to federal law.
(a) A covered entity or business associate must, in accordance with § 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
IV. VIRGINIA LAW
Relying on Code § 32.1-127.1:03(A), the Medical Center argues that this statute "does not permit an employee of the health care entity to access records independently and outside the rules established by the health care entity that owns the records." Code § 32.1-127.1:03(A) provides in relevant part:
Health records are the property of the health care entity maintaining them, and, except when permitted or required by this section or by other provisions of state law, no health care entity, or other person working in a health care setting, may disclose an individual's health records.(Emphasis added). The language "except when permitted or required by this section or by other provisions of state law" is significant. The statute goes on to specify (although the Medical Center does not cite these provisions) that
Pursuant to this subsection:
1. Health care entities shall disclose health records to the individual who is the subject of the health record, except as provided in subsections E and F and subsection B of § 8.01-413.
. . . .
D. Health care entities may, and, when required by other provisions of state law, shall, disclose health records:
. . . .
Code § 32.1-127.1:03(A)(1), (D)(16). Code § 32.1-127.1:03 clearly specifies that the Medical Center is required to disclose Kurt Jordan's health records to him and that it may do so to an agent appointed under his power of attorney. How the Medical Center makes those disclosures, the statute does not say. Even if the manner of access and disclosure violated Medical Center policies, a point on which we express no view, the hearing officer's and DHRM's decision on that point is not one this Court can review. As to the statutes cited by the Medical Center, they are either silent on the subject or support the legal propriety of Jordan's actions.
16. To an agent appointed under an individual's power of attorney or to an agent or decision maker designated in an individual's advance directive for health care or for decisions on anatomical gifts and organ, tissue or eye donation or to any other person consistent with the provisions of the Health Care Decisions Act.
Next, the Medical Center argues that the advance medical directive and the durable power of attorney did not authorize Jordan to gain access to her ex-husband's medical information. The advance medical directive statute, Code § 54.1-2983, provides as follows
Any adult capable of making an informed decision may, at any time, make a written advance directive to address any or all forms of health care in the event the declarant is later determined to be incapable of making an informed decision.The Medical Center correctly points out that Kurt was not found to be incapable of making an informed decision, and, therefore, the advance medical directive did not apply. Under the terms of the advance medical directive itself, as well as the plain language of the statute, the advance medical directive did not authorize Jordan to obtain medical information on Kurt's behalf.
The Medical Center further contends that the power of attorney Jordan relied on did not apply. The Medical Center cites two provisions of Code § 64.2-1601. This statute broadly provides that "[t]his chapter applies to all powers of attorney" but then carves out some exceptions to this general rule:
1. A power to the extent it is coupled with an interest in the subject of the power, including a power given to or for the benefit of a creditor in connection with a credit transaction;
2. A power to make health care decisions;
3. A proxy or other delegation to exercise voting rights or management rights with respect to an entity;The Medical Center relies on exceptions 2 and 4 above to argue that Jordan could not invoke the power of attorney to gain access to Kurt's medical records. With respect to exception 2, the "power to make health care decisions," the Medical Center reads this provision too broadly. Gaining access to information to help a patient understand treatment and make informed decisions is not the same thing as the power to make health care decisions on behalf of someone else. Jordan did not decide whether Kurt should be treated and what type of treatment he should undertake. Therefore, this subsection is inapplicable.
4. A power created on a form prescribed by a government or governmental subdivision, agency, or instrumentality for a governmental purpose; and
5. A power to make arrangements for burial or disposition of remains pursuant to § 54.1-2825.
The Medical Center also argues that it is a governmental agency and it has created certain specific forms to allow patients to access their own information, and, therefore, Jordan could not obtain her ex-husband's medical records as a matter of law except through those forms. First, it is doubtful whether assisting a patient to obtain their own health records is a "governmental purpose" within the intendment of Code § 64.2-1601. The statute does not define the term. See Code § 64.2-1600. The Internal Revenue Service, for example, requires a separate form, currently form 2848, to create a specific power of attorney with respect to the filing of federal taxes. Virginia has developed a similar requirement. See Code § 58.1-1834. The filing of taxes is more obviously a "governmental purpose" than obtaining one's own health information. But even assuming that Jordan was engaged in a "governmental purpose" when she pulled up Kurt's medical records, we think the Medical Center's interpretation of Code § 64.2-1601(4) is still wrong. Code § 32.1-127.1:03(D)(16) specifically authorizes the disclosure of health records based on a power of attorney. The Medical Center's broad reading of Code § 64.2-1601 creates unnecessary tension with Code § 32.1-127.1:03(D)(16). "[W]hen certain statutes address a subject in a general manner and other statutes address part of the same subject in a more specific manner, the differing statutes should be harmonized, if possible, and when they conflict, the more specific statutes prevail." Gilman v. Commonwealth, 275 Va. 222, 230, 657 S.E.2d 474, 477 (2008). Although we are not convinced that there is any tension between Code § 64.2-1601 and Code § 32.1-127.1:03(D)(16), because obtaining one's own health records is not likely a "governmental purpose," we conclude that if there is such tension, Code § 32.1-127.1:03(D)(16), which specifically authorizes disclosures of medical records to the person holding a durable power of attorney, controls over the more general provisions of Code § 64.2-1601. In short, Jordan did nothing illegal.
The hearing officer also concluded that termination was unjustified on the grounds that Jordan was subject to disparate treatment because of the difference in the discipline she received compared with the discipline her supervisor received. The Medical Center challenges these findings. In light of our disposition, we need not address the issues that relate to this aspect of the case. --------
CONCLUSION
We affirm the decision of the circuit court and remand for a determination of Jordan's attorney's fees, including appellate attorney's fees.
Affirmed.