Avoiding Liability Bulletin – June 2016
The Health Insurance Portability and Accountability Act (HIPAA) has been the subject of much confusion since its passage in 1966. For health care providers, the Privacy Rule is the focus of much of this confusion. In the following case1, the Virginia Appellate Court clarified for the parties to this suit the issue of accessing a former husband’s medical record by his former wife. The ex-husband was receiving care at the facility where both he and his ex-wife were employed.
S.J., a registered nurse, worked in the neurointerventional radiology department at a Virginia medical center. Her ex-husband, K.J., was a tech in the ED. The two remained close after their divorce. K.J. suffered with an advanced stage of multiple myeloma and was admitted to the medical center for treatment.
K.J. executed several documents that provided S.J. with the authority to gain access to his medical records, including a durable power of attorney, an advanced medical directive, and the medical center’s form for S.J. to gain access to his medical records.2 S.J. also helped him with many aspects of his treatment regimen, including attending doctor appointments and speaking with health care providers about his treatment regimen.
K.J. also expressed his grant of authority for his ex-wife to speak with his health care providers, obtain his records, and act as his agent “in every respect”.
Due to difficulties J.K. had in understanding his treatment, he asked S.J. to check his EMR on a medical center computer in order to better understand what was happening. S.J. did so four times for him, each time using her own access code.
An internal audit showed that S.J. had accessed her ex-husband’s EMR. When confronted with this, S.J. acknowledged that she had done so, but at the request of her husband. The medical center then sought to fire her for “serious misconduct” for multiple violations of policy.
S.J. filed a grievance to contest the medical center’s decision, which she won. The medical center appealed the hearing officer’s decision to the medical center’s human resources department, pursuant to its grievance policy. The human resources department agreed with the hearing officer’s decision, so the medical center filed an action in the circuit court. The circuit court ruled in S.J.’s favor. The medical center then appealed that decision to the appellate court.
The appellate court carefully reviewed the applicable law. In its Memorandum Opinion, it affirmed the decision of the circuit court, holding that : (1) under the principles of agency law, S.J.’s access to her ex-husband’s EMR was at his request; (2) the hearing officer’s decision would not be re-visited and evaluated as to its correctness, since the appellate court had no authority to “second guess” the decision; (3) HIPAA allows a patient access to his or her own health information, which was the basis of the request in this instance; (4) authorizations required under HIPAA, state law, and the medical center’s own policy existed and were not violated when S.J. accessed her ex-husband’s medical records. In short, no violation of HIPAA or other applicable laws occurred.
The appellate court also remanded the case back to the circuit court to determine the amount to be paid to S.J. for her attorney fees, including fees for the appellate action.
The case has been designated as an unpublished opinion, meaning that the decision is binding only on those parties to the suit and cannot be cited as authority for future cases. Even so, it does provide general assistance in regard to HIPAA’s Privacy Rule.
The Privacy Rule prohibits access to another’s medical record when that access is not work related. As a result, you would not be able to access a family member’s medical record simply because you worked in the same facility where that family member was receiving treatment. Such conduct would most probably result in a termination due to a clear violation of HIPAA and other applicable laws and facility policies.
As an R.N., APRN, or certified nurse’s aide, then, you should proceed cautiously with any request you receive from a family member to access his or her medical records and particularly when working in the facility where the family member is being treated.
Such a request from a non-family member must also be warily considered. Reported cases have held that a nurse accessing medical records when not work related is in violation of HIPAA, state privacy and confidentiality laws, and facility policy.
Seek specific advice from a nurse attorney or attorney before doing either request. Because state laws differ, it is essential that you are in compliance with those laws in addition to following HIPAA’s requirements.
Although your intentions may be admirable in complying with a request from a family member or friend to access medical records—and understandable that you would want to comply– remember that first and foremost, you must maintain both your professional legal and ethical obligations.
You can read the entire unpublished opinion at: www.law.justia.com/cases/virginia/court-of-appeals-unpublished/2016/0790-15-2.html .
1. University of Virginia Medical Center v. Susan Jordan , Record Number 0790-15-2, Court of Appeals of Virginia, February 2, 2016.
THIS BULLETIN IS FOR EDUCATIONAL PURPOSES ONLY AND IS NOT TO BE TAKEN AS SPECIFIC LEGAL OR ANY OTHER ADVICE BY THE READER. IF LEGAL OR OTHER ADVICE IS NEEDED, THE READER IS ENCOURAGED TO SEEK SUCH ADVICE FROM A COMPETENT PROFESSIONAL.