DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
vain r214; rat?4415s, {sun} ans?lulu 1130? {214) ire?suit: Of?ce for Civil Rights, Region v1
{214] will 1432 - -  my ?n n" 1301 Young Street, Suite 1169

Dallas, TX. r5202

   

 

{bli?libliilicl

HAYIBM

 

 

 

Carol Farer

VHA Privacy Specialist, RHIA, CIPPIG, 

Information Access and Privacy Of?ce- 10P2C1

Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW

Washington, DC 20420

Our Reference Number: 1 1-131085

Dear {blmjibmicl and Ms. Farer:

The Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a
complaint on August 10, 2011, alleging that the Michael E. DeBakey VA Medical Center (VA)
was not in compliance with the Federal Standards for Privacy of Individually Identi?able Health
Information (45 CPR. Parts 160 and 164, Subparts A and E, the Privacy Rule).

The complainant, alleges that on July 3, 2011, entered his
hospital room at the VA and began discussing his lab results after acknowledging the complainant
and his guest. According to the complainant, {WWan also informed the complainant, in the
presence of the complainant?s guest, that someone tom the infectious disease team should be
coming in before the end of the day. Additionally, the complainant alleges that in resonse to the
complainant?s expressed concern that he had not yet seen his primary care team,
disclosed a medical condition that the complainant had not shared with his guest. These
allegations could re?ect a violation of 45 C.F.R. and
164.530(e)

{bli?liblillicl

OCR enforces Federal civil rights laws that prohibit discrimination in the delivery of health and
human services because of race, color, national origin, disability, age, and, under certain
circumstances, sex and religion. OCR is also responsible for enforcing the Privacy and Security
Rules as they apply to ?covered entities.? Covered entities include health care clearinghouses,
health plans, and health care providers that transmit health information in electronic form in
connection with a transaction for which HHS has adopted standards. See 45 C.F.R. Part 162.

OCR noti?ed the VA of the complainant?s allegations and conducted an investigation to
determine whether the actions of the VA violated the Privacy Rule. A covered entity may
disclose protected health information only as permitted or required by the Privacy Rule. 45
C.F.R. The Privacy Rule permits a covered entity to disclose to a relative or ?iend
of the individual, the protected health information directly relevant to such person?s involvement
with the individual?s care or payment related to the individual?s health care. 45 C.F.R. 


However, when the individual is present and has the capacity to make health care decisions, the
Privacy Rule allows a disclosure of the individual?s protected health information to a relative or
?iend of the individual only if the covered entity: obtains the individual?s agreement; (ii)
provides the individual with the opportunity to object to the disclosure, and the individual does
not express an objection; or reasonably infers from the circumstances, based on the exercise
of professional jud gment, that the individual does not object to the disclosure. 4S C-.F.R. 


According to the written response dated October 7, 2011, asked the complainant
about the visitor in the room before she began the conversation. Further according to the response,
said the visitor introduced himself as a ?end and remembered that the
complainant gave permission to discuss his medical condition with his ?iend present in the room.

OCR spoke with the persons present in the complainant?s room during the conversation that
occurred on July 3, 2011. During her discussion with OCR, stated she entered the
complainant's hospital room and acknowledged the complainant and his guest after being
informed by a nurse that the complainant was planning on leaving the hospital with the guest.

The Doctor stated that due to her concern for the complainant?s premature departure from the
hospital, she asked whether it was okay to include his friend in the conversation about his
condition and to assist her with convincing the complainant not to leave the hospital. The Doctor
further asserted that the complainant said ?yes? in response to her asking to include his friend in
the conversation. According to the complainant did not object at any time during the
conversation. 
However, according to the complainant, walked into the hospital room containing him and
his guest and immediately began to tell the complainant that the purpose she was there was to attend
to his renal needs without asking for his permission to begin discussing his health information. The
complainant ?thher stated that he objected to the disclosure of certain information by informing the
Doctor that she did not need to discuss anything other than his "nephrology."

The complainant also disputes the version of events in the response. According to complainant,
the Doctor never asked permission to discuss his protected health information nor did he give her
permission. Complainant further stated that the doctor and his guest never spoke to one another, less
alone the guest stating that he was a friend of the complainant. In fact, according to the complainant,
his visitor never said anything during the entire time the Doctor was present in the room.

 

OCR also spoke with the complainant?s guest, liblmiibmm who was visiting with the
complainant when the Doctor entered the hospital room. According to Ithe
Doctor may have inquired who he was. He speci?cally recalled the complainant making the following

statement to the Doctor, "this is my ?at brother," in regards to informing the Doctor of the identity of
I .

 

 

 

 

 

Ifurther stated that that he did not introduce himself as the complainant's

friend as the was response states. Instead, he recalled saying "hey?1 or nodding his head in
response to the complainant introduction of him as his ?at brother. Imll?ilimm'icl lalso
stated that he did not recall the Doctor requesting permission from the complainant to discuss the
complainant's medical information before she began to do so, nor, did he recall the complainant
giving permission to the Doctor to discuss the complainant's medical information in dent of him.

 

He also stated that he did not recall whether the objected at anytime during the
discussion.  also informed OCR that he was not initially there to pick up the
complainant but simply to visit him after coming from church. Per the
complainant did not request to go home until . evealed the complainant?s previously
undisclosed medical condition. The complainant concurred that he did not attempt to leave the
hospital until after the doctor revealed his medical condition.

 

 

 

After speaking with all the parties present during the conversation on July 3, 201 1, it is clear that
introduced herself, but it is unclear when or if the Doctor obtained the complainant?s
agreement to discuss the complainant?s protected health information in the presence of the
complainant?s guest.

While it is also clear that at some point during the conversation, the complainant asked the Doctor
about his ?primary care team,? it is not clear if the complainant posed the inquiry prior to or after the
Doctor began discussing the complainant?s protected health information. It is also unclear whether
the complainant expressed any objections prior to isclosing a certain medical
condition of the complainant.

 

Lastly, it is unclear whether using her professional judgment, could reasonably infer ?'om
the circumstances of the complainant inquiring about his primary care team that the complainant
would not object to a disclosure of a medical condition that the complainant had not mentioned while
in the presence of his guest. In sum, based on discussion with the parties present during the
conversation, OCR is unable to substantiate that the VA is in violation of of the
Privacy Rule.

OCR also reviewed the written policy of Michael E. DeBakey VA Medical Center regarding the
disclosure of protected health information to a patient when the patient is in the presence of others.
The written policy provides that a workforce member may only disclose individually identi?able
health information to a person in the presence of the patient if the person is ??rext-of-kin or a family
rnem 

According to  she understood the guest in the complainant?s hospital room to be the
complainant?s friend. Consequently, OCR con?rmed that the complainant?s guest is not related to the
complainant. Hence, the Doctor?s disclosure of protected health information in the presence of a
non-related guest appears to violate this policy. The Privacy Rule requires a health care
provider to apply appropriate sanctions against members of its workforce who fails to comply with
the privacy policies and procedures of the provider. See 45 C.F.R. 

However, a health care provider must train workforce members to understand the provider?s
expectations and understand the consequences of any violation of its policies and procedures. See 45
C.F.R. 1645306)) and 65 FR 82747 (2000-12-28). Hence, OCR inquired into the nature of the
Doctor?s training regarding disclosure of health information when others are present. The VA
provided documentation of training regarding the Privacy and Security Rules and
Baylor?s privacy policy. 

However, it was not apparent that had received training concerning the privac
policy. Accordingly, to address the issue raised by the complainant, the VA agreed to train 
speci?cally on the Michael E. DeBakey VA Medical Center?s policy regarding disclosures
when other persons are present. also received retraining regarding the Privacy Rule?s
provisions concerning disclosures when other persons are present with the patient.

Thus, fan?liarized herself with the policy of only disclosing protected health
information to next-of?kin and family members when the patient is present to agree or object.
Moreover, (?alibi?) acknowledged in writing that she will abide by this policy. Because the Michael
E. DeBakey VA Medical Center has addressed the issues raised in the complaint, OCR is closing this
matter. detennination as stated in this letter applies only to the allegations in the complaint
that were reviewed by OCR.

Under the Freedom of lnfonnation Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals or
that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Betty Robinson, Investigator, at
(214) 767-4073.

Sincerely,



D. Rouse
Regional Manager, Region VI