TMS Info
38 U.S.C. § 5705 Confidentiality of Healthcare Quality Assurance Review Records
38 U.S.C. 5705 Confidentiality of Healthcare Quality Assurance Review Records makes information and records generated by VA's medical quality assurance program confidential and privileged and exempt from disclosure under the FOIA.
38 U.S.C. § 5701 VA Claims Confidentiality Statute
38 U.S.C. Section 5701 makes VA benefits records and the names and home addresses of present and former armed forces personnel and their dependents confidential.
38 U.S.C.§ 7332 Confidentiality of Certain Medical Records
38 U.S.C. Section 7332 makes strictly confidential all VA records that contain the identity, diagnosis, prognosis or treatment of VA patients or subjects for drug abuse, alcoholism or alcohol abuse, infection with human immunodeficiency virus (HIV/AIDS), or Sickle Cell Anemia. Disclosures can only be made with patient authorization or as explicitly authorized by the Act. On June 6, 2018, Title 38 U.S.C 7332 was amended to allow for the release of this information for treatment and billing purposes without a specific authorization.
Health Information Technology for Economic and Clinical Health (HITECH) Act
Addresses the privacy and security concerns associated with the electronic transmission of health information.
What are your responsibilities as a federal employee when dealing with a FOIA request?
Cooperate in the handling of FOIA requests as directed by the local FOIA Officer. Once you receive a FOIA request, you should promptly forward the request to the appropriate FOIA Officer in the VA administration that maintains the responsive records.
You work in contracting and receive a request from a company that wants to make a bid on the next ambulance contract; the requestor wants to know who the current companies are and how much they charge for various services. You know that your friend handles that contract and could easily send the information. What do you do?
Do nothing and forward the request to your facility FOIA Officer. Once you receive a FOIA request, you should promptly forward the request to the appropriate FOIA Officer in the VA administration that maintains the responsive records.
You work in a very busy clinic and support numerous clinicians. Some of the clinicians want to place reminders on their Outlook Calendars of upcoming appointments. They want to simply have the patient's last name entered on the date and time of the appointment. For example "Smith, 01/01/2019 at 2:30." Is this acceptable?
No, Microsoft Outlook Calendar is not considered secure. Microsoft Outlook Calendar controls were not designed to secure Personally Identifiable Information or Protected Health Information.
One of your employees receives care at the VA but you believe they aren't entering the time they use for their appointments into the time and leave (T&L) tracking system. You access their Veteran health record to check their scheduled appointments so you can verify they've been taking leave appropriately. You discover that the employee failed to enter time-off for five appointments and you give them a written warning. Is the supervisor's access to the health record permissible?
No, supervisors may not view the Veteran health records of their employees to look at their clinic appointments or other health information for employment-related or disciplinary purposes.
The chaplains' service at a facility wants to have a tribute for all of the patients who passed away during the year. They plan to hold an event and invite family members, caregivers and employees involved in the patients' care. They are creating a slide show with information from VA records that will display the patient's photograph, name and a brief biography. Can the chaplains host a tribute and display the deceased Veterans' photographs and names in a slideshow without requesting permission from the deceased's next of kin?
No, the deceased Veteran's health information continues to be protected even after death and they must secure written authorization from the next of kin to display the photographs and names.
A patient requests a copy of his health record notes, specifically ones regarding his mental health visits. The clinician treating the individual calls the release of information department and wants them to refuse to give the patient the records unless they're with them in an appointment. Can we refuse to give the patient their records?
No. Individuals have a first party right of access to information contained in their health record and we cannot deny their request or refuse to release their request to release their records to them.
Susan was recently divorced and wants to ensure that her ex-husband doesn't receive any of her health information. She tells her provider that her ex-husband is no longer involved in her care and she does not want any PHI released to him. What should the provider do?
Susan needs to submit a written request for restriction to the facility Privacy Officer.
The Freedom of Information Act (FOIA), 5 U.S.C. 552
The FOIA requires Federal departments and agencies, such as VA, to release their records unless FOIA specifically exempts the information or record from disclosure.
Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulation the HIPAA Privacy Rule
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The Privacy Act (PA), 5 U.S.C. 552a
The Privacy Act of 1974 (PA), makes records about a living Individual who is a United States citizen or an alien lawfully admitted to US residence confidential.
You work in the Public Affairs office and the local newspaper calls you and requests information, under the FOIA, about a Veteran who saved a child from a burning building. They are a friend of yours and you tell them you will send the information. What is wrong with this request?
The request isn't valid because it's not in writing. A valid FOIA request must be in writing, may be received by mail, by email, by hand or fax and should be processed by the FOIA Officer.
An employee knowingly violates the Privacy Act by entering an individual's record to obtain and sell their Social Security Number. What are the possible consequences that can be imposed on the employee?
They could be ordered to pay a fine of no more than $5,000. Individuals who are convicted of knowingly and willfully violating the penalty provisions of the Privacy Act shall be guilty of a misdemeanor and fined not more than $5,000.
Your co-worker, who is also a Veteran, is late for an appointment and asks you to quickly check her health record to determine what clinic she is supposed to go to. What do you do?
VHA employees who collect, access or view PII/PHI on Veterans or employees for purposes other than those for official VA duties, including curiosity, are subject to disciplinary action. Even if the VHA employee had good intentions in accessing or viewing the Veteran or employee information, such as to look up a home address to send a sympathy card, it is a privacy breach and disciplinary action may result.
You just completed new hire orientation and the trainers decide to give you a pop quiz. They ask you to name some of the privacy and confidentiality statutes that VHA is required to follow.
VHA is required to follow - The Privacy Act (PA), 5 U.S.C. 552a, HIPAA, 38 U.S.C. 5701, 38 U.S.C. 5705, 38 U.S.C.§ 7332 and The Freedom of Information Act (FOIA), 5 U.S.C. 552.
You are the new Patient Advocate for your facility, and it is time to update the wall that contains all the people who are considered front office staff. You are requested to go to the media room to get your picture taken. Does the facility need to get your consent prior to taking your picture?
Yes, the photograph is for an official purpose and your consent is required. The photograph is for an official purpose and a consent is required. The consent should be obtained in writing using VAF 10-3203.
Nursing Home staff are unable to locate a patient who has a diagnosis of dementia. They are concerned that he may be lost and unable to find his way back to his living area. The staff wants to use the patient's picture from his Veteran Health Identification Card (VHIC) photograph and a brief physical description to send an e-mail to hospital staff in an effort to locate him. In addition, the staff wants to provide the picture to VA Police and local law enforcement. Is this an acceptable use of the patient's information?
Yes, this information can be shared with hospital staff under treatment as well as with VA Police and local law enforcement to assist with identification and location of missing patients for health and safety reasons.
You are a VA provider and have a patient that was treated in the past five years by VA for opioid abuse and dependency that now has extreme pain due to several recent disc compression fractures. You want to contact the patient's Non-VA provider who is also treating your patient for the disc compression fractures to share the past medical history, determine what medications he has prescribed and to coordinate care. Is this acceptable?
Yes, you can now share 38 U.S.C. 7332-protected information with a non-VA provider for treatment purposes. VA may disclose health information, including 38 U.S.C. 7332-protected information with a non-VA entity for the purpose of treatment of a patient. The VA provider is seeking to share health information with the non-VA provider to coordinate care and treat the patient.
Dave was in the emergency room and he overheard a clinician discussing a diagnosis with another patient. He noticed that the ER had curtains around each bed and, in an effort to protect the patient's privacy, the health care providers lowered their voices when speaking with the patients. Were appropriate precautions and safeguards in place to safeguard patients' auditory privacy?
Yes. Incidental disclosures are permitted as long as reasonable safeguards to protect the privacy of the information are followed.
George was in the elevator when several physicians got on. The doctors were discussing a patient's diagnosis and mentioned the patient's name. The patient happened to be a friend of George and George felt the doctors should be spoken to for violating his friend's privacy. Can George file a complaint regarding his concern for his friend's privacy?
Yes. Patients and employees have a right to file a complaint if they believe that VHA has violated their (or someone else's) privacy rights or committed another violation of the HIPAA Privacy or Security Rule. It does not matter that the violation was related to another individual. The fact is that the patient or employee witnessed the privacy violation and can report based on firsthand knowledge.