                                             COURT OF APPEALS OF VIRGINIA


              Present: Judges McCullough, Chafin and Russell
UNPUBLISHED


              Argued at Richmond, Virginia


              UNIVERSITY OF VIRGINIA MEDICAL CENTER

              v.     Record No. 0790-15-2

              SUSAN JORDAN

              MEMORANDUM OPINION* BY JUDGE STEPHEN R. McCULLOUGH
              FEBRUARY 2, 2016


                                  FROM THE CIRCUIT COURT OF ALBEMARLE COUNTY
                                               Cheryl V. Higgins, Judge

                               Lynne R. Fleming, Associate General Counsel, for appellant.

                               Janice L. Redinger (Janice L. Redinger, P.L.C., on brief), for
                               appellee.


                     The University of Virginia Medical Center sought to fire Susan Jordan, a nurse at the

              hospital, based on allegations that she improperly gained access to her gravely ill ex-husband’s

              medical records. Jordan had obtained these records not for personal curiosity or for some

              nefarious purpose, but at her ex-husband’s request and to help him better understand his

              treatment. The hearing officer reinstated Jordan and awarded back pay. The circuit court upheld

              the hearing officer’s decision. The Medical Center challenges these holdings. For the reasons

              noted below, we affirm.

                                                         BACKGROUND

                     Jordan worked as a registered nurse in neurointerventional radiology at the University of

              Virginia’s Medical Center. Her ex-husband, Kurt Jordan, whom we will refer to as Kurt to avoid

              confusion, also worked at the hospital as a tech in the emergency room. Despite the divorce, the


                     *
                         Pursuant to Code § 17.1-413, this opinion is not designated for publication.
two remain close. Kurt suffered from an advanced stage of multiple myeloma, for which he was

being treated at the Medical Center. This cancer made him very ill.

       Kurt had executed a number of documents to provide Jordan with the authority to gain

access to his medical records, including a durable power of attorney and an advanced medical

directive. He also completed a Medical Center authorization form sometime around April 2013,

which authorized Jordan to obtain his medical records.1 He averred that Jordan had “[his] full

authority to speak with [his] health care providers, obtain [his] records, and act as [his] agent in

every respect.” Jordan assisted him with various aspects of his treatment, including attending

doctors’ appointments, seeing him through his hospitalization and stem cell transplant, speaking

with health care providers, reminding him of what the doctors advised, and otherwise helping him

with his care.

       At one point, Kurt became confused about aspects of his treatment, such as the

significance of certain lab results. He asked for Jordan’s help to gain a better understanding. He

also suffered from weakness, tremors, and impaired vision. He testified that Jordan types better

than he does and she has a greater familiarity with the Medical Center’s computer system. For

all those reasons, he asked Jordan to pull up his electronic medical record on a Medical Center

computer terminal.

       She pulled up his medical record on four occasions: December 9, 2013, December 24,

2013, January 28, 2014, and February 25, 2014. Each employee has a particular access code or

password. Jordan used her own access code to pull up Kurt’s medical record. The evidence was

undisputed that it was Kurt who asked Jordan to access the records and that she did so for the




       1
         The Medical Center lost that form, so he later completed a new one after the events in
question.

exclusive purpose of helping him. He testified that “she has been a huge help to me during this

difficult time.”

        An internal computer audit revealed that Jordan had gained access to Kurt’s medical

records on four occasions. Jordan acknowledged that she had done so, but explained that it was

because Kurt had asked her to do so. In response, the Medical Center sought to fire Jordan on

the basis of “serious misconduct” for multiple violations of policy, which it alleged precluded

this kind of access. A representative of the Medical Center explained that the hospital is “big”

on protecting personal health information.

        Jordan filed a grievance to challenge the Medical Center’s action. The hearing officer

ruled in her favor. The Medical Center appealed the hearing officer’s conclusions on matters of

policy to the Department of Human Resources Management. The DHRM ruled in Jordan’s

favor, finding that her conduct did not violate the Medical Center’s policies. The Medical Center

then appealed to the circuit court. The circuit court again ruled in Jordan’s favor. The Medical

Center then appealed to this Court.

                                             ANALYSIS

        The General Assembly has created a “tripartite review procedure” for state employee

grievances. Virginia Dep’t of State Police v. Barton, 39 Va. App. 439, 445, 573 S.E.2d 319, 322

(2002). “[T]he hearing officer is to act as fact finder and the Director of the Department of

Human Resource Management is to determine whether the hearing officer’s decision is

consistent with policy. . . . [N]either of these determinations is subject to judicial review . . . .”

Id. “[T]he only grounds of appeal of the hearing officer’s decision [to the circuit court] is ‘that

the determination is contradictory to law.’” Id. (quoting former Code § 2.1-116.07:1(B),

currently codified at Code § 2.2-3006(B)) (emphasis in original). The appealing party must

“identify [a] constitutional provision, statute, regulation or judicial decision which the [hearing

officer’s] decision contradicted.” Tatum v. Virginia Dep’t of Agric. & Consumer Servs., 41

Va. App. 110, 122, 582 S.E.2d 452, 458 (2003) (alterations in original) (quoting Barton, 39

Va. App. at 446, 573 S.E.2d at 323). We review questions of law, including questions of

statutory construction, de novo. Louis Latour, Inc. v. Virginia Alcoholic Beverage Control Bd.,

49 Va. App. 758, 766, 645 S.E.2d 318, 322 (2007).

               I. UNDER PRINCIPLES OF AGENCY LAW, JORDAN’S ACCESS TO MEDICAL RECORDS AT
                  HER EX-HUSBAND’S REQUEST WAS ATTRIBUTABLE TO HIM.

       The Medical Center faults the circuit court for upholding the hearing officer’s finding

that Kurt accessed his own medical record. It argues that the court below “failed to consider

Jordan’s stipulation that she accessed those electronic medical records, electronic proof of such

access and the testimony of witnesses that Jordan used her own access code to access her

ex-husband’s record.” As a matter of basic agency law, “[a]gency is the fiduciary relation which

results from the manifestation of consent by one person to another that the other shall act on his

behalf and subject to his control, and consent by the other so to act.” Restatement (Second) of

Agency § 1 (1957) (emphasis added). Under agency law, “[t]he one for whom action is to be

taken is the principal.” Id.; see also Raney v. Barnes Lumber Corp., 195 Va. 956, 966, 81 S.E.2d

578, 584 (1954) (defining agency as “the relationship which results from the manifestation of

consent by one person to another that the other shall act on his behalf and subject to his control,

and the agreement by the other so to act”). Jordan was plainly acting as an agent on Kurt’s

behalf when she pulled up his medical record for his benefit. As a matter of law, as opposed to

Medical Center policy governing passwords and access codes, both the hearing officer and the

circuit court committed no error in concluding that the access was attributable to Kurt, because

Kurt obtained access to his medical record through his agent.




               II. WE DECLINE TO REVISIT THE DHRM’S REVIEW OF THE HEARING OFFICER’S
                   DECISIONS CONCERNING MEDICAL CENTER POLICIES.

        Again and again throughout its brief, the Medical Center cites its policies and argues that

Jordan violated them. For example, the Medical Center argues in the opening sentence of its

brief that

                       The fundamental questions on appeal are whether the
               Medical Center may develop and enforce policies containing rules
               that limit employee access to an electronic medical record which it
               owns and is its property under Virginia law and whether any
               employee of the Medical Center can authorize another employee to
               intentionally violate prohibitions and rules established in those
               policies.

As another example, the Medical Center’s sixth assignment of error reads as follows:

               The Circuit Court’s ruling that the Hearing Officer did not
               substitute his own version of Medical Center policies for wording
               of the actual policies and upholding his decision that the Medical
               Center did not follow its own policy is not supported by the
               Hearing Officer’s factual findings.

        We have no authority to second-guess the DHRM’s conclusion on whether the hearing

officer correctly interpreted applicable agency policies. Barton, 39 Va. App. at 445, 573 S.E.2d

at 322. Accordingly, we must decline the Medical Center’s invitation to address whether a

hearing officer’s decision is consistent with Medical Center policy. See, e.g., Burke v. Catawba

Hosp., 59 Va. App. 828, 834-35, 722 S.E.2d 684, 687-88 (2012).2

               III. FEDERAL LAW

        The Medical Center contends that federal law, and specifically the Health Insurance

Portability and Accountability Act, commonly known by its HIPAA acronym, “requires the


        2
         The Medical Center argues that “Grievances concerning the content of policies do not
qualify for a hearing. See Va. Code § 2.2-3004(C)(iii).” Code § 2.2-3004(C)(iii) provides that
“Complaints relating solely to the following issues shall not proceed to a hearing . . . contents of
ordinances, statutes or established personnel policies, procedures, and rules and regulations.”
The content of the policies was not in dispute, but rather their application. Therefore, Code
§ 2.2-3004(C)(iii) has no relevance to this appeal.
Medical Center to develop policies to protect” patient health information. Although the Medical

Center does not appear to contend that Jordan violated HIPAA, that statute’s “privacy rule”

expressly authorizes disclosures to a patient. See 45 C.F.R. § 164.502(a)(1)(i) (expressly

permitting a covered entity like the Medical Center to disclose protected health information “[t]o

the individual”). As noted above, under agency law, it was the patient who was seeking his own

information and it was on his behalf that Jordan obtained it.

           Moreover, 45 C.F.R. § 164.508(a)(1) provides that “[e]xcept as otherwise permitted or

required by this subchapter, a covered entity may not use or disclose protected health

information without an authorization that is valid under this section” – but, as noted above, 45

C.F.R. § 164.502(a)(1)(i) permits disclosure of a patient’s protected health information to the

patient.

           We also note that Kurt testified that he completed the Medical Center’s authorization

form to allow disclosures to Jordan. The Medical Center complains that this authorization came

after the events in question. Kurt testified, however, that he filled out a second form only after

the Medical Center lost the form he submitted approximately one year earlier – and, because the

hearing officer credited this testimony, we must accept it as true. Barton, 39 Va. App. at 445,

573 S.E.2d at 322.

           Finally, the Department of Health and Human Services’ website, in response to the

question “Does the HIPAA Privacy Rule change the way in which a person can grant another

person health care power of attorney?” answers as follows:

                  No. Nothing in the Privacy Rule changes the way in which an
                  individual grants another person power of attorney for health care
                  decisions. State law (or other law) regarding health care powers of
                  attorney continue to apply. The intent of the provisions regarding
                  personal representatives was to complement, not interfere with or
                  change, current practice regarding health care powers of attorney
                  or the designation of other personal representatives. Such
                  designations are formal, legal actions which give others the ability
               to exercise the rights of, or make treatment decisions related to, an
               individual. The Privacy Rule provisions regarding personal
               representatives generally grant persons, who have authority to
               make health care decisions for an individual under other law, the
               ability to exercise the rights of that individual with respect to
               health information.3

Therefore, Jordan’s access was authorized for purposes of HIPAA.

       The Medical Center also contends that it can be audited for compliance with HIPAA, and

to allow the sort of disclosure that Jordan made here would make compliance “impossible.” As

to the contention that Jordan’s actions would render audits “impossible,” that word does not

mean what the Medical Center thinks it means, because an audit, in fact, discovered Jordan’s

access of her ex-husband’s record. Beyond this basic factual point, the Medical Center cites 45

C.F.R. § 164.528 in support of its argument:

               Accounting of disclosures of protected health information.

               (a) Standard: Right to an accounting of disclosures of protected
               health information.

               (1) An individual has a right to receive an accounting of
               disclosures of protected health information made by a covered
               entity in the six years prior to the date on which the accounting is
               requested, except for disclosures:

               (i) To carry out treatment, payment and health care operations as
               provided in § 164.506;

               (ii) To individuals of protected health information about them as
               provided in § 164.502;

               (iii) Incident to a use or disclosure otherwise permitted or required
               by this subpart, as provided in § 164.502[.]




       3
         Office for Civil Rights, Does the HIPAA Privacy Rule change the way in which a
person can grant another person health care power of attorney?, HHS.gov (Dec. 19, 2002),
http://www.hhs.gov/hipaa/for-professionals/faq/219/does-hipaa-privacy-rule-change-how-
person-grants-power-of-attorney/index.html.
(Emphasis added). This HIPAA regulation expressly authorizes the disclosure of information to

the patient and exempts such disclosures from the accounting under 45 C.F.R. § 164.528. This

makes perfect sense, because the point of this regulation is for an individual to receive an

accounting of disclosures made about him to others–not to audit and account for disclosures of

information made to him.

       The Medical Center argues that “[f]ederal law does not require or permit direct access to

the [electronic medical record] of one individual by another individual who does not have a

legitimate work-related reason for such access.” But nothing in federal law forbids the type of

access by Jordan either – access at the patient’s request, with multiple written authorizations, for

the patient’s own benefit. Although claiming that Jordan’s access to her ex-husband’s

information is “contrary to law,” the Medical Center has cited to no federal statute or regulation

that forbids Jordan from doing what she did. If anything, the regulations the Medical Center

cites show that Jordan’s actions are consistent with the letter and the spirit of federal law.

       The Medical Center also relies on 45 C.F.R. § 164.306:

               Security standards: General rules.

               (a) General requirements. Covered entities and business associates
               must do the following:

               (1) Ensure the confidentiality, integrity, and availability of all
               electronic protected health information the covered entity or
               business associate creates, receives, maintains, or transmits.

               (2) Protect against any reasonably anticipated threats or hazards to
               the security or integrity of such information.

               (3) Protect against any reasonably anticipated uses or disclosures
               of such information that are not permitted or required under
               subpart E of this part.

               (4) Ensure compliance with this subpart by its workforce.

               (b) Flexibility of approach.

               (1) Covered entities and business associates may use any security
               measures that allow the covered entity or business associate to
               reasonably and appropriately implement the standards and
               implementation specifications as specified in this subpart.

       Finally, the Medical Center cites 45 C.F.R. § 164.308, which provides as follows:

               Administrative safeguards.

               (a) A covered entity or business associate must, in accordance with
               § 164.306:

               (1)(i) Standard: Security management process. Implement
               policies and procedures to prevent, detect, contain, and correct
               security violations.

               (ii) Implementation specifications:

               (A) Risk analysis (Required). Conduct an accurate and thorough
               assessment of the potential risks and vulnerabilities to the
               confidentiality, integrity, and availability of electronic protected
               health information held by the covered entity or business associate.

               (B) Risk management (Required). Implement security measures
               sufficient to reduce risks and vulnerabilities to a reasonable and
               appropriate level to comply with § 164.306(a).

               (C) Sanction policy (Required). Apply appropriate sanctions
               against workforce members who fail to comply with the security
               policies and procedures of the covered entity or business associate.

               (D) Information system activity review (Required). Implement
               procedures to regularly review records of information system
               activity, such as audit logs, access reports, and security incident
               tracking reports.

The Medical Center argues that it complied with 45 C.F.R. § 164.306 and 45 C.F.R. § 164.308

by writing certain policies and that Jordan violated those policies. This is nothing more than a

backdoor attempt to have this Court revisit DHRM’s final ruling regarding whether Jordan

violated the Medical Center’s policies. As noted above, we have no authority to second-guess

the DHRM’s conclusion with respect to whether the hearing officer’s decision correctly

interpreted applicable agency policies. Barton, 39 Va. App. at 445, 573 S.E.2d at 322. The cited

federal regulations do not prohibit the types of disclosures at issue here. The Medical Center has

failed to show that the hearing officer’s decision and the circuit court’s affirmance of that

decision are contrary to federal law.

               IV. VIRGINIA LAW

       Relying on Code § 32.1-127.1:03(A), the Medical Center argues that this statute “does

not permit an employee of the health care entity to access records independently and outside the

rules established by the health care entity that owns the records.” Code § 32.1-127.1:03(A)

provides in relevant part:

                       Health records are the property of the health care entity
               maintaining them, and, except when permitted or required by this
               section or by other provisions of state law, no health care entity, or
               other person working in a health care setting, may disclose an
               individual’s health records.

(Emphasis added). The language “except when permitted or required by this section or by other

provisions of state law” is significant. The statute goes on to specify (although the Medical

Center does not cite these provisions) that

               Pursuant to this subsection:

               1. Health care entities shall disclose health records to
               the individual who is the subject of the health record, except as
               provided in subsections E and F and subsection B of § 8.01-413.

                       ....

               D. Health care entities may, and, when required by other
               provisions of state law, shall, disclose health records:

                       ....

               16. To an agent appointed under an individual’s power of
               attorney or to an agent or decision maker designated in
               an individual’s advance directive for health care or for decisions
               on anatomical gifts and organ, tissue or eye donation or to any
               other person consistent with the provisions of the Health Care
               Decisions Act.

Code § 32.1-127.1:03(A)(1), (D)(16). Code § 32.1-127.1:03 clearly specifies that the Medical

Center is required to disclose Kurt Jordan’s health records to him and that it may do so to an

agent appointed under his power of attorney. How the Medical Center makes those disclosures,

the statute does not say. Even if the manner of access and disclosure violated Medical Center

policies, a point on which we express no view, the hearing officer’s and DHRM’s decision on

that point is not one this Court can review. As to the statutes cited by the Medical Center, they

are either silent on the subject or support the legal propriety of Jordan’s actions.

       Next, the Medical Center argues that the advance medical directive and the durable

power of attorney did not authorize Jordan to gain access to her ex-husband’s medical

information. The advance medical directive statute, Code § 54.1-2983, provides as follows:

               Any adult capable of making an informed decision may, at any
               time, make a written advance directive to address any or all forms
               of health care in the event the declarant is later determined to be
               incapable of making an informed decision.

The Medical Center correctly points out that Kurt was not found to be incapable of making an

informed decision, and, therefore, the advance medical directive did not apply. Under the terms

of the advance medical directive itself, as well as the plain language of the statute, the advance

medical directive did not authorize Jordan to obtain medical information on Kurt’s behalf.

       The Medical Center further contends that the power of attorney Jordan relied on did not

apply. The Medical Center cites two provisions of Code § 64.2-1601. This statute broadly

provides that “[t]his chapter applies to all powers of attorney” but then carves out some

exceptions to this general rule:

               1. A power to the extent it is coupled with an interest in the subject
               of the power, including a power given to or for the benefit of a
               creditor in connection with a credit transaction;

               2. A power to make health care decisions;



               3. A proxy or other delegation to exercise voting rights or
               management rights with respect to an entity;

               4. A power created on a form prescribed by a government or
               governmental subdivision, agency, or instrumentality for a
               governmental purpose; and

               5. A power to make arrangements for burial or disposition of
               remains pursuant to § 54.1-2825.

The Medical Center relies on exceptions 2 and 4 above to argue that Jordan could not invoke the

power of attorney to gain access to Kurt’s medical records. With respect to exception 2, the

“power to make health care decisions,” the Medical Center reads this provision too broadly.

Gaining access to information to help a patient understand treatment and make informed

decisions is not the same thing as the power to make health care decisions on behalf of someone

else. Jordan did not decide whether Kurt should be treated and what type of treatment he should

undertake. Therefore, this subsection is inapplicable.

       The Medical Center also argues that it is a governmental agency and it has created certain

specific forms to allow patients to access their own information, and, therefore, Jordan could not

obtain her ex-husband’s medical records as a matter of law except through those forms. First, it

is doubtful whether assisting a patient to obtain their own health records is a “governmental

purpose” within the intendment of Code § 64.2-1601. The statute does not define the term. See

Code § 64.2-1600. The Internal Revenue Service, for example, requires a separate form,

currently form 2848, to create a specific power of attorney with respect to the filing of federal

taxes. Virginia has developed a similar requirement. See Code § 58.1-1834. The filing of taxes

is more obviously a “governmental purpose” than obtaining one’s own health information. But

even assuming that Jordan was engaged in a “governmental purpose” when she pulled up Kurt’s

medical records, we think the Medical Center’s interpretation of Code § 64.2-1601(4) is still

wrong. Code § 32.1-127.1:03(D)(16) specifically authorizes the disclosure of health records

based on a power of attorney. The Medical Center’s broad reading of Code § 64.2-1601 creates

unnecessary tension with Code § 32.1-127.1:03(D)(16). “[W]hen certain statutes address a

subject in a general manner and other statutes address part of the same subject in a more specific

manner, the differing statutes should be harmonized, if possible, and when they conflict, the

more specific statutes prevail.” Gilman v. Commonwealth, 275 Va. 222, 230, 657 S.E.2d 474,

477 (2008). Although we are not convinced that there is any tension between Code § 64.2-1601

and Code § 32.1-127.1:03(D)(16), because obtaining one’s own health records is not likely a

“governmental purpose,” we conclude that if there is such tension, Code § 32.1-127.1:03(D)(16),

which specifically authorizes disclosures of medical records to the person holding a durable

power of attorney, controls over the more general provisions of Code § 64.2-1601. In short,

Jordan did nothing illegal.4

                                          CONCLUSION

       We affirm the decision of the circuit court and remand for a determination of Jordan’s

attorney’s fees, including appellate attorney’s fees.

                                                                                         Affirmed.




       4
          The hearing officer also concluded that termination was unjustified on the grounds that
Jordan was subject to disparate treatment because of the difference in the discipline she received
compared with the discipline her supervisor received. The Medical Center challenges these
findings. In light of our disposition, we need not address the issues that relate to this aspect of
the case.
