Department of Veterans Affairs Medical Center, Oklahoma City, Oklahoma Today, the Department of Veterans Affairs (VA) operates the nation's largest healthcare system through the Veterans Health Administration (VHA), including 152 medical centers (VAMCs), 800 community-based outpatient clinics and numerous state-based domiciliaries and nursing home care units (About VA, 2016). As the second-largest cabinet agency in the federal government, the VA's budget exceeds the State Department, USAID, and the whole of the intelligence community combined) with more than $60 billion budgeted for VHA healthcare (Carter, 2016). One of the VHA's largest medical centers that provides tertiary healthcare services to eligible veteran patients is the Oklahoma City VA Medical Center (OKC VAMC) in Oklahoma City, Oklahoma. Like several other VAMCs, the OKC VAMC has recently been implicated in a system-wide scandal concerning inordinately lengthy patient waiting times and misdiagnoses which may have contributed to the deaths of some veteran patients and jeopardized others. In addition, the VA has recorded the highest number of patient privacy violations of any healthcare provider in the country since 2011 (Westwood, 2016). To determine the facts from a risk management perspective, this paper provides an overview of the OKC VAMC and an analysis of the challenges that are involved in ensuring patient confidentiality while still maintaining accessibility to patient information, followed by a summary of the research and important findings concerning these issues in the conclusion.

Overview of Oklahoma City VA Medical Center

The OKC VAMC is located at 921 NE 13th Street in Oklahoma City, Oklahoma and provides a wide range of tertiary healthcare services, including psychiatry, physical medicine and rehabilitation, medical-surgical units as well as numerous specialty clinics (i.e., Mental Health Intensive Case Management (MHICM), Reaching Out to Educate and Assist Health Care Families (REACH), Homeless Program/Compensated Work Therapy, regional referral center for Open-Heart surgery, Telehealth Care Coordination, Center for Alzheimer and Neurodegenerative Diseases, Animal Assisted Therapy and a High Risk Foot Program) and various social services (About the Oklahoma City VA Medical Center, 2016). At present, the OKC VAMC features 192 beds, serves 48 counties in Oklahoma and two north central Texas counties, and operates an annex clinic in north Oklahoma City (About the Oklahoma City VA Medical Center, 2016). This medical center has recently been implicated in a VA-wide scandal concerning lengthy waiting times and the provision of suboptimal medical care that may have jeopardized the lives of dozens if not hundreds of veteran patients. For instance, a high-profile report by Donovan Slack (2015) in USA Today cites the specific cases of two veterans, Charles Hand and George Washington Purifoy, who are patients at the OKC VAMC. According to Slack, "Both sought care at Veterans' Affairs medical facilities in Oklahoma. And in their cases and others, medical professionals missed or misdiagnosed their conditions resulting in life-altering consequences" (2015, para. 2)

Analysis of the challenges of providing patient confidentiality vs. accessing necessary patient information for effective and efficient treatment with consideration for the different ways confidentiality can be violated

Like other VA medical centers, the OKC VAMC uses an electronic healthcare record (EHR) system to facilitate access to patient data for healthcare providers (What is VistA?, 2016). The ready accessibility of electronic protected health information (ePHI) through the EHR system, combined with frequent VA employee incompetence, have resulted in thousands of violations of the Health Insurance Portability and Accountability Act (HIPAA) since its passage in 1996 (Westwood, 2016). According to Lawley (2012), "ePHI is defined as any Protected Health Information (PHI) that is stored on any form of electronic media, or which is transmitted in any electronic form (e.g., fax or Internet). This would include scanned records or correspondence that is written on a computer and then printed" (p. 19). Indeed, the HIPAA agency has recorded more ePHI and other patient privacy complaint violations by the VA than any other healthcare provider in the country (Waldman & Orstein, 2015). This point is also made by Westwood (2016) who emphasizes, "Department of Veterans Affairs officials have racked up more than 10,000 privacy breaches since 2011, making the VA the nation's most prolific violator of laws protecting patients' personal medical information" (p. 3).

Despite the flagrant nature of many of these violations which were determined by investigators to be intentional and malicious, there has been no official sanction of the VA to date (Westwood, 2016). Therefore, the challenges of providing patient confidentiality pursuant to HIPAA and professional codes of conduct involve both accidental and intentional privacy violations (Westwood, 2016), with...

For instance, many privacy violations involved veterans who were also employees of the VA whose ePHI were accessed by spouses or their co-workers for use in divorce proceedings, by VA management investigating whisteblowing activities by these veteran employees or just "out of curiosity" following suicides or suicide attempts by veteran employees (Waldman & Ornstein, 2015, para. 6). Some salient examples of these abuses and violations include the following:
In September 2011, after a veteran committed suicide on the grounds of a VA facility in Biloxi, Miss., more than 40 employees accessed his medical records;

In September 2013, a VA employee who worked at the same facility in Biloxi committed suicide and, again, several co-workers inappropriately accessed the employee's medical records;

In January 2015, a veteran who works at C.W. Bill Young VA Medical Center attempted suicide. Afterward, many co-workers who had no direct involvement in his medical care seemed to know about his attempt and asked how he was doing. Following an investigation, the VA's incident response team found that an employee had indeed inappropriately accessed the veteran's medical records "out of curiosity" (Waldman & Ornstein, 2015, para. 7).

Unfortunately, these privacy violations are just a few of the thousands of such violations that have been reported to HIPAA in recent years despite VA's efforts to provide ongoing training to its employees concerning the proper handling of patient information (Waldman & Ornstein, 2015).

Comparison of the rights and responsibilities that physicians have toward patients in context to informed vs. implied consent situations

Informed consent involves formally providing patients with the information they need to make an informed decision concerned the type of medical care they want or do not want, even if clinicians do not agree with this course of action (Curran, 2012). For instance, Curran reports that, "Once a patient is properly informed, it is the patient's right to choose among the various alternatives rather than a physician's right to prescribe the 'best' treatment, even when that choice may be the more dangerous treatment" (p. 134). Pursuant to the reasonable care provider standard, clinicians are generally responsible for providing patients with information concerning (a) the purpose of the proposed treatment, (b) its risks and benefits, (c) available alternatives (including risks and benefits of alternative treatments), and (d) the effect of no treatment whatsoever (Curran, 2012).

By contrast, the term "implied consent" refers to situations in which patients are presumed to give their consent to medical treatment when they are otherwise unable to do so in an express manner such as with informed consent (Breen & Plueckhahn, 2002). Implied consent also extends to the sharing of patient information among healthcare providers, even if this has not been expressly consented to by the patient. For example, Breen and Plueckhahn (2002) report that, "In many health care situations, consent for sharing confidential information between members of the 'health care team' is implied and it is presumed that patients know and accept that this will happen" (2002, p. 39). The overarching factors to be taken into account in both informed and implied consent situations are the best interests of the patient (Breen & Plueckhahn, 2002).

Summary of the risk of malpractice and liability in the Oklahoma City VA Medical Center

Although many veterans may be unaware of their legal rights, the OKC VAMC is at high risk of being targeted for malpractice lawsuits. Pursuant to the Federal Torts Claims Act (FTCA), veterans and/or their families can seek compensation from the U.S. government in cases of negligence on the part of an employee of the VA (Veteran medical malpractice, 2016). In fact, the VA has paid about $100 million a year since 2003 to settle more than 3,000 medical malpractice suits filed by veterans (Veteran medical malpractice, 2016). Moreover, U.S. Treasury records indicate that $200 million more has been paid out since that time to settle almost one thousand wrongful death lawsuits (Veteran medical malpractice, 2016).

Summary of recommended practical measures to minimize risk of malpractice and liability

Complex problems usually require complex solutions and this is certainly the case with mitigating the risk of malpractice and liability at the OKC VAMC. In fact, the very same attributes that make the VA's EHR a valuable resource in delivering high quality healthcare services are the same attributes that provide opportunities for their abuse and misuse. The ease of access to veteran healthcare records that is enjoyed by most VA employees -- irrespective of their need for such…