The settlement highlights the importance of safeguarding the privacy of PHI, including reproductive health information.

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, regarding an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violation involved the impermissible disclosure of a female patient’s protected health information, including details related to reproductive health care. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the standards that covered entities (such as health plans, health care clearinghouses, and most health care providers) and business associates must adhere to for the privacy and security of protected health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, mandates appropriate safeguards to protect the privacy of protected health information, and sets limits and conditions on the uses and disclosures that can be made without an individual’s authorization, such as for health oversight activities or law enforcement purposes. It also grants individuals rights like the ability to access their medical records.

“Healthcare providers must take their duty to protect patient privacy seriously and follow the law,” said OCR Director Melanie Fontes Rainer. “Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”

In September 2023, OCR received a complaint alleging that Holy Redeemer had impermissibly disclosed a female patient’s protected health information to her prospective employer, including her surgical history, gynecological history, obstetric history, and other sensitive reproductive health information. The complainant stated that she had asked Holy Redeemer to send one specific test result, unrelated to her reproductive health, to the prospective employer. OCR’s investigation found that Holy Redeemer had instead disclosed the patient’s full medical record, including protected health information about her reproductive health care, without the patient’s authorization. No requirement or permission under the Privacy Rule applied to such a broad release of her medical records.

Under the terms of the resolution agreement, Holy Redeemer paid $35,581 and agreed to implement a corrective action plan setting out specific steps to comply with the HIPAA Rules and protect patient privacy, so as to prevent future occurrences. OCR will monitor implementation of the corrective action plan for two years. Under the plan, Holy Redeemer will:

  • Submit a breach notification report to HHS regarding this incident;
  • Review, develop, or revise its policies and procedures to ensure compliance with the Privacy Rule, and submit all such policies and procedures to HHS for approval;
  • Distribute all HHS-approved policies and procedures to its workforce and ensure that each member of the workforce certifies receipt and understanding of the policies and procedures;
  • Train its workforce members, including all workforce members of its affiliated entities, on its HHS-approved policies and procedures;
  • Submit a written report to HHS within 120 days after the approval of Holy Redeemer’s policies and procedures, detailing the status of its implementation of the corrective action plan;
  • Provide a report to OCR regarding any non-compliance with its policies and procedures by any workforce members;
  • Provide annual reports to OCR regarding Holy Redeemer’s compliance with the corrective action plan.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/holy-redeemer-hospital-ra-cap/index.html