OCR Settles Alleged Impermissible Disclosure of Reproductive Health Information
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first enforcement action against a healthcare provider over an impermissible disclosure of an individual’s reproductive health information. In September 2023, OCR received a complaint from a female patient who alleged that the Pennsylvania medical practice, Holy Redeemer Family Medicine, had disclosed her protected health information to a prospective employer without authorization.
According to the complaint, the information disclosed included her surgical history, obstetric history, gynecological history, and other sensitive reproductive health information. The patient said she had authorized the disclosure of one specific test result to the prospective employer, and that the test result had nothing to do with her reproductive health. OCR launched an investigation and determined that Holy Redeemer had disclosed the patient’s full medical record to the prospective employer; however, the patient had not given authorization for such a broad disclosure and there was no applicable requirement under the HIPAA Privacy Rule for such a broad release of her medical records.
OCR determined that the disclosure of the records without first obtaining valid consent was a violation of the General Rules of the HIPAA Privacy Rule concerning uses and disclosures of protected health information – 45 C.F.R. § 164.502(a). OCR notified Holy Redeemer Family Medicine of its intention to impose a financial penalty and offered to settle the matter informally. Holy Redeemer Family Medicine agreed to pay a $35,581 penalty and adopt a corrective action plan. OCR will monitor Holy Redeemer for compliance with the corrective action plan for 2 years.
The corrective action plan requires Holy Redeemer to review its policies and procedures and develop, maintain, and revise its written privacy policies and procedures to ensure compliance with the HIPAA Rules. The revised policies must be distributed to the workforce and workforce members must be trained on those policies. Holy Redeemer is also required to promptly investigate potential violations of those policies by employees and report privacy breaches to OCR.
“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law,” said OCR Director Melanie Fontes Rainer. “Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”
In April 2023, OCR implemented a Final Rule to strengthen privacy protections for reproductive health information. The final rule takes effect on December 23, 2024.


