On December 2, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published a settlement with Holy Redeemer Family Medicine (Holy Redeemer) regarding an impermissible disclosure of a patient’s protected health information (PHI), including reproductive health care information. The Pennsylvania hospital paid $35,581 and agreed to a two-year corrective action plan (CAP). While this settlement did not allege violations of the new HIPAA regulations governing reproductive health care information, it serves as a reminder to HIPAA-regulated entities of the imminent compliance deadline under those regulations.
Hospital settles HIPAA alleged violation
Following a complaint that the hospital impermissibly disclosed a patient’s PHI, which included obstetric and gynecological history and other sensitive reproductive health care information, to the patient’s prospective employer, OCR determined that Holy Redeemer disclosed more PHI than it was authorized to disclose. The patient at issue authorized the disclosure of one test result, unrelated to reproductive health care, and the hospital disclosed her entire medical record.
As part of the two-year CAP, the hospital is required to update its HIPAA Privacy Rule policies, distribute them to its workforce, and ensure that all workforce members are trained on the policies and certify receipt and understanding of the same.
HIPAA Privacy Rule compliance deadline approaching fast
On April 22, 2024, OCR issued a final rule modifying the HIPAA Privacy Rule (the Final Rule). The new regulations took effect in June 2024, and covered entities and business associates have until December 23, 2024, to comply with most of the requirements (covered entities have until February 16, 2026, to update their Notice of Privacy Practices to address both the Final Rule’s requirements, as well as the recent changes to the substance use disorder regulations under 42 CFR Part 2).
The Final Rule alters certain uses and disclosures that previously were permissible for hospitals, physician practices, FQHCs, pharmacies, or other health care providers or health plans, as well as vendors handling medical record functions on behalf of these entities, with respect to information that contains, or may contain, reproductive health care information. The Final Rule requires a new attestation form and process for certain disclosures of reproductive health information. OCR designed the Final Rule to protect information about legally obtained reproductive care from being used to prosecute a clinician, relative, or patient. These regulations also clarify the uses and disclosures that can be made for public health purposes, clarify that facilitating reproductive health care cannot be used as a basis to report abuse or deny personal representative status, and clarify that all disclosures in response to a law enforcement officer’s administrative request, whether related to reproductive care or not, may only be made in response to a process that legally compels disclosure.
HIPAA-regulated entities should note the breadth of the definition of “reproductive health care,” as the Final Rule impacts far more than clinicians providing obstetrics and gynecology services. It includes any PHI that references an individual’s reproductive health, such as the provision of birth control, pregnancy, and sterilization, that is contained in a clinician’s records or a health plan’s documentation, regardless of whether the organization provided or is providing that care. While the Final Rule’s requirements are somewhat discrete, they likely require a wide range of health care providers and health plans to update their policies and processes, and many should ensure that they have an attestation form for applicable disclosures of reproductive health care information.
As evidenced by the recent OCR enforcement, HIPAA-regulated entities should use the weeks leading up to the Final Rule’s compliance deadline to review policies, procedures, and processes to ensure compliance. In addition, health care providers and health plans should ensure that their workforce members are trained on the new requirements and reminded of their ongoing obligation to safeguard PHI. If an entity relies on a vendor for fulfillment of medical records requests, the covered entity should confirm that its vendor understands the new Final Rule requirements and has processes in place to comply accordingly.
For more information on the content of this alert, please contact your Nixon Peabody attorney or the author of this alert.