OCR Resolves Alleged Exposure of Reproductive Health Data

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first enforcement action against a healthcare organization for an impermissible disclosure of an individual's reproductive health data. In September 2023, a female patient filed a complaint with OCR regarding an alleged disclosure of her protected health information (PHI) by Holy Redeemer Family Medicine in Pennsylvania. The medical practice allegedly disclosed her PHI to a potential employer without authorization.

According to the complaint, the data disclosed included her surgical records, obstetric records, gynecological history, and other sensitive reproductive health data. The patient stated that she had authorized the sharing of only one particular test result with the potential employer, and that test result was unrelated to her reproductive health. Upon investigation, OCR confirmed that Holy Redeemer had disclosed all of the patient's health data to the potential employer without the patient's authorization. No provision of the HIPAA Privacy Rule permits such a release of health records.

According to OCR, the disclosure of medical records without first obtaining appropriate authorization violated the General Rules of the HIPAA Privacy Rule, 45 C.F.R. § 164.502(a), governing the uses and disclosures of PHI. OCR notified Holy Redeemer Family Medicine of its intent to impose a financial penalty, and the matter was resolved informally. Holy Redeemer Family Medicine agreed to pay a $35,581 penalty and to implement a corrective action plan. Holy Redeemer will be monitored by OCR for two years to ensure compliance with the corrective action plan.

The corrective action plan requires Holy Redeemer to review its policies and procedures and to develop, maintain, and revise its written privacy policies and procedures to ensure compliance with the HIPAA Rules. The workforce must be informed of the revised policies and receive HIPAA training on them. Holy Redeemer must also promptly investigate possible violations of those policies by workforce members and report privacy violations to OCR.

Healthcare organizations must take seriously their duty to safeguard patient privacy and comply with the law. OCR Director Melanie Fontes Rainer said that patients should have confidence that their sensitive health data (including reproductive health data) is protected, be able to trust the patient-doctor relationship, and get the treatment and care they need.

In April 2023, OCR issued a Final Rule to strengthen privacy protections for reproductive health data. The Final Rule takes effect on December 23, 2024.