Catholic Health Group Fined for Releasing Reproductive Info
Feds Say Pennsylvania Group's Impermissible Disclosure Violates HIPAA Privacy Regs

Federal regulators have fined a Catholic healthcare system $35,581 for HIPAA violations and required it to adopt a corrective action plan after the Pennsylvania provider disclosed a female patient's reproductive health and other sensitive information to a prospective employer without the patient's permission.
Under the settlement, Holy Redeemer Family Medicine must pay the penalty and take specific steps to better protect patient privacy to prevent this type of incident from happening again, HHS OCR said in a statement Tuesday.
"It is imperative that healthcare providers take their duty to protect patient privacy seriously and follow the law," said Melanie Fontes Rainer, HHS OCR director. "Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy."
The settlement with Holy Redeemer centers on a complaint HHS OCR received in Sept. 2023 alleging that the healthcare provider disclosed a female patient's surgical history, gynecological history, obstetric history and other sensitive health information to a prospective employer.
"OCR's investigation found that Holy Redeemer disclosed the patient's full medical record, including PHI concerning her reproductive healthcare, that it did not have the patient's authorization for the broad disclosure of her protected health information, and that there otherwise was no applicable requirement or permission under the Privacy Rule for such a broad release of her medical records," HHS OCR said.
The patient's complaint stated that she had requested Holy Redeemer to send one specific test result, unrelated to her reproductive health, to a prospective employer, HHS OCR said.
HHS OCR's settlement with Holy Redeemer comes as the agency in recent months has beefed up HIPAA privacy protections over reproductive health information.
In June, HHS OCR issued a final rule updating the HIPAA Privacy Rule to limit the circumstances that permit the use or disclosure of an individual's PHI about reproductive healthcare for certain non-healthcare purposes, including to law enforcement in states where procedures such as abortions are legal. The rule is designed to protect women who cross state lines seeking an abortion and their providers.
But those changes to the HIPAA Privacy Rule are already facing legal challenges. A federal lawsuit filed in September by Texas State Attorney General Ken Paxton against HHS Secretary Xavier Becerra and HHS OCR's Fontes Rainer seeks to vacate the Biden administration's 2024 update to the HIPAA Privacy Rule to enhance privacy protections for reproductive health data (see: Texas AG Hopes to Upend HIPAA Rules to Investigate Abortions).
Also, once new HHS leadership takes over in January under Donald Trump's next administration, some regulatory experts expect that HHS OCR will either not enforce the recent HIPAA Privacy Rule update or perhaps even revoke it (see: Trump's Return: Impact on Health Sector Cyber, HIPAA Regs).
As for the resolution agreement with Holy Redeemer, for now, OCR said it will monitor the implementation of the corrective action plan for two years, requiring Holy Redeemer to:
- Submit a breach notification report to HHS about the incident;
- Develop or revise its policies and procedures to ensure compliance with the Privacy Rule and submit all such policies and procedures to HHS for approval;
- Distribute all HHS-approved policies and procedures to the healthcare provider's workforce;
- Train all members of its workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities.
Holy Redeemer did not immediately respond to Information Security Media Group's request for comment on the settlement and the incident.