
Last week, HHS Office of Civil Rights (OCR) announced a settlement with a Pennsylvania provider (the Provider) concerning an alleged violation of the HIPAA Privacy Rule. Specifically, the Provider impermissibly disclosed a female patient’s protected health information (PHI)—which included information related to reproductive healthcare—to the patient’s prospective employer. The settlement comes ahead of an impending December 23, 2024, deadline for providers to comply with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Final Rule). Both the settlement and the Final Rule are described in more detail below.
Provider Settlement
In September 2023, OCR received a complaint alleging that the Provider impermissibly disclosed a female patient’s PHI to the patient’s prospective employer. This information included her surgical, gynecological, and obstetric histories, as well as other sensitive health information concerning reproductive healthcare. Following an investigation, OCR found (1) that the Provider disclosed the patient’s full medical record, which included PHI concerning her reproductive health care; (2) the Provider did not have the patient’s authorization for the broad disclosure of her PHI; and (3) there was no applicable requirement or permission under the HIPAA Privacy Rule for such a broad release of her medical records.
The Provider paid $35,581 to HHS under the Resolution Agreement, and the Provider agreed to implement a corrective action plan (CAP). The CAP includes, but is not limited to, the following actions:
- Submitting a breach notification report to HHS regarding this incident;
- Reviewing, developing, or revising the Provider’s policies and procedures to ensure compliance with the HIPAA Privacy Rule, and submitting all such policies and procedures to HHS for approval;
- Distributing all HHS-approved policies and procedures to the Provider’s workforce and ensuring that each member of the workforce certifies receipt and understanding of the policies and procedures; and
- Training all members of the Provider’s workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities.
The Resolution Agreement and CAP are available here.
Final Rule
Earlier this year, OCR published a final rule titled HIPAA Privacy Rule To Support Reproductive Health Care Privacy, which prohibits the disclosure of PHI related to lawful reproductive healthcare in certain circumstances. 82 Fed. Reg. 22,976 (Apr. 26, 2024). More information on the Final Rule is available in the King & Spalding Client Alert dated Nov. 27, 2024.
By December 23, 2024, healthcare providers, health plans, and healthcare clearinghouses (collectively, Covered Entities) and their business associates are prohibited from using or disclosing PHI relating to reproductive healthcare—that is, healthcare affecting the health of an individual in all matters relating to the reproductive system and to its functions and processes—for any of the following:
- Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare;
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare; or
- Identifying any person for either of the above purposes (collectively, Prohibited Purposes).
For certain requested uses or disclosures, the Final Rule requires Covered Entities or their business associates to obtain a written attestation that the PHI is not for a Prohibited Purpose before the PHI potentially related to reproductive healthcare can be used or disclosed.
The Final Rule is available here, and the HHS fact sheet is available here.