HHS Fines Holy Redeemer Family Medicine and Imposes Extensive 2-Year Corrective Action Program for Disclosing Patient’s PHI to Prospective Employer Without Authorization
On November 26, 2024, the Department of Health and Human Services, Office for Civil Rights (collectively “OCR”), announced its settlement with Holy Redeemer Family Medicine (Holy Redeemer),1 a family practice apparently affiliated in 2023 with Holy Redeemer Hospital in Pennsylvania for violation of the HIPAA Privacy Rule. OCR concluded that Holy Redeemer had impermissibly disclosed a female patient’s complete medical record to a prospective employer, including her gynecological and obstetric history and other sensitive health information related to the patient’s reproductive health care.2 As part of the September 24, 2024 Settlement, OCR imposed a fine of $35,581 and a comprehensive 2-year Corrective Action Plan (“CAP”) on Holy Redeemer.
Brief Summary of Facts, Agency Conclusions, Fine, and Detailed CAP:
In September 2023, OCR received a Complaint from a female patient of Holy Redeemer, alleging that it had exceeded her authorization requesting disclosure of a single test result unrelated to her reproductive health care to a prospective employer in violation of her HIPAA privacy rights. According to the patient’s Complaint, Holy Redeemer had released a broad swath of her PHI without her authorization, including what OCR called “sensitive” reproductive health care information.
Following its investigation of the Complaint, OCR and Holy Redeemer entered into a Resolution Agreement and Corrective Action Plan on September 24, 2024. Paragraph I.2 of the Resolution Agreement describes OCR’s investigative finding and related covered conduct underlying the settlement as follows:
OCR’s investigation found that on September 27, 2023, [Holy Redeemer] impermissibly disclosed the protected health information (“PHI”) of Complainant including highly sensitive reproductive health information. The disclosure was not made pursuant to a permissible purpose under or as required by the Privacy Rule and was made without first obtaining a valid authorization from Complainant.
The Resolution by HHS and OCR applies to the following “Covered Conduct”: “[Holy Redeemer] impermissibly disclosed the protected health information to a prospective employer of Complainant without first obtaining a valid authorization. See C.F.R. § 164.502(a).” While the Resolution Agreement is not an admission of liability by Holy Redeemer, its implications for healthcare professionals, particularly as it relates to the protection of reproductive health care, is informative, since the Final HIPAA RHC Rule was not in effect at the time of the Covered Conduct. Of significant interest to health care professionals, the detailed 13-page CAP imposes extensive obligations on Holy Redeemer and provides a potential model for HIPAA compliance, including, in particular, the new protections afforded reproductive health care records under the Final HIPAA RHC Rule.
The terms of the CAP require Holy Redeemer to:
- Submit a breach notification report to HHS within 15 days regarding the subject incident;
- Review, develop or revise its policies and procedures to ensure compliance with the Privacy Rule, and submit all such policies and procedures to HHS for approval;
- Distribute all HHS-approved policies and procedures to its workforce and ensure that each member of the workforce certifies receipt and understanding of the policies and procedures;
- Train all members of its workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities;
- Within 120 days after HHS approval of Holy Redeemers policies and procedures, Holy Redeemer must submit a written report to HHS detailing the status of its implementation of the corrective action plan;
- Provide a report to OCR regarding any non-compliance with its policies and procedures by any members of its workforce; and
- Provide annual reports to OCR regarding Holy Redeemer’s compliance with the [CAP].
As discussed in a previous Client Alert, the 2024 Final HIPAA RHC Rule took effect on June 25, 2024, with the effective date for the revision of HIPAA Policies and Procedure on December 23, 2024. Covered Entities and Business Associates must ensure that any disclosures related to RHC are not for impermissible purposes, and they should revise their policies to ensure that any requests to disclose reproductive health care comply with the 2024 Final HIPAA RHC Rule and train their workforce on what they must do before responding to any request.
For our more extensive analysis of the Resolution Agreement and CAP, please click here.
Other Considerations – the Texas challenge, the change in administration, & the EEOC Guidance to Health Care Providers regarding the PWFA:
The Holy Redeemer case sheds a little light on OCR’s enforcement agenda related to the 2024 Final HIPAA RHC Rule, and Covered Entities and Business Associates should take advantage of the information provided in the Resolution Agreement and CAP to revise their HIPAA Policies and Procedures to ensure compliance with the Final Rule. However, consideration should be given to additional issues relevant to HIPAA compliance, which include the following:
- The Texas Challenge to 2024 Final Rule: At this writing, in the leading case challenging the 2024 Final HIPAA RHC Privacy Rule, as well as a challenge to the 2000 HIPAA Privacy Rule, brought by Texas Attorney General Ken Paxton in the Northern District of Texas, the court has set a briefing schedule in January-February 2025. The Rule thus remains in effect, with no stay pending final appeal in the Texas case yet imposed.
- The change in administration: Like other Final Rules of the Biden administration, the 2024 Final HIPAA RHC Privacy Rule may not survive Congressional Review Act review (if joint disapproval procedures are invoked) or executive order or other agency action.
- The EEOC Guidance on the PWFA for Health Care Professionals: Yesterday, the Equal Employment Opportunity Commission released essentially Question and Answer guidance to health care professionals relating to the reasonable accommodation requests that they may expect if pregnant workers experience temporary limitations related to pregnancy or childbirth (before or after childbirth) and need accommodations from restrictions at work.
Although EEOC guidance does not have the force of law, the EEOC may indicate in guidance the issues and concerns that it will address in handling charges, investigations, or litigation as a public litigant.
Entitled “Helping Patients Deal with Pregnancy- and Childbirth-Related Limitations and Restrictions at Work under the Pregnant Workers Fairness Act” (the PWFA Guidance), and apropos to the above discussion of the Holy Redeemer Resolution Agreement and CAP, the PWFA Guidance expressly cautions that the health care professional “should not simply provide your patient’s medical records, because they will likely contain information that is unnecessary for the employer to have” (Q&A 6).
The PWFA poses a probable question from a health care professional regarding the patient’s medical record and then indicates that the PWFA Guidance does not alter the health care provider’s obligations:
The PWFA does not alter a health care provider’s ethical or legal obligations regarding the disclosure of patient information.
Employers are required to keep all medical information related to an accommodation request confidential. (Q&A 8)
For our more extensive analysis of the PWFA Guidance, please click here.
For additional information regarding the September 24, 2024 Resolution Agreement and CAP and PWCA Guidance or any other issues discussed in this Client Alert, please feel free to contact the authors of this Client Alert.
Debra A. Geroux
248.258.2603
geroux@butzel.com
Diane M. Soubly
734.213.3625
soubly@butzel.com
[1] Holy Redeemer has self-identified on-line as a “modern health care facility [that] offers exceptional primary care, women’s health, breast care, reconstructive surgery and diagnostic testing services.”
[2] OCR is tasked with responsible for investigating complaints alleging alleged violations of the standards relating to individually identifiable health information used or maintained by health care providers in the HIPAA Privacy and HITECH Security Rules, including the April 26, 2024 Final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the 2024 Final HIPAA RHC Privacy Rule) (collectively, the HIPAA Rules).