Unauthorized PHI Disclosure Settlement

In late November of 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it had entered into a Resolution Agreement (settlement) with Holy Redeemer Family Medicine, over the latter’s having impermissibly disclosed a patient’s protected health information (PHI) to a prospective employer without first obtaining a valid HIPAA authorization. Details of the settlement are provided below.

HIPAA Unauthorized PHI Disclosure Settlement: A Test, Not a History

Holy Redeemer Family Medicine (HRFM) is a Pennsylvania hospital located in the Philadelphia metro area.

In September of 2023, OCR received a complaint that alleged Holy Redeemer impermissibly (without authorization) disclosed a female patient’s PHI to her prospective employer. The patient/Complainant alleged that, although she had requested HRFM send one specific test result (not related to reproductive health care) to the employer, Holy Redeemer instead disclosed the patient’s surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care.

OCR’s subsequent investigation of the complaint found that on September 27, 2023, HRFM impermissibly disclosed the Complainant’s PHI, including highly sensitive reproductive health information. The disclosure, OCR concluded, was not made for a permissible or required legal purpose, and was also made without HRFM having first obtained the Complainant’s valid authorization to disclose the information.

On November 1, 2023, HHS notified HRFM of HHS’ conclusion.

In late September of 2024, OCR and HRFM agreed to settle the complaint. Under the terms of the settlement (resolution agreement), Holy Redeemer paid $35,581 to OCR, and agreed to implement a two-year corrective action plan (CAP).

HIPAA Unauthorized PHI Disclosure Settlement: The Case CAPper

Under the terms of the CAP of the unauthorized PHI disclosure settlement, HRFM is required to:

1. Submit a breach notification report to HHS regarding this incident;
2. Review, develop or revise its policies and procedures to ensure compliance with the Privacy Rule, and submit all such policies and procedures to HHS for approval;
3. Distribute all HHS-approved policies and procedures to its workforce and ensure that each member of the workforce certifies receipt and understanding of the policies and procedures;
4. Train all members of its workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities;
5. Within 120 days after HHS approval of Holy Redeemer’s policies and procedures, submit a written report to HHS detailing the status of its implementation of the corrective action plan;
6. Provide a report to OCR regarding any non-compliance with its policies and procedures by any members of its workforce;
7. Provide annual reports to OCR regarding Holy Redeemer’s compliance with the corrective action plan.

OCR will monitor the implementation of this corrective action plan of the unauthorized PHI disclosure settlement for two years.

HIPAA Unauthorized PHI Disclosure Settlement: The Quotable OCR

In a press release announcing the settlement, OCR Director Melanie Fontes Rainer stated:

“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law,” said OCR Director Melanie Fontes Rainer. “Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”