The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) will start to enforce compliance later this month with new special protections for individuals’ reproductive health information as required by a recently finalized HIPAA Privacy Rule, as we noted in an earlier blog post. While the incoming Trump Administration may change enforcement priorities or even rescind that rule, a settlement from OCR that pre-dated implementation of that rule indicates that OCR already affords this information protection.
The settlement marks OCR’s first enforcement action and settlement against a health care provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the existing Privacy Rule standards. In other words, regardless of whether the incoming administration rescinds or revises the new protections for reproductive health information, OCR has demonstrated that it considers reproductive health information as highly sensitive and will take enforcement action accordingly under the HIPAA Privacy Rule as it is today.
Organizations would be well advised to use the remaining time before the December 23 compliance date to update existing policies to define the scope of reproductive health care-related protected health information (PHI) within the organization, and to set forth standards and procedures for how the organization will implement compliance with the new requirements. These should address, for example, how the organization will assess and respond to third-party requests for reproductive health care-related PHI, including situations in which an attestation is required.
Details of the Settlement
In September 2023, OCR received a complaint alleging that a Pennsylvania hospital disclosed a female patient’s PHI, including information related to reproductive health care, to the patient’s prospective employer without her authorization. The information disclosed included, among other things, the patient’s surgical history, gynecological history, and obstetric history. In a complaint to OCR, the patient alleged that she had requested that the hospital send one specific test result, unrelated to her reproductive health, to a prospective employer. However, OCR’s investigation determined that the hospital (1) disclosed the patient’s full medical record, including reproductive health information, to the patient’s prospective employer; (2) did not have the patient’s authorization to disclose her full medical record; and (3) did not meet any applicable requirement or permission under the Privacy Rule that would permit such a broad disclosure.
As a result of its investigation, OCR reached a $35,581 settlement with the hospital, which requires the hospital to implement a corrective action plan that will be monitored by OCR for two years. The corrective action plan includes specific steps that the hospital must take to comply with HIPAA (such as developing and revising policies and procedures and training all personnel) and to protect patient privacy so that this does not happen again.
What it Means
As this settlement predates the new HIPAA protections for reproductive health information, it reinforces the importance for organizations of ensuring that they are in compliance both with currently existing HIPAA rules and with the new protections for reproductive health information.
Be cautious when reviewing “all records” requests to ensure compliance with the new reproductive health information standards.
Reed Smith will continue to follow developments with regard to reproductive health care and privacy. If you have any questions about how the updated Privacy Rule applies to your business, please reach out to the authors of this article or the health care lawyers at Reed Smith.