Pennsylvania Hospital Settles HIPAA Impermissible Disclosure Investigation with OCR
A hospital in Pennsylvania has agreed to settle an alleged violation of the HIPAA Privacy Rule with the HHS’ Office for Civil Rights (OCR) for $35,581. The settlement agreement includes a corrective action plan and compliance monitoring by OCR for two years.
OCR launched an investigation following a September 2023 complaint from a patient of Holy Redeemer Family Medicine, who alleged that her medical records had been disclosed to a prospective employer without her consent. The patient had authorized Holy Redeemer to send a single test result to the prospective employer; however, Holy Redeemer sent her full medical record. The information sent included her gynecological, obstetric, and surgical history and other sensitive information regarding her reproductive healthcare. The test result she had authorized for disclosure was unrelated to her reproductive health.
OCR confirmed that the patient had not provided consent for such a broad disclosure of her health information and the disclosure was not made pursuant to a permissible purpose under or as required by the Privacy Rule. As such, there was an impermissible disclosure of protected health information in violation of the 45 C.F.R. § 164.502(a) standard of the HIPAA Privacy Rule.
The settlement is not an admission of liability or wrongdoing, only an informal resolution to the investigation. In addition to the financial penalty, Holy Redeemer has agreed to adopt a corrective action plan (CAP) to ensure future compliance with the HIPAA Rules. The CAP requires a breach notice to be submitted to OCR, a review and revision of policies and procedures, distribution of those policies and procedures to the workforce, and the provision of appropriate HIPAA training.
Specifically, the CAP requires policies that prohibit uses and disclosures of protected health information unless there is a valid patient authorization or the use or disclosure is permitted by the HIPAA Privacy Rule; the development and implementation of a process for evaluating and approving patient authorizations; the establishment of internal reporting procedures that require all workforce members to report violations of the HIPAA Rules; and procedures requiring Holy Redeemer to promptly investigate and address those reports and to report any HIPAA violations to OCR within the required time frame.
This is the thirteenth financial penalty imposed by OCR this year. Through those civil monetary penalties and settlements, OCR has collected $2,525,781 this year. There is no private cause of action under HIPAA, which means individuals affected by HIPAA violations cannot sue HIPAA-regulated entities for violations of the HIPAA Rules. The HITECH Act of 2009 – Section 13410(c)(3) – requires OCR to establish a methodology for sharing a portion of the funds collected from enforcement actions with victims of those violations. OCR sought feedback from stakeholders on such a methodology in 2018; however, a notice of proposed rulemaking has yet to be issued.