In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  

The patient had requested that a single lab result—unrelated to her reproductive health—be sent to the potential employer. OCR asserts that this disclosure exceeded the scope of the patient’s authorization and was not made another permissible purpose. 

The agreement comes as covered entities and their business associates prepare to comply with OCR’s new Privacy Rule To Support Reproductive Health Care Privacy by December 23, 2024. OCR’s focus on the disclosure of reproductive health information in this settlement agreement signals the Office’s commitment to enforcing the rule. 

To settle these allegations, Holy Redeemer has agreed to pay HHS $35,581.00 (USD) to enter and comply with the requirements of a two-year “Corrective Action Plan” (CAP). This proscriptive CAP requires Holy Redeemer to: 

  • Submit a breach notification report to HHS about the alleged unauthorized disclosure described above that meets the requirements of 45 C.F.R. § 164.408

  • Review, revise, and maintain written “policies and procedures” (a protocol) that meet the requirements of HIPAA and include:  

    • a description of Privacy Rule’s prohibition on unauthorized use/disclosure of PHI, 

    • a policy for evaluating authorization for the use / disclosure of PHI,  

    • internal procedures for the reporting of HIPAA or protocol violations,  

    • a mandate of timely investigation and remediation of protocol violations and sanctions for non-compliance,  

    • clear definitions of and standards for risk assessments and defining breaches, and requirements for compliance with the HIPAA Breach Notification Rule

  • Provide this protocol to HHS, implement any HHS-requested revisions to it, and distribute the finalized protocol to all staff; 

  • Train all staff on compliance with this protocol using HHS-approved training materials and report any non-compliance with the protocol to HHS; 

  • Submit an “Implementation Report” to HHS that attests to describes its compliance with the CAP and renew this report annually for two years. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

By Mike Hintze and Felicity Slater 

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end. 

Read More

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.  

Read More

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others 

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others 

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

Read More

FTC Introduces Novel Ban in Its Settlement with NGL Labs and Scrutinizes AI Representations

By Emily Litka

On July 9, 2024, The Federal Trade Commission (FTC) and the Los Angeles District Attorney’s Office (LA DA) reached a settlement with NGL Labs, the maker of the “NGL: ask me anything” app and its co-founders. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA), and similar California state laws. In the complaint, the FTC and LA DA also brought claims against NGL’s cofounders individually. 

Read More

The Federal Trade Commission’s Revised Health Breach Notification Rule to Take Effect

By Felicity Slater 

In one month’s time, on July 29, 2024, the Federal Trade Commission’s (“FTC”) revised Health Breach Notification Rule (“HBNR”) will take effect. The rule obliges regulated entities to disclose breaches of personally identifying health information to consumers, the FTC, and, in some cases, the press. The revisions establish that a broad range of entities operating in the consumer health and wellness space are covered by the rule, and that unauthorized disclosures of personally identifying health information, along with data breaches as traditionally conceived of, trigger the rule’s notification obligations. Violators risk substantial fines. 

Read More

Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

By Cameron Cantrell and Sheila Sokolowski

On Thursday, June 20, 2024, the Department of Health and Human Services’ Office of Civil Rights and Office of Health Information Technology (collectively, “HHS”) jointly presented a webinar on the HIPAA Privacy Rule to Support Reproductive Health Privacy (the “Reproductive Health Privacy Rule” or “Rule”). HHS published the final Reproductive Health Privacy Rule on April 26, 2024, and provided the webinar as part of building out the agency’s guidance on the Rule’s novel requirements.

Read More

New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

By Cameron Cantrell and Sam Castic

This week the California Attorney General and Los Angeles City Attorney announced a proposed $500,000 settlement to a complaint against mobile app game developer and publisher Tilting Point Media LLC for  alleged violations of the California Consumer Privacy Act (“CCPA”), unfair competition law, and federal Children’s Online Privacy Protection Act (“COPPA”). This post summarizes the alleged practices that led to the enforcement action, how it fits with regulatory enforcement priorities including on data sales via tracking technologies and children’s privacy, and steps for companies to consider to reduce risk.

Read More

Hintze Law and Attorneys Recognized in Chambers USA Guide 2024 Rankings

We’re pleased to share that Hintze Law and attorneys at the firm have been recognized once again by Chambers & Partners for expertise in a number of Privacy and Data Security areas in the 2024 Chambers USA Guide. These recognitions include Hintze Law’s fourth year being ranked as an Elite Law Firm for Privacy and Data Security – USA Nationwide. One of Hintze Law’s clients that Chambers interviewed shared that "Hintze's team has unique experience that allows them to dig into complex issues and provide practical, actionable advice."

Read More

New York Legislature Considers Dramatically Restrictive Health Data Privacy Bill

By Mike Hintze and Felicity Slater

With just six days left in the state’s 2024 legislative session, the New York Legislature is considering a health data privacy bill that would dramatically impact companies that handle data related to health or wellness. Companies and other organizations should watch this bill carefully and understand its highly disruptive and costly implications should it pass the legislature and be signed by the governor.

Read More

Washington My Health My Data Act - Part 10: The Purchase of Medication

By Mike Hintze

Last week, the Washington State Office of the Attorney General (OAG) updated its guidance on the Washington My Health My Data Act (MHMDA). Specifically, the OAG added an eighth question and answer addressing whether information about a consumer purchasing non-prescription medication would be considered “consumer health data” subject to the law. 

This post explains the shortcomings of this new guidance. And in doing so, it takes a long overdue deep dive into how MHMDA treats personal information related to prescription and over-the-counter medications. It concludes that while this guidance may provide some comfort to entities regulated under MHMDA that process information about the purchase of non-prescription medications like aspirin or vitamins, it is only part of a bigger picture that should be considered along with the statutory text and other factors in determining an appropriately risk-based approach to complaince with this challenging law.

Read More