HIPAA

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

On November 26, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective action plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient, in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The patient had requested that a single lab result—unrelated to her reproductive health—be sent to a potential employer. OCR asserts that this disclosure exceeded the scope of the patient’s authorization and was not made for any other permissible purpose.

The agreement comes as covered entities and their business associates prepare to comply with OCR’s new Privacy Rule To Support Reproductive Health Care Privacy by December 23, 2024. OCR’s focus on the disclosure of reproductive health information in this settlement agreement signals the Office’s commitment to enforcing the rule. 

To settle these allegations, Holy Redeemer has agreed to pay HHS $35,581.00 (USD) and to enter into and comply with the requirements of a two-year “Corrective Action Plan” (CAP). This prescriptive CAP requires Holy Redeemer to:

  • Submit a breach notification report to HHS about the alleged unauthorized disclosure described above that meets the requirements of 45 C.F.R. § 164.408;

  • Review, revise, and maintain written “policies and procedures” (a protocol) that meet the requirements of HIPAA and include:

    • a description of the Privacy Rule’s prohibition on unauthorized use or disclosure of PHI,

    • a policy for evaluating authorizations for the use or disclosure of PHI,

    • internal procedures for the reporting of HIPAA or protocol violations,

    • a mandate of timely investigation and remediation of protocol violations, and sanctions for non-compliance,

    • clear definitions of and standards for risk assessments and for determining whether a breach has occurred, and requirements for compliance with the HIPAA Breach Notification Rule;

  • Provide this protocol to HHS, implement any HHS-requested revisions to it, and distribute the finalized protocol to all staff;

  • Train all staff on compliance with this protocol using HHS-approved training materials, and report any non-compliance with the protocol to HHS;

  • Submit an “Implementation Report” to HHS that attests to and describes its compliance with the CAP, and renew this report annually for two years.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC, chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group and the Artificial Intelligence and Machine Learning Group.

FTC and HHS Warn Healthcare Providers about Risk of Tracking Technologies

By Sheila Sokolowski and Kate Black

In a joint letter sent to 130 hospital systems and telehealth providers, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) warned health care providers, both those covered by HIPAA and those that are not, that they may violate the HIPAA Rules, the FTC Act, and the FTC Health Breach Notification Rule (HBNR) when they use technology that tracks users’ activities on their websites and apps.


Give a Mouse a Cookie, Get a BAA: OCR Bulletin on Tracking Raises HIPAA Risks for HIPAA-Regulated Entities and Online Tracking Vendors

By Mason Fitch

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for the online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (e.g., EHRs, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.


Abortion Care Privacy Protection & Gaps Amplified Following Roe Reversal

By Mason Fitch

The Supreme Court’s reversal of Roe v. Wade amplifies attention to concerns around the privacy of abortion-related services, including the provision of healthcare, period-tracking apps, and even payment methods and mobile location data. In a direct response to Roe’s reversal, the Department of Health and Human Services (HHS) released guidance underscoring the protections applicable to protected health information (PHI) relating to abortion and other reproductive care under the Health Insurance Portability & Accountability Act (HIPAA), which we outline below. HIPAA, however, is limited in scope and does not protect a vast swath of information relating to abortion care.
