In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in Health + Biotech, Health Privacy, HIPAA, State Legislation

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The patient had requested that a single lab result—unrelated to her reproductive health—be sent to the potential employer. OCR asserts that this disclosure exceeded the scope of the patient’s authorization and was not made another permissible purpose.

The agreement comes as covered entities and their business associates prepare to comply with OCR’s new Privacy Rule To Support Reproductive Health Care Privacy by December 23, 2024. OCR’s focus on the disclosure of reproductive health information in this settlement agreement signals the Office’s commitment to enforcing the rule.

To settle these allegations, Holy Redeemer has agreed to pay HHS $35,581.00 (USD) to enter and comply with the requirements of a two-year “Corrective Action Plan” (CAP). This proscriptive CAP requires Holy Redeemer to:

Submit a breach notification report to HHS about the alleged unauthorized disclosure described above that meets the requirements of 45 C.F.R. § 164.408;

Review, revise, and maintain written “policies and procedures” (a protocol) that meet the requirements of HIPAA and include:
- a description of Privacy Rule’s prohibition on unauthorized use/disclosure of PHI,
- a policy for evaluating authorization for the use / disclosure of PHI,
- internal procedures for the reporting of HIPAA or protocol violations,
- a mandate of timely investigation and remediation of protocol violations and sanctions for non-compliance,
- clear definitions of and standards for risk assessments and defining breaches, and requirements for compliance with the HIPAA Breach Notification Rule;

Provide this protocol to HHS, implement any HHS-requested revisions to it, and distribute the finalized protocol to all staff;

Train all staff on compliance with this protocol using HHS-approved training materials and report any non-compliance with the protocol to HHS;

Submit an “Implementation Report” to HHS that attests to describes its compliance with the CAP and renew this report annually for two years.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech, Health and Biotech, Hintze Law, Privacy, Health Privacy

By Mike Hintze and Felicity Slater

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

November 07, 2024 in Hintze Law, Awards, Best Lawyers, Best Law Firms, Technology Law, Information Technology La

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others

October 08, 2024 in CCPA, Cybersecurity, Hintze Law, Privacy

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

FTC Introduces Novel Ban in Its Settlement with NGL Labs and Scrutinizes AI Representations

August 19, 2024 in FTC, COPPA, Global Privacy & Security, Online Advertising

By Emily Litka

On July 9, 2024, The Federal Trade Commission (FTC) and the Los Angeles District Attorney’s Office (LA DA) reached a settlement with NGL Labs, the maker of the “NGL: ask me anything” app and its co-founders. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA), and similar California state laws. In the complaint, the FTC and LA DA also brought claims against NGL’s cofounders individually.