Office of Civil Rights

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  

The patient had requested that a single lab result—unrelated to her reproductive health—be sent to the potential employer. OCR asserts that this disclosure exceeded the scope of the patient’s authorization and was not made another permissible purpose. 

The agreement comes as covered entities and their business associates prepare to comply with OCR’s new Privacy Rule To Support Reproductive Health Care Privacy by December 23, 2024. OCR’s focus on the disclosure of reproductive health information in this settlement agreement signals the Office’s commitment to enforcing the rule. 

To settle these allegations, Holy Redeemer has agreed to pay HHS $35,581.00 (USD) to enter and comply with the requirements of a two-year “Corrective Action Plan” (CAP). This proscriptive CAP requires Holy Redeemer to: 

  • Submit a breach notification report to HHS about the alleged unauthorized disclosure described above that meets the requirements of 45 C.F.R. § 164.408

  • Review, revise, and maintain written “policies and procedures” (a protocol) that meet the requirements of HIPAA and include:  

    • a description of Privacy Rule’s prohibition on unauthorized use/disclosure of PHI, 

    • a policy for evaluating authorization for the use / disclosure of PHI,  

    • internal procedures for the reporting of HIPAA or protocol violations,  

    • a mandate of timely investigation and remediation of protocol violations and sanctions for non-compliance,  

    • clear definitions of and standards for risk assessments and defining breaches, and requirements for compliance with the HIPAA Breach Notification Rule

  • Provide this protocol to HHS, implement any HHS-requested revisions to it, and distribute the finalized protocol to all staff; 

  • Train all staff on compliance with this protocol using HHS-approved training materials and report any non-compliance with the protocol to HHS; 

  • Submit an “Implementation Report” to HHS that attests to describes its compliance with the CAP and renew this report annually for two years. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.