USA: HHS reaches a settlement with Holy Redeemer Family Hospital over alleged violation of HIPAA

On November 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it reached a settlement with Holy Redeemer Family Hospital concerning an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

Background to the settlement

The OCR outlined that it received a complaint in September 2023, alleging that the hospital impermissibly disclosed a female patient's protected health information to the patient's prospective employer, including their surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive healthcare.

Moreover, the OCR highlighted that, according to the complainant, they asked the hospital to share only one specific test result unrelated to their reproductive health with a prospective employer.

Findings of the OCR

The OCR explained that during its investigation, it found that the hospital disclosed the patient's protected health information concerning their reproductive healthcare without:

  • the patient's authorization for the broad disclosure of their protected health information; and
  • any applicable requirement or permission under the HIPAA Privacy Rule.

Outcomes

The OCR stated that following the above, it concluded a resolution agreement with the hospital, under which the hospital paid $35,581 and agreed to implement corrective actions, including:

  • submitting a breach notification report to HHS;
  • reviewing, developing, or revising its policies and procedures to ensure compliance with HIPAA and submitting them for HHS approval;
  • distributing all HHS-approved policies and procedures to its workforce and ensuring their understanding;
  • training all members of its workforce on its HHS-approved policies and procedures, including all those of affiliated entities;
  • within 120 days after HHS approval of policies and procedures, submitting a written report to HHS detailing the status of its implementation of the corrective action plan;
  • providing a report to the OCR regarding any non-compliance with its policies and procedures by any members of its workforce; and
  • providing annual reports to the OCR regarding its compliance with the corrective action plan.

You can read the press release here and the resolution agreement and corrective plan here.