On November 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $35,581 settlement with Holy Redeemer Family Medicine in Pennsylvania over an alleged HIPAA Privacy Rule violation involving the impermissible disclosure of a female patient’s sensitive reproductive health details.
In September 2023, OCR received a complaint that Holy Redeemer had disclosed a patient’s full medical record, including surgical, gynecological, obstetric, and reproductive health histories, to the patient’s prospective employer. The patient had asked that only one specific test result, unrelated to reproductive health, be shared. OCR’s investigation found that the disclosure was made without the patient’s written authorization and was not otherwise permitted or required by the HIPAA Privacy Rule.
As part of the settlement, Holy Redeemer will implement a two-year corrective action plan, including revising policies, workforce training, and compliance reporting. The OCR will also monitor Holy Redeemer’s adherence to protecting patient privacy.
“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law,” said OCR Director Melanie Fontes Rainer. “Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”
Adhering to HIPAA Rules helps maintain patient trust, especially for sensitive details like reproductive health information. Improper disclosures undermine patient trust and violate federal laws, leading to financial penalties and reputational harm for healthcare providers.
Healthcare providers must improve their privacy practices and staff training to protect sensitive data and uphold patient confidence.
When providers are HIPAA compliant, they demonstrate a commitment to safeguarding patient privacy and improve trust in the patient-provider relationship.
Providers must implement administrative, physical, and technical safeguards (for example, encrypted email such as Paubox), conduct regular risk analyses, and train staff on an ongoing basis to maintain HIPAA compliance.
Violating HIPAA Rules can result in civil monetary penalties, corrective action plans, and disciplinary action against the provider. The statutory civil penalty tiers range from $100 to $50,000 per violation, with an annual cap of $1.5 million per identical provision, and these base amounts are adjusted annually for inflation, so current figures are higher. Separately, knowingly obtaining or disclosing protected health information in violation of HIPAA can be prosecuted criminally, with fines and imprisonment.