OCR Reaches Settlement with Medical Provider After Improper Disclosure of Reproductive Health Information

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has reached a settlement with a medical provider concerning a Health Insurance Portability and Accountability Act (HIPAA) violation. The violation at issue, which resulted in a fine of more than $35,000, involved improper disclosure of protected health information (PHI). OCR initiated an investigation after a patient reported that the covered entity had improperly disclosed information related to her reproductive health to a prospective employer. The PHI disclosure occurred when the patient asked the provider to send a copy of a specific test result to the prospective employer. Instead, the provider disclosed her entire medical record without authorization. The covered entity agreed to a two-year corrective action plan and a monetary fine. The plan requires the covered entity to:

• Submit a breach notification report to HHS concerning any such incidents.
• Review, develop, or revise privacy policies and procedures to be approved by OCR and distributed to all employees with certification they have received the documents.
• Train all employees on policies and procedures, including any employees of affiliated entities.
• Submit a written report updating HHS on implementing the corrective action plan.
• Provide OCR annual reports regarding noncompliance with the approved policies and procedures.

OCR reiterated its dedication to protecting patients’ private reproductive healthcare information as part of its announcement. The agency emphasized that maintaining the privacy of reproductive PHI is necessary for patients to trust the patient-doctor relationship and encourage them to get the healthcare they need. The OCR finalized the Final Rule to Protect Reproductive Health Care, which supports privacy for reproductive Health care information, in April 2024. Covered entities had to comply with the Rule’s requirements no later than December 31, 2024. One major requirement of the Rule includes implementing an attestation process for requests for patients’ PHI related to reproductive healthcare from various agencies, including law enforcement agencies and coroners or medical examiners. HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.