The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, concerning an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule due to an impermissible disclosure of a female patient’s protected health information (PHI), including information related to reproductive healthcare. In September of 2023, OCR received a complaint alleging that Holy Redeemer impermissibly disclosed a female patient’s PHI to the patient’s prospective employer, including her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive healthcare.
OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including PHI concerning her reproductive healthcare, that it did not have the patient’s authorization for the broad disclosure of her PHI, and that there otherwise was no applicable requirement or permission under the Privacy Rule for such a broad release of her medical records. The complainant stated that she had requested that Holy Redeemer send one specific test result, unrelated to her reproductive health, to a prospective employer.
