On November 26, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a Pennsylvania hospital over an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violation involved the impermissible disclosure of a female patient’s protected health information (PHI), including sensitive medical information.
In September 2023, OCR received a complaint stating that the hospital had disclosed the patient’s PHI, including her surgical history and other sensitive health information, to the patient’s prospective employer. OCR’s investigation found that the hospital disclosed the patient’s full medical record without the patient’s authorization, and no applicable requirement or permission under the HIPAA Privacy Rule allowed such a broad release of her medical records. The complainant had only requested that the hospital send a specific test result to the prospective employer.
As part of the resolution agreement, the hospital agreed to pay $35,581 and implement a corrective action plan to ensure compliance with HIPAA rules and protect patient privacy. OCR will monitor implementation of the corrective action plan for two years. The plan includes the following steps:
- Submit a breach notification report to HHS regarding this incident.
- Review, develop, or revise policies and procedures to ensure compliance with the Privacy Rule, and submit them to HHS for approval.
- Distribute HHS-approved policies and procedures to the hospital’s workforce, ensuring each member certifies receipt and understanding.
- Train all workforce members, including those from affiliated entities, on the approved policies and procedures.
- Within 120 days of HHS approval, submit a report detailing the status of the corrective action plan’s implementation.
- Provide a report to OCR if any workforce members fail to comply with the policies and procedures.
- Submit annual reports to OCR regarding ongoing compliance with the corrective action plan.
Compliance Perspective
Issue
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth requirements for covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates regarding the privacy and security of PHI. In this case, the hospital’s disclosure of sensitive patient information without authorization violated the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records. The Privacy Rule limits and conditions the uses and disclosures of PHI without an individual’s authorization, such as for health oversight activities or law enforcement purposes, and grants individuals rights, including access to their own medical records.
Discussion Points
- Regularly review and update policies and procedures related to the use, disclosure, and protection of PHI, ensuring they align with HIPAA requirements. Update these policies as needed to prevent unauthorized disclosures and safeguard patient privacy.
- Provide training on HIPAA and PHI handling for all staff at the time of hire, annually, and whenever updates or issues arise. Ensure that training includes proper procedures for disclosing PHI and handling sensitive patient information, emphasizing the importance of patient authorization for disclosures. Document all training sessions, including dates and attendees.
- Periodically audit procedures to ensure that PHI is being properly handled and that the policies governing its disclosure are being followed. Ensure compliance with HIPAA regulations, particularly regarding unauthorized disclosures, and address any identified issues promptly.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*