OCR Settles With Holy Redeemer on Alleged HIPAA Violation
On November 26, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Meadowbrook, Pennsylvania-based Holy Redeemer Family Medicine concerning an alleged violation of HIPAA.
In September of 2023, OCR received a complaint alleging that Holy Redeemer impermissibly disclosed a female patient’s health information to the patient’s prospective employer. This included her surgical, gynecological, and obstetric history and information concerning reproductive healthcare.
An investigation by OCR concluded that Holy Redeemer disclosed the patient’s complete medical record without the patient’s authorization. OCR noted that there was no requirement or permission under the Privacy Rule for such a broad release of medical records. The complainant had requested that Holy Redeemer send one test result, unrelated to reproductive health, to a potential employer.
“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law,” said OCR director Melanie Fontes Rainer in a statement. “Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”
Holy Redeemer paid $35,581 and agreed to implement a corrective action plan identifying steps to comply with the HIPAA Rules. OCR will monitor the implementation of the action plan for two years.