HHS Office for Civil Rights Reaffirms Interest in Enforcement Related to Reproductive Health Information

Newsletter

On December 2, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced a settlement with Holy Redeemer Family Medicine, a Pennsylvania covered entity, regarding an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. According to HHS OCR, Holy Redeemer violated HIPAA by disclosing a female patient’s protected health information (“PHI”) to the patient’s prospective employer without proper authorization from the patient. The patient requested that Holy Redeemer send information about the results of a specific test to the prospective employer; however, Holy Redeemer sent the patient’s entire medical record, including “highly sensitive reproductive health information” without obtaining the patient’s written and signed authorization to do so.

In previous publications and webinars, we’ve shared recent updates to the HIPAA Privacy Rule to protect reproductive health information. This includes a Final Rule amending the HIPAA Privacy Rule issued in April 2024, which prohibits the disclosures of PHI relating to reproductive health care in certain circumstances, including for the mere purpose of identifying a patient who had received or a professional that had provided reproductive care that was otherwise lawful in the state where the care was administered. With the December 23, 2024 compliance date for certain changes under the 2024 Final Rule (including the requirement to obtain a written attestation from requestors of reproductive PHI) following in just a few weeks, OCR’s specific call-out of reproductive health information in this resolution agreement sends a strong signal that OCR is committed to enforcing the new rules to protect the privacy of reproductive health information.

TL;DR – Be careful when reviewing “all records” requests and keep moving with your HIPAA Reproductive Health Care Privacy Rule implementation until you hear otherwise. We’ll keep you updated on the Texas case and any actions the new administration takes regarding the rule.

Have questions about your organization’s readiness for the December 23, 2024 Final Rule compliance date, or other privacy and security questions? Contact your Quarles attorney or:

Follow Quarles

Subscribe Media Contact
Back to Main Content

We use cookies to provide you with the best user experience on our website and to analyze statistics related to our website. To understand more about how we use cookies, or for instructions to change your preference and browser settings, please see our Privacy Notice. Please note that if you choose to reject cookies, doing so may impair some of our website's functionality.