A just-announced settlement warns health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) to fulfill their responsibility to ensure the privacy of patient reproductive health and other personally identifiable health care information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) HIPAA Privacy, Security, and Breach Notification Rules (the “Privacy Rules”). Covered Entities should ensure they have updated their policies, privacy notices, training and practices to comply with changes with the Privacy Rules made by the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (the “Reproductive Privacy Rule”) adopted in April.
Covered Entities Required To Update Policies To Comply With New Reproductive Privacy
The HIPAA Privacy Rule enforced by Department of Health and Human Rights Office for Civil Rights (“OCR”) establishes national standards to protect individuals’ medical records, requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization, (such as disclosures for health oversight activities or for law enforcement purposes), and gives individuals rights such as the ability to access their own medical records.
On April 22, 2024, OCR adopted the Reproductive Privacy Rule to expand protections for reproductive health care privacy and other reproductive rights following the Supreme Court’s landmark abortion decision in Dobbs v. Jackson. The Reproductive Privacy Rule:
- Requires Covered Entities to modify their Notice of Privacy Practices to support reproductive health care privacy;
- Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities;
- Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
Covered Entities that have not already done so should review and update their policies, privacy notices, procedures and practices to ensure their compliance with these updated requirements.
New Holy Redeemer Reproductive Privacy Settlement
The new settlement with Pennsylvania hospital Holy Redeemer Family Medicine (“Holy Redeemer”) announced December 2, 2024, resolves charges that Holy Redeemer violated HIPAA by impermissibly disclosing reproductive health care and other PHI about a female patient. The settlement arose from a September 2023 complaint received by OCR that Holy Redeemer impermissibly disclosed surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care of a female patient to the patient’s prospective employer when the patient only authorized Holy Redeemer to send one specific test result unrelated to her reproductive health to that prospective employer. OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including information concerning her reproductive health care without the patient’s authorization for the broad disclosure of her PHI. OCR also found that the disclosure was not otherwise permitted under the Privacy Rule.
Under the terms of the resolution agreement, Holy Redeemer paid $35,581 and agreed to implement a corrective action plan that identifies specific steps it will take to comply with the HIPAA Rules and protect patient privacy to prevent this from happening again. OCR will monitor the implementation of this corrective action plan for two years.
The Holy Redeemer Settlement demonstrates the advisability for each Covered Entity to ensure that its policies, privacy notices, training, practices and other controls for protecting the wrongful use, access or disclosure of reproductive and other sensitive health care information are up to date and defensible. The author of this update, Cynthia Marcotte Stamer has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management.
Along with their exposure to civil monetary penalties under HIPAA, improper sharing of reproductive health or other personal health care information also could expose health care providers to ethical or licensing discipline, malpractice invasion of privacy or other civil suits and other liabilities. While the preemption provisions of the Employee Retirement Income Security Act (“ERISA”) generally insulate employment-based insured and self-insured health plans and their fiduciaries against state law invasion of privacy and other state tort claims, employment-based health plans, their fiduciaries, insurers and administrators breaching the Privacy Rule risk liability under HIPAA as well as ERISA breach of fiduciary duty. Where ERISA preemption does not apply, insurers, brokers or other insurance industry businesses violating these rules likewise also can face licensing or other regulatory discipline as well as potential damage liability for invasion of privacy and other tort claims.
If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.
For More Information
We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..
Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.
As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.
In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.
slphealthcareupdate.com 