Disclosure of Full Record to Employer Results in $35K Fine, Broad CAP; Echoes of 2017 HIV Case

Health Care Compliance Association (HCCA)

Report on Patient Privacy 24, no. 12 (December, 2024)

It’s not immediately obvious why someone would want to disclose a health care test result as part of a job application. But one such request spurred a Pennsylvania entity to provide a lot more than that: it sent the patient’s whole medical record—including highly sensitive reproductive health information—to the prospective employer.

What should be immediately obvious is that this is a big no-no. The patient complained to the HHS Office for Civil Rights (OCR) in September 2023, and a little more than a year later, the agency announced that an entity called Holy Redeemer Family Medicine (HRFM)—which it alternately described as a hospital and later a family medicine practice—paid $35,581 and agreed to implement a two-year corrective action plan (CAP).[1]

Although the penalty is comparatively small, the list of requirements in the CAP is not. Compliance costs will undoubtedly exceed the penalty amount, and OCR is requiring HRFM to retrain all of parent organization Redeemer Health’s workforce and affiliated entities, including its physician group.

Although OCR cited a single HIPAA infraction—failure to obtain an authorization (as required under 45 C.F.R. § 164.502(a)), resulting in an impermissible disclosure—it appears HRFM also violated the Breach Notification Rule. HRFM’s first obligation in the CAP is to “submit a breach notification report regarding this incident to HHS” within 15 days of the effective date of the agreement.[2]

Sharon Glogowski, Redeemer Health’s chief compliance officer, signed the agreement on Sept. 23. Neither Glogowski nor Rich Leonowitz, director of corporate communications, responded to RPP’s requests for comment on the settlement. As is customary, the settlement agreement indicates that Redeemer did not admit wrongdoing.

The circumstances are similar to a 2017 settlement agreement involving what was then called St. Luke’s-Roosevelt Hospital Center, now known as Mount Sinai Morningside. An employee of a program that provided comprehensive health services to persons living with HIV or AIDS and other chronic diseases inappropriately faxed medical records to a patient’s employer instead of sending them, presumably by mail or other delivery method, “to the requested personal post office box,” OCR said of the September 2014 incident.[3]

A previous inappropriate disclosure of sensitive information, also via fax, had occurred several months earlier and did not result in better safeguards; it figured in the $387,000 payment and accompanying three-year CAP.
