Report on Patient Privacy 24, no. 12 (December, 2024)
It’s not immediately obvious why someone would want to disclose a health care test result as part of a job application. But one patient’s request for exactly that spurred a Pennsylvania entity to provide a lot more than she asked for: it sent her whole medical record—including highly sensitive reproductive health information—to the prospective employer.
What should be immediately obvious is that this is a big no-no. The patient complained to the HHS Office for Civil Rights (OCR) in September 2023, and a little more than a year later, the agency announced that an entity called Holy Redeemer Family Medicine (HRFM)—which it alternately described as a hospital and later a family medicine practice—paid $35,581 and agreed to implement a two-year corrective action plan (CAP).[1]
Although the penalty is comparatively small, the list of requirements in the CAP is not. Compliance costs will undoubtedly exceed the penalty amount, and OCR is requiring HRFM to retrain all of parent organization Redeemer Health’s workforce and affiliated entities, including its physician group.
Although OCR cited a single HIPAA infraction—failure to obtain an authorization (as required under 45 C.F.R. § 164.502(a)), resulting in an impermissible disclosure—it appears HRFM also violated the Breach Notification Rule. HRFM’s first obligation in the CAP is to “submit a breach notification report regarding this incident to HHS” within 15 days of the effective date of the agreement.[2]
Sharon Glogowski, Redeemer Health’s chief compliance officer, signed the agreement on Sept. 23. Neither Glogowski nor Rich Leonowitz, director of corporate communications, responded to RPP’s requests for comment on the settlement. As is customary, the settlement agreement indicates that Redeemer did not admit wrongdoing.
The circumstances are similar to a 2017 settlement agreement involving what was then called St. Luke’s-Roosevelt Hospital Center, now known as Mount Sinai Morningside. An employee of a program that provided comprehensive health services to persons living with HIV or AIDS and other chronic diseases inappropriately faxed medical records to a patient’s employer instead of sending them, presumably by mail or other delivery method, “to the requested personal post office box,” OCR said of the September 2014 incident.[3]
A previous inappropriate disclosure of sensitive information, also via fax, had occurred several months earlier and had not resulted in better safeguards; that history figured in the $387,000 payment and accompanying three-year CAP.
Patient Hadn’t Signed an Authorization
According to Redeemer Health’s website, a practice called Redeemer Family Medicine is based in Bensalem, Pa.; just one physician is listed. OCR did not give the address of the practice that allegedly sent the records.
As noted earlier, a patient complained to OCR that HRFM shared with her prospective employer more protected health information (PHI) than she had requested. Her request was confined to “one specific test result, unrelated to her reproductive health,” according to OCR’s announcement. Instead, OCR confirmed her allegation that the practice shared “her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care.”
HRFM lacked “the patient’s authorization for the broad disclosure” of her PHI, and “there otherwise was no applicable requirement or permission under the Privacy Rule for such a broad release of her medical records,” OCR said. HRFM’s CAP “identifies specific steps it will take to comply with the HIPAA Rules and protect patient privacy to prevent this from happening again,” OCR said.
It is worth noting that OCR acted on this complaint under long-standing Privacy Rule protections—not its April reproductive health rule. HHS is facing two suits challenging that rule, which goes into effect for most provisions later this month.[4]
As is typical with OCR settlements, the agency did not explain the basis for the $35,581, which is an oddly specific amount. Among the factors OCR considers when formulating a penalty is the organization’s financial condition. A recent media report said that 239-bed Holy Redeemer Hospital “reported a $27.7 million operating loss, while its physician services division posted a $20.7 million loss in fiscal 2024” and that Redeemer Health “last reported a profit, of $2.3 million, in 2019. Its accumulated losses during the past five years are in excess of $140 million.”[5]
Training Certifications Required
After HRFM notifies OCR of the inappropriate disclosure at issue, the CAP requires it to take a number of other steps, beginning with reviewing “and, to the extent necessary,” developing, maintaining and revising its policies and procedures to ensure compliance with the Privacy Rule. It has 90 days to submit the policies to HHS for review and approval.
Within 60 days of approval, the policies are to be distributed, and workers will receive training on them using materials that HHS approved. The CAP also calls for HRFM to annually send HHS “a copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held.”
The CAP identifies HR Physician Services d/b/a Holy Redeemer Physician Services and Ambulatory Services, Holy Redeemer Health System and Redeemer Health as the entities whose workforce members must be trained. New members are to receive training within 60 days of beginning employment.
HRFM must also obtain a written or electronic “initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by such Policies and Procedures.” In addition, HRFM must review its policies annually and submit any revisions to HHS for approval.
CAP Activities: From Specific to Basic
Two of the requirements in the CAP deal specifically with the problem that led to the settlement. OCR is requiring HRFM to develop:
- “A policy to describe the Privacy Rule’s specific prohibition on the use or disclosure” of PHI “unless required or permitted by the Privacy Rule” by HRFM “workforce members, agents, and business associates, including when written authorization of the patient who is the subject of the PHI sought to be disclosed is required, or of the personal representative of said patient.” The policy must include “a requirement that any such written authorization shall be signed by the patient who is the subject of the PHI sought to be disclosed, or of the personal representative of said patient.”
- “A process for evaluating and approving authorizations requesting the use or disclosure of PHI by HRFM before allowing third parties to have access to patients’ PHI.”
Beyond these, OCR is requiring HRFM to engage in a number of additional activities that more resemble basic HIPAA compliance tasks. HRFM must create:
- “Internal reporting procedures requiring HRFM workforce members to report any violations of the Privacy or Security Rules or HRFM’s privacy and security policies and procedures to the designated Privacy Officer, at the earliest possible time. Such procedures shall require HRFM to promptly investigate and address all reports received in a timely manner.
- “Identification of HRFM’s personnel or representatives who workforce members, agents, or business associates may contact in the event of any inquiry or concern regarding compliance with HIPAA in relation to these activities.
- “A policy stating that upon receiving information that a member of its workforce may have violated these policies and procedures, HRFM shall promptly investigate and address the violation in an appropriate and timely manner.
- “Application of appropriate sanctions (which may include re-training or other instructive corrective action, depending on the circumstances) against members of HRFM’s workforce, including supervisors and managers, who fail to comply with HRFM’s Policies and Procedures.
- “Policies and procedures related to risk assessments and the definition of a breach, pursuant to 45 C.F.R. § 164.402.
- “Policies and procedures to comply with the Breach Notification Rule; including HRFM’s internal reporting procedures which will require all workforce members to report to the designated person or office at the earliest possible time any potential violations of the Privacy, Security or Breach Notification Rules or of HRFM’s privacy and security policies and procedures. Such reporting procedures shall require HRFM to promptly investigate and address all received reports in a timely manner. (45 C.F.R. § 164.400, et seq.)”
The CAP also includes elements common in other agreements, including submitting attestations of compliance and providing annual reports to OCR.
1 U.S. Department of Health and Human Services, “HHS Office for Civil Rights Settles with Holy Redeemer Hospital Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information,” news release, November 26, 2024, https://bit.ly/49eXMoK.
2 U.S. Department of Health and Human Services, Office for Civil Rights, “Holy Redeemer Hospital Resolution Agreement and Corrective Action Plan,” content last reviewed November 26, 2024, https://bit.ly/3ZczhnF.
3 Theresa Defino, “Rebuke for Errant Fax Provides Opportunity to Review Safeguards,” Report on Patient Privacy 17, no. 6 (June 2017), https://bit.ly/4eYGYmZ.
4 Jane Anderson, “As Reproductive Health Rule Effective Date Looms, TX Lawsuits Seek a Halt,” Report on Patient Privacy 24, no. 12 (December 2024).
5 Ryan Genova, “Redeemer Health, which owns Holy Redeemer Hospital in Abington, has accrued an operating deficit of $53M,” Glenside Local, November 9, 2024, https://bit.ly/3AViKfM.