Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Alerts
    4. OCR enforcement ahead of HIPAA Privacy Rule compliance deadline

      Alerts

    Alert / Healthcare

    OCR enforcement ahead of HIPAA Privacy Rule compliance deadline

    Dec 6, 2024

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague

    Settlement emphasizes the need for HIPAA-regulated entities to protect data privacy, including for reproductive health information.

    What’s the impact?

    • Health care providers, health plans, and applicable business associate vendors have until December 23, 2024, to be in compliance with most aspects of the updated HIPAA Privacy Rule.
    • HIPAA-regulated entities should use the coming weeks to ensure that workforce members are trained on the new HIPAA requirements and any resulting process changes related to the provision of protected health information.

    DOWNLOAD

    OCR enforcement ahead of HIPAA Privacy Rule compliance deadline (PDF)

    On December 2, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published a settlement with Holy Redeemer Family Medicine (Holy Redeemer) regarding an impermissible disclosure of a patient’s protected health information (PHI), including reproductive health care information. The Pennsylvania hospital paid $35,581 and agreed to a two-year corrective action plan (CAP). While this settlement did not allege violations of the new HIPAA regulations governing reproductive health care information, it serves as a reminder to HIPAA-regulated entities of the imminent compliance deadline under those regulations.

    Hospital settles HIPAA alleged violation

    Following a complaint that the hospital impermissibly disclosed a patient’s PHI to the patient’s prospective employer, which included obstetric and gynecological history and other sensitive reproductive health care information, OCR determined that Holy Redeemer disclosed more PHI than it was authorized to disclose. The patient at issue authorized the disclosure of one test result, unrelated to reproductive health care, and the hospital disclosed her entire medical record.

    As part of the two-year CAP, the hospital is required to update its HIPAA Privacy Rule policies, distribute them to its workforce, and ensure that all workforce members are trained on the policies and certify receipt and understanding of the same.

    HIPAA Privacy Rule compliance deadline approaching fast

    On April 22, 2024, OCR issued a final rule modifying the HIPAA Privacy Rule (the Final Rule). The new regulations took effect in June 2024, and covered entities and business associates have until December 23, 2024, to comply with most of the requirements (covered entities have until February 16, 2026, to update their Notice of Privacy Practices to address both the Final Rule’s requirements, as well as the recent changes to the substance use disorder regulations under 42 CFR Part 2).

    The Final Rule alters certain uses and disclosures that previously were permissible for hospitals, physician practices, FQHCs, pharmacies, or other health care providers or health plans, as well as vendors handling medical record functions on behalf of these entities, with respect to information that contains, or may contain, reproductive health care information. The Final Rule requires a new attestation form and process for certain disclosures of reproductive health information. OCR designed the Final Rule to protect information about legally obtained reproductive care from being used to prosecute a clinician, relative, or patient. These regulations also clarify uses and disclosure that can be made for public health purposes, clarify that facilitating reproductive health care cannot be used as a basis to report abuse or deny personal representative status, and clarify that all disclosures in response to a law enforcement officer’s administrative request, related to reproductive care or not, must only be in response to a process that legally compels disclosure.

    HIPAA-regulated entities should note the breadth of the definition of “reproductive health care,” as the Final Rule impacts far more than clinicians providing obstetrics and gynecology services. It includes any PHI that references an individual’s reproductive health: including the provision of birth control, pregnancy, and sterilization, that are contained in a clinician’s records or a health plan’s documentation, regardless as to whether the organization provided or is providing that care. While the Final Rule’s requirements are somewhat discrete, they likely require a wide range of health care providers and health plans to update their policies and processes, and many should ensure that they have an attestation form for applicable disclosures of reproductive health care information.

    As evidenced by the recent OCR enforcement, HIPAA-regulated entities should use the weeks leading up to the Final Rule’s compliance deadline to review policies, procedures, and processes to ensure compliance. In addition, health care providers and health plans should ensure that their workforce members are trained on the new requirements and reminded of their ongoing obligation to safeguard PHI. If an entity relies on a vendor for fulfillment of medical records requests, the covered entity should confirm that its vendor understands the new Final Rule requirements and has processes in place to comply accordingly.

    For more information on the content of this alert, please contact your Nixon Peabody attorney or the author of this alert.

    OCR Action

    Locations

    Chicago

    Practices

    HealthcareCybersecurity & PrivacyHealth Information - Privacy, Security & Data SharingFertility, Reproductive Medicine, Sexual Health & WellnessHealthcare Regulatory & Compliance

    Insights And Happenings

    • Alert

      Summary of select health-related provisions in the State Fiscal 2025–26 Executive Budget

      Jan 24, 2025
    • Press Release

      Nixon Peabody expands Healthcare practice with transactional and regulatory partner

      Jan 21, 2025
    • Article

      HIPAA security risk analysis failures lead to financial settlements with OCR

      Jan 13, 2025
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved