HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012.

Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question.

Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013.

OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably safeguard PHI – a violation of 45 C.F.R. § 164.530(c)(1); Impermissibly disclosed PHI to unauthorized individuals – a violation of 45 C.F.R. § 164.502(a); and had failed to implement policies and procedures to ensure written authorizations were obtained from patients prior to their PHI being disclosed – a violation of 45 C.F.R. § 164.530(i)(1).

In addition to covering the $25,000 HIPAA fine, Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to adopt a corrective action plan (CAP) that requires the PHI to be removed from the company website. The CAP also requires CPT to provide additional training to all members of staff on the allowable uses and disclosures of PHI under HIPAA Rules. CPT must also submit documentation to OCR demonstrating that all elements of the CAP have been completed and annual compliance reports must also be provided to OCR.

The Privacy Rule exists to ensure that patients privacy is protected at all times. Healthcare providers and other HIPAA-covered entities are prohibited from sharing PHI without first obtaining permission from patients. Covered entities should ensure that written authorization is obtained from patients before any PHI is shared or used for marketing or promotional purposes.

Even if authorization to use patient PHI is obtained from patients verbally, covered entities must ensure they also obtain authorization in writing before any PHI is disclosed. That includes obtaining a valid authorization form before patient data is posted on a website or social media page.

The full resolution agreement can be viewed here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.