OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012.
Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question.
Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012, and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013.
OCR found that a number of patients had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website.
OCR determined this to be a clear violation of the Privacy Rule. CPT was found to have violated HIPAA in three respects: it failed to reasonably safeguard PHI (a violation of 45 C.F.R. § 164.530(c)(1)); it impermissibly disclosed PHI to unauthorized individuals (a violation of 45 C.F.R. § 164.502(a)); and it failed to implement policies and procedures to ensure written authorizations were obtained from patients before their PHI was disclosed (a violation of 45 C.F.R. § 164.530(i)(1)).
In addition to covering the $25,000 HIPAA fine, Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to adopt a corrective action plan (CAP) that requires the PHI to be removed from the company website. The CAP also requires CPT to provide additional training to all members of staff on the allowable uses and disclosures of PHI under HIPAA Rules. CPT must also submit documentation to OCR demonstrating that all elements of the CAP have been completed and annual compliance reports must also be provided to OCR.
The Privacy Rule exists to ensure that patients' privacy is protected at all times. Healthcare providers and other HIPAA-covered entities are prohibited from sharing PHI without first obtaining permission from patients. Covered entities should ensure that written authorization is obtained from patients before any PHI is shared or used for marketing or promotional purposes.
Even if authorization to use patient PHI is obtained from patients verbally, covered entities must ensure they also obtain authorization in writing before any PHI is disclosed. That includes obtaining a valid authorization form before patient data is posted on a website or social media page.
The full resolution agreement can be viewed here.