Physical rehabilitation provider’s patient testimonials result in $25,000 OCR settlement and admission of civil liability
On Feb 16, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced it had entered into a resolution agreement with Complete P.T., Pool & Land Physical Rehabilitation, Corporation. (CPT), a physical therapy practice located in California, to resolve HIPAA violations arising from CPT’s impermissible disclosure of protected health information (PHI) on its website by means of patient testimonials.
OCR started an investigation this year and determined that CPT had impermissibly disclosed PHI on its website without obtaining HIPAA-compliant authorizations. Specifically, CPT published patient testimonials, including full names and full-face photographs, without obtaining valid authorizations from the individuals identified in the testimonials. OCR concluded that CPT violated HIPAA’s Privacy Rule by failing to reasonably safeguard PHI, impermissibly disclosing PHI, and failing to implement policies and procedures designed to ensure compliance with the Privacy Rule’s authorization requirements.
As part of the resolution agreement, CPT admitted civil liability for violating the Privacy Rule, agreed to pay $25,000, and entered into a three-year corrective action plan (CAP) with OCR. The CAP requires CPT to develop and implement written policies and procedures to ensure Privacy Rule compliance, which include, but are not limited to, measures that address (i) permissible uses and disclosures of PHI, and (ii) individual authorization requirements. The CAP also requires CPT to provide workforce training on its HIPAA policies and procedures, subjects CPT to increased reporting requirements associated with HIPAA violations, and obligates CPT to submit annual CAP-compliance reviews. In addition to those conditions, which are standard in OCR corrective action plans, the CAP also requires CPT to remove from its website all PHI for which it does not have a valid HIPAA-compliant authorization by Feb 12, 2016.
For medical service providers and providers subject to HIPAA, OCR’s resolution agreement with CPT is especially significant for two reasons:
- CPT’s failure to obtain valid authorizations from patients before posting their names and faces on its website represents a straightforward violation of a basic HIPAA requirement that HIPAA-covered entities must be aware of, and comply with, especially in connection with marketing activities that utilize PHI; and
- CPT was required to admit civil liability for violating the Privacy Rule, a departure from previous OCR resolution agreements that customarily contain “No Admission” provisions explicitly rejecting any admission of liability. This appears to be the first time a covered entity has been required to admit civil liability as part of a resolution agreement, and may portend a new approach by OCR to investigating and resolving HIPAA complaints.