HIPAA Rules on Website Testimonials: $25K Settlement for Privacy Rule Violation

A physical therapy provider has reached a settlement with the Department of Health and Human Services' Office for Civil Rights (OCR) to resolve HIPAA Privacy Rule violations dating back to 2012, when protected health information (PHI) was posted on the company website without patient authorization having first been obtained.

HIPAA Rules on Website Testimonials: Obtain Authorization Before Disclosing PHI

Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) had posted client testimonials, including patient names and photographs, on its website without first obtaining written authorization from those patients, as the HIPAA Rules require. The HIPAA Rules do not specifically address website testimonials, but the Privacy Rule is clear that protected health information may not be disclosed for purposes such as marketing without the patient's prior written authorization.

Patient names and full-face photographs are among the identifiers included in the HIPAA definition of Protected Health Information, and a testimonial that identifies an individual as a patient of a covered entity discloses PHI even if it contains no clinical detail. Covered entities are not permitted to disclose such information for marketing or promotional purposes without first obtaining the patient's written authorization. By posting those names and photographs on its website, CPT violated the HIPAA Privacy Rule.

OCR received a complaint on August 8, 2012, alleging that the company had been posting information protected under the HIPAA Rules on the Internet without first obtaining authorization from patients.

OCR launched an investigation into the potential Privacy Rule violation and concluded it on January 15, 2013. Investigators determined that CPT had impermissibly disclosed PHI via its website, in violation of 45 C.F.R. § 164.502(a). CPT had also failed to reasonably safeguard PHI as required by 45 C.F.R. § 164.530(c)(1), and had violated 45 C.F.R. § 164.530(i)(1) by failing to implement policies and procedures for obtaining patient authorization before disclosing PHI.

CPT has accepted that it violated the HIPAA Rules and has admitted civil liability. It has agreed to pay $25,000 to the Department of Health and Human Services and to adopt a corrective action plan (CAP) to bring it into compliance with the HIPAA Rules.

Under the CAP, CPT must revise its policies and procedures to ensure that patient PHI is protected and is not impermissibly disclosed to individuals not authorized to view it, remove all PHI from its website, and provide further training to all members of staff on the HIPAA Rules governing the use and disclosure of PHI.

CPT must also submit documentation to OCR demonstrating compliance with the CAP, and will be required to submit annual compliance reports to OCR.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news