OCR has revealed it has come at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule breaches in 2012.
Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has said they will pay a fine of $25,000 to the Department of Health and Human Services after the company broadcast photographs and names of patients on the client testimonial section of its website without first having recieved HIPAA-compliant authorizations from the patients in question.
Potential HIPAA Privacy Rule violations were made known to OCR on August 8, 2012 and an investigation into the complaint was initiated. OCR finished its investigation on January 15, 2013.
OCR discovered that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been officially obtained in writing from the patients before names and full-face photographs were published to the website.
OCR ruled this constituted a clear violation of the Privacy Rule, with CPT found to have breached HIPAA by failing to reasonably safeguard PHI – a violation of 45 C.F.R. § 164.530(c)(1); Impermissibly released PHI to unauthorized individuals – a violation of 45 C.F.R. § 164.502(a); and had failed to put in place policies and procedures to ensure written authorizations were received from patients prior to their PHI being disclosed – a violation of 45 C.F.R. § 164.530(i)(1).
In addition to paying the $25,000 HIPAA fine, Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to implement a corrective action plan (CAP) that requires the PHI to be taken down from the company website. The CAP also requires CPT to provide additional training to all employees in relation to the allowable uses and disclosures of PHI under HIPAA Rules. CPT must also submit documentation to OCR demonstrating that all elements of the CAP have been finished and annual compliance reports must also be submitted to OCR.
The Privacy Rule is in place to ensure that patients privacy is protected. Healthcare providers and other HIPAA-covered bodies are prohibited from sharing PHI without first obtaining permission from patients. Covered bodies should ensure that written authorization is obtained from patients before any PHI is shared or used for marketing or promotional campaigns.
Even if authorization to use patient PHI is received from patients verbally, covered bodies must ensure they also obtain official authorization in writing before any PHI is disclosed. That includes obtaining a valid authorization form before patient data is published on a website or social media page.
The full resolution agreement can be see here.