25K HIPAA Violation Settlement Agreed to by Physical Therapy Provider

by | Feb 20, 2016

OCR has revealed it has come at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule breaches in 2012.

Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has said they will pay a fine of $25,000 to the Department of Health and Human Services after the company broadcast photographs and names of patients on the client testimonial section of its website without first having recieved HIPAA-compliant authorizations from the patients in question.

Potential HIPAA Privacy Rule violations were made known to OCR on August 8, 2012 and an investigation into the complaint was initiated. OCR finished its investigation on January 15, 2013.

OCR discovered that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been officially obtained in writing from the patients before names and full-face photographs were published to the website.

OCR ruled this constituted a clear violation of the Privacy Rule, with CPT found to have breached HIPAA by failing to reasonably safeguard PHI – a violation of 45 C.F.R. § 164.530(c)(1); Impermissibly released PHI to unauthorized individuals – a violation of 45 C.F.R. § 164.502(a); and had failed to put in place policies and procedures to ensure written authorizations were received from patients prior to their PHI being disclosed – a violation of 45 C.F.R. § 164.530(i)(1).

In addition to paying the $25,000 HIPAA fine, Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to implement a corrective action plan (CAP) that requires the PHI to be taken down from the company website. The CAP also requires CPT to provide additional training to all employees in relation to the allowable uses and disclosures of PHI under HIPAA Rules. CPT must also submit documentation to OCR demonstrating that all elements of the CAP have been finished and annual compliance reports must also be submitted to OCR.

The Privacy Rule is in place to ensure that patients privacy is protected. Healthcare providers and other HIPAA-covered bodies are prohibited from sharing PHI without first obtaining permission from patients. Covered bodies should ensure that written authorization is obtained from patients before any PHI is shared or used for marketing or promotional campaigns.

Even if authorization to use patient PHI is received from patients verbally, covered bodies must ensure they also obtain official authorization in writing before any PHI is disclosed. That includes obtaining a valid authorization form before patient data is published on a website or social media page.

The full resolution agreement can be see here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy