Patient testimonials lead to HIPAA breach

HCPRO Website, March 4, 2016

Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a California-based physical therapy practice, agreed to a corrective action plan and a $25,000 resolution amount to settle allegations that it disclosed protected health information (PHI) as part of a video testimonial campaign, HHS says.

The settlement is the result of a complaint lodged with the Office for Civil Rights (OCR) in August 2012. The complainant alleged that CPT posted patient testimonials to its website without legal, HIPAA-compliant authorization. The testimonials included patients’ names and full face photographs. OCR launched an investigation and determined that not only had CPT disclosed PHI without permission, but the organization also did not have reasonable safeguards to protect PHI or effective policies and procedures to obtain HIPAA-compliant authorization to disclose PHI.

OCR Director Jocelyn Samuels stressed that HIPAA applies to all providers that fall under the definition of covered entity, including physical therapy providers. Covered entities must obtain permission before using a patient’s PHI for marketing purposes, which includes posting on social media or websites, and all disclosure authorizations must meet requirements outlined in HIPAA.

As part of the settlement, CPT agreed to adopt a corrective action plan and report its compliance efforts to OCR for one year. According to the terms of the corrective action plan, CPT must:

  • Develop HIPAA-compliant policies and procedures to protect PHI
  • Distribute these policies and procedures to its staff and require a written or electronic signature documenting that the signatory read and understands the policies and procedures
  • Assess and update policies and procedures at least annually

CPT agreed to submit a draft of its revised policies and procedures to HHS for approval. HHS will, if necessary, recommend changes, and CPT will resubmit the draft until HHS gives it final approval. CPT will then have 30 days to implement the policies and procedures, including distributing them, educating staff, and obtaining signed compliance certifications from staff.

HHS placed particular emphasis on CPT developing policies governing the disclosure of PHI and directing staff to create and obtain valid authorization from patients before PHI is disclosed.

CPT also agreed to train staff on HIPAA and CPT’s updated policies. Staff will be required to sign a training certification document, acknowledging that they have received and completed the training. CPT will keep all course materials and review and update them annually.