California employers in the healthcare industry must be ever-vigilant when it comes to Health Insurance Portability and Accountability Act (HIPAA) regulations. A simple matter of testimonials accompanied by photographs got one business into hot water.
Complete P.T., Pool & Land Physical Therapy, Inc., has agreed to settle violations of HIPAA Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
Complete P.T. is a physical therapy practice located in the Los Angeles, California, area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a 1-year period.
On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals’ protected health information (PHI) when it posted patient testimonials—including complete patient names and full-face photos—to its website without obtaining valid, HIPAA-compliant authorizations. OCR’s investigation revealed that Complete P.T.:
- Failed to reasonably safeguard PHI;
- Impermissibly disclosed PHI without an authorization; and
- Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.
The resolution agreement and corrective action plan may be found here.