On February 16, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced it had reached a settlement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) after the organization exposed the protected health information (PHI) of a number of its patients. CPT, a California-based physical therapy practice, posted patient testimonials on its website and included patients’ full names and photographs without first acquiring the mandated HIPAA-compliant authorization from their patients.
After an investigation that began in 2012, OCR found that CPT failed to reasonably safeguard PHI, that it disclosed PHI without HIPAA-compliant authorization, and that it failed to create and follow policies and procedures that would ensure compliance with HIPAA authorization requirements.
The settlement requires that CPT admit civil liability for this violation, which is particularly uncharacteristic given that previous OCR agreements have typically included provisions rejecting any admission of liability. The settlement also requires that CPT pay $25,000 and begin a three-year corrective action plan (CAP) with OCR, under which CPT must take steps to ensure that it is fully compliant with the HIPAA Privacy Rule going forward. The CAP also requires that CPT fully train its workforce on its policies and procedures, with proper, documented attestation of that training, and that CPT remove all unauthorized testimonials from its website.
In addition, CPT will need to submit a report of its compliance efforts annually to OCR, and will face stricter reporting requirements going forward.
This settlement is just another example of the stricter enforcement and reporting requirements that OCR is pursuing in the case of PHI breaches. With the growing importance of maintaining a robust online presence, health care organizations need to begin exercising extreme caution when disclosing personally identifiable information (PII) and PHI such as full names and photos on their websites or in promotional materials. Cases like the CPT breach illustrate just how avoidable OCR fines and litigation can be if the proper steps are taken to ensure that PHI is kept safe and secure.