Physical therapy provider settles violations that it impermissibly disclosed patient information — Corrective action / RA

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality Physical therapy provider settles violations that it impermissibly disclosed patient information Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one year period. On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals’ protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. OCR’s investigation revealed that Complete P.T.: Failed to reasonably safeguard PHI; Impermissibly disclosed PHI without an authorization; and Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization. “The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.” said OCR Director Jocelyn Samuels. “All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.” The resolution agreement and corrective action plan may be found here. Content last reviewed February 12, 2016