Testimonials are found just about everywhere you look online. In most cases, no harm comes from posting a testimonial on a website. Other times, however, it can be a costly mistake, such as the case involving the Los Angeles-based physical therapy practice Complete P.T., Pool & Land Physical Therapy Inc.
Last month, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) revealed that it negotiated a settlement with the practice over an incident that resulted in the disclosure of Protected Health Information (PHI). OCR officials say that Complete P.T., Pool & Land Physical Therapy Inc. had posted testimonials of its patients online, complete with their full names and photos. This alone isn't necessarily a violation, but covered entities must first obtain authorization forms before they can legally post or otherwise disclose this information.
The actual incident involving the physical therapy practice occurred back in 2012, during which the OCR received a complaint about the impermissible use of patients' PHI in the form of online testimonials. This prompted the OCR to launch an investigation into the incident, after which it concluded that Complete P.T. failed to reasonably safeguard PHI from disclosure; it impermissibly disclosed PHI without proper authorization from patients; and it failed to implement the necessary policies and procedures associated with the Health Insurance Portability and Accountability Act (HIPAA).
OCR Director Jocelyn Samuels explained that the HIPAA Privacy Rule grants healthcare patients “controls” over the disclosure of their personal information. And while there are always exceptions, in most cases the healthcare practice must obtain the patient's written consent in the form of an authorization before it can disclose his or her PHI – something that Complete P.T. failed to do.
“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing,” said OCR Director Jocelyn Samuels.
In addition to agreeing to pay a $250,000 fine, Complete P.T. has also agreed to implement corrective actions, as well as provide a report to the OCR on its compliance.
You can access the complete agreement and resolution by visiting http://www.hhs.gov/sites/default/files/cpt-res-agreement.pdf.