After more than three years, a physical therapy provider's HIPAA breach case has ended with a $25,000 OCR fine for the covered entity and a requirement that it create and implement a corrective action plan.

The U.S. Department of Health & Human Services website recently published the settlement details of a breach case that began with a complaint filed on August 8, 2012. The complaint alleged that the California physical therapy provider Complete P.T. had disclosed multiple patients' health information without written authorization. The provider had posted testimonials to its website that included the full names and images of the patients. Full names and images of patients, when connected to a health care provider, are considered Protected Health Information (PHI), and sharing them the way Complete P.T. did is a direct violation of the Health Insurance Portability and Accountability Act (HIPAA).

As stated in the HHS agreement release, the “OCR’s investigation revealed that Complete P.T.:

  • Failed to reasonably safeguard PHI;
  • Impermissibly disclosed PHI without an authorization; and
  • Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.”

Complete P.T. will settle with OCR for $25,000, will adopt a corrective action plan, and will report to OCR in one year on its corrective efforts.

What can be learned from this?

First, every health care organization should understand how PHI may be used and disclosed. In this case, the organization released PHI without patient authorization. Written authorization is integral to releasing any PHI, regardless of how it will be used.

Second, because the organization believed such a blatant disclosure of PHI was acceptable, it probably needs HIPAA training, or re-training. For testimonials to reach the website, the information had to pass through at least a couple of people, and any one of them should have questioned whether this was the proper course of action.

Third, once information is shared on the internet, there is not much you can do to protect it. The testimonials were not printed in a flyer; they were posted on the website, which significantly increases the number of potential viewers. It is often said of social media, but it applies equally to PHI: always think twice about what you post on the web.

Finally, recognize that human error comes with a cost. Even if someone was unaware that patient authorization is required before posting such testimonials, the Office for Civil Rights will not be lenient. After all this time, everyone should be trained on HIPAA and its many requirements for protecting health information.

If you would like to get your organization on the right track to avoiding these kinds of HIPAA mistakes, try out the HIPAAgps system for free today.