Los Angeles physical therapy provider settles HHS charges that it impermissibly disclosed patient information

An announcement by HHS on Feb. 16 seems to have flown under most media radar. It appears that Complete P.T. used patient images and testimonials on its website without patient consent, generating a complaint to HHS that HHS investigated and confirmed. Complete P.T. has admitted liability, agreed to pay $25,000, and agreed to a corrective action plan. As of today, they still use patient testimonials on their site, but with patients’ initials and no images. There is no statement on their site about this settlement.

HHS’s announcement follows:

Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one-year period.

On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals’ protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.  OCR’s investigation revealed that Complete P.T.:

  • Failed to reasonably safeguard PHI;
  • Impermissibly disclosed PHI without an authorization; and
  • Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.

“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing,” said OCR Director Jocelyn Samuels. “All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”

The resolution agreement and corrective action plan may be found here.

About the author: Dissent