Watch out: The HHS Office for Civil Rights (OCR) is enforcing the HIPAA Privacy Rule requirements for obtaining valid authorization before using protected health information (PHI) for marketing purposes.
Case in point: On Feb. 16, OCR announced a resolution agreement with Los Angeles-based Complete P.T., Pool & Land Physical Therapy (Complete P.T.) for alleged HIPAA violations stemming from patient photographs the provider posted on its website without authorization.
In August 2012, OCR received a complaint alleging that Complete P.T. posted patient testimonials, including full names and full-face photographic images, on its website without first obtaining HIPAA-compliant authorizations to do so. OCR’s subsequent investigation revealed that Complete P.T. failed to reasonably safeguard PHI, impermissibly disclosed PHI without authorization, and failed to implement appropriate policies and procedures regarding the use of PHI and obtaining HIPAA-required authorizations.
Pay attention: This particular case highlights the HIPAA Privacy Rule’s protections for individuals concerning the use of their PHI for marketing purposes. With limited exceptions, the Privacy Rule requires that you obtain an individual’s written authorization before using or disclosing PHI for marketing purposes.
“All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form,” OCR Director Jocelyn Samuels said in the Feb. 16 announcement.
Under the resolution agreement, Complete P.T. must pay $25,000, adopt and implement a corrective action plan (CAP), and provide annual reporting of its compliance efforts for one year. The settlement agreement is effectively an admission of civil liability by Complete P.T.
To read the resolution agreement and CAP, go to http://www.hhs.gov/sites/default/files/cpt-res-agreement.pdf.