Common Marketing Tactics Violate HIPAA Privacy Rules
It’s common practice for providers to market their services on the Internet. But if you’re going to include patient testimonials, you’d better read up on HIPAA Privacy regulations. Complete PT, Pool & Land Physical Therapy, Inc., of Los Angeles, learned that lesson the hard way.
PHI Includes Identity
According to reports, the provider has agreed to settle violations of HIPAA Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for disclosing numerous individuals’ protected health information when it posted patient testimonials, including full names and full-face photographic images, to its website. Complete PT failed to obtain valid, HIPAA-compliant authorizations from these individuals.
The company was ordered to pay $25,000, adopt and implement a corrective action plan, and annually report compliance efforts for one year.
“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing,” said OCR Director Jocelyn Samuels. “All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”
The resolution agreement and corrective action plan may be found here.