On February 16, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it had entered into an agreement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a physical therapy practice located in California, to resolve HIPAA violations arising from CPT’s impermissible disclosure of protected health information (PHI) on its website in the form of patient testimonials.

OCR initiated an investigation in 2012 and determined that CPT had impermissibly disclosed PHI on its website without obtaining HIPAA-compliant authorizations. Specifically, CPT posted patient testimonials, including full names and full face photographs, without obtaining valid authorizations from the individuals identified in the testimonials. OCR concluded that CPT violated the HIPAA’s Privacy Rule by failing to reasonably safeguard PHI, impermissibly disclosing PHI, and failing to implement policies and procedures designed to ensure compliance with the Privacy Rule’s authorization requirements.

As part of the resolution agreement, CPT admitted civil liability for violating the Privacy Rule, agreed to pay $25,000, and entered into a three-year corrective action plan (CAP) with OCR. The CAP requires CPT to develop and implement written policies and procedures to ensure Privacy Rule compliance that include, but are not limited to, measures that address (i) permissible uses and disclosures of PHI, and (ii) individual authorization requirements. The CAP also requires CPT to provide workforce training on its HIPAA policies and procedures; subjects CPT to heightened reporting requirements related to HIPAA violations; and obligates CPT to submit annual CAP-compliance reports.  In addition to those conditions—which are standard in OCR corrective action plans—the CAP also requires CPT to remove all PHI from its website for which it does not have a valid HIPAA-compliant authorization by February 12, 2016.

For health care providers and suppliers subject to HIPAA, OCR’s resolution agreement with CPT is particularly noteworthy for two reasons:

1. CPT’s failure to obtain valid authorizations from patients before posting their names and faces on its website represents a straightforward violation of a basic HIPAA requirement that HIPAA-covered entities must be aware of, and comply with, especially in connection with marketing activities that utilize PHI; and
2. CPT was required to admit civil liability for violating the Privacy Rule, a departure from previous OCR resolution agreements that customarily contain “No Admission” provisions explicitly rejecting any admission of liability. This appears to be the first time a covered entity has been required to admit civil liability as part of a resolution agreement, and may portend a new approach by OCR to investigating and resolving HIPAA complaints.