Case Shines Spotlight on HIPAA's Marketing RulesPhysical Therapy Provider Gets $25,000 Penalty for Using PHI Without Permission
Federal authorities have slapped a Los Angeles-based physical therapy provider with a financial penalty in a HIPAA case that provides a wake-up call about the requirement to obtain patients' permission before using their personal information for marketing purposes.
The Department of Health and Human Services says a $25,000 settlement and resolution agreement with Complete P.T., Pool & Land Physical Therapy Inc., comes after an investigation following an August 2012 complaint alleging that CPT was impermissibly disclosing protected health information on its website.
Without receiving patient permission as required under HIPAA, the organization posted patient testimonials on its website that included individuals' full names and full face photographs, HHS' Office for Civil Rights says in its resolution agreement with the company.
Marketing Poses Challenges
Some privacy and security experts say the case highlights confusion that many covered entities often face when making decisions about the use of patient information for marketing purposes.
"From my experience, many organizations have challenges with marketing and HIPAA," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Training marketing staff on how HIPAA specifically applies to them, including how broadly HHS interprets what constitutes 'protected health information,' is very important."
OCR says it launched its investigation of the physical therapy provider after receiving a complaint about the testimonials, which impermissibly disclosed "numerous" individuals' PHI. But OCR did not specify how many patients were affected.
In January 2013, OCR notified CPT of its investigation regarding its compliance with the HIPAA Privacy Rule. OCR's investigation found that the organization failed to reasonably safeguard PHI; impermissibly disclosed PHI; and failed to implement policies and procedures with regard to obtaining patient authorization for use of PHI in marketing campaigns.
What HIPAA Says
The HIPAA Privacy Rule gives individuals important controls over whether and how their PHI is used and disclosed for marketing purposes, OCR Director Jocelyn Samuels says in a statement. "With limited exceptions, the rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing."
All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual's authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form, she says.
"The lesson to be learned from this incident is that, just like any other PHI, you must obtain a patient's written HIPAA compliant authorization prior to disclosing their photograph or letter of appreciation in any marketing materials or on an Internet website," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
Privacy and security expert Kate Borten of the consulting firm The Marblehead Group notes: "HIPAA's Privacy Rule made it clear in 2001, over a decade before this breach, that use of PHI for marketing requires patient authorization. It is very appropriate that this unambiguous case resulted in the provider acknowledging fault."
Still, OCR enforcement action involving the impermissible use of PHI for marketing under the HIPAA privacy rule is rare, Greene notes.
"In over 30 OCR settlements, most have involved information security issues," Greene notes. "In comparison, only a small number have involved issues that strictly involve the HIPAA Privacy Rule, such as using protected health information for marketing purposes. I expect this trend to continue, with most enforcement actions focused on large information security matters, and an occasional headline-grabbing case about an organization intentionally using or disclosing protected health information in a manner that OCR considers to violate the Privacy Rule."
Under the resolution agreement, the physical therapy provider has agreed to take several corrective actions. Those include:
- Developing, maintaining and revising written policies and procedures to comply with HIPAA standards that govern the privacy of PHI;
- Distributing those policies and procedures to all members of its workforce, and to new members of the workforce within 30 days of their beginning of service;
- Providing training on CPT's policies and procedures to its workforce;
- Removing from its website, and all its affiliated Web domains, any PHI for which it has not obtained a valid authorization;
- Reporting of HIPAA compliance efforts to OCR for a one-year period.
Neither OCR nor CPT immediately responded to Information Security Media Group's request for comment.
Second Enforcement Action This Year
The resolution agreement with CPT is the second HIPAA enforcement action that OCR has disclosed so far in 2016.
Earlier this month, OCR said an HHS administrative law judge granted a summary judgment requiring Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $239,800 civil monetary penalty.
That case stemmed from an individual who complained in December 2008 that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence. "Evidence established that this employee removed patients' information from the company's office, left the information exposed in places where an unauthorized person had access and then abandoned the information altogether," OCR said.