OCR has announced several recent settlement agreements to resolve violations of the Health Insurance Portability and Accountability Act (“HIPAA”). These settlement amounts range from $25,000 to $3.9 million and illustrate a range of mistakes that health care providers make with respect to their HIPAA compliance. This post briefly summarizes OCR’s findings with respect to each settlement agreement. Based on OCR’s findings, the Health Law Gurus provide steps that your organization can take to reduce its risk of a HIPAA breach.

Physical Therapy Provider – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc. (“PT”), a physical therapy practice located in Los Angeles, agreed to pay $25,000 and enter into a corrective action plan as a result of an impermissible disclosure of protected health information (“PHI”). PT posted patient testimonials on its website without obtaining valid authorizations as required by HIPAA. The patient testimonials included full names and full facial images of the patients. OCR discovered through its investigation that PT had not reasonably safeguarded PHI, had disclosed PHI without valid HIPAA authorizations, and had failed to implement policies and procedures regarding authorization for uses and disclosures of PHI.