The testimonials included the patients' names and photos.

Federal regulators have announced a privacy investigation settlement that could affect how any entity that collects protected health information (PHI) uses consumer testimonials.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) says it has negotiated the settlement with Complete P.T., Pool & Land Physical Therapy Inc., a Los Angeles physical therapy practice.

In 2012, the practice posted testimonials from happy patients, including full names and photos, on the Web without getting what OCR classifies as valid authorizations, according to an OCR settlement announcement and a copy of the settlement agreement posted on the OCR website.

OCR officials say the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities in a situation like that to get authorization forms from consumers before using their protected health information for marketing purposes.

The practice has agreed to pay a $25,000 fine, adopt and implement a corrective action plan, and give OCR a report on its compliance efforts.

See also: 

Will you top the HIPAA audit candidate list?

Home care provider faces $239,800 HIPAA penalty

Data security gurus to corporate lawyers: Get to know the FBI

     

Have you followed us on Facebook?