Case Study – Not Having a HIPAA compliant website costs practice $25,000


Sometimes it is easy to forget just how expansive HIPAA regulations really are. Often we think they are limited to paper records or electronic medical records (EMR). However, HIPAA covers every place that Protected Health Information (PHI) exists under a Covered Entity’s (CE) or Business Associate’s (BA) care. One place that often goes unnoticed is the website. CEs and BAs must both maintain HIPAA compliant websites. This week’s case study shows how easily unintentional acts can result in expensive HIPAA violations.

What happened?

Complete P.T., Pool & Land Physical Therapy, Inc. was posting patient testimonials about their services onto their website.

In 2012, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) received a complaint that Complete P.T. had disclosed the PHI of numerous patients. The practice had not obtained HIPAA compliant authorizations from the patients before posting the testimonials, which resulted in numerous violations of HIPAA regulations. These testimonials included patient names and full face photographs. Posting this information confirms that the individuals are patients of that practice and therefore constitutes an unauthorized disclosure of PHI.

What was the result?

OCR found that Complete P.T. had (quoted from OCR’s press release):

  • Failed to reasonably safeguard PHI;
  • Impermissibly disclosed PHI without authorization; and
  • Failed to implement policies and procedures with respect to PHI that was designed to comply with HIPAA’s requirements with regard to authorization.

This resulted in a $25,000 fine and a corrective action plan for a period of one year. This fine was a result of not maintaining a HIPAA compliant website.

You can read OCR’s press release here.

These types of violations are usually quite unintentional, which makes paying a fine for them all the more painful. We usually associate HIPAA violations with more obvious events such as a hacked network or a stolen device. In this case, however, it was something the practice never intended to do.

How do you have a HIPAA compliant website?

Many physicians use pictures and patient testimonials to market their practice. This is perfectly acceptable if HIPAA compliant authorization has been obtained from the patient before they are posted. This is standard practice for many plastic surgeons, OBGYNs and pediatricians. Before and after shots are very common.

The authorization must detail how and where the practice will use the data for marketing. HHS has published guidance on marketing rules for CEs and BAs. It can be found here.

Make sure you get a Business Associate Agreement (BAA) from any company that hosts your PHI. The company that hosts your website has indirect access to patient data, so it will need to sign a BAA with your practice. If it doesn’t, neither your practice nor the hosting company is HIPAA compliant. If your hosting company won’t sign a BAA, it’s time to look for a new hosting company. Vendors often say they aren’t actually touching the PHI or don’t have access to it, but that isn’t how the regulations were designed: data that resides on the hosting company’s servers must be protected regardless.

One more point you will want to consider is to post your Notice of Privacy Practices (NPP) on your website. This gives your patients all of the required information they need concerning your practice’s HIPAA policies.

Having a HIPAA compliant website isn’t difficult, but it does require planning to ensure that you follow the HIPAA regulations. This should give you a good start on what it takes to stay on the right side of the law and protect your patients’ data.


Using patient testimonials in physician marketing is a good way to attract new business. However, HHS has strict guidelines on what must be done to protect patient PHI. To maintain a HIPAA compliant website, be sure that you have written authorizations from patients before posting anything. Failure to do so can result in costly fines for unintended HIPAA violations.

For companies that host your website, make sure you have a BAA in place if the site contains any PHI or processes any through it. If your hosting company won’t sign one, move to a new hosting company. If that isn’t practical in your specific circumstances, document this in your practice’s own HIPAA documentation.

HIPAA is about protecting patient data. That includes their testimonials.