HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  Patient testimonials without HIPAA-compliant authorizations.

Quote From The Legal Agreement
real name changed to XYZ Physical Therapy Practice

minor modifications for readibility

Interpreting the HIPAA Police

Quote that sends a message:

This case started in the summer of 2012. The Resolution Agreement was signed on February 01, 2016. The HIPAA Probation lasts an additional 3 years to February 2019.

Ask Yourself: Do you want the HIPAA Police in your business for nearly 7 years?

Quote that sends a message:

ClinicNerds estimates that over 200,000 small healthcare practices in the USA have this same HIPAA violation.

Ask Yourself: Does your website have patient testimonials with proper HIPAA-compliant authorizations?

Additional Comments

These HIPAA investigations and probations drag on for years. Most last over 5 year. Plus the healthcare organization pays its own legal fees.

Have a look at those first 3 obligations during HIPAA probation. HHS is making them try to erase something from the internet, which does not forget. This means asking search engines like Google, Yahoo, AOL, etc to remove content. Guessing that this small PT practice has no idea how to accomplish these tasks.

It would still be a violation if there were just full face photographs, without the names. Facial images are one of those 18 identifiers that turn regular information into Protected Health Information.

Obligations During HIPAA Probation
  • Removal of PHI from XYZ Physical Therapy Practice Website. 1. Within 10 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall remove from its website, and all its affiliated web domains, any PHI for which it has not obtained a valid authorization from the individual who is the subject of the PHI, or their personal representative.
  • Within 10 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall also use its best efforts to remove all cached versions of its website from the Internet that contain this PHI. If XYZ Physical Therapy Practice is unable to remove all cached versions within 30 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall provide HHS with documentation explaining its “best efforts” and the reason that the PHI remains accessible on the Internet.
  • XYZ Physical Therapy Practice’s compliance with this corrective action will be based on HHS’ review and approval of the documentation explaining its “best efforts” and the reason that this PHI remains accessible.
  • Within 60 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall notify any individual, or the individual’s personal representative, whose PHI was disclosed by XYZ Physical Therapy Practice on the website without a valid authorization, that their PHI has been breached.
  • Within 30 days, conduct a risk assessment and send to HHS.
  • Within 30 days, document policies and procedures to safeguard PHI.
  • Policies and procedures should include: A description of uses and disclosures for which XYZ Physical Therapy Practice is required to obtain an individual’s authorization, including for posting on CPT’s website and/or social media pages.
  • Wait for review and approval from HHS.
  • Within 30 days of response from HHS, implement all policies and procedures via training sessions.
  • During training, all employees must sign and date a form that states that they understand and will follow all of the policies and procedures.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement where the HIPAA Police monitor the organziation for 3 years. During probation, there are specific to dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing polices, procedures and best practices.

Case Study Factsheet

XYZ Physical Therapy Practice in California

Case ID

Fine Amount

Corrective Action Plan (CAP) ?
Yes, 3 Years

Precipitating Event
Patient testimonials without HIPAA-compliant authorizations.

HIPAA Police Office
HHS Pacific Region San Francisco

{ end case study CS-2016-02-01 }