Do They Put Your Healthcare Organization At Risk?

Drive traffic, increase sales, create actionable insights...or not!?

Does your healthcare organization’s new patient development rely on online reviews? Of course, a great review can boost your reputation and encourage others to consider your services. And, in the world of online advertising, posting the testimonial to your website or social media account may be the first step toward promoting the great services your organization provides.


Have you gotten a signed authorization from the patient to use their information for a testimonial? Earlier in 2016, a $25,000 HIPAA enforcement penalty was levied against a physical therapy organization for failing to secure the appropriate client authorization before using protected health information for client testimonials posted on their website. The violations that resulted from posting patient names with full-face photographs without written authorization included:

  • Failing to safeguard protected health information
  • Impermissible disclosure of protected health information
  • Failure to implement policies and procedures regarding patient information use and disclosure with appropriate authorizations

While there was no malicious intent behind the posting, failing to have proper authorization to disclose patient information was the reason for the fine. In addition to the fine, the clinic also has to:

  • Create policies and procedures for all aspects of HIPAA and have them APPROVED by the Department of Health and Human Services (HHS)
  • Distribute all policies and procedures to their workforce within 30 days of approval from HHS
  • Secure written certification from EACH employee that they have read, understand and shall comply with those policies and procedures
  • Create policies that address:
      1. Uses and disclosures of PHI for the websites and social media pages;
      2. Description of the process for obtaining the authorization; and
      3. Creation of a valid authorization form
  • Provide annual training to all workforce members
  • Report ANY workforce violations of the policies and procedures to HHS within 30 days
  • Remove all protected health information from its website and social media accounts!!!

Oh, almost forgot…this will be required of the clinic FOR THE NEXT 3 YEARS!!!!

Missed or omitted steps in the process of authorization for disclosure of protected health information can cost your organization not only money, but also the time and energy of complying with the resolution agreement. If you are going to consider using client testimonials on your website or social media pages, it is critical that your organization create a policy and procedure that addresses the process for securing legal authorization from any patients prior to posting that information. #weshouldtalk