Los Angeles-based Complete P.T. Pool & Land Physical Therapy will pay $25,000 to settle HIPAA violations for allegedly posting patient testimonials, including full names and photos, on its website without obtaining authorization.

The Department of Health and Human Services Office for Civil Rights announced the settlement terms on its website on Feb. 16. The settlement also requires Complete P.T. to adopt and implement a corrective action plan, and annual reporting of compliance efforts for one year.

[Also: 8 out of 10 mobile health apps open to HIPAA violations]

The complaint filed with the OCR on Aug. 8, 2012 said Complete P.T. was required by HIPAA to seek authorization for the testimonials.

OCR’s investigation revealed that Complete P.T failed to reasonably safeguard protected health information, disclosed PHI without authorization,and failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements.

"The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes," said OCR Director Jocelyn Samuels in a statement posted on the OCR website. "With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing."

Twitter: @HealthITNews