HIPAA Fine Violation Spotlight

HIPAA Fines Charged For Security and Privacy Rule Violation

Does your practice have reviews posted on Yelp, Google, or Facebook? Most do these days. Those reviews are vital for attracting new customers, as many people check online reviews before committing to a new product, restaurant, or service. Of course, misunderstandings can lead to undeserved poor reviews, but keeping a professional demeanor when responding is the best way to turn that perception around.

Unfortunately, medical practices have an added layer to consider when responding to reviews: protected health information (PHI) and how to protect it. It may be tempting to address a patient’s concern directly, but if the patient’s PHI is mentioned in that response, it is a violation of the HIPAA Privacy Rule.

This was highlighted in a recent OCR settlement. Elite Dental Associates of Dallas, TX (Elite) agreed to pay $10,000 to settle its potential violation. The complaint, received on June 5, 2016, alleged that Elite disclosed a patient’s last name and health condition details while responding to an online review. The subsequent investigation revealed that Elite had disclosed the PHI of several patients while responding to reviews on the practice’s Yelp review page. Elite also had no policy in place regarding disclosure of PHI as it related to social media.

Elite is a privately owned dental practice that provides general, implant, and cosmetic dentistry. Its settlement agreement included adopting a corrective action plan. While the settlement amount may seem smaller than most, it should be noted that “OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.”

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”