Last week, the Office for Civil Rights (OCR) announced a settlement related to allegations that a dental practice disclosed protected health information on its Yelp review page. The original complaint, filed in 2016, alleged that the practice impermissibly disclosed a patient’s last name, details of her treatment plan, insurance, and cost information when responding to the patient’s negative review. An OCR investigation revealed that this was not the only instance in which the practice impermissibly disclosed patient protected health information when responding to reviews on its Yelp page. Furthermore, OCR determined that the practice did not have a compliant Notice of Privacy Practices and failed to implement proper policies and procedures regarding disclosures of protected health information.
The dental practice agreed to pay a $10,000 fine and adopt a corrective action plan to settle the potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The substantially reduced settlement amount is not indicative of the severity of the breach, but rather reflects OCR’s consideration of the practice’s size, financial circumstances, and cooperation with the OCR investigation. Among other obligations, the corrective action plan requires the dental practice to (i) undergo two years of monitoring by OCR; (ii) revise its policies and procedures to comply with federal law; and (iii) submit annual reports to HHS providing the status of, and findings regarding, its compliance with the corrective action plan.
Social media use, including review-based websites, is ubiquitous across most industries. However, health care providers who utilize these platforms to interact with patients face unique challenges and must ensure their compliance with all applicable federal and state laws. Contact Frier Levitt today for guidance in navigating social media, and for a complete review of your practice’s HIPAA Compliance Plan.