In October, Health and Human Services (HHS) announced in a press statement that a Dallas-based dental office had agreed to a settlement of $10,000 for improperly disclosing patient protected health information (PHI) on a social media platform known for online reviews.
HHS's Office for Civil Rights received a complaint in June 2016 from a patient alleging that Elite Dental Associates had disclosed the patient's last name and details of their condition. The Office for Civil Rights (OCR) is an organization that operates within HHS and is responsible for enforcing the Privacy and Security Rules. During its investigation, OCR confirmed that the dental practice had improperly disclosed patient health information while responding to patient reviews on Elite Dental's Yelp listing.
OCR concluded that Elite had numerous infractions, including improperly disclosing multiple patients' PHI while responding to online reviews, failing to have a HIPAA policy for disclosures of PHI, including proper social media interactions, and lacking a Notice of Privacy Practices that was compliant with the most recent HIPAA Privacy Rules.
“Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.” - OCR Director, Roger Severino.
The $10,000 penalty they agreed to actually represents the smallest financial settlement to date and reflects OCR's consideration of Elite Dental Associates' size, financial situation and cooperation with the investigation.
In addition to the monetary settlement, they must undertake a corrective action plan that includes updating HIPAA policies and forms, providing employee training and two years of monitoring by OCR for compliance with the HIPAA Rules.
There's nothing wrong with thanking someone for their review, but, obvious as it may seem, you want to avoid confirming that they're your patient. It's okay for a patient to go into detail about their treatment online, but a healthcare or dental provider who mentions details about a patient in a public forum could be making an improper disclosure under the Privacy and Security Rules.
A similar case in 2016 involved a physical therapy practice that settled with OCR for a $25,000 penalty. The practice failed to get patient authorizations before using personal information for testimonials on its website.
Reposting patient testimonials should only be done with a proper authorization in place or after de-identifying the patient's full name.
If you have outdated HIPAA policies, forms or employee training, please consider our 2020 HIPAA Privacy and 2020 HIPAA Security Manuals. They include everything you need to get into HIPAA compliance, including policies, forms, HIPAA training, toll-free phone support for all your HIPAA questions and/or assistance with an HHS audit, all at one low price. Oshaguard has provided compliance solutions for physicians and dentists since 1991.
The full HHS press release can be found here: