
From Bad Online Reviews to Regulatory Action: The $30K HIPAA Lesson

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Manasa Health Center, LLC. 

This settlement is the culmination of a complaint lodged with the OCR in April 2020. The complaint alleged that Manasa Health Center made an impermissible disclosure of a patient’s protected health information in response to a negative review posted online. The OCR launched an investigation to ascertain the accuracy of this allegation, and the findings indicated potential violations of the HIPAA Privacy Rule. These violations encompassed not only the disclosure of sensitive patient information online but also a failure on the part of Manasa Health Center to implement adequate policies and procedures pertaining to protected health information. To resolve these potential violations, Manasa Health Center has agreed to a monetary settlement of $30,000 and will implement a corrective action plan.

OCR Director Melanie Fontes Rainer stated, “OCR continues to receive complaints about healthcare providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed.” She further emphasized the significance of the HIPAA Privacy Rule in safeguarding patients and reiterated the commitment of the OCR to take action against such disclosures, irrespective of the size of the organization involved.

It's noteworthy that the investigation by OCR found that Manasa Health Center not only responded inappropriately to the negative online review of the patient who filed the complaint but also impermissibly disclosed the protected health information of three additional patients in similar circumstances. Moreover, it was observed that Manasa Health Center had not adequately implemented HIPAA Privacy policies and procedures.

As part of the resolution, Manasa Health Center will undertake a corrective action plan that will be monitored by the OCR for two years to ensure compliance with the HIPAA Privacy Rule. The corrective action plan entails the development, maintenance, and revision of written policies and procedures in accordance with the HIPAA Privacy Rule. Moreover, comprehensive training will be provided to all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures as they relate to HIPAA Privacy and Security Rules. Additionally, within 30 calendar days of the agreement, Manasa Health Center is required to issue breach notices to all individuals whose protected health information was disclosed without valid authorization and submit a breach report to HHS.

The resolution agreement and the corrective action plan can be accessed for further details at the following link: Resolution Agreement and Corrective Action Plan.

If you don't have HIPAA policies or yours are out-of-date, please consider our 2023 HIPAA Privacy and Security Bundle. It includes everything you need to get your practice HIPAA compliance 

