Dental Practice to Pay $10,000 for Impermissible Disclosures of Patients’ Protected Health Information on Social Media

Responding to a patient’s review on Yelp recently triggered an Office of Civil Rights (OCR) investigation of a small Texas dental practice, which ultimately resulted in an agreement by the practice to pay $10,000 and implement a two-year OCR-monitored corrective action plan. The patient filed the OCR complaint because the practice revealed her protected health information in its response.

Medical practices that choose to react to reviews from patients on social media platforms such as Yelp and Facebook risk impermissibly disclosing patient information merely by acknowledging that the reviewer is a patient. As social media increasingly influences the practice of medicine, providers should evaluate their procedures to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), as well as approaches to encourage their patients to directly express concerns and limit the risks of even inadvertent disclosures on social media.

Office of Civil Rights Investigation

On June 4, 2016, Elite Dental Associates (Elite), a privately-owned solo practice in Texas, impermissibly disclosed the protected health information (PHI) of one of its patients when an employee responded to the patient’s review on Yelp. The response divulged the patient’s last name and details of her health condition, including her treatment plan, insurance and cost information. Not surprisingly, the patient filed a complaint with OCR at the U.S. Department of Health and Human Services the next day. OCR’s investigation found that Elite had impermissibly disclosed the PHI of multiple other patients in a similar way on Yelp. Elite did not have policies and procedures to ensure that its employees properly handled patient PHI, and its Notice of Privacy Practices was deficient.

The two-year corrective action plan requires Elite to develop and implement policies and procedures that address permissible and impermissible uses and disclosures of PHI. The plan also mandates that Elite’s employees receive training on the procedures and not be involved in the use or disclosure of patient PHI until they certify that they have read, understand and will abide by the policies and procedures.

Defining Protected Health Information

Under HIPAA, and other federal and state privacy and confidentiality laws, healthcare providers must guard patients’ personal PHI from unauthorized disclosure, including information that reveals:

    • a patient’s physical or mental health or condition
    • the provision of health care to the patient
    • payment for the provision of health care to the patient, and
    • the identity of the individual (including where there is a reasonable basis to believe the information can be used to identify the individual)

PHI includes many common identifiers such as name, address, birth date, and Social Security number, as well as unique biometric identifiers, including finger, retinal and voice prints, full face photographic images and any comparable images.

Takeaways for Medical Providers

When negative comments on social media surface, it is natural to want to clarify the situation. However, medical providers should reconsider before engaging a dissatisfied patient on a public social media platform. Simply recognizing the individual as a patient could be an impermissible privacy disclosure. In a press release on the Elite settlement, OCR Director Roger Severino noted that “social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

A Proactive Approach

Medical providers can use this as an opportunity to ensure that their practice handles patients’ protected health information in compliance with HIPAA in all aspects of its operations, including social media. Elite’s corrective action plan can serve as a roadmap to develop policies, train employees and monitor compliance.

To reduce the risk of publicly posted patient complaints on social media review sites in the first place, providers should take a proactive approach to patient grievances. Patients often turn to social media reviews like Yelp when they feel that their concerns are ignored by their provider or the practice. Look for multiple ways to encourage patients to express their complaints directly to the practice. For example, educate patients on an open-door grievance policy, provide ways for them to directly present feedback, and consider rolling out a practice-specific patient experience survey, such as the Patient Experience Platform developed by SE Healthcare. Tools like these can be helpful to reduce the likelihood that patients will resort to an online forum to air complaints.

Saxton & Stump attorney Darlene King is available to discuss how your practice can prevent being the subject of a similar OCR complaint and how our Healthcare and Risk Mitigation and Safety groups can help you devise an appropriate plan to navigate this complex issue.