A North Carolina dental practice (“Practice”) has been fined $50,000 following a Notice of Final Determination regarding a violation of the HIPAA Privacy Rule.
In the Notice of Proposed Determination, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) stated that a patient visited the Practice in 2013 and 2014 to receive dental treatment. A year later, the patient posted a negative review about the Practice on the Practice’s Google review page. The patient used a pseudonym to post the review. Shortly after, the Practice responded to the patient’s negative Google review. Notably, the response from the Practice included patient protected health information (“PHI”) such as the patient’s full name, the patient’s dental condition, treatment and appointment attendance. Further, the response from the Practice included derogatory remarks about the patient. The patient filed a complaint with OCR about this impermissible disclosure of the patient’s PHI in 2015.
OCR issued a data request to the Practice in 2016, requesting, among a number of items, the Practice’s policies and procedures regarding responses to online reviews by patients. The Practice did not provide a complete response to the data request. OCR notified the Practice that the Practice’s response to the negative review was an impermissible disclosure of PHI and asked the Practice to take its response to the negative review down. However, the Practice did not comply with OCR’s request.
As a result of the incomplete responses and lack of cooperation from the Practice, OCR sent a Letter of Opportunity to the Practice to inform the Practice that there were preliminary indications of non-compliance. The Practice did not respond to this letter. Ultimately, OCR issued a fine of $50,000 based on the penalty tier of “willful neglect not corrected” and informed the Practice via a Notice of Final Determination that the penalty was final.
Key Takeaways
As a result of this penalty, covered entities should consider the following:
- Draft policies and procedures to address the use and disclosure of PHI related to a covered entity’s online presence. Remember that PHI includes demographic information, like name, when held by a covered entity, and it is protected by HIPAA, even when it is not shared with more sensitive medical information.
- Offer patients meaningful avenues to feel heard in the event they have a complaint. Seek offline feedback, and work with patients to address issues that arise.
- Recognize that negative reviews are a part of modern health care practices. Patients posting negative reviews are typically not doing so to receive a response from the provider. They are trying to warn other patients about their experience. Further, responding to an online comment usually only serves to bring more attention to the complaint. Organizations should implement a broader social media/public relations strategy in order to mitigate the impact of a negative online review and to reduce the temptation to respond to a negative review in an impermissible manner.
- Comparing social media activities to those of peer entities to determine what social media practices are acceptable is not a viable strategy to ensure compliance with HIPAA. Even if peer entities are posting what appears to be PHI on online platforms, these other entities may have obtained a HIPAA-compliant authorization to interact with patients online or may themselves be violating HIPAA. Each covered entity must make its own analysis of acceptable online behavior.
- The Practice was found to have failed to cooperate with OCR’s investigation. While a covered entity may disagree with OCR opening an investigation or the scope of an OCR data request, engaging with OCR can help an entity under investigation get a better understanding of a request and move the investigation towards a satisfactory conclusion for each party. Seek counsel if OCR is investigating a complaint about your organization.
For more information, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your primary Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.