The Department of Health and Human Services’ Office for Civil Rights has agreed to a HIPAA settlement for a violation case with Elite Dental Associates in relation to the impermissible disclosure of a number of patients’ protected health information (PHI) when answering patient reviews on the Yelp review website.
Elite Dental Associates is a Dallas, TX-based privately-owned dental clinic that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR were sent a complaint from an Elite patient about a social media HIPAA breach. The patient claimed the dental clinic had replied a review she left on Yelp and publicly shared some of the PHI.
When answering the patient’s June 4, 2016 post, Elite shared the patient’s surname along with details of her health condition, treatment plan, insurance, and cost details.
The investigation revealed this to be the case, but also found it was not the first time that PHI had been shared without permission on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were located on the Elite review page.
In addition to the impermissible sharing of PHI, which breached 45 C.F.R. § 164.502(a), OCR determined Elite had not put in place policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in breach of 45 C.F.R. § 164.530(i). Elite was also found not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).
OCR agreed to pay a HIPAA violation fine of $10,000 and implement a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three possible HIPAA violations could have resulted in a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s working with the OCR investigation into account.
OCR Director, Roger Severino said: “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”