The HHS Office for Civil Rights (OCR) recently imposed a $50,000 civil penalty on a dental office that disclosed patient identifying information in response to a negative online review. The case is a reminder that healthcare providers risk being held liable for a breach of HIPAA privacy if they include patient information in their posts on online platforms.
Engaging with customers through review websites and social media platforms is an important – and even necessary – component of business operations in the digital age. This is as true for healthcare providers as it is for companies in other industries.
Yet, when posting content online, healthcare providers should keep in mind a consideration unique to the healthcare industry: the federal Health Insurance Portability and Accountability Act (HIPAA). Enforced by OCR, HIPAA provides patients with privacy rights and protections in their “protected health information” (PHI). To that end, HIPAA prohibits “covered entities” from disclosing an individual’s PHI, unless the disclosure is required or permitted by HIPAA or the individual has authorized the disclosure.
Last March, the OCR announced that it had levied a $50,000 Civil Monetary Penalty (CMP) against a dental practice for “unlawfully disclos[ing] a patient’s PHI on a web page in response to a negative online review.” The enforcement action serves as a reminder that disclosure of PHI in online postings may subject covered entities to liability for a HIPAA violation.
Dental practice reveals patient name and information in response to negative review
The recent OCR enforcement action stems from a negative review of U. Phillip Igbinadolor, DMD & Associates, PA (UPI), a North Carolina dental practice. According to the findings of OCR’s Notice of Proposed Decision, the negative review was posted on UPI’s Google page under a pseudonym by a patient who was dissatisfied with the dental services he received on two separate occasions.
UPI responded quickly on the Google page to refute the “unsubstantiated accusations” in the negative review. The response revealed the patient’s full name and details of the services he received, saying the patient “never returned for his scheduled appointment”.
“From the foregoing it is evident that [Complainant’s full name] level of intelligence is in question, and he should continue his manual labor and not expose himself to ridicule,” the response said. “Making derogatory statements will not improve your reputation at this time. [Complainant’s full name]. Buy yourself a life.”
The OCR opened an investigation after receiving a complaint from the patient. The agency then informed the dental practice that its response to the patient’s Google review “constituted an impermissible disclosure of PHI” and that “UPI should withdraw its response promptly.”
A protracted back-and-forth between OCR and UPI ensued, during which the dental firm refused to release its HIPAA-related policies and other documents. After the practice declined to submit a written response to the OCR’s findings or request a hearing to contest the case, the OCR issued a final determination of noncompliance for which the agency imposed a CMP of $50,000. According to the OCR, this was justified because UPI’s violation of HIPAA was an act of “willful uncorrected negligence.”
Other HIPAA Enforcement Actions Involving Online Reviews
OCR’s imposition of the CMP against UPI is not the first enforcement action the agency has taken when a covered entity allegedly disclosed PHI in response to an online review.
In 2019, another dental practice paid $10,000 under a resolution agreement to settle OCR claims that it impermissibly disclosed a patient’s PHI, including her last name, details of her treatment plan, and insurance and cost information, in its response to the patient’s review on Yelp. During its investigation, OCR alleged that it uncovered impermissible disclosures of other patients’ PHI in the practice’s responses to their Yelp reviews.
Similarly, in 2013, OCR sent a written letter to a plastic surgery practice noting that the parent of an underage patient had complained that the practice had improperly disclosed the patient’s PHI in response to a Yelp review posted by the parent. The OCR cautioned: “A Covered Entity may not confirm or deny that a particular individual was, in fact, a patient, or disclose any other individually identifiable health information (IIHI), including, but not limited to demographic information such as name or address.” Although the OCR chose not to impose penalties, it encouraged the practice to remove “any specific information about current or former patients from your weblog.”
Maintaining HIPAA Compliance with Online Postings
The aforementioned enforcement actions emphasize that HIPAA-covered entities must act with caution to prevent unauthorized disclosure of PHI in their publicly available online content, including responses to negative reviews. To this end, Covered Entities should consider:
Developing a policy on the use and disclosure of PHI on online platforms: Given the ubiquity of social media in the workplace and business operations, Covered Entities should consider developing a policy regarding the uses and disclosures of PHI on online platforms. Indeed, in its recent enforcement actions, the OCR has emphasized the importance for Covered Entities of having policies specifically addressing PHI and social media. Social media, marketing, and business development staff can be among the key stakeholders in developing such a policy.
Creating pre-approved responses to negative reviews: Negative reviews online can sometimes provoke angry and defensive reactions. These reactions, in turn, can fuel hasty responses that carry an increased risk of revealing identifying information and thereby violating HIPAA. To mitigate this risk, Covered Entities may create pre-approved replies to be used when responding to negative posts. Such response templates can demonstrate responsiveness without compromising patient privacy, as in the following sample response:
We welcome feedback on the patient experience with our care providers. Out of respect for our patients’ right to privacy, we do not disclose patient information in public forums. We encourage you to contact our office by phone or email so we can further discuss your experience.
Consulting legal counsel to assess potential legal options: Although HIPAA may limit Covered Entities’ responses to negative reviews, this does not mean that Covered Entities are without legal remedies to defend their professional reputation. In some cases, a negative review could constitute defamation or other grounds for a covered entity to take legal action against the poster. Covered Entities should consult legal counsel to assess their options in such cases. In many cases, a firmly worded cease-and-desist letter may be enough to bring about the withdrawal of a review that could harm a Covered Entity’s business interests.
Additional research and writing by Jannat Irshad, 2022 Summer Associate in the San Francisco office of ArentFox Schiff and law student at Boston University School of Law.