$10K HIPAA Fine Issued to Dental Practice for Disclosing PHI on Yelp
Elite Dental Associates was issued a $10,000 HIPAA fine for disclosing the protected health information (PHI) of one of its patients while responding to a review on Yelp. The dental practice's response to the patient’s review revealed the patient’s full name, insurance information, treatment plan, and cost information. The patient in question reported the incident to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
Roger Severino, Director of the OCR, stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
The dental practice failed to comply with the HIPAA Privacy Rule not only by disclosing patient information on social media, but also by failing to have policies and procedures for the disclosure of PHI and a Notice of Privacy Practices. As such, in addition to paying the fine, Elite is subject to two years of monitoring by the OCR.
Responding to Patient Reviews without Receiving a HIPAA Fine
HIPAA fines are issued for a variety of reasons, including the unauthorized disclosure of PHI. When responding to patient reviews, covered entities (CEs) must ensure that they do not improperly disclose PHI.
It may be tempting to respond to reviews, especially negative ones, but the only permissible way to respond is with a “thank you” or by asking the patient to contact your office. Anything more than that would be considered a HIPAA violation that would result in a HIPAA fine. Even a simple “thank you for coming in!” is a HIPAA violation, since you are confirming that the reviewer is a patient. When asking a patient to call you, it is permitted to say “Please give our office a call”; however, saying “Please call us to address your concerns” is also considered a HIPAA violation, as you are again confirming that the reviewer is a patient. When in doubt, it is best not to respond to patient reviews on a public forum rather than risk accidentally disclosing PHI.