By: Jennifer J. Thomas

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), announced on October 2, 2019, that it had entered into a settlement with a private dental practice that had violated the HIPAA Privacy Rule by posting patient protected health information (“PHI”) on Yelp.  The OCR received a complaint in 2016 from a patient alleging that the dental practice had responded to the patient’s online Yelp review of the service the patient had received.  In response to the patient’s review, the dental practice disclosed on Yelp the patient’s PHI, including:  last name, condition, details of the treatment plan, insurance, and cost information.  During OCR’s investigation, OCR discovered that the practice had also impermissibly disclosed PHI of other patients when responding to those patients’ reviews.  OCR determined that the practice did not have a policy or procedure regarding disclosures of protected health information on social media, nor a notice of privacy practices that complies with the HIPAA Privacy Rule.

The settlement requires the dental practice to pay $10,000.00 and adopt a corrective action plan with two years of monitoring by OCR for HIPAA compliance.  Included in the corrective action plan is the development of policies and procedures that comply with federal standards governing the privacy and security of PHI, which must be approved by OCR.  The dental practice must distribute the policies and procedures to all employees and each employee must sign a certification that the employee has read, understands, and shall abide by the policies and procedures.  The policies and procedures must be updated at least annually and submitted for review by OCR. The dental practice must also submit reports to OCR summarizing the status of its implementation of the corrective action plan.

Like any business owner, a healthcare provider may think it’s necessary to respond to reviews posted on social media in order to protect the provider’s reputation.  However, as a covered entity, a healthcare provider is always bound to comply with HIPAA, as well as State confidentiality laws.  As OCR Director Roger Severino put it, “doctors and dentists must think carefully about patient privacy before responding to online reviews.”