An unsurprisingly large number of medical and dental practices regularly monitor patient reviews or opinions posted on social media in order to, among other things, respond to unfairly negative or even blatantly false patient statements. However, despite the strong temptation to correct or contextualize patient statements in order to mitigate damage to a practice’s reputation, social media managers and practice owners alike must keep HIPAA and state privacy laws in mind. No disclosure of protected health information is too small to avoid incurring HIPAA penalties, even if that disclosure comes in the seemingly innocent form of defending a practice from an unfairly negative online review.
Recently, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has made it clear that it will continue to vigorously enforce the HIPAA Privacy Rule1 in the face of wrongful disclosures of protected health information (“PHI”), no matter the magnitude or breadth of that disclosure.
OCR recently took issue with a small dental practice in Texas, Elite Dental Associates - Dallas (“Elite”), that had responded to a patient’s review on its Yelp® page. OCR received a complaint alleging that “Elite impermissibly disclosed [the complainant’s] protected health information (“PHI”) on its Yelp® review page…including her last name, details of her treatment plan, insurance and cost information.”2 OCR investigated the complaint and found that Elite committed three separate violations of the HIPAA Privacy Rule - Elite (1) impermissibly disclosed the PHI of multiple patients in response to negative reviews on Yelp® (2) failed to implement policies and procedures with respect to disclosures of patient PHI to ensure that patient privacy was protected, and (3) failed to put into place a compliant Notice of Privacy Practices. Ultimately, Elite agreed to pay $10,000 to resolve the alleged violations.
Elite entered into a two year Corrective Action Plan with OCR which requires Elite to, among other things, implement policies and procedures that comply with federal standards governing the privacy and security of individually identifiable health information and provide compliance training to its workforce. Further, the Corrective Action Plan requires Elite to revise its Notice of Privacy Practices and issue breach notices to individuals whose PHI Elite disclosed on its Yelp® page without valid authorizations.
OCR’s resolution with Elite highlights some important points:
- First, no healthcare organization is too small to be investigated and penalized by OCR. The violation of three separate provisions of the HIPAA Privacy Rule in this case could have resulted in a financial penalty of up to $50,000 per violation. Notably, OCR admitted that the lower monetary settlement amount in this case was determined upon consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation. This means that larger organizations committing the same HIPAA violations might be subject to greater penalties.
- Second, healthcare organizations that use social media to communicate or interact with patients are advised to implement a HIPAA-compliant social media policy to mitigate against the risk of patient privacy violations. The HIPAA Privacy Rule does not specifically address social media, but, as a general matter, it prohibits the use of PHI without patient authorization to do so. Even with valid patient authorization, the HIPAA Privacy Rule prohibits the use of PHI outside the purpose stated in the authorization. Importantly, a patient-initiated public disclosure of his or her own PHI does not constitute valid authorization for purposes of a healthcare organization’s use or disclosure of that patient’s PHI to respond to the patient’s social media post.
The penalties in this case may seem small but serve as a good reminder for healthcare practitioners, social media managers and practice owners that they need to consider patient privacy before responding to, correcting or contextualizing online reviews. Organizations of all sizes should be mindful of privacy considerations and confidentiality obligations when communicating with patients online and should proactively take steps to assess and update HIPAA policies and procedures to ensure that patient privacy is preserved.
45 C.F.R. Part 160 and Subparts A and E of Part 164
This document is intended to provide you with general information regarding the risk for health care practices of violating privacy laws on social media. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions.