HHS Gives Dental Practice Posting PHI on Yelp a Bad Review

Practice Must Pay a $10,000 HIPAA Settlement

A dental practice in Texas that responded to patients’ Yelp reviews by disclosing patient names and other health information has gotten a bad review from federal regulators: A $10,000 HIPAA monetary settlement and a corrective action plan.

In a statement Wednesday, the Department of Health and Human Services said the settlement with Elite Dental Associates of Dallas centered on a patient complaint received in 2016 by HHS’ Office for Civil Rights, which enforces HIPAA.

The patient alleged that Elite had responded to a Yelp social media review by disclosing the patient’s last name and details of the patient’s health condition. “OCR’s investigation found that Elite had impermissibly disclosed the protected health information of multiple patients in response to patient reviews on the Elite Yelp review page,” OCR says in the statement.

“Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.”

OCR says it accepted “a substantially reduced settlement amount” in consideration of Elite’s size, financial circumstances and cooperation with its investigation.

“Social media is not the place for providers to discuss a patient’s care,” said Roger Severino, OCR director. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

Corrective Action

Elite agreed to a corrective action plan that includes two years of monitoring by OCR for compliance with HIPAA. The practice has agreed to develop, maintain and revise, as necessary, its written policies and procedures to comply with the HIPAA privacy and security rules, and train staff on compliance.

Dentist Andy Chang, CEO of Elite Dental, tells Information Security Media Group that the incident involving the disclosure of patient information on Yelp involved another associate at the practice.

Chang and that associate each contributed half of the monetary settlement paid to OCR, Chang says. Also, Elite was recently sold to another Dallas-based dental practice, Silk Dental, which will continue to follow the revised policies and procedures put in place by Elite as part of the corrective action plan, he says.

Lessons to Others

Elite’s settlement with OCR offers a cautionary tale to other healthcare entities, some privacy experts note.

“Social media is an important way for healthcare providers to engage patients and for patients to find providers,” says independent HIPAA attorney Paul Hales. “However, many providers simply are not aware of the HIPAA rules that apply to websites, social media and patient reviews. Neither are many vendors that provide Internet-based healthcare marketing services.”

The Elite case has some similarities to a $25,000 HIPAA settlement case OCR signed in 2016 with Complete P.T., Pool & Land Physical Therapy.

In that case, the Los Angeles-based physical therapy provider allegedly failed to obtain patients’ permission before using their personal information for “testimonial” marketing purposes on its website.

“Providers are bound by HIPAA law that requires a valid HIPAA-compliant authorization from the patient before disclosing PHI on the internet,” Hales says. “PHI is any information that identifies a patient and relates to provision of healthcare to the patient. Accordingly, a provider’s response to an online review confirming the reviewer is a patient without the patient’s prior authorization is a HIPAA violation. Now the provider is complicit in exposing its patient to medical identity thieves.”

Social Media Blunders

One of the most significant aspects of the Elite settlement is “the scope of PHI disclosed by Elite in responding to the Yelp reviews,” notes healthcare attorney Matthew Fisher of the law firm Mirick O’Connell.

“As noted in the settlement, the PHI disclosed included the patient’s last name, details of a treatment plan, insurance and cost information. That level of detail is quite specific,” Fisher says.

The extent of the disclosure, Fisher says, implies a failure by the dental practice to educate its staff on “how PHI can be used and disclosed.”

Small But Significant?

Privacy attorney Iliana Peters of the law firm Polsinelli says the OCR resolution agreement with Elite apparently contains the smallest financial sanction of any settlement so far, which reflects, in part, the practice’s size and cooperation with authorities.

“The same conduct by larger healthcare providers could result in substantially larger settlement amounts or civil money penalties,” she points out.

“This type of situation happens more often than people realize, given that many healthcare providers mistakenly believe that if a patient puts their own information out in the public sphere, the healthcare provider can respond with patient information,” she says. “Obviously, this is not correct, and healthcare providers must train their workforce to ensure that they do not impermissibly disclose patient information in their efforts to ensure a good public reputation.”

OCR earlier indicated it’s working on guidance on PHI and social media, Peters says. “Obviously I encourage OCR to publish such guidance – it would be so helpful for the regulated community.”

Peters offers advice on responding to patient complaints: “Healthcare providers should do their best to get in touch with patients who have bad experiences about which they talk on social media, and obviously not through social media, to understand those patients’ concerns,” she says. “Further, healthcare providers can absolutely craft public-facing messages that do not confirm or deny that an individual is a patient, while providing information on their mission and goals as a healthcare organization.”