The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the resolution of an investigation into a North Carolina dental practice for impermissible disclosure of a patient’s protected health information (PHI) on a webpage in response to a negative online review of the practice posted by the patient.
A patient of the North Carolina dental practice (Practice) posted a negative review of the Practice on the Practice’s Google page using a pseudonym, to avoid using his real name. The Practice posted a response on its Google page to the patient’s negative review and disclosed the patient’s name, described the dates on which the patient visited the Practice’s office, and reasons for treatment.
The affected patient filed a complaint with OCR, which OCR investigated, and determined that the Practice’s disclosure of PHI was not permitted nor required by the HIPAA Privacy Rule. The Practice did not respond to OCR’s data request for information related to the disclosure of PHI, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty on the Practice.
This enforcement action is a critical reminder to dental and medical practices to be wary of responding to online reviews and the importance for covered entities to understand their responsibilities under HIPAA if responding to online reviews. This is not the first time OCR has imposed penalties on a dental practice for this same reason, as discussed on the Nixon Peabody blog in October 2019, and this new enforcement action demonstrates that the inappropriate disclosure of PHI is a recurring theme. Back in 2019, OCR announced Elite Dental Associates had agreed to pay $10,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy Rule.
In the 2019 situation, Dallas-based Elite Dental Associates received a review submitted by a patient via Yelp. Elite responded to the patient’s review by disclosing the patient’s last name and details of her treatment plan and insurance. The patient subsequently submitted a complaint to OCR regarding Elite’s response.
For practices tempted to respond to online reviews, it is important to note that, under HIPAA, PHI should never be disclosed in response to an online review or posting without the patient’s written authorization. PHI includes more than a patient’s medical and treatment record, it also includes any demographic data that relates to healthcare for the individual and individually identifiable health information such as name, address, email, birth date, and phone number.
Even when a patient willingly provides information about him or herself online, a healthcare provider’s response to any review or social media posting must comply with the HIPAA Privacy Rule, or the provider risks OCR enforcement and penalties. Any online review, both good and bad, should be handled with care to ensure HIPAA compliance and to avoid any impermissible disclosure of patients’ protected health information.
*Cristal Nova and Ally Bremer, legal interns in Nixon Peabody's Healthcare practice and J.D. candidates at Loyola University Chicago School of Law, assisted with the preparation of this alert.