Skip to main content

Nixon Peabody LLP

Article

HIPAA-regulated entities must use caution responding to online reviews

July 13, 2023

By Valerie MontagueGrace Connelly, a legal intern in Nixon Peabody's Healthcare practice and a 2024 JD candidate at Loyola University Chicago School of Law and assisted with the preparation of this article.

A psychiatry practice is the latest HIPAA covered entity subject to OCR enforcement related to an online response to a patient’s negative review.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Manasa Health Center, LLC on June 5, 2023, to resolve allegations that the psychiatric practice impermissibly disclosed protected health information (PHI) responding to a patient’s online review.

In April 2020, OCR received a complaint alleging that Manasa Health Center impermissibly disclosed the PHI of a patient when the entity posted a response to the patient’s negative Google review. The healthcare provider’s response allegedly included information about the individual’s diagnosis and treatment of their mental health condition. OCR’s subsequent investigation revealed potential HIPAA violations, including impermissible disclosures of PHI of four patients in response to negative Google reviews and the failure of the entity to implement HIPAA Privacy Rule policies and procedures. Manasa Health Center agreed to pay $30,000 and entered into a two-year corrective action plan, which includes a requirement to provide a HIPAA breach notification to the individuals whose PHI was referenced in response to their online reviews.

This enforcement action is the latest of several addressing the issue of the revelation of PHI in response to negative online reviews. In December 2022, OCR and a California dental practice resolved allegations that the practice impermissibly disclosed PHI on its Yelp page when responding to patient reviews. The practice included the patients’ full names and detailed information about the patients’ visit and insurance information that had not been a part of the patients’ initial Yelp review. The practice agreed to pay $23,000 in addition to entering into a two-year corrective action plan to resolve the allegations.

Earlier in 2022, as well as in October 2019, OCR entered into settlements ($50,000 and $10,000, respectively) and corrective action plans with two other dental practices. Both responded online to patients’ reviews, with OCR finding that the practices impermissibly disclosed PHI in violation of HIPAA.

This continued OCR enforcement emphasizes to healthcare providers that disclosures of information on social media and internet posts must not impermissibly contain PHI. HIPAA-regulated entities should take care in their responses, as even confirmation of facts posted online by a patient may raise compliance issues under HIPAA. Entities should ensure that their public relations, social media, and administrative teams are trained on acceptable online responses and what content may result in a HIPAA breach.

OCR Action

Insights And Happenings

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe