April 1, 2020

March 31, 2020

Subscribe to Latest Legal News and Analysis

March 30, 2020

Subscribe to Latest Legal News and Analysis

March 29, 2020

Subscribe to Latest Legal News and Analysis

Dental Practice Pays $10,000 in HIPAA Settlements for Disclosing Personal Health Information on Social Media

Elite Dental Associates, Dallas (“Elite”) has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule[1]. According to OCR, Elite is a privately owned dental practice in Dallas, Texas, providing general, implant, and cosmetic dentistry.

On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a Yelp! review by disclosing the patient’s last name and details of the patient’s health condition. OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on its Yelp! review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure its social media interactions protected the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.

This settlement is a reminder to all covered entities subject to the HIPAA Privacy Rule that PHI of your patients cannot be disclosed through social media. Health care providers cannot respond to social media posts and other reviews in a manner that would disclose patient PHI. As OCR Director Roger Severino noted in an HHS press release, “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

The OCR resolution agreement is available here.

[1] 45 CFR Part 160 and Subparts A and E of Part 164.

© 2020 Dinsmore & Shohl LLP. All rights reserved.


About this Author

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Jared Bruce, Dinsmore Law Firm, Cincinnati, Corporate and Health Care Law Attorney

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity.  His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance and transactional matters related to government-sponsored health insurance plans such as Medicare and Medicaid. Additionally, he has experience representing clients in administrative appeals, Ohio Medicaid State hearings and provider reimbursement disputes.