Disclosing Patient Information in Responses to Online Reviews: Recent OCR Enforcement Action Is a Cautionary Tale
The HHS Office for Civil Rights (OCR) recently imposed a $50,000 civil monetary penalty on a dental practice that disclosed patient-identifying information in response to a negative online review. The case is a reminder that healthcare providers risk liability for a HIPAA privacy violation if they include patient information in their postings on online platforms.
Engagement with customers through rating websites and social media platforms is an important – and even necessary – component of business operations in the digital age. This is as true for healthcare providers as it is for businesses in other industries.
Yet, when posting online content, healthcare providers must be mindful of one consideration unique to the healthcare sector: the federal Health Insurance Portability and Accountability Act (HIPAA). Enforced by OCR, HIPAA affords patients privacy rights and protections in their “protected health information” (PHI). To this end, HIPAA prohibits “covered entities” from disclosing an individual’s PHI, unless the disclosure is required or permitted by HIPAA or the individual has authorized the disclosure.
This past March, OCR announced it had levied a $50,000 civil monetary penalty (CMP) against a dental practice for “impermissibly disclos[ing] a patient’s PHI on a webpage in response to a negative online review.” The enforcement action serves as a cautionary reminder that disclosing PHI in online postings may subject covered entities to liability for a HIPAA violation.
Dental Practice Reveals Patient Name and Information in Response to Negative Review
OCR’s recent enforcement action stems from a negative review of U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice in North Carolina. According to the findings in OCR’s Notice of Proposed Determination, the negative review was published on UPI’s Google page under a pseudonym by a patient who was displeased with the dental services he received on two separate occasions.
UPI responded promptly on the Google page to rebut the “unsubstantiated accusations” in the negative review. The response revealed the patient’s full name and details about the services he received, claiming that the patient “never came back for his scheduled appointment.”
“From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question, and he should continue with his manual work and not expose himself to ridicule,” the response stated. “Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”
OCR initiated an investigation after receiving a complaint from the patient. The agency later informed the dental practice that its response to the patient’s Google review “constituted an impermissible disclosure of PHI” and that “UPI should remove its response promptly.”
A protracted back-and-forth between OCR and UPI followed, during which the dental practice refused to release its HIPAA-related policies and other documents. After the practice declined to submit a written response to OCR’s findings or to request a hearing to contest the matter, OCR issued a final determination of noncompliance for which the agency imposed a CMP of $50,000. According to OCR, this was justified because UPI’s HIPAA violation was an act of “willful neglect not corrected.”
Other HIPAA Enforcement Actions Involving Online Reviews
OCR’s imposition of the CMP against UPI is not the first enforcement action the agency has taken where a covered entity allegedly disclosed PHI in response to an online review.
In 2019, another dental practice paid $10,000 pursuant to a resolution agreement to settle claims by OCR that it impermissibly disclosed a patient’s PHI, including her last name, details of her treatment plan, insurance, and cost information, in its response to the patient’s review on Yelp. During its investigation, OCR alleged it discovered improper disclosure of other patients’ PHI in the practice’s responses to their Yelp reviews.
Similarly, in 2013, OCR issued a letter to a plastic surgery practice noting that a minor patient’s parent had complained that the practice impermissibly disclosed the patient’s PHI in response to a Yelp review by the parent. OCR cautioned: “A covered entity may not confirm or deny that a particular person was, in fact, a patient, or disclose any other individually identifiable health information (IIHI) including but not limited to demographic information such as name or address.” Although OCR opted not to impose any penalties, it encouraged the practice “to remove any specific information about current or former patients from your web-blog.”
Maintaining HIPAA Compliance with Online Postings
The foregoing enforcement actions underscore that HIPAA-covered entities must act carefully to prevent unauthorized disclosures of PHI in their public-facing online content, including responses to negative reviews. To this end, covered entities should consider:
Developing a Policy on the Use and Disclosure of PHI on Online Platforms: Given the pervasiveness of social media in the workplace and business operations, covered entities should consider developing a policy regarding uses and disclosures of PHI on online platforms. Indeed, in its recent enforcement actions, OCR has emphasized the importance of covered entities having policies specifically addressing PHI and social media. Social media, marketing, and business development staff may be among the primary stakeholders in developing such a policy.
Creating Pre-Approved Responses to Negative Reviews: Negative online reviews can sometimes provoke angry and defensive reactions. These reactions, in turn, can fuel hasty responses that may be at increased risk of revealing identifying information, potentially violating HIPAA. To mitigate such risk, covered entities may create pre-approved responses for use in replying to negative posts. These template responses can showcase responsiveness to the poster without jeopardizing patient privacy, as in the following sample response:
We value feedback about the patient experience with our care providers. Out of consideration for our patients’ privacy rights, we do not disclose any patient information on public forums. We encourage you to contact our office by phone or email so we can further discuss your experience.
Consulting with Legal Counsel to Evaluate Potential Legal Options: Although HIPAA may constrain covered entities’ responses to negative reviews, that does not mean covered entities are without legal remedies to defend their professional reputations. In some cases, a negative review could constitute defamation or other grounds for a covered entity to file a lawsuit against the poster. Covered entities should consult legal counsel to evaluate their options in such cases. In many instances, a stern cease-and-desist letter may be sufficient to prompt removal of a review that may damage a covered entity’s business interests.
Additional research and writing from Jannat Irshad, a 2022 summer associate in ArentFox Schiff's San Francisco office and a law student at Boston University School of Law.