As illustrated by a recent Office for Civil Rights (OCR) settlement with a dental practice, health care entities continue to struggle with how to respond to negative online reviews while maintaining compliance with the HIPAA Privacy Rule. Given the significant reputational harm that negative reviews on Yelp and other social media and public platforms (Platforms) can create, providers may be tempted to respond to such negative comments with patient specifics in an attempt to mitigate harm to their businesses.

OCR’s recent settlement serves as a reminder to health care entities of their HIPAA Privacy Rule obligations when communicating with patients on Platforms. “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO.,” said OCR Director, Melanie Fontes Rainer in the OCR settlement news release.

OCR began its investigation of New Vision Dental (NVD) in 2018, after receiving a complaint that the practice repeatedly disclosed patient names, treatment, and insurance information that had not previously been disclosed by patients on its Yelp page. These disclosures led to an onsite audit where OCR’s investigation indicated additional Privacy Rule compliance issues, including Notice of Privacy Practices (NPP) content deficiencies and failure to implement policies and procedures regarding disclosing protected health information (PHI) on Platforms. Ultimately, NVD agreed to pay OCR a resolution amount of $23,000 and implement a two-year corrective action plan (CAP) to resolve any potential violations of HIPAA identified by OCR.   

While $23,000 may seem like a minor amount, NVD is a relatively small dental practice and NVD will incur additional expenses in connection with implementing the two-year CAP, which will require NVD to:

• remove all PHI from NVD’s Yelp page and provide breach reporting to all individuals whose PHI was disclosed on Yelp  without valid authorization (dating back to 2014) and report those breaches using the HHS breach portal within 30 days;

• develop and implement additional policies and procedures and training, which must be approved by OCR;

• revise forms related to compliance with the Privacy Rule (e.g., NPP and authorization forms), which must be approved by OCR;

• monitor and investigate non-compliance with HIPAA policies and procedures;

• report any violations of HIPAA policies and procedures to OCR within thirty (30) days; and

• submit implementation and annual reports to OCR, which include attestations from NVD’s owner or officer regarding accuracy.

Next Steps

While this is not the first time OCR has taken action in connection with health care entities disclosing PHI on Platforms, it is a good reminder for entities responsible for compliance with the HIPAA Privacy Rule to:

• ensure policies and procedures specifically address the use of Platforms and prevent any PHI (including acknowledging the individual as a patient) from being disclosed by the health care entity, even if the patient chooses to disclose the patient’s own information;

• include as part of its auditing processes, a periodic review of Platforms for improper disclosure of PHI; and

• frequently train staff on the use of Platforms to guard against the multitude of potential Privacy Rule pitfalls that come with engaging with patients online.