No business likes to receive bad reviews on Yelp® or anywhere else in social media. When they do, some feel the need to respond to clarify or rebut the reviews, but they must do so carefully. This is particularly true for HIPAA covered entities, as their responses could include protected health information (PHI). A recent Office for Civil Rights (OCR) settlement with a small dental practice highlights this point.

According to the OCR Resolution Agreement, the dental practice responded to a patient’s less than favorable review on Yelp. The patient complained to OCR alleging that the response:

impermissibly disclosed her PHI when it responded to her post and provided her health information including her last name, details of her treatment plan, insurance and cost information.

The OCR conducted its own review of the practice’s Yelp®review page, and claims to have found similar activity with respect to other patients. Specifically, the OCR found that the practice had “impermissibly disclosed PHI of other patients when it responded to those patients’ [Yelp®] reviews without valid authorizations.” The OCR’s investigation also found the practice did not have (i) a policy and procedure addressing impermissible disclosures that could be applied to social media activity, or (ii) a compliant Notice of Privacy Practices. To settle these potential violations, the practice agreed to pay $10,000, and to adhere to a corrective action plan that includes two years of monitoring by OCR.

Yelp reviews certainly are not the only form of social media with which health and dental practices engage. Many use Facebook pages, YouTube channels, and other platforms to promote their business and to interact with persons they serve and others. In some cases, such as nursing homes and assisted living facilities, healthcare workers build relationships with residents, patients, and their family members that can spill over into social media. If not careful, and in the absence of a clear policy, casual and informal communications between practice staff and patients could expose the practice to significant risk.

So what should small medical and dental practices be doing to address these risks:

• Get complaint with HIPAA!

• Develop and maintain a clear social media policy to guide employees (providers and staff) as to company policy and best practices. This policy can and should be included with your HIPAA privacy and security policies and procedures.

• Train concerning these policies.

• Maintain a HIPAA Notice of Privacy Practice and post in on the practice’s website, as applicable.

• Understand the social media channels that the practice engages in and consider periodically monitoring public social media activity by employees.