Dental office fined $10K for alleged HIPAA violation


A privately owned dental practice, Elite Dental Associates, ran into trouble when a patient filed a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) in June 2016. The patient alleged that the practice responded to a social media review she posted on Yelp and disclosed her last name, details of her treatment plan, insurance, and cost information, in potential violation of the Health Insurance Portability and Accountability Act (HIPAA).1
 
The subsequent OCR investigation found that the dental practice had impermissibly disclosed the patient’s protected health information (PHI), as well as the PHI of multiple other patients in response to negative reviews on the practice’s Yelp page.2 Furthermore, the OCR investigation found Elite did not have policies and procedures regarding disclosures of PHI to ensure its social media interactions protected patient information, nor a Notice of Privacy Practices in compliance with the HIPAA Privacy Rule.1
 
As part of a resolution agreement with the OCR that was published on the HHS website, the practice recently agreed to pay $10,000 to the OCR and to adopt a corrective action plan. The corrective action plan includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure the privacy and security of PHI in compliance with HIPAA, as well as two years of monitoring by OCR for compliance with HIPAA rules.3 The alleged HIPAA violations could have attracted a substantially higher financial penalty, but while assessing an appropriate financial penalty, OCR took the financial position of the practice, its size, and the practice’s cooperation with the OCR investigation into account.4 Note that the resolution agreement is not an admission of liability from Elite.2
 
Responding to social media reviews
Consumers often appreciate when business owners respond to a complaint or acknowledge a positive comment. Responding to favorable reviews lets users know their comments are appreciated. It also provides an opportunity to mention a relevant service. Responding to negative reviews is more challenging. Here are some strategies from the Dentist’s Advantage article, Online Reputation Management, to keep in mind:
 
  • Is it worth it? Whether it is positive or negative, not every post requires a response. Decide if there is any value in responding, if it would appear uncaring to not respond, or if there is anything positive that can be said.
  • Follow HIPAA. Do not post any information about patients or employees.
  • Curtail emotions. Although the comment might be rude, it is important to take the high road.
  • Respond quickly. The sooner a dentist or staff member responds to a negative posting, the sooner the response will be available for other users to read. Negative comments spread far faster than positive ones, so quick action is needed to minimize potential damage.
  • Apologize. Do not underestimate the power of saying, “I’m sorry XXX happened,” or, “I’m sorry you experienced such frustration.” Apologizing does not mean the poster was right; it is simply a way of acknowledging that the experience was not ideal.
  • Address the issue. Social media users know when someone is sidestepping the problem. State how the problem is being addressed and be honest if for some reason the issue cannot be rectified or will take time to rectify.
  • Thank the person. It is often appropriate to write something like, “Thank you for bringing this to our attention” or “We appreciate knowing how our patients feel.”

References
1. Finnegan, Joanne. “Dental practice pays $10K to settle complaint it disclosed patient information on Yelp.” Fierce Healthcare. 2 Oct. 2019. https://www.fiercehealthcare.com/practices/dental-practice-pays-10k-to-settle-complaint-it-disclosed-patient-information-social
2. Davis, Jessica. “OCR Settles with Dental Provider for Potential HIPAA Violation on Yelp.” HealthITSecurity. 3 Oct. 2019. https://healthitsecurity.com/news/ocr-settles-with-dental-provider-for-potential-hipaa-violation-on-yelp
3. U.S. Department of Health and Human Services. “Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information.” https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html
4. HIPAA Journal. “Dental Practice Fined $10,000 for PHI Disclosures on Yelp.” 3 Oct. 2019. https://www.hipaajournal.com/dental-practice-fined-10000-for-phi-disclosures-on-yelp/