On October 2, 2019, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced that it had reached a $10,000 monetary settlement with a Dallas-based dental practice to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
As part of the settlement, Elite Dental Associates (Elite) agreed to a corrective action plan (CAP), which includes two years of HIPAA compliance monitoring to be conducted by OCR. The settlement does not constitute an admission of liability by Elite.
On June 15, 2016, OCR received a complaint from an Elite patient alleging that the practice impermissibly disclosed her protected health information (PHI) on Elite’s Yelp review webpage (Yelp). The patient claimed that Elite disclosed her last name, details of her treatment plan, her insurance information, and treatment cost in response to the patient’s review on Yelp. OCR’s investigation uncovered that Elite improperly disclosed PHI for numerous patients on Yelp without valid authorizations to do so. In addition, OCR found that Elite did not have policies and procedures to ensure that Elite’s social media interactions protect patient PHI. Further, Elite’s Notice of Privacy Practices did not comply with the HIPAA Privacy Rule.
As part of the two-year CAP, Elite agreed to each of the following:
- develop, maintain, and revise its written policies and procedures to comply with HIPAA, subject to HHS approval;
- distribute the updated written policies and procedures to members of its workforce and provide training to its workforce;
- revise its template authorization form and Notice of Privacy Practices;
- retroactively provide breach notices within 30 days to any individuals whose PHI was disclosed by Elite on Yelp without the appropriate authorization; and
- submit annual CAP compliance reports to OCR.
The OCR settlement is an important (and expensive) reminder for all HIPAA covered entities that the obligation to safeguard PHI extends to the myriad of social media outlets. All covered entities should review their policies and processes to ensure they protect a patient’s rights under HIPAA, including measures to ensure that social media activity is free from PHI disclosures.
Saul Ewing attorneys regularly assist covered entities with creating and maintaining their HIPAA privacy policies and work with covered entities and business associates to ensure HIPAA Privacy Rule and Security Rule compliance. If you have questions regarding an issue raised in this post, please contact the authors or the attorney at the firm with whom you are regularly in contact.