On December 14, 2022, the U.S. Department of Health and Human Services Office of Civil Rights published a notice of a settlement with a dental practice over disclosures of patients’ protected health information over social media. Here is the full version reproduced below:
Date: Wed, 14 Dec 2022
Subject: HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information
HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information; The dental practice responded to reviews on social media by disclosing patient health information in violation of the law; OCR warns others against this practice
Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces a settlement with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO.,” said OCR Director, Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
In November 2017, OCR received a complaint alleging that New Vision Dental impermissibly disclosed PHI, including patient names, treatment, and insurance information, in response to patients’ online reviews of the practice. OCR’s investigation found potential violations of the HIPAA Privacy Rule including, impermissible uses and disclosures of PHI, and failures to provide an adequate Notice of Privacy Practices and implement Privacy policies and procedures.
In addition to the monetary settlement, New Vision Dental will undertake a CAP that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The resolution agreement and CAP may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision-ra-cap/index.html
The allegations as to what specific information the practice was posting are as follows:
Specifically, Complainant alleged that NVD habitually disclosed PHI when it responded to patient posts sometimes providing full names where only Yelp monikers were used by the patients and including detailed information about patient visits and insurance that may not have been previously mentioned in their initial reviews. During OCR’s review of NVD’s Yelp review page, OCR confirmed that NVD had been posting responses to reviews that compromised PHI.