On October 2, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Elite Dental Associates - Dallas, P.C. (Elite) had agreed to pay $10,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy Rule.
Elite is a private dental practice in Dallas, Texas. A patient submitted a review on Elite’s Yelp review page, and Elite responded to the review by disclosing the patient’s last name and details of her treatment plan and insurance. The patient subsequently submitted a complaint to OCR on June 5, 2016, regarding Elite’s response.
After OCR opened an investigation of the dental practice to review the patient’s complaint, it determined that Elite improperly disclosed PHI of multiple patients in response to Elite’s Yelp reviews without valid HIPAA authorizations; failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms; and failed to have the minimum content required in its Notice of Privacy Practices as provided by the HIPAA Privacy Rule. Despite these significant HIPAA violations, OCR noted that it took into account Elite’s size, financial circumstances, and cooperation with OCR’s investigation when accepting the $10,000 settlement amount.
OCR Director Roger Severino stated, “Social media is not the place for providers to discuss a patient’s care” and that “[d]octors and dentists must think carefully about patient privacy before responding to online review.”
To reinforce this point, Elite’s corrective action plan with OCR requires Elite to revise its Notice of Privacy Practices to include a description of the uses and disclosures of PHI for which Elite is required to obtain an individual’s authorization. OCR gives posting on Elite’s website, social media pages, and/or other public platforms as examples to include in this Notice. Notably, this requirement to provide specific social media examples that require HIPAA authorization goes beyond what is provided in the Notice of Privacy Practices requirements in the HIPAA Privacy Rule. 45 CFR §164.520(b) only requires specific notice of the requirement for authorization for psychotherapy notes and marketing and sale of PHI. For all other uses or disclosures not otherwise permitted by HIPAA, 45 CFR §164.520(b) only requires a general statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with an individual’s written authorization and a statement that the individual may revoke an authorization.
Elite’s experience with OCR is an important lesson for all HIPAA covered entities about the necessity of understanding their responsibilities under HIPAA when posting or responding on any social media platform.
OCR’s press release about this settlement can be found here.