The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Manasa Health Center, LLC on June 5, 2023, to resolve allegations that the psychiatric practice impermissibly disclosed protected health information (PHI) when responding to a patient’s online review.
In April 2020, OCR received a complaint alleging that Manasa Health Center impermissibly disclosed the PHI of a patient when the entity posted a response to the patient’s negative Google review. The healthcare provider’s response allegedly included information about the individual’s diagnosis and treatment of their mental health condition. OCR’s subsequent investigation revealed potential HIPAA violations, including impermissible disclosures of PHI of four patients in response to negative Google reviews and the failure of the entity to implement HIPAA Privacy Rule policies and procedures. Manasa Health Center agreed to pay $30,000 and entered into a two-year corrective action plan, which includes a requirement to provide a HIPAA breach notification to the individuals whose PHI was referenced in response to their online reviews.
This enforcement action is the latest of several addressing the disclosure of PHI in response to negative online reviews. In December 2022, OCR and a California dental practice resolved allegations that the practice impermissibly disclosed PHI on its Yelp page when responding to patient reviews. The practice’s responses included the patients’ full names and detailed information about their visits and insurance that had not been part of the patients’ original Yelp reviews. The practice agreed to pay $23,000 and entered into a two-year corrective action plan to resolve the allegations.
Earlier in 2022, as well as in October 2019, OCR entered into settlements ($50,000 and $10,000, respectively) and corrective action plans with two other dental practices. Both responded online to patients’ reviews, with OCR finding that the practices impermissibly disclosed PHI in violation of HIPAA.
OCR’s continued enforcement signals to healthcare providers that social media and other internet posts must not impermissibly disclose PHI. HIPAA-regulated entities should take care in their responses, as even confirming facts a patient has already posted online may raise compliance issues under HIPAA. Entities should ensure that their public relations, social media, and administrative teams are trained on acceptable online responses and on what content may result in a HIPAA breach.