The HHS Office for Civil Rights (OCR) recently imposed a $50,000 civil money penalty on a dental practice that disclosed patient-identifying information in response to a negative online review. The case is a reminder that healthcare providers risk liability for a HIPAA privacy violation if they include patient information in their postings on online platforms.

Engagement with consumers through rating websites and social media platforms is an important, and even essential, part of business operations in the digital age. This is as true for healthcare providers as it is for businesses in other industries.

Yet, when posting online content, healthcare providers should be mindful of one consideration unique to the healthcare sector: the federal Health Insurance Portability and Accountability Act (HIPAA). Enforced by OCR, HIPAA gives patients privacy rights and protections in their “protected health information” (PHI). To this end, HIPAA prohibits “covered entities” from disclosing an individual’s PHI, unless the disclosure is required or permitted by HIPAA or the individual has authorized the disclosure.

This past March, OCR announced it had levied a $50,000 civil money penalty (CMP) against a dental practice for “impermissibly disclos[ing] a patient’s PHI on a webpage in response to a negative online review.” The enforcement action serves as a cautionary reminder that disclosing PHI in online postings may subject covered entities to liability for a HIPAA violation.

Dental Practice Reveals Patient Name and Information in Response to Negative Review

OCR’s recent enforcement action stems from a negative review of U. Phillip Igbinadolor, DMD & Associates, PA (UPI), a dental practice in North Carolina. According to the findings in OCR’s Notice of Proposed Determination, the negative review was published on UPI’s Google page under a pseudonym by a patient who was displeased with the dental services he received on two separate occasions.


UPI responded promptly on the Google page to rebut the “unsubstantiated accusations” in the negative review. The response revealed the patient’s full name and details about the services he received, claiming that the patient “never came back for his scheduled appointment.”

“From the foregoing, it is obvious that [Complainant’s full name] level of intelligence is in question, and he should continue with his manual work and not expose himself to ridicule,” the response stated. “Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”

OCR initiated an investigation after receiving a complaint from the patient. The agency later informed the dental practice that its response to the patient’s Google review “constituted an impermissible disclosure of PHI” and that “UPI should remove its response promptly.”

A lengthy back-and-forth between OCR and UPI followed, during which the dental practice refused to release its HIPAA-related policies and other documents. After the practice declined to submit a written response to OCR’s findings or to request a hearing to contest the matter, OCR issued a final determination of noncompliance for which the agency imposed a CMP of $50,000. According to OCR, this was justified because UPI’s HIPAA violation was an act of “willful neglect not corrected.”

Other HIPAA Enforcement Actions Involving Online Reviews

OCR’s imposition of the CMP against UPI is not the first enforcement action the agency has taken where a covered entity allegedly disclosed PHI in response to an online review.

In 2019, another dental practice paid $10,000 pursuant to a resolution agreement to settle claims by OCR that it impermissibly disclosed a patient’s PHI, including her last name, details of her treatment plan, insurance, and cost information, in its response to the patient’s review on Yelp. During its investigation, OCR alleged it discovered improper disclosure of other patients’ PHI in the practice’s responses to their Yelp reviews.


Similarly, in 2013, OCR issued a written letter to a cosmetic surgery practice noting that a minor patient’s parent had complained that the practice impermissibly disclosed the patient’s PHI in response to a Yelp review by the parent. OCR cautioned: “A covered entity may not confirm or deny that a particular person was, in fact, a patient, or disclose any other individually identifiable health information (IIHI) including but not limited to demographic information such as name or address.” Although OCR opted not to impose any penalties, it encouraged the practice “to remove any specific information about current or former patients from your web-blog.”

Maintaining HIPAA Compliance with Online Postings

The foregoing enforcement actions underscore that HIPAA-covered entities should act carefully to prevent unauthorized disclosures of PHI in their public-facing online content, including responses to negative reviews. To this end, covered entities should consider:

  • Developing a Policy on the Use and Disclosure of PHI on Online Platforms: Given the pervasiveness of social media in the workplace and business operations, covered entities should consider developing a policy regarding uses and disclosures of PHI on online platforms. Indeed, in its recent enforcement actions, OCR has emphasized the importance of covered entities having policies specifically addressing PHI and social media. Social media, marketing, and business development staff may be among the primary stakeholders in developing such a policy.

  • Creating Pre-Approved Responses to Negative Reviews: Negative online reviews can sometimes provoke angry and defensive reactions. These reactions, in turn, can fuel hasty responses that may be at greater risk of revealing identifying information, potentially violating HIPAA. To mitigate such risk, covered entities may create pre-approved responses for use in replying to negative posts. These template responses can demonstrate responsiveness to the poster without jeopardizing patient privacy, as in the following sample response:


We value feedback about the patient experience with our care providers. Out of consideration for our patients’ privacy rights, we do not disclose any patient information on public forums. We encourage you to contact our office by phone or email so we can further discuss your experience.

  • Consulting with Legal Counsel to Evaluate Potential Legal Options: Although HIPAA may constrain covered entities’ responses to negative reviews, that does not mean covered entities are without legal remedies to defend their professional reputations. In some cases, a negative review could constitute defamation or other grounds for a covered entity to file a lawsuit against the poster. Covered entities should consult legal counsel to evaluate their options in such cases. In many cases, a stern cease-and-desist letter may be sufficient to prompt removal of a review that could damage a covered entity’s business interests.

Additional research and writing from Jannat Irshad, a 2022 summer associate in ArentFox Schiff’s San Francisco office and a law student at Boston University School of Law.