Dental Practice Hit With HIPAA Fine for Posting PHI on Yelp
HHS Settlement Is Latest Involving Similar Social Media Blunders
Federal regulators slapped a California dental practice with a $23,000 fine and corrective action plan after its owner responded to negative Yelp reviews by posting patient data online.
Federal investigators found that New Vision Dental, a practice located in the eastern exurbs of greater Los Angeles, responded to criticism by revealing the protected health information of patients.
A complaint submitted in 2017 to the Office of Civil Rights within the Department of Health and Human Services said the practice "habitually" responded to criticism by posting the real names of Yelpers submitting reviews under monikers as well as "detailed information about patient visits and insurance."
New Vision Dental did not immediately respond to Information Security Media Group's inquiry, but its battle with negative Yelp reviews appears to be long-standing. A video on its website dated September 2013 accuses Yelp of obscuring positive reviews. Yelp currently blocks reviews for New Vision Dental and practice owner Dr. Brandon Au.
In addition to paying a $23,000 fine, New Vision Dental must remove any social media postings made since 2014 that include patient data and issue breach notices to affected individuals.
"Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear 'no,'" said Melanie Fontes Rainer, OCR director, in a statement. "We take complaints about potential HIPAA violations seriously, no matter how large or small the organization."
Yelp Is Not a HIPAA-Free Zone
New Vision Dental isn't the first practice to run afoul of federal privacy law on Yelp. In 2019, OCR settled a case with Texas-based Elite Dental Associates of Dallas for $10,000 after a patient complained that the practice had responded by sharing real name information and details of the patient's health condition (see: HHS Gives Dental Practice Posting PHI on Yelp a Bad Review).
Regulatory attorney Paul Hales of the Hales Law Group says incidents involving impermissible disclosures of PHI are rampant on social media sites.
"The internet is flooded with PHI disclosed by providers of all sizes in patient reviews posted on their own websites and in their responses to reviews on independent patient review sites," he says. Apparently many of these entities are unaware that the HIPAA privacy rule standards apply to patient reviews and social media, he says.
"Many fall prey to vendors selling reputation management services that encourage solicitation of five-star reviews and advise providers to reply immediately to every review - good or bad."
Covered entities should adopt and enforce the policy that they will not respond to patient reviews, he suggests - or at least limit responses to neutral statements about their commitment to quality healthcare without confirming or denying the individual is a patient.