HIPAA Journal reports that the Office for Civil Rights (OCR) recently settled a case with a Dallas dental practice for impermissible disclosure of multiple patients’ protected health information (PHI) via social media.
On June 5, 2016, OCR received a complaint from a patient who alleged a HIPAA violation occurred on the Yelp review site. The patient claimed the practice responded to a review she left and publicly disclosed some of her PHI. Her last name and details of her health condition, treatment plan, insurance, and cost information were disclosed. The investigation found this was not the first time the practice disclosed PHI without authorization on the social media platform.
In addition, OCR determined the practice had not implemented policies and procedures relating to PHI—particularly the release of PHI on social media and other public platforms—which is a violation of 45 C.F.R. § 164.530(i). It also lacked the minimum required content in its Notice of Privacy Practices, as required by the HIPAA Privacy Rule [45 C.F.R. § 164.520(b)].
OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan to resolve the alleged HIPAA violations and settle the case with no admission of liability. “Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
This incident is an example of what can happen when employees aren’t correctly trained on patient privacy and how to handle PHI. Since delivering the first employee training on Texas House Bill 300 for the Texas Dental Association, Smart Training has trained more than 15,000 dental professionals in Texas on protecting patients’ PHI. Its online training is inexpensive, convenient, and quick.