HIPAA Journal reports that the Office for Civil Rights (OCR) recently settled a case with a Dallas dental practice for impermissible disclosure of multiple patients’ protected health information (PHI) via social media.
On June 5, 2016, OCR received a complaint from a patient who alleged that a HIPAA violation had occurred on the Yelp review site. The patient claimed the practice responded to a review she left and publicly disclosed some of her PHI. Her last name and details of her health condition, treatment plan, insurance, and cost information were disclosed. The investigation found this was not the first time the practice had disclosed PHI without authorization on the social media platform.
In addition, OCR determined the practice had not implemented policies and procedures relating to PHI—particularly the release of PHI on social media and other public platforms—which is a violation of 45 C.F.R. § 164.530(i). It also lacked the minimum required content in its Notice of Privacy Practices, as required by the HIPAA Privacy Rule [45 C.F.R. § 164.520(b)].
OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan to resolve the alleged HIPAA violations and settle the case with no admission of liability. “Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”