
A practice owner recently learned the hard way that review platforms such as Yelp and Google can not only drive new patients his way, but also expose his practice to HIPAA violations.
The Office for Civil Rights (OCR) announced that a settlement had been reached with a general dentist, who owns two offices in California, to resolve multiple HIPAA violations.
The practice paid a $23,000 financial penalty and agreed to adopt a corrective-action plan to address the aspects of non-compliance identified by OCR. The practice is also subject to monitoring by OCR for a period of two years.
Events Leading to Settlement
In November 2017, OCR received a complaint alleging the owner had disclosed PHI in posts responding to several reviews by patients on Yelp.
In some of the posts, patients’ full names were disclosed when they had chosen to only use a moniker on the platform. Other information allegedly posted by the doctor included detailed information about the patients’ visits, treatment, and insurance—information that had not been disclosed by the patients.
The Violations
The investigation, which included an onsite visit to the practice, revealed multiple violations:
- The doctor had impermissibly disclosed the PHI of patients on multiple occasions on Yelp.
- The practice did not have required content in its Notice of Privacy Practices.
- The practice had not implemented appropriate policies and procedures concerning PHI, including the release of PHI on social media platforms and in public places.
The sad thing about the case is that so little needs to be done to keep something like this from happening. A bit of education and common sense goes a long way.