The Case
Welcome to a Bite-Size HIPAA® Case Study, where I will break down a real case of a HIPAA enforcement action at a dental office to see what we can learn and apply to your office.
Today we will look at a case involving a small practice right outside LA, in sunny California. This practice found itself in some hot water with Health and Human Services a few years ago because of how it was responding to patient reviews.
The reporting on this case is a little vague, but here is a general idea of what happened: the Office for Civil Rights (the department at Health and Human Services that enforces HIPAA) received a complaint alleging that the dental practice habitually disclosed PHI when it responded to patient posts on Yelp. Sometimes providing full names where the patient used a screen name and including detailed information about patient visits and insurance that may not have been previously mentioned in their initial reviews. OCR reviewed the Yelp page and confirmed that the doctor’s posts did compromise PHI. Furthermore, they went to the practice office and found, among other things, that the practice had not implemented policies and procedures regarding the release of PHI on social media.
To resolve the investigation, the practice had to cough up $23,000 and commit to a corrective action plan monitored by OCR. This kind of plan isn’t just about saying "we’ll do better", it involves tangible steps to ensure the practice understands and follows HIPAA to the letter. This means new policies and procedures, workforce training, steps to mitigate past disclosures, and annual reports to OCR detailing their compliance.
The HIPAA Law
Unauthorized disclosure of PHI is always taken seriously by OCR. Responding to an online review may not seem like a breach, but unless you have the patient’s specific written authorization to disclose their PHI, you can’t do it. Section 164.502 lays out when disclosures are permissible and it doesn’t include any category for responding publicly to a patient’s communication. The default rule is that unless you have patient authorization, or a specific rule permitting the disclosure, you cannot disclose any PHI.
It is important to remember that Protected Health Information is defined as any information that relates to either an individual’s health, their payment for healthcare, or contains information that could reasonably be used to identify the Individual. Something as simple as identifying somebody as a patient of your practice is protected health information - no treatment details need to be included. If the connection can be made that Todd Baker is a patient of Smiles Family Dentistry, that’s PHI and is protected by HIPAA. It cannot be disclosed. I will agree that it is extremely broad. Nevertheless, it is the law, and your marketing activities have to comply with this standard.
The big gotcha with responding to online content is that just because a patient may have disclosed their PHI by sharing an experience or a review, you - as an agent of the practice still CAN’T DO IT. Again, you can’t even acknowledge that they’re a patient.
Case Analysis
So, what went wrong in this case?
This seems to be a case of a dentist just not paying close enough attention to what the law requires. I was able to review some of his responses on Yelp, and it honestly seems like he was just trying to be helpful and respond to the patients’ comments. But in the process, he disclosed information about insurance coverage, treatment options, and patient names. These communications would have been perfectly fine if they weren’t posted to a public website where anybody could view them.
If the practice had adequate procedures in place for responding to reviews and posting to social media, as well as thorough training on those procedures, they could have saved $23,000 and avoided the pain of annual OCR reviews.
Protecting Your Practice Using Bite-Size HIPAA®
We address this topic in much more detail in Bite-Size HIPAA®, including comprehensive procedures and training that will help your staff ensure they are fully complying with the law when posting to social media.
If you haven’t made HIPAA a priority yet, start today. Join our online HIPAA community for dentists at bitesizehipaa.com. Explore and learn for 60 days, on us! Please, watch every training course (we call them Bites) and explore the tools we’ve created to help ease HIPAA implementation and compliance. There is no risk. Give us a little bit of your time and we’ll teach you about the HIPAA law - why it exists and how, if done right, you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.