The Office for Civil Rights reached a settlement with B. Brandon Au, DDS, d/b/a New Vision Dental (NVD), to resolve potential violations of the Health Insurance Portability and Accountability Act, after the impermissible disclosure of patients’ protected health information on social media site Yelp.
The OCR announcement stressed that the violation in question involved the provider inappropriately using social media when responding to patient reviews, which resulted in the impermissible disclosures: the “practice is illegal under HIPAA.”
To resolve these allegations and the OCR investigation, NVD paid the Department of Health and Human Services $23,000 and agreed to implement a corrective action plan. In a rare addition to the settlement action, NVD is required to remove all of its social media posts dated as far back as Jan. 1, 2014, and issue breach notices to the affected patients or their representatives.
NVD must also post a substitute notice of the impermissible disclosure of PHI on its Yelp page and issue a notice to HHS. These actions must all be performed within 30 days.
This is the second OCR settlement over possible HIPAA violations due to inappropriate social media use this year. After a contentious fight with the regulatory agency, North Carolina-based Dr. U. Phillip Igbinadolor, D.M.D. was issued a $50,000 civil monetary penalty over a 2015 incident where the doctor impermissibly disclosed a patient’s PHI after a negative review.
Along with the Dec. 14 settlement, OCR Director Melanie Fontes Rainer is signaling the importance of adhering to HIPAA rules when using social media platforms. OCR takes all complaints regarding HIPAA violations seriously, regardless of the entity’s size.
Frankly, “providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear No,” Fontes Rainer said in a statement. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information.”
For NVD, the settlement stems from a 2017 complaint filed with OCR alleging NVD disclosed patient information on its Yelp page. Yelp itself only referred to patients as their chosen monikers. But when the provider responded to patient reviews, he’d provide their full names, treatment, and detailed information about patient visits and insurance details not previously mentioned in their reviews.
OCR launched an investigation into NVD in response, which confirmed that the dental practice had, indeed, been posting responses to social media reviews that compromised health information.
On Aug. 27, 2018, OCR notified NVD of its ongoing investigation into the possible HIPAA violation, and about 18 months later, OCR conducted an on-site visit to NVD as part of its audit. The investigation found NVD impermissibly disclosed patient data, while its notice of privacy practices did not include the minimum content requirements outlined in HIPAA.
The audit into NVD also revealed NVD failed to implement policies and procedures on PHI, including the social media disclosure of PHI. It’s a notable finding, given that implementing privacy policies and procedures are a key part of HIPAA.
Further, when OCR audits a covered entity for a potential HIPAA violation, they may find possible compliance issues that fall outside of the initial complaint. Providers should see the settlement as a warning to review HIPAA compliance requirements for their own privacy programs.
In addition to the monetary payment, NVD is also required to undertake a corrective action plan that will see OCR monitor the dental practice for compliance over the next two years.
Under the CAP, NVD must develop and maintain written HIPAA policies and procedures to reach compliance with industry standards for governing the privacy and security of PHI. The document must address permissible and impermissible uses and disclosures of PHI, as well as adequate administrative, technical, and physical safeguards to protect patient privacy.
Further, NVD must address its policies to limit the use and disclosure of PHI to the minimum necessary, including email, internet, and social media sites. The policies must receive HHS approval and then be distributed to the workforce, who will receive training on the new measures.