By Angie Cameron Smith
Your practice receives notification that an online review has been posted about you or the medical practice. You immediately check out the review and realize that the patient has left a scathing, negative review, which you find to be offensive and untrue. You remember the patient but do not recall anything negative about the patient’s visit. You want to respond to the patient (and the public) and explain how your treatment was appropriate – it’s only fair that you get to defend your practice and the care you provided. But before you start typing and uploading a response, be mindful of the limits on your ability to disclose information about the patient, or you could face an investigation by the Office for Civil Rights for violating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule.
In December 2022, the Office for Civil Rights (“OCR”) announced a settlement with a dental practice over a HIPAA violation that occurred when the practice disclosed protected health information (“PHI”) in response to online reviews. OCR had received a complaint alleging that the dental practice “habitually disclosed” patient names, treatment details, and insurance information on the online review site Yelp, in response to posts in which the reviewers had often not given their own names (using only a Yelp moniker) or any insurance information. OCR investigated the complaint and determined that the dental practice had impermissibly disclosed PHI in violation of the HIPAA Privacy Rule. Additionally, the practice had failed to have in place adequate policies and procedures implementing the Privacy Rule. The practice paid $23,000 and entered into a Corrective Action Plan (“CAP”) with OCR. The CAP is effective for two years and requires the practice to develop policies and procedures, to report events that might violate its Privacy, Security and Breach Notification policies, and to train its workforce on its HIPAA policies and procedures. The practice is also required to submit to the United States Department of Health and Human Services an implementation report summarizing how it implemented the CAP, followed by annual reports.
A similar settlement occurred in 2019 with another dental practice, which was required to pay $10,000. That practice had responded to an online review with a reply that included the patient’s protected health information. These cases highlight OCR’s increased focus on, and enforcement of, HIPAA violations in the past few years, and there have been a number of other recent settlements related to HIPAA violations. According to OCR, it has investigated and resolved over 29,000 cases since the Privacy Rule took effect in 2003, and it has imposed civil money penalties and settlements totaling over $133,500,000. The most frequent complaints received by OCR relate to the impermissible use and disclosure of PHI.
As a reminder, HIPAA generally prohibits covered entities from using or disclosing protected health information except in certain specific circumstances. Covered entities include health care providers such as physician practices, dental practices and individual practitioners. Protected health information includes any individually identifiable information relating to an individual’s past, present or future physical or mental health condition; the provision of health care to the individual; or the past, present or future payment for that health care. The Privacy Rule permits use or disclosure of PHI only in the following circumstances:
• To the individual who is the subject of the PHI;
• For treatment, payment and health care operations;
• After the patient has been given an opportunity to agree or object;
• As otherwise permitted or required by the Privacy Rule; or
• With the patient’s written authorization.
There is no provision in the HIPAA Privacy Rule that would allow a medical practice or dental practice (or an individual practitioner) to disclose PHI in response to a public posting on the internet or social media. Some might assume that, because the patient has offered certain information in a public forum, the covered entity may in turn respond with similar information to rebut the negative comments. That is not the case. One might also assume that, because the patient has made his or her health condition the issue, the patient has either waived the protection afforded under HIPAA or has impliedly authorized a responsive disclosure by the covered entity. No such waiver or implied authorization exists under HIPAA. Therefore, if a patient posts information online about his or her health condition or treatment by a physician or practitioner, that posting does not authorize the physician or practice to disclose any information about the patient or his or her reason for visiting the practice. Because the fact that a person received care from the practice is itself PHI, even a reply that merely confirms the reviewer was a patient is a disclosure.
The key takeaway is that health care providers should review their current policies on the use and disclosure of protected health information and specifically confirm that those policies address the use and disclosure of PHI on the internet and social media sites, including prohibiting the use of PHI in responding to online reviews of the practice.
Angie C. Smith is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Angie may be reached at (205) 458-5209 or firstname.lastname@example.org.