HIPAA does not prohibit medical practices from responding to online reviews and feedback on platforms such as Google Reviews, Yelp, or on social media websites; but care must be taken as HIPAA prohibits disclosures of protected health information for purposes other than for treatment, payment, or healthcare operations unless a HIPAA-compliant authorization has been received from an individual.
Patients often leave feedback on review sites anonymously. It may be clear to the medical practice who has left the review, and a response may be appropriate, but that patient should not be identified in the response. Regardless of the feedback that has been left, protected health information must not be disclosed.
This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a Californian dental practice had agreed to settle alleged HIPAA violations that were uncovered during an investigation of a complaint about impermissible disclosures of protected health information on the review platform Yelp. The financial penalty serves as a warning to medical practices about the dangers of responding to reviews. In this case, the dental practice was required to pay a financial penalty of $23,000, adopt a corrective action plan (CAP), provide HIPAA training to staff, and will be monitored closely for compliance with that CAP and HIPAA for two years.
The complainant alleged that the owner and CEO of New Vision Dental, B. Brandon Au, DDS, Inc., had responded to reviews on Yelp on multiple occasions and had disclosed patients’ protected health information. In some cases, patients had left reviews using a moniker so as to remain anonymous. Some of the responses included patients’ full names. Disclosures were also made about treatment and insurance information.
OCR investigated the alleged impermissible disclosures and verified that patients’ protected health information had been impermissibly disclosed, which is prohibited by the HIPAA Privacy Rule – See 45 C.F.R. § 164.502(a). OCR also visited the practice as part of the investigation and reviewed the practice’s policies and procedures and notice of privacy practices.
OCR determined that the practice’s notice of privacy practices was inadequate and did not include the minimum content, as required by 45 C.F.R. § 164.520(b). The practice had also failed to implement HIPAA-compliant policies and procedures, including policies regarding the release of protected health information on social medial platforms and other public platforms, as required by 45 C.F.R. § 164.530(i).
When a patient leaves a negative review, especially when online criticism is misguided or unfounded, a response is important to help preserve the practice’s reputation, but protected health information must not be disclosed.
This is not the first time that OCR has imposed a financial penalty for impermissible disclosures of protected health information on Yelp. Earlier this year, a $50,000 civil monetary penalty was imposed on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., for disclosing PHI in response to a negative review, and in 2019, Elite Dental Associates settled its case with OCR for $10,000 after impermissibly disclosing protected health information on social media.
“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO.,” said OCR Director, Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”