Dental Practice Gets $10,000 HIPAA Penalty for PHI Disclosures on Social Media

A dental practice has been fined $10,000 by the HHS’ Office for Civil Rights for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by disclosing patients’ protected health information (PHI) on Yelp when responding to patient reviews.

Under HIPAA Rules, covered entities and their business associates are not permitted to disclose PHI on review sites and social media channels unless prior authorization has been obtained from the individuals concerned in writing.

In this case, a potential HIPAA violation was reported to OCR by a patient of Elite Dental Associates, a privately-owned dental practice in Dallas, TX. The patient alleged that when responding to her Yelp review on June 4, 2016, Elite Dental Associates disclosed her name, details of her dental problem and treatment plan, the cost of treatment, and her insurance details.

OCR investigated the complaint and confirmed that an impermissible disclosure of PHI had occurred. It also found that the complainant was not the only patient whose privacy had been violated on the review platform: other patients’ PHI had similarly been impermissibly disclosed in response to reviews.

Additionally, OCR determined that the practice’s policies and procedures relating to the release of PHI were not compliant with HIPAA Rules and the practice had not included sufficient information in its notice of privacy practices to comply with the HIPAA Privacy Rule.

The violation of three separate provisions of HIPAA Rules – 45 C.F.R. § 164.502(a), 45 C.F.R. § 164.530(i), and 45 C.F.R. § 164.520(b) – could have attracted a financial penalty of up to $50,000 per violation category. When deciding on an appropriate financial penalty, OCR took into account the financial position of the dental practice, the size of the practice, the number of patients affected, and the practice’s willingness to assist OCR in its investigation, and issued a reduced penalty.



In addition to paying the financial penalty, the dental practice is required to adopt a corrective action plan to address the HIPAA failures discovered by OCR investigators.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino in a press release announcing the latest HIPAA penalty. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.