Dental Practice Gets $10,000 HIPAA Penalty for PHI Disclosures on Social Media

A dental practice has been fined $10,000 by the HHS’ Office for Civil Rights for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by disclosing patients’ protected health information (PHI) on Yelp when responding to patient reviews.

Under HIPAA Rules, covered entities and their business associates are not permitted to disclose PHI on review sites and social media channels unless prior authorization has been obtained from the individuals concerned in writing.

In this case, a potential HIPAA violation was reported to OCR by a patient of Elite Dental Associates, a privately owned dental practice in Dallas, TX. The patient alleged that when responding to her Yelp review on June 4, 2016, Elite Dental Associates disclosed her name, details of her dental problem and treatment plan, the cost of treatment, and her insurance details.

OCR investigated the complaint, confirmed that an impermissible disclosure of PHI had occurred, and found that the complainant was not the only patient whose privacy had been violated on the review platform. Other patients’ PHI had similarly been impermissibly disclosed in response to reviews.

Additionally, OCR determined that the practice’s policies and procedures relating to the release of PHI were not compliant with HIPAA Rules and the practice had not included sufficient information in its notice of privacy practices to comply with the HIPAA Privacy Rule.

The violation of three separate provisions of HIPAA Rules – 45 C.F.R. § 164.502(a), 45 C.F.R. § 164.530(i), and 45 C.F.R. § 164.520(b) – could have attracted a financial penalty of up to $50,000 per violation category. When deciding on an appropriate financial penalty, OCR took into account the financial position of the dental practice, the size of the practice, the number of patients affected, and the practice’s willingness to assist OCR in its investigation, and issued a reduced penalty.

In addition to paying the financial penalty, the dental practice is required to adopt a corrective action plan to address the HIPAA failures discovered by OCR investigators.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino in a press release announcing the latest HIPAA penalty. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”