Manasa Health Center in New Jersey has agreed to pay $30,000 to resolve alleged HIPAA violations stemming from published responses to negative Google Reviews.
Manasa Health Center, located in Kendall Park, NJ, was the subject of an April 2020 complaint from a patient who had protected health information (PHI) disclosed in response to a negative Google Review that revealed a mental health diagnosis and information related to treatment. The HHS’ Office for Civil Rights (OCR) launched an investigation into the complaint and confirmed there had been an impermissible disclosure of PHI, and also identified a further three patients who had left negative reviews and had their PHI disclosed by Manasa Health Center in its responses. OCR also identified HIPAA Privacy and Breach Notification Rule policy and procedure failures with respect to online disclosures of PHI.
Manasa Health Center chose not to contest the findings, agreed to settle the case with no admission of liability or wrongdoing, and agreed to implement a corrective action plan to ensure future compliance with the HIPAA Rules. The corrective action plan requires Manasa Health Center to develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule, train its workforce on HIPAA Privacy and Security Rule policies and procedures, and issue breach notifications to OCR and the four individuals whose PHI was impermissibly disclosed.
When responding to online reviews, or posting any information on the Internet, care must be taken to ensure that no protected health information is disclosed, whether that is a diagnosis, treatment plan, or even the status of an individual as a patient. Even if a patient posts information online related to the services provided, authorization to disclose PHI is still required from that individual before PHI can be disclosed. It is also vital for policies and procedures to be developed and implemented, and for the workforce to be trained about how HIPAA applies to social media networks, online review platforms, and other Internet platforms. As OCR explained, this is a common cause of patient complaints.
“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”