HIPAA Penalty Assessed for Social Media Response

Oct 8, 2019 | Blog

Giving in to the temptation to respond to a negative Yelp review with information that identifies complaining patients can be very expensive, even if it may make the clinician feel better in the moment. And the cost and reputational sting of a Corrective Action Plan can last for years.

On October 2, 2019, the Office of Civil Rights (OCR) the entity that enforces HIPAA, issued a Press Release regarding a settlement in the sum of  $10,000 against Elite Dental Services of Dallas, Texas. OCR noted in the Press Release that Elite “had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.” OCR, perhaps, put a fine point on the matter by noting that Elite had also violated HIPAA by not having a written policy regarding social media usage.

While the $10,000 penalty may not seem onerous, it is only the beginning of the regulatory woes for Elite. In its Resolution Agreement, OCR required Elite to enter into a Corrective Action Plan. The Plan, which will be in effect for two years, requires Elite to:

  • Prepare policies and procedures for compliant social media usage and other aspects of patient privacy within 30 days of the Agreement; to submit those protocols to the U.S. Department of Health and Human Services (DHHS) for approval and make any revisions DHHS requires.
  • Distribute the new policies and obtain certification from the work force that each employee has received, read, and will abide by the new protocols.
  • Keep any employee from working with patient information if he or she has not signed the certification (i.e., suspend them from working with patients).
  • Train the work force on the content and implementation of the new policies and procedures.
  • Prepare an attestation of compliance with the Agreement, signed by owners of the practice, and submit annual compliance reports to DHHS.

The costs in legal and consultants’ fees and in time spent on complying with the Agreement will certainly outstrip the amount of the fine by orders of magnitude.  The damage to the reputation of the practice will be considerable, if more difficult to calculate. Social media can be a powerful marketing tool for dental and medical practices, but those who use it in the medical and dental contexts must be trained in the requirements of federal and state privacy law. And responses to complaints over social media, to the extent a response is indicated at all,  must be approached with the utmost care.

If you have questions concerning social media use and privacy laws and regulations, please contact Kenneth N. Rashbaum.