OCR Announces Enforcement Action Against North Carolina Healthcare Provider Who Disclosed PHI in Response to Google Review

On March 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two Health Insurance Portability and Accountability Act (HIPAA) enforcement actions involving the impermissible disclosure of protected health information (PHI) by two separate dental practices.

In one of the actions, a patient complained that a dental practice with two locations in North Carolina disclosed PHI when the entity responded to the patient’s anonymous negative review of the entity on Google. On the same day that the patient posted the negative review, the entity responded on Google:

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.

In response to the patient’s complaint, OCR requested that the practice remove the posting and provide (1) a copy of policies and procedures regarding responding to patients’ reviews on online platforms; (2) a copy of policies and procedures with respect to uses and disclosures of PHI; (3) a copy of policies and procedures with respect to safeguarding PHI; and (4) documentation of any HIPAA training conducted by the entity following the incident. According to OCR, the entity failed to provide the requested information and ceased communicating with OCR regarding the complaint and investigation.

As a result, OCR issued a Notice of Final Determination and imposed a civil monetary penalty of $50,000 on the entity.

This enforcement action highlights the need for healthcare providers to develop, maintain, and revise, as necessary, their policies and procedures regarding safeguarding PHI, particularly through online platforms. Specifically, providers must ensure that their entity maintains robust social media and sanction policies and trains its workforce members regularly on the appropriate use and disclosure of PHI.

About the Author

David is a shareholder at Young Moore and advises clients in matters related to healthcare privacy and data security, breach notification and reporting requirements, and HIPAA compliance. He assists covered entities and business associates with HIPAA privacy and security policies and procedures, incident response and investigation, and workforce and management training. David currently serves as the Interim Associate Compliance Officer and Director of Privacy of an Academic Medical Center in North Carolina.
