OCR Announces Enforcement Action Against North Carolina Healthcare Provider Who Disclosed PHI in Response to Google Review
On March 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two Health Insurance Portability and Accountability Act (HIPAA) enforcement actions involving the impermissible disclosure of protected health information (PHI) by two separate dental practices.
In one of the actions, a patient complained that a dental practice with two locations in North Carolina disclosed PHI when the entity responded to the patient’s anonymous negative review of the entity on Google. On the same day that the patient posted the negative review, the entity responded on Google:
“It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this ear [Complainant’s full name]. Get a life.”
In response to the patient’s complaint, OCR requested that the practice remove the posting and provide (1) a copy of policies and procedures regarding responding to patients’ reviews on online platforms; (2) a copy of policies and procedures with respect to uses and disclosures of PHI; (3) a copy of policies and procedures with respect to safeguarding PHI; and (4) documentation of any HIPAA training conducted by the entity following the incident. According to OCR, the entity failed to provide the requested information and ceased communicating with OCR regarding the complaint and investigation.
As a result, OCR issued a Notice of Final Determination and imposed a civil monetary penalty of $50,000 on the entity.
This enforcement action highlights the need for healthcare providers to develop, maintain, and revise, as necessary, their policies and procedures regarding safeguarding PHI, particularly through online platforms. Specifically, providers must ensure that their entity maintains robust social media and sanction policies and trains its workforce members regularly on the appropriate use and disclosure of PHI.
For more information or for questions about your own entity’s compliance with HIPAA, please contact Young Moore healthcare attorney, David Senter.