[BreachExchange] HHS Gives Dental Practice Posting PHI on Yelp a Bad Review

Destry Winant destry at riskbasedsecurity.com
Sun Oct 6 23:39:08 EDT 2019


https://www.inforisktoday.com/hhs-gives-dental-practice-posting-phi-on-yelp-bad-review-a-13175

A dental practice in Texas that responded to patients' Yelp reviews by
disclosing patient names and other health information has gotten a bad
review from federal regulators: A $10,000 HIPAA monetary settlement
and a corrective action plan.

In a statement Wednesday, the Department of Health and Human Services
said the settlement with Elite Dental Associates of Dallas centered on
a patient complaint received in 2016 by HHS' Office of Civil Rights,
which enforces HIPAA.

The patient alleged that Elite had responded to a Yelp social media
review by disclosing the patient's last name and details of the
patient's health condition. "OCR's investigation found that Elite had
impermissibly disclosed the protected health information of multiple
patients in response to patient reviews on the Elite Yelp review
page," OCR says in the statement.

"Additionally, Elite did not have a policy and procedure regarding
disclosures of PHI to ensure that its social media interactions
protect the PHI of its patients or a Notice of Privacy Practices that
complied with the HIPAA Privacy Rule."

OCR says it accepted "a substantially reduced settlement amount" in
consideration of Elite's size, financial circumstances and cooperation
with its investigation.

"Social media is not the place for providers to discuss a patient's
care," said Roger Severino, OCR director. "Doctors and dentists must
think carefully about patient privacy before responding to online
reviews."

Corrective Action

Elite agreed to a corrective action plan that includes two years of
monitoring by OCR for compliance with HIPAA. The practice has agreed
to develop, maintain and revise, as necessary, its written policies
and procedures to comply with the HIPAA privacy and security rules,
and train staff on compliance.

Dentist Andy Chang, CEO of Elite Dental, tells Information Security
Media Group that the incident involving the disclosure of patient
information on Yelp involved another associate at the practice.

Chang and that associate each contributed half of the monetary
settlement paid to OCR, Chang says. Also, Elite was recently sold to
another Dallas-based dental practice, Silk Dental, which will continue
to follow the revised policies and procedures put in place by Elite as
part of the corrective action plan, he says.

Lessons to Others

Elite's settlement with OCR offers a cautionary tale to other
healthcare entities, some privacy experts note.

"Social media is an important way for healthcare providers to engage
patients and for patients to find providers," says independent HIPAA
attorney Paul Hales. "However, many providers simply are not aware of
the HIPAA rules that apply to websites, social media and patient
reviews. Neither are many vendors that provide Internet-based
healthcare marketing services."

The Elite case has some similarities to a $25,000 HIPAA settlement
case OCR signed in 2016 with Complete P.T., Pool & Land Physical
Therapy.

In that case, the Los Angeles-based physical therapy provider
allegedly failed to obtain patients' permission before using their
personal information for "testimonial" marketing purposes on its
website.

"Providers are bound by HIPAA law that requires a valid
HIPAA-compliant authorization from the patient before disclosing PHI
on the internet," Hales says. "PHI is any information that identifies
a patient and relates to provision of healthcare to the patient.
Accordingly, a provider's response to an online review confirming the
reviewer is a patient without the patient's prior authorization is a
HIPAA violation. Now the provider is complicit in exposing its patient
to medical identity thieves."

Social Media Blunders

One of the most significant aspects of the Elite settlement is "the
scope of PHI disclosed by Elite in responding to the Yelp reviews,"
notes healthcare attorney Matthew Fisher of the law firm Mirick
O'Connell.

"As noted in the settlement, the PHI disclosed included the patient's
last name, details of a treatment plan, insurance and cost
information. That level of detail is quite specific," Fisher says.


The extent of the disclosure, Fisher says, implies a failure by the
dental practice to educate its staff on "how PHI can be used and
disclosed."

Small But Significant?

Privacy attorney Iliana Peters of the law firm Polsinelli says the OCR
resolution agreement with Elite apparently contains the smallest
financial sanction of any settlement so far, which reflects, in part,
the practice's size and cooperation with authorities.

"The same conduct by larger healthcare providers could result in
substantially larger settlement amounts or civil money penalties," she
points out.

"This type of situation happens more often than people realize, given
that many healthcare providers mistakenly believe that if a patient
puts their own information out in the public sphere, the healthcare
provider can respond with patient information," she says. "Obviously,
this is not correct, and healthcare providers must train their
workforce to ensure that they do not impermissibly disclose patient
information in their efforts to ensure a good public reputation."

OCR earlier indicated it's working on guidance on PHI and social
media, Peters says. "Obviously I encourage OCR to publish such
guidance - it would be so helpful for the regulated community."

Peters offers advice on responding to patient complaints: "Healthcare
providers should do their best to get in touch with patients who have
bad experiences about which they talk on social media, and obviously
not through social media, to understand those patients' concerns," she
says.

"Further, healthcare providers can absolutely craft public-facing
messages that do not confirm or deny that an individual is a patient,
while providing information on their mission and goals as a healthcare
organization."

