When healthcare providers are the subject of a bad review on Yelp! or similar customer-review websites and apps, it can be difficult to hold back and not respond or at least attempt to clarify the situation. However, healthcare providers, including dental providers, must ensure that employees who handle their social media, including customer-review websites and apps, understand that, even in the social media/customer-review app context, those complaining customers are patients, and information related to a patient’s treatment is protected under HIPAA.
HIPAA was enacted in 1996, years before social media and apps like Yelp! were a thing. As such, there are no HIPAA rules that specifically govern social media and healthcare providers’ communications on those platforms. Despite there being no specific HIPAA laws governing online or social media communications, the same rules regarding consent and the confidentiality of patient protected health information still apply. When ever-evolving technology and old rules combine, however, it can be problematic.
Elite Dental Associates (“Elite”) was reminded of this recently when it settled a social media HIPAA violation case with the Department of Health and Human Services Office for Civil Rights (“HHS”). The incident was triggered when an Elite employee responded to a patient’s negative Yelp! review of Elite. In replying to the patient’s post, Elite disclosed the patient’s last name and details of the patient’s treatment plan, health condition, and insurance and cost information. In other words, it disclosed the patient’s protected health information under HIPAA.
HHS investigated the matter and determined that Elite did, in fact, make such protected disclosures via Yelp! in violation of HIPAA. In looking further, HHS determined that the June 4, 2016 post was not the first time that protected patient health information had been disclosed by Elite via social media without proper patient consent. In total, HHS determined that the dental group was in violation of three separate HIPAA statutes:
- The impermissible disclosures of protected health information violated 45 C.F.R. § 164.502(a);
- Failure to implement required policies and procedures relating to the safekeeping and disclosure of protected health information on social media and other public platforms and apps in violation of 45 C.F.R. § 164.530(i); and
- Failure to include the minimum required content in its Notice of Privacy Practices required for all patients under 45 C.F.R. § 164.520(b).
Elite agreed to a fine of $10,000 and to a corrective action plan to resolve the alleged HIPAA violations and to settle the matter without admitting fault.
Social media has ushered in a new wave of HIPAA violations, most of them centered on photographs or videos of patients in compromising positions being posted online. The seriousness of these violations cannot be overstated, and they can result in not only civil fines but also criminal penalties. (Remember the nursing assistant who had to serve 30 days in jail for sharing a video of a patient in underwear on Snapchat?)
Regardless of how scathing or factually inaccurate a public-facing criticism may be, healthcare providers must be sure not to violate HIPAA when responding to online reviews. All healthcare providers, doctors and dentists alike, must ensure they have proper policies in place to govern the scope of online commentary and the disclosure of protected health information, and also ensure that all staff, including marketing staff, whose job responsibilities include social media are well versed in online conduct and disclosure laws under HIPAA.
About the Author:
Sara H. Jodka is a member in the firm’s Columbus office. She focuses on labor and employment law and, as a certified privacy professional (CIPP-US), regularly works with clients on various data privacy and cybersecurity issues. This post is driven by her work as a member of the firm’s Healthcare Practice Group and she chairs the firm’s Healthcare Information Privacy and Security Task Force.