Disclosure of Patients' PHI on Yelp Leads to $10,000 HIPAA Settlement | Practical Law


The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $10,000 settlement with a Texas-based dental practice, a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement addresses potential HIPAA violations resulting from the disclosure of individuals' protected health information (PHI) in response to online reviews. The practice also must comply with a two-year corrective action plan.


Practical Law Legal Update w-022-2966 (Approx. 6 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 03 Oct 2019, USA (National/Federal)
On October 2, 2019, HHS announced a $10,000 settlement to address potential violations of HIPAA's privacy, security, and breach notification rules by a Texas-based dental practice, a HIPAA covered entity (CE), after the practice disclosed patients' protected health information (PHI) in response to their online reviews of the practice (see HIPAA Privacy, Security, and Breach Notification Toolkit). The dental practice also must comply with a two-year corrective action plan.

Provider Disclosed PHI in Response to Individuals' Yelp Reviews

In June 2016, HHS received a complaint from one of the dental practice's patients claiming that the practice had disclosed her PHI on its Yelp review page when responding to her review of the practice. The disclosed PHI included the individual's last name, treatment plan information, and insurance/cost information. HHS's review confirmed that the practice had disclosed the individual's PHI, as well as other individuals' PHI, in response to online reviews.
HHS's subsequent investigation also revealed that the dental practice failed to:

Corrective Action Plan

In addition to paying HHS $10,000, the practice must satisfy a two-year corrective action plan (CAP) that imposes numerous requirements concerning its HIPAA policies and procedures.

Policies and Procedures

Regarding policies and procedures, the CAP requires the practice to:
  • Develop, maintain, or revise its written policies and procedures to comply with HIPAA. The policies and procedures must address:
    • the appropriate uses and disclosures of PHI;
    • appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in its possession;
    • a revised authorization form that complies with HIPAA's Privacy Rule (including a statement of how individuals may revoke an authorization) (see Standard Document, HIPAA Authorization to Use and Disclose PHI);
    • a process for evaluating and approving authorizations requesting the use or disclosure of PHI by the practice, before the practice makes such uses or disclosures;
    • a revised Notice of Privacy Practices that complies with HIPAA's Privacy Rule;
    • the contact person(s) responsible for answering HIPAA compliance questions;
    • internal reporting procedures that require workforce members to report potential HIPAA violations, and the practice to investigate reported violations; and
    • a description of the sanctions that may be imposed on workforce members who violate HIPAA or the practice's HIPAA policies and procedures.
  • Submit its updated policies and procedures to HHS for approval.
  • Implement the policies and procedures within 30 days of HHS approval and timely distribute them to workforce members.
  • Require all workforce members to sign a written or electronic compliance certification that confirms the workforce member has read, understands, and will comply with the practice's policies and procedures. If a workforce member fails to sign the certification, the practice may not allow that individual to use or disclose PHI.
  • Review and revise, as necessary, the policies and procedures on an annual basis.

Revised Privacy Notice Must Address Obtaining Authorizations

Importantly, regarding revisions to the practice's Notice of Privacy Practices, the CAP requires the dental practice's privacy notice to describe the uses and disclosures of PHI for which the practice must obtain an individual's authorization. This provision must expressly include authorizations for posting on the practice's website, social media pages, and other public platforms.

Reportable Events and Training

A section of the CAP addressing reportable events requires the practice to promptly investigate and report any information it receives regarding its workforce members' noncompliance with the HIPAA policies and procedures.
The practice also must provide HIPAA training for all workforce members (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). The training materials must be reviewed and updated as necessary at least once a year.

Retroactive Breach Notifications Regarding Yelp Postings

Within 30 days of the CAP's effective date, the practice must furnish HIPAA breach notifications to individuals (or their personal representatives) who were affected by its disclosure of PHI on the Yelp page without a valid authorization. The practice also must timely submit breach notifications for these individuals to HHS, through HHS's HIPAA breach notification portal (see Practice Note, HIPAA Breach Notification Rules: Portal for Submitting HIPAA Breach Information).

Practical Impact: Addressing Social Media in HIPAA Privacy Notices

This is but the latest instance of a HIPAA CE being called to task for its conduct on social media – or through entertainment/media platforms in general. A HIPAA settlement from a year ago involved a health provider that disclosed a patient's PHI to a news reporter at the local television station (see Practice Note, HIPAA Enforcement: Settlement Agreements: Disclosure of Patient's PHI to the Press (November 2018) and Legal Update, Health Provider Must Pay HHS $125,000 for Disclosing PHI to the Press). Another HIPAA settlement from roughly the same time involved hospitals that allowed television crews to film a medical documentary series at their facilities without first obtaining patients' authorizations (see Legal Update, Television Crew's Filming of Hospital Patients Results in HIPAA Settlements Totaling Nearly $1 Million). These settlements are a good reminder that HIPAA CEs and business associates must continue to comply with HIPAA in using and disclosing PHI in the social media age (see Practice Note, HIPAA Privacy Rule: Permitted and Prohibited Uses and Disclosures of Health Information).
In addressing the practice's release of PHI on social media/public platforms, HHS cited a provision of the HIPAA rules that generally governs a CE's implementation of HIPAA policies and procedures. Although this provision does not expressly mention social media – the regulations were finalized before social media was as much a part of our lives as it is today – HHS apparently interprets the regulation as applying to social media and public platforms. As a result, HIPAA CEs and business associates may want to consider whether their privacy notices and HIPAA policies and procedures should address additional uses and disclosures of PHI for which individuals' authorization must be obtained (for example, postings on a CE's website, social media pages, and other public platforms).
One other note: the settlement amount imposed in this agreement ($10,000) is relatively small and would otherwise have been larger. However, HHS accepted a "substantially reduced" amount owing to the practice's size, financial circumstances, and cooperation with HHS's investigation.