The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $10,000 settlement with a Texas-based dental practice, a covered entity (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement addresses potential HIPAA violations resulting from the disclosure of individuals' protected health information (PHI) in response to online reviews. The practice also must comply with a two-year corrective action plan.
Provider Disclosed PHI in Response to Individuals' Yelp Reviews
In June 2016, HHS received a complaint from one of the dental practice's patients claiming that, in responding to her review of the practice on Yelp, the practice had disclosed her PHI on its Yelp review page. The disclosed PHI included the individual's last name, treatment plan information, and insurance/cost information. HHS's review confirmed that the practice had disclosed this individual's PHI, and other individuals' PHI as well, in response to online reviews.
HHS's subsequent investigation also revealed that the dental practice failed to:
Implement policies and procedures concerning individuals' PHI.
In addition to paying HHS $10,000, the practice must satisfy a two-year corrective action plan (CAP) that imposes numerous requirements concerning its HIPAA policies and procedures.
Policies and Procedures
Regarding policies and procedures, the CAP requires the practice to:
Develop, maintain, or revise its written policies and procedures to comply with HIPAA. The policies and procedures must address:
the appropriate uses and disclosures of PHI;
appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in its possession;
a process for evaluating and approving authorizations requesting the use or disclosure of PHI by the practice, before the practice makes such uses or disclosures;
a revised Notice of Privacy Practices that complies with HIPAA's Privacy Rule;
the contact person(s) responsible for answering HIPAA compliance questions;
internal reporting procedures that require workforce members to report potential HIPAA violations, and the practice to investigate reported violations; and
a description of the sanctions that may be imposed on workforce members who violate HIPAA or the practice's HIPAA policies and procedures.
Submit its updated policies and procedures to HHS for approval.
Implement the policies and procedures within 30 days of HHS approval and timely distribute them to workforce members.
Require all workforce members to sign a written or electronic compliance certification that confirms the workforce member has read, understands, and will comply with the practice's policies and procedures. If a workforce member fails to sign the certification, the practice may not allow that individual to use or disclose PHI.
Review and revise, as necessary, the policies and procedures on an annual basis.
Revised Privacy Notice Must Address Obtaining Authorizations
Importantly, regarding revisions to the practice's Notice of Privacy Practices, the CAP requires the dental practice's privacy notice to describe the uses and disclosures of PHI for which the practice must obtain an individual's authorization. This provision must expressly include authorizations for posting on the practice's website, social media pages, and other public platforms.
Reportable Events and Training
A section of the CAP addressing reportable events requires the practice to promptly investigate and report any information it receives regarding its workforce members' noncompliance with the HIPAA policies and procedures.
Within 30 days of the CAP's effective date, the practice must furnish HIPAA breach notifications to individuals (or their personal representatives) who were affected by its disclosure of PHI on the Yelp page without a valid authorization. The practice also must timely submit breach notifications for these individuals to HHS, through HHS's HIPAA breach notification portal (see Practice Note, HIPAA Breach Notification Rules: Portal for Submitting HIPAA Breach Information).
Practical Impact: Addressing Social Media in HIPAA Privacy Notices
In addressing the practice's release of PHI on social media and other public platforms, HHS cited a provision of the HIPAA rules that generally governs a CE's implementation of HIPAA policies and procedures. Although this provision does not expressly mention social media (the regulations were finalized before social media was as much a part of our lives as it is today), HHS apparently interprets the regulation as applying to social media and public platforms. As a result, HIPAA CEs and business associates may want to consider whether their privacy notices and HIPAA policies and procedures should address additional uses and disclosures of PHI for which individuals' authorization must be obtained (for example, postings on a CE's website, social media pages, and other public platforms).
One other note: the settlement amount imposed in this agreement ($10,000) is relatively small and would normally have been much larger. However, HHS accepted a "substantially reduced" amount owing to the practice's size, financial circumstances, and cooperation with HHS's investigation.