Health care providers, especially those in smaller practices, remain largely unaware of the way Health Insurance Portability and Accountability Act (HIPAA) regulations impact their business.
Case in point, the $10,000 settlement announced recently between the Department of Health and Human Services Office for Civil Rights (OCR) and a small dental practice, based on impermissible disclosures on Yelp, a popular business directory service and crowd-sourced review forum.
Although this settlement pertained to a dental practice, it is important to recognize the underlying lesson—do not publicly post patient information.
Internet sites such as Yelp have become ubiquitous in our society and their use is an integral part of any business. However, providers are prohibited from posting any patient information on any website without a valid authorization.
Providers are generally also prohibited from using the patient information other than to treat the patient, seek payment from third-party payors, or perform certain limited “health care operations” in their business. This rule applies equally to all HIPAA-covered entities, large and small.
To ensure compliance with HIPAA, physician practices and other health care providers should be extremely cautious in responding to patient posts and reviews on the internet.
Lessons From the Dental Practice Experience
In June 2016, the OCR received a patient complaint alleging that the dental practice’s response to a Yelp review had disclosed the patient’s protected health information (PHI), including last name, details of treatment plan, insurance, and cost information. The OCR’s investigation of the complaint included a review of the dental practice’s Yelp page and revealed that the dental practice had similarly disclosed PHI of other patients without valid authorization in responding to patient reviews.
The OCR concluded that the practice’s Yelp posts constituted impermissible disclosures of PHI in violation of HIPAA.
In the HHS press release discussing the settlement, OCR Director Roger Severino stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
Severino’s statement reinforces two important points:
- responding to online reviews is not outright prohibited by HIPAA, but must be done cautiously and in a way that does not discuss patient care or other PHI; and
- this lesson is not limited to dental practices, but also applies to physicians and other HIPAA covered entities.
Although $10,000 may not seem like a strong admonition to larger providers, the OCR confirmed that it accepted a “substantially reduced settlement amount” as a result of the practice’s size, financial situation, and cooperation with the OCR. Thus, a larger practice that impermissibly discloses PHI on social media could find itself facing significantly more onerous financial consequences, especially after this publicized action.
Social media presents a host of minefields for providers. While common sense might dictate that patients should not expect a Facebook posting to be confidential, when a provider sponsors a Facebook page, the provider should consider posting disclaimers and notices to ensure patients do not inadvertently misunderstand the limitations of Facebook.
Facebook can also create a secondary concern, as a patient might believe a communication on Facebook Messenger is protected. However, because there is no business associate agreement with Facebook, hosting patient information on the platform without advising the patient that it is not a HIPAA-compliant method of communication can cause issues.
Even a message from a patient using Facebook Messenger to change an appointment, with no health care specifics, is still considered “protected health information” because it identifies the individual as a patient of the practice. Therefore, use of the Facebook Messenger communication tool is not without its problems.
OCR Enforcement and Smaller Practices
Social media is not the only concern for providers, including small ones. Consider the use of pictures of patients for advertising or even academic endeavors. Both uses require the patient’s permission. Providers must keep those permissions on file and ensure they meet both federal and state law requirements.
The OCR has been more aggressive toward enforcing HIPAA with smaller practices in the last few years, especially with regard to privacy violations. The issues are not limited to social media disclosures; comments to traditional media should also be cautiously considered.
Another case is the $125,000 settlement with an allergy practice in Connecticut in November 2018. Allergy Associates of Hartford P.C. (Allergy Associates) is a health care practice with three providers that specializes in treating individuals with allergies. In February 2015, a patient of Allergy Associates contacted a local television reporter regarding a dispute that had occurred between the patient and an Allergy Associates doctor regarding her right to have a service dog in the practice’s office.
The reporter subsequently contacted the doctor for comment. The doctor was found to have impermissibly disclosed the patient’s protected health information to the reporter, as he commented without her permission. The OCR found that the doctor’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with ‘no comment.’”
The OCR further found that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media, which was a factor in the settlement and the required corrective action plan.
Such issues and enforcement are not limited to the OCR. In fact, providers should be aware of state actions as well.
In 2015, the New York Attorney General issued a fine of $15,000 against the University of Rochester Medical Center (URMC) when it permitted a departing nurse practitioner to take a list of her patients before moving to a different health care provider. The nurse took that list to her new employer, who sent letters to the patients confirming the nurse’s new position, offering them the opportunity to continue their care with the same nurse, at the new provider.
The New York AG determined that the privacy of over 3,000 patients had been violated by URMC’s sharing of the patient list.
Complying with the requirements of HIPAA is no small task. Providers of all sizes should consult with legal counsel well-versed in HIPAA to ensure an adequate compliance program.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Alisa Chestler serves as the chair of the Data Protection, Privacy and Cybersecurity team at Baker Donelson. She concentrates her practice in privacy, security and records management issues including compliance, contract negotiation and corporate transaction matters.
Alexandria Murphy is a member of Baker Donelson’s Health Law group and works on a variety of matters, including health care privacy requirements, patient privacy rights and general data protection and cybersecurity issues.