Dental Practice Agrees to $10,000 Settlement for Disclosing Patient Health Information on Yelp

Bruce Armon
Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing Arnstein & Lehr LLP

On October 2, 2019, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced that it had reached a $10,000 monetary settlement with a Dallas-based dental practice to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

As part of the settlement, Elite Dental Associates (Elite) agreed to a corrective action plan (CAP), which includes two years of HIPAA compliance monitoring to be conducted by OCR. The settlement does not constitute an admission of liability by Elite.

On June 15, 2016, OCR received a complaint from an Elite patient alleging that the Practice impermissibly disclosed her protected health information (PHI) on Elite’s Yelp review webpage (Yelp). The patient claimed that Elite disclosed her last name, details of her treatment plan, her insurance information, and treatment cost in response to the patient’s review on Yelp. OCR’s investigation uncovered that Elite improperly disclosed PHI for numerous patients on Yelp without valid authorizations to do so. In addition, OCR found that Elite did not have policies and procedures to ensure that Elite’s social media interactions protect patient PHI. Further, Elite’s Notice of Privacy Practices did not comply with the HIPAA Privacy Rule.

As part of the two year CAP, Elite agreed to each of the following:

  • develop, maintain, and revise its written policies and procedures to comply with HIPAA, subject to HHS approval;
  • distribute the updated written policies and procedures to members of its workforce and provide training to its workforce;
  • revise its template authorization form and Notice of Privacy Practices;
  • retroactively provide breach notices within 30 days to any individuals whose PHI was disclosed by Elite on Yelp without the appropriate authorization; and
  • submit annual CAP compliance reports to OCR.

The OCR settlement is an important (and expensive) reminder for all HIPAA covered entities that the obligation to safeguard PHI extends to the myriad of social media outlets. All covered entities should review their policies and processes to ensure they protect a patient’s rights under HIPAA, including measures to ensure that social media activity is free from PHI disclosures.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide