I don’t know how to say it any more clearly.  Somehow, medical and dental practices continue to get roped into responding to negative patient reviews on Yelp, Google, or elsewhere online, and posting any identifying information about a patient is a HIPAA violation. It’s protected health information (PHI), even if the patient posted something first. Don’t do it.

The latest cautionary tale is that of a California practice called New Vision Dental (NVD), which found itself addressing a complaint that was filed with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). OCR’s Resolution Agreement and Correction Action Plan with NVD noted, “Complainant alleged that NVD habitually disclosed PHI when it responded to patient posts, sometimes providing full names where only Yelp monikers were used by the patients and including detailed information about patient visits and insurance that may not have been previously mentioned in their initial reviews.” NVD got off easy with only a $23,000 fine and an agreement to implement a corrective action plan, according to OCR’s press release.