Healthcare Providers Must Remember HIPAA Before Responding to Online Reviews

Akerman LLP - Health Law Rx

The latest HIPAA resolution agreement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is a reminder that healthcare providers must take the high road when responding to unflattering online reviews by patients. While it is tempting to respond to a bad and perhaps untrue online review, healthcare providers need to take care to not disclose patient protected health information (PHI) when defending their reputation.

A Texas dental practice agreed to pay $10,000 and enter a two-year corrective action plan to settle potential violations of the HIPAA Privacy Rule arising from allegations that the practice responded to a patient’s online Yelp review by disclosing the patient’s last name and details of the patient’s health condition. The practice did not have authorization from the patient to disclose his/her protected health information in the online forum. As a result of its investigation, OCR learned that the practice had disclosed the PHI of multiple patients in the course of responding to comments on the practice’s Yelp review page. In announcing the settlement, OCR Director Roger Severino said, “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This resolution agreement should not be seen as a signal that OCR is dialing back the settlement amounts it seeks. While the amount in this latest case appears to be substantially less than amounts paid in other recent resolution agreements, the press release announcing the resolution notes that OCR accepted a “substantially reduced” settlement amount due to the size of the dental practice, its financial circumstances, and its cooperation during the investigation.

Also, this is not the first time that OCR has taken action against healthcare providers who attempt to respond to public comments in the media or online by patients:

  • In November 2018, OCR settled with a three-physician allergy practice for $125,000 after a physician disclosed a patient’s PHI to a reporter. The physician had been instructed to either not respond to a reporter’s inquiry or respond with “no comment.” When the physician disregarded those instructions and instead disclosed a patient’s PHI, the practice did not discipline the physician for violating HIPAA. As a result, in addition to paying the settlement amount, the practice also entered a corrective action plan.
  • In 2013, OCR entered a resolution with a hospital after two senior leaders discussed a patient’s medical condition with media outlets in response to news stories regarding allegations of Medicare fraud by the hospital. The hospital paid $275,000 and entered a corrective action plan requiring it to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures.

While no one likes to see unflattering and/or untrue comments about them or their business online or in the media, HIPAA (and many state medical confidentiality laws) prevents healthcare providers from responding to such comments in a way that discloses the PHI of any patient without that patient’s written authorization.

To comply with HIPAA, healthcare providers should:

  • Implement policies and procedures addressing permissible and impermissible uses and disclosures of PHI and appropriate safeguards to protect the privacy of PHI;
  • Train all workforce members on the policies and procedures;
  • Apply and document appropriate sanctions against workforce members (including physicians) who impermissibly use or disclose PHI; and
  • Develop a strategy for responding to online reviews and media inquiries before situations arise. This may include drafting a response to online reviews that describes in general terms how the organization strives to provide high quality care to all of its patients.  Also, providers should consider designating one person within the organization to monitor and, if necessary, respond to online reviews and media inquiries.  All workforce members should know who has that responsibility so the organization delivers an appropriate and consistent message that complies with HIPAA.

Healthcare providers need to remember their obligations to safeguard patient PHI under HIPAA and state licensing laws before responding to bad online reviews or media coverage or else risk making a bad situation even worse.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
