HIPAA Settlement for Social Media Disclosure
Healthcare providers face a dilemma when patients post complaints or make other statements on social media. Just because a patient has made certain information public does not mean that the provider can also post protected health information to respond to something the patient says. The federal Department of Health and Human Services announced, on October 2, 2019, a $10,000 settlement with a dental practice that potentially violated HIPAA when responding to a social media review. In June of 2016, the Office for Civil Rights (OCR) received a complaint from a patient that a dental practice had responded to a social media posting by disclosing the patient’s last name and information about the patient’s health. OCR alleged that the practice did not have a policy to ensure that its social media postings complied with HIPAA, and also that it lacked a HIPAA-compliant Notice of Privacy Practices. OCR accepted a reduced settlement amount in light of the practice’s size, financial circumstances, and cooperation with OCR.
The resolution agreement indicates that the practice allegedly responded to other social media reviews using PHI as well. The company agreed to a corrective action plan (CAP), which will last for two years. Among other things, the CAP requires development of certain policies and procedures, distributing them to all workforce members, and obtaining from each workforce member a signed compliance certification indicating that the workforce members have read, understand and will comply with them. The policies and procedures must be assessed at least annually and revised as needed. OCR’s Director, Roger Severino, stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”