This week a dental practice in Dallas, Texas agreed to pay a $10,000 fine to the U.S. Department of Health and Human Services (HHS) for violations of the HIPAA Privacy Rule. Here's how it happened.
Responding to Yelp Reviews
On 5 June 2016, a patient at Elite Dental Associates filed a complaint with HHS. The patient's basis for the complaint was that Elite had responded to the patient's online Yelp review and revealed their name and health condition. In other words, someone at Elite Dental publicly posted the patient's protected health information (PHI) online. If you are a reader of this blog, you'll know that it's a HIPAA violation for a Covered Entity to post someone's PHI on a social media platform. As we can see by the dates involved, this complaint kicked off a 39-month investigation by HHS into Elite Dental. One can imagine the investigation incurred an additional $10,000 (or more) in legal and consulting fees.
Lack of Policies and Procedures
During the investigation, it was also discovered that Elite Dental did not have the following Policies and Procedures in place:
- Disclosures of Protected Health Information (PHI)
- Privacy Practices that comply with the HIPAA Privacy Rule
HIPAA Fines and Corrective Action Plan
At the conclusion of the investigation, HHS accepted a greatly reduced settlement (i.e., HIPAA fine) in consideration of Elite’s size, financial condition, and cooperation with their investigation. In addition to the settlement, Elite will undergo a corrective action plan that includes two years of monitoring by HHS for compliance with the HIPAA Rules. Read more: HHS press release
Roger Severino of HHS had the following comments regarding this HIPAA fine: “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”