Disclosure of PHI on Yelp Results in $10,000 HIPAA Settlement

This past October, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the entity responsible for policing HIPAA violations, announced a settlement with a Texas dental practice. The dental practice disclosed protected health information (PHI) on Yelp and was subject to a $10,000 fine. This information was disclosed in response to online reviews posted by the patient. In addition to the fine, OCR directed the dental practice to follow a two-year corrective action plan to prevent further HIPAA compliance issues.

Online Marketing and PHI

Online reviews are important to small businesses as clients share the positive and the negative about the people and the processes they encounter. Many times, marketing professionals will suggest responding to reviews, particularly negative reviews, to see if the problem can be fixed so the person takes down the negative review or at least will state online that their problem was resolved. For entities covered under HIPAA, however, this can clearly be problematic.

In the case at hand, the dental practice had disclosed PHI when responding to a review posted on Yelp. This information included the patient’s first and last name, treatment plan, insurance, and cost information. A review by HHS showed that the practice had disclosed this information for multiple patients in response to online reviews.

HHS also discovered that the practice had no policies or procedures in place concerning handling individual PHI, that the practice did not have a Notice of Privacy Practices included in patient documentation, and that whoever was responding to the online reviews clearly had access to information regarding the patients but had not received adequate training regarding HIPAA policies.

Corrective Action Plan

In addition to the fine, the practice has a two-year corrective action plan that has several requirements. The practice must update its HIPAA policies and procedures to include written policies addressing the appropriate use and disclosure of PHI, administrative, technical, and physical safeguards that protect PHI, and a process for evaluating and approving disclosure of PHI by the practice. Also, they must have a revised authorization form that complies with HIPAA, a revised Notice of Privacy Practices, and an internal reporting process by which employees can report potential HIPAA violations.

Once these policies are created, they must be submitted to HHS for approval and implemented within 30 days of receiving HHS approval. Upon approval, a copy will be distributed to all members of the practice’s workforce, and each employee must sign a certification that they have read, understand, and will comply with the new practices and procedures. In the future, this must be done on an annual basis.

The experienced, responsive ERISA attorneys at Hall Benefits Law work with clients to ensure they are in compliance with HIPAA regulations to prevent fines and other problems with HHS. For those who want to retroactively restate their plans, we gather the necessary documentation to do so in compliance with IRS regulations. We also offer on-site and remote training to clients who need to bring their businesses into compliance with HIPAA or are facing problems with HHS. Give us a call at 678-439-6236 today, or visit the Hall Benefits Law website to learn more.

The following two tabs change content below.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.

Latest posts by Hall Benefits Law, LLC (see all)