This past October, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA, announced a settlement with a Texas dental practice. The dental practice had disclosed protected health information (PHI) on Yelp and was subject to a $10,000 fine. The information was disclosed in responses to online reviews posted by the patient. In addition to the fine, OCR directed the dental practice to follow a two-year corrective action plan to prevent further HIPAA compliance issues.
Online Marketing and PHI
Online reviews are important to small businesses, as clients share the positive and the negative about the people and the processes they encounter. Marketing professionals often suggest responding to reviews, particularly negative ones, to see whether the problem can be fixed so that the reviewer takes down the negative review or at least states online that the problem was resolved. For entities covered under HIPAA, however, this can clearly be problematic.
In the case at hand, the dental practice had disclosed PHI when responding to a review posted on Yelp. This information included the patient’s first and last name, treatment plan, insurance, and cost information. A review by HHS showed that the practice had disclosed this information for multiple patients in response to online reviews.
HHS also discovered that the practice had no policies or procedures in place for handling individual PHI, that the practice did not include a Notice of Privacy Practices in its patient documentation, and that whoever was responding to the online reviews clearly had access to patient information but had not received adequate training on HIPAA policies.
Corrective Action Plan
In addition to the fine, the practice is subject to a two-year corrective action plan with several requirements. The practice must update its HIPAA policies and procedures to include written policies addressing the appropriate use and disclosure of PHI; administrative, technical, and physical safeguards that protect PHI; and a process for evaluating and approving disclosures of PHI by the practice. It must also adopt a revised authorization form that complies with HIPAA, a revised Notice of Privacy Practices, and an internal reporting process through which employees can report potential HIPAA violations.
Once these policies are created, they must be submitted to HHS for approval and implemented within 30 days of receiving HHS approval. Upon approval, a copy will be distributed to all members of the practice's workforce, and each employee must sign a certification that they have read, understand, and will comply with the new policies and procedures. Going forward, this must be repeated on an annual basis.
The experienced, responsive ERISA attorneys at Hall Benefits Law work with clients to ensure they are in compliance with HIPAA regulations to prevent fines and other problems with HHS. For those who want to retroactively restate their plans, we gather the necessary documentation to do so in compliance with IRS regulations. We also offer on-site and remote training to clients who need to bring their businesses into compliance with HIPAA or are facing problems with HHS. Give us a call at 678-439-6236 today, or visit the Hall Benefits Law website to learn more.
Hall Benefits Law, LLC