OVERVIEW: Healthcare Providers, Think Before You Yelp… and Other HIPAA Concerns


Healthcare providers, especially those in smaller practices, remain largely unaware of the impact that the Health Insurance Portability and Accountability Act (HIPAA) regulations have on their businesses.

Consider, for example, the recently announced $10,000 settlement between the Department of Health and Human Services Office for Civil Rights (OCR) and a small dental practice, based on impermissible disclosures on Yelp, a popular business directory and crowd-sourced review site.

While this settlement involved a dental office, it is important to recognize the underlying lesson: don’t post patient information.

Websites such as Yelp have become ubiquitous in our society, and their use is an integral part of doing business. However, providers are prohibited from posting patient information to any website without a valid authorization.

Providers are also generally prohibited from using patient information for any purpose other than treating the patient, obtaining payment from third-party payers, or performing certain limited “health care operations” within their business. This rule applies to all HIPAA-covered entities, large and small.

To ensure HIPAA compliance, doctors’ offices and other healthcare providers must be extremely careful when responding to online posts and patient reviews.

Lessons from the dental practice’s experience

In June 2016, the OCR received a complaint from a patient alleging that the dental office’s response to a Yelp review disclosed the patient’s Protected Health Information (PHI), including last name, treatment plan details, insurance, and cost information. The OCR’s investigation into the complaint included a review of the dental office’s Yelp page and found that the dental office had also disclosed other patients’ PHI, without valid authorization, in responding to their reviews.

The OCR concluded that the practice’s Yelp posts constituted impermissible disclosures of PHI in violation of HIPAA.

In the HHS press release discussing the settlement, OCR Director Roger Severino said: “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists should think carefully about patient privacy before responding to online reviews.”

Severino’s statement reinforces two important points:

  1. responding to online reviews is not outright prohibited by HIPAA, but should be done with caution and in a manner that does not discuss patient care or other PHI; and
  2. this lesson is not limited to dental offices, but also applies to physicians and other entities covered by HIPAA.

While $10,000 may not seem like a strong warning to large providers, OCR has confirmed that it accepted a “significantly reduced settlement amount” because of the practice’s size, its financial situation, and its cooperation with OCR. A larger practice that impermissibly discloses PHI on social media could therefore face much heavier financial consequences, especially after this high-profile action.

Facebook concerns

Social media presents a multitude of minefields for providers. While common sense may dictate that patients should not expect a Facebook post to be confidential, a provider that sponsors a Facebook page should consider posting disclaimers and notices to make sure patients do not inadvertently misunderstand Facebook’s limits.

Facebook may also create a secondary concern, as a patient might believe that a communication over Facebook Messenger is protected. However, since there is no business associate agreement in place, receiving patient information through Messenger without informing the patient that this is not a HIPAA-compliant method of communication can cause problems.

Even a message from a patient using Facebook Messenger to change an appointment, with no health care details at all, is still considered “protected health information.” Using Facebook Messenger as a communication tool is therefore not without its problems.

OCR enforcement and small practices

Social media is not providers’ only concern, even for the smallest practices. Consider the use of patient photos for advertising or even academic purposes. Both uses require the patient’s authorization. Providers should keep these authorizations on file and ensure that they meet the requirements of federal and state law.

The OCR has been more aggressive in enforcing HIPAA against smaller practices over the past few years, particularly when it comes to privacy breaches. The problems are not limited to social media disclosures; comments to traditional media should also be treated with caution.

Another case is the $125,000 settlement with an allergy practice in Connecticut in November 2018. Allergy Associates of Hartford PC (Allergy Associates) is a three-provider healthcare practice specializing in treating people with allergies. In February 2015, a patient of Allergy Associates contacted a local television reporter about a dispute that had arisen between the patient and an Allergy Associates doctor regarding her right to bring her service dog into the office.

The reporter then contacted the doctor for comment. The OCR found that the doctor impermissibly disclosed the patient’s protected health information to the reporter by commenting on the matter without her permission. The OCR found that the doctor’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ privacy officer to either not respond to the media or respond with ‘no comment.’”

The OCR further found that Allergy Associates had taken no disciplinary action against the doctor and no corrective action following the impermissible media disclosure, which was a factor in the settlement and in the requirement of a corrective action plan.

These issues, and their enforcement, are not limited to OCR. Providers must also be aware of state actions.

In 2015, the New York Attorney General fined the University of Rochester Medical Center (URMC) $15,000 after it allowed a departing nurse practitioner to take a list of her patients with her before moving to another health care provider. The nurse took this list to her new employer, who sent letters to the patients announcing the nurse’s new position and offering them the option of continuing their care with the same nurse at the new provider.

The New York AG determined that more than 3,000 patients had their privacy violated by URMC’s sharing of the list.

Complying with HIPAA requirements is no small feat. Providers of all sizes should consult legal counsel familiar with HIPAA to ensure an adequate compliance program.

This column does not necessarily reflect the opinion of the Bureau of National Affairs, Inc. or its owners.

Author Info

Alisa Chestler is chair of the Data Protection, Privacy and Cybersecurity Team at Baker Donelson. She focuses her practice on privacy, security and records management matters, including compliance, contract negotiation and corporate transactions.

Alexandria Murphy is a member of Baker Donelson’s Health Law Group and works on a variety of issues including healthcare privacy requirements, patient privacy rights, and general data protection and cybersecurity issues.
