As part of a society that seems unabashedly eager to disclose personal information online, health care providers must remember that the disclosure of protected health information (PHI) remains very much proscribed. Pursuant to the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA Privacy Rule), a covered entity is generally prohibited from disclosing PHI. The HIPAA Privacy Rule also imposes certain administrative requirements on covered entities that include, but are not limited to, designating a privacy official who is responsible for developing and implementing policies and procedures for the covered entity; training employees on those policies and procedures; and employing appropriate administrative, technical and physical safeguards to protect PHI.
The Office of Civil Rights (OCR), the agency which enforces the HIPAA Privacy Rule, recently provided a pointed reminder about these standards to a dental provider who impermissibly disclosed PHI online and thereafter refused to cooperate with OCR’s requests for policies and procedures relating to protecting PHI. OCR began investigating the dental provider after receiving a complaint that the dental provider impermissibly disclosed PHI in responding to an anonymous negative online review. The dental provider’s response stated:
It’s so fascinating to see [patient’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment[.] Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [patient’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [patient’s full name]. Get a life.
The dental provider admitted as much and refused to remove his or her response to the anonymous negative online review.
In its initial request for information, OCR sought: 1) a copy of the dental provider’s policies and procedures with respect to responding to patient reviews online; 2) a copy of the dental provider’s policies and procedures on uses and disclosures of PHI; 3) a copy of the dental provider’s policies and procedures on safeguarding PHI; and 4) documentation of any HIPAA training of staff conducted by the dental provider prior to and in response to the incident described in the complaint. In response, the dental provider only provided OCR with its Notice of Privacy Practices and an Acknowledgment of Training, but the Acknowledgment of Training failed to include anything about the training curriculum. After initial attempts to obtain information from the dental provider were stonewalled, OCR hit the dental provider with an administrative subpoena directing the dental provider to produce “its policies and procedures related to the HIPAA Privacy Rule including, but not limited to, ‘social media’ and uses and disclosures of PHI; documentation of any training related to the HIPAA Privacy Rule; and income statements, balance sheets, statements of cash flow and federal tax returns.” The dental provider did not respond to the administrative subpoena.
Based on the dental provider’s violation of the HIPAA Privacy Rule and failure to work with the OCR to resolve the violation, OCR assessed a civil monetary penalty (CMP) against the dental provider. OCR determined that the appropriate penalty tier was willful neglect not corrected, which supported a CMP against the dental provider for $50,000. The dental provider did not challenge the proposed CMP, and OCR later issued its Notice of Final Determination, requiring the dental provider to pay the $50,000 CMP.
This story has two key takeaways. First, regardless of how upsetting an online post may be in reference to one’s medical or dental practice, a provider cannot battle patients online. Doing so may be unethical, unprofessional and a violation of the HIPAA Privacy Rule. A second important takeaway is the OCR’s imposition of a significant fine, which demonstrates that accountability for errors and cooperation with OCR are of the utmost importance. Had the dental provider worked with OCR, OCR likely would have imposed a much lesser CMP.
To ensure you are complying with the HIPAA Privacy Rule, especially as it relates to social media, here are a few quick tips to remember:
· Prepare internal policies and procedures related to the disclosure of PHI and, more specifically, related to the disclosure of PHI on social media.
· Educate and train staff on policies and procedures related to the disclosure of PHI. Keep a record of attendance and, also, maintain a record of the policies and procedures on which the education and training is based.
· Maintain both a physical and an online Notice of Privacy Practices.
· Monitor social media activity by staff.
· Cooperate fully with OCR if presented with a compliance audit or investigation based on disclosure of PHI.
Kristyn B. Escalante is an associate attorney at Parsons Behle & Latimer’s Boise office and a member of the firm’s healthcare practice group. She is experienced in healthcare law; business and commercial litigation; appeals; and real estate litigation. Kristyn can be contacted by calling 208.562.4900 or by sending an email to kescalante@parsonsbehle.com.