Elite Dental Associates, a Dallas dental practice, just wrote a check for $10,000 to the Office for Civil Rights (OCR) of the Department of Health and Human Services. The reason? A HIPAA violation. What “egregious” act did the practice commit?
Responding to negative reviews on Yelp.
OCR’s investigation found that the dental practice had impermissibly disclosed the protected health information, or PHI, of multiple patients in response to reviews on the Elite page on Yelp.
The patient first filed a complaint on June 5, 2016, which alleged Elite responded to a social media review about the provider with the patient’s last name and details of the patient’s health condition. The post also included details of their treatment plan, insurance, and cost information.
The practice got off easy. OCR showed mercy.
OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
Elite Dental is a single practitioner practice. The potential penalty could have been an order of magnitude higher or more. Whether or not his professional liability carrier paid the penalty was not made public. My guess is they did not. Most policies preclude payment of a penalty.
Social media privacy “breaches” are becoming fair game for the HIPAA police.
In 2016, Complete PT, Pool & Land Physical Therapy paid OCR $25,000 over patient allegations that the provider “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
More will come.
How am I so sure?
Because most healthcare professionals believe the privacy laws are grounded in logic and make sense. They assume, INCORRECTLY, if a patient has “outed” themselves, disclosing all types of details about their care, then their medical or dental record is fair game. The doctor can then respond with facts to get the truth out. While logically it should be the case, it is not so. Responding by disclosing protected health information (PHI) is a breach. Even acknowledging a reviewer is your patient is a breach. A patient can use a pseudonym. If their picture is plastered on the screen, they are identifiable. We have even seen a case where an attorney argued a patient’s freckling pattern identified her. No face. No name. Just before and after photos of her breast augmentation. That attorney was rewarded with a settlement.
Responding to a review can be done safely only under the following circumstances:
A. The patient has given prior written authorization to disclose protected health information. If a patient is slamming you online, this likely will not be a viable path.
B. There is a statutory exception which allows one to disclose protected health information without advance written authorization. For example, providing information to a treating doctor to help treat your patient, or providing financial records to resolve a claim or address a financial dispute. There are a bevy of other statutory exceptions; most will never be relevant to responding to an online review.
C. Your response does not disclose protected health information. It does not even acknowledge the reviewer is your patient. There are ways to do this. We do it for our clients all the time. But this is not for amateurs. The goal is not to get into a factual online debate with the patient. It is to broadly send a message to the public. This seems like a subtle distinction. It is not. It is the difference between protecting your reputation and writing a big check to OCR.
Now, let me digress and talk a minute about responding to positive reviews. Some marketing companies state that medical practices should thank patients for their thanks. Patients will react positively to this. They like knowing their reviews are being read.
While this may make sense for retail stores, automobile dealers, and hair salons, in healthcare, do not do this. Repeat. Do not do this. Why? Each response is a potential vector to trigger a complaint. As stated above, there are ways to respond to negative reviews. This should be an infrequent occurrence. Positive reviews are more frequent. So, you would be increasing the number of times you are potentially committing a privacy breach. No less important, it’s hard to come up with fresh material thanking someone for their thanks. If you are that creative, quit your job, and move to Hollywood. You will be handsomely compensated as a script writer.
Complaints related to HIPAA are triggered by unhappy patients. Would a happy patient really complain? Remember, not all happy patients stay happy. Some go to a competitor and later become unhappy. With you. Then the complaint gets filed.
Or a HIPAA complaint is triggered by a “concerned citizen”. A disgruntled employee, ex-spouse, or competitor.
My two closing points.
Do not respond to positive reviews.
In addition to the $10,000 penalty, Elite will be required to follow a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure the privacy and security of individually identifiable health information in compliance with HIPAA.
The policies should address permissible and impermissible uses and disclosures of PHI, as well as the appropriate administrative, technical, and physical safeguards to protect PHI. Elite must also create a process for evaluating and approving authorizations around PHI, before that data is used or disclosed.
As mandated by HIPAA, the policies must also outline how a patient may revoke authorization and a “statement regarding a covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.”
Elite must also bolster its current notice of privacy practices to include the requirement of obtaining an individual’s authorization before use and disclosure, including posting on its website, social media pages, and/or other public platforms.
The dental provider must also assign a contact person for inquiries or concerns around HIPAA compliance in relation to PHI. All workforce members must report to this designated person or office any potential violation, as part of its internal reporting procedures.
Elite will need to apply and document appropriate sanctions, such as retraining or instructive corrective action.
“Such reporting procedures shall require Elite to promptly investigate and address all received reports in a timely manner,” officials wrote. “Training shall cover all the topics that are necessary and appropriate for each member of the workforce to carry out that workforce member’s functions within Elite.”
The Department of Health and Human Services must receive those policies within 30 days of the effective date to be reviewed and approved. Any changes will need to be made by Elite within 30 days of receipt and distributed to all workforce members.
New employees must receive the documents within 30 days of beginning their employment. Elite must require its workforce to sign a compliance certification, which attests the employee has read, understood, and will follow the policies.
Elite will be required to assess, update, and review the procedures on an annual basis, and as necessary. What’s more, employees who fail to sign the certification are not permitted to use or disclose PHI.
Medical Justice Founder and CEO, Jeff Segal, MD, JD and our expert team provide consultations to doctors in need of guidance.
Thanks for sharing the details of this case, Jeff. Your assertion that a practice should NEVER respond to a positive review seems to be an evolution of your past position.
Is it your professional opinion today that a response to a positive review in the vein of, “Thank you for your kind words [screen-name], they inspire our entire team” constitutes a HIPAA risk?
And if the review is left with an elective practice that does not accept Federal reimbursements for care…and is not a HIPAA-covered entity…would your guidance still apply?
Thanks for leading the dialogue on these important topics, Jeff!
Thanks, Ryan.
My position on responding to positive reviews is essentially unchanged from before. Any response to a review must be done in a HIPAA compliant way. This is not easy to do. It is doubly hard to do in a creative, authentic voice. So, my position is avoid working extra hard for marginal benefit, if you are taking on increased risk. Most practices will have significantly more positive than negative reviews, particularly if they have a process for cultivating reviews. The more you respond online, the more you create threat vectors for HIPAA breach. My two cents: Responding should be limited to negative reviews, and again, be done in a HIPAA compliant way. If you want to express gratitude for the gratitude, call the patient, or acknowledge it the next time you see them in person.
Is the risk high with “Thank you for your kind words [screen-name], they inspire our entire team”? No. But it is not zero. And if that happy patient becomes unhappy, it can evolve into another excuse to create a headache. From a more practical perspective, repeating that phrase over and over again to the public may paradoxically come across as uninspiring and unoriginal. My point is, it is hard to craft an original, creative response to many positive reviews.
Regarding an entirely elective practice that does not accept insurance… perhaps HIPAA does not apply. (For HIPAA to not apply, it theoretically requires more than not accepting federal funds – it requires accepting no insurance at all.) But you’d still have to defend against a federal complaint if the feds filed a complaint (never a pleasant experience… even if you later get the case dismissed). More importantly, many states now look to HIPAA for guidance on how to address state-based privacy laws. The state attorneys general and medical licensing boards are empowered to pick up where the federal government may not be able to go.
What happens when patients reveal their names voluntarily in the countless online reviews (they sometimes sign their name at the end of their review)? We do not even solicit these reviews.
It does not matter if the patient reveals their name. HIPAA only allows the doctor to acknowledge the doctor-patient relationship if the patient has given prior written authorization or there is a statutory exception, which likely would never be the case in a typical online review of a doctor.
It’s surprising to me that HIPAA hasn’t been repealed. It’s a flagrant tipping of the playing field: medical people have to walk on eggs, but the data are freely shared by businesses, insurance companies, the government, etc. and they aren’t subject to the same strictures as medical people.
Am I the only one troubled by this?
1) A positive review cannot be acknowledged, because it confirms that the patient is a patient of that physician. The patient can acknowledge whatever they want. The practice can’t without violating HIPAA. Unless of course the practice has written okay from the patient.
2) Patients can reveal what they want, when they want, but that does not authorize the practice or the physician to do so. If the patient chooses to reveal their name that is their right.
Do these things make sense? Only under HIPAA. There just doesn’t seem to be a lot of common sense to these laws, but common sense is in short supply.
Do other countries have these kinds of laws?
“Remember, not all happy patients stay happy. Some go to a competitor and later become unhappy. With you. Then the complaint gets filed.” This is SO true. We recently saw a patient for a revision rhinoplasty consultation, and the patient showed me B&A photos from the internet that were posted without permission. And the screenshots had the name of the surgeon watermarked.
This surgeon had a “happy” reveal 7 days postop, and assumed all would be sunshine and lollipops moving forward down the 1-year recovery. This was bad judgement by the first surgeon. The 10-month postop result wasn’t terrible, but the patient became unhappy as nasal swelling resolved and the final nasal appearance was declared.
I highly recommend MedicalJustice without reservation. The internet is uncharted waters for many, and having MJ on your team leads to peace of mind by enabling you to concentrate on patient care – instead of worrying about the MD rating sites.
Out of curiosity (and pardon potential naivete), can you include in your authorization to treat form (or whatever is your equivalent) a clause that states that if the patient posts an online review, they are assumed to have given written permission to give out said potential PHI in response, be it a positive or negative comment that is responded to?
I do not believe that proposed solution will work because of three practical considerations.
You would be asking for the patient’s authorization to post a response, using their protected health information, if the patient posted online. To do so, you would need to obtain a formal authorization from each patient.
A valid authorization must meet certain requirements (45 C.F.R. § 164.508(c)(2); 45 C.F.R. § 164.508(b)(3) and (c)(4)). It must:
(a) Identify the disclosing health care provider,
(b) Identify the recipient of the PHI,
(c) Label the purpose,
(d) Define an expiration date or event,
(e) Be dated,
(f) Be signed.
(g) The authorization must include certain required statements, indicating that failure to sign the authorization will not affect treatment or payment for treatment, that the patient may revoke the authorization at any time, and that the information may no longer be protected by HIPAA once disclosed pursuant to the authorization. The authorization must be a stand-alone document and the health care provider must provide the patient with a copy of the signed authorization.
Here, the patient might decide to not sign that authorization, and you could not use that decision to avoid treating the patient. So, the savvy patient could just say, no thanks, not going to sign.
Next, even if the patient does sign, they are free to withdraw their authorization at any time. They could sign the agreement, be treated, then withdraw their authorization, then post a nasty review. And you’d be back where you started.
Finally, the most important reason is that it could turn into a public relations nightmare. If a patient went to the media with that authorization form, particularly after you used that agreement to release PHI, the media would have a field day.
My larger point is that it is easier to use a rifle compared to a shotgun to address an isolated problem. There are ways to respond to select negative reviews without revealing PHI. If you release PHI to present your side in an online debate about your care, expect a pile-on.
Don’t kill the messenger.
As I thought, an even more complex issue than what we are led to believe.