Elite Dental Associates, a Dallas dental practice, just wrote a check for $10,000 to the Office of Civil Rights (OCR) for Dept. Health and Human Services. The reason. A HIPAA violation. What “egregious” act did the practice commit?
OCR’s investigation found that the dental practice had impermissibly disclosed the protected health information, or PHI, of multiple patients in response to reviews on the Elite page on Yelp.
The patient first filed a complaint on June 5, 2016, which alleged Elite responded to a social media review about the provider with the patient’s last name and details of the patient’s health condition. The post also included details of their treatment plan, insurance, and cost information.
OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
Elite Dental is a single practitioner practice. The potential penalty could have been an order of magnitude higher or more. Whether or not his professional liability carrier paid the penalty was not made public. My guess is they did not. Most policies preclude payment of a penalty.
Social media privacy “breaches” are becoming fair game for the HIPAA police.
In 2016, Complete PT, Pool & Land Physical Therapy paid OCR $25,000 over patient allegations that the provider “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
More will come.
How am I so sure?
Because most healthcare professionals believe the privacy laws are grounded in logic and make sense. They assume, INCORRECTLY, if a patient has “outed” themselves, disclosing all types of details about their care, then their medical or dental record is fair game. The doctor can then respond with facts to get the truth out. While logically it should be the case, it is not so. Responding by disclosing protected health information (PHI) is a breach. Even acknowledging a reviewer is your patient is a breach. A patient can use a pseudonym. If their picture is plastered on the screen, they are identifiable. We have even seen a case where an attorney argued a patient’s freckling pattern identified her. No face. No name. Just before and after photos of her breast augmentation. That attorney was rewarded with a settlement.
Responding to a review can be done safely only under the following circumstances:
The patient has given prior written authorization to disclose protected health information. If a patient is slamming you online, this likely will not be a viable path.
There is a statutory exception which allows one to disclose protected health information with advance written authorization. For example – providing information to a treating doctor to help treat your patient. Or providing financial records to resolve a claim or addresses a financial dispute. There are a bevy of other statutory exceptions; most will never be relevant to responding to an online review.
Your response does not disclose protected health information. It does not even acknowledge the reviewer is your patient. There are ways to do this. We do it for our clients all the time. But this is not for amateurs. The goal is not to get into a factual online debate with the patient. It is to broadly send a message to the public. This seems like a subtle distinction. It is not. It is the difference between protecting your reputation and writing a big check to OCR.
Now, let me digress and talk a minute about responding to positive reviews. Some marketing companies state that medical practices should thank patients for their thanks. Patients will react positively to this. They like knowing their reviews are being read.
While this may make sense for retail stores, automobile dealers, and hair salons, in healthcare, do not do this. Repeat. Do not do this. Why? Each response is a potential vector to trigger a complaint. As stated above, there are ways to respond to negative reviews. This should be an infrequent occurrence. Positive reviews are more frequent. So, you would be increasing the number of times you are potentially committing a privacy breach. No less important, it’s hard to come up with fresh material thanking someone for their thanks. If you are that creative, quit your job, and move to Hollywood. You will be handsomely compensated as a script writer.
Complaints related to HIPAA are triggered by unhappy patients. Would a happy patient really complain? Remember, not all happy patients stay happy. Some go to a competitor and later become unhappy. With you. Then the complaint gets filed.
Or a HIPAA complaint is triggered by a “concerned citizen”. A disgruntled employee, ex-spouse, or competitor.
My two closing points.
Do not respond to positive reviews.
Respond judiciously to negative reviews in a way that discloses zero protected health information. Not even disclosing the complaining patient was your patient. Do not guess how to do that. Speak with professionals. As stated above, we provide this service to our clients. To request a complimentary, confidential consultation, email us. Or call 336-691-1286.
In addition to the $10,000 penalty, Elite will be required to follow a corrective action plan that includes developing, maintaining, and revising, as a necessary, written policies and procedures to ensure the privacy and security of individually identifiable health information in compliance with HIPAA.
The policies should address permissible and impermissible uses and disclosures of PHI, as well as the appropriate administrative, technical, and physical safeguards to protect PHI. Elite must also create a process for evaluating and approving authorizations around PHI, before that data is used or disclosed.
As mandated by HIPAA, the policies must also outline how a patient may revoke authorization and a “statement regarding a covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.”
Elite must also bolster its current notice of privacy practices to include the requirement of obtaining an individual’s authorization before use and disclosure, including posting on its website, social media pages, and or other public platforms.
The dental provider must also assign a contact person for inquiries or concerns around HIPAA compliance in relation to PHI. All workforce members must report to this designated person or office any potential violation, as part of its internal reporting procedures.
Elite will need to apply and document appropriate sanctions, such as retraining or instructive corrective action.
“Such reporting procedures shall require Elite to promptly investigate and address all received reports in a timely manner,” officials wrote. “Training shall cover all the topics that are necessary and appropriate for each member of the workforce to carry out that workforce member’s functions within Elite.”
The Department of Health and Human Services must receive those policies within 30 days of the effective date to be reviewed and approved. Any changes will need to be made by Elite within 30 days of receipt and distributed to all workforce members.
New employees must receive the documents within 30 days of beginning their employment. Elite must require its workforce to sign a compliance certification, which attests the employee has read, understood, and will follow the policies.
Elite will be required to assess, update, and review the procedures on an annual basis, and as necessary. What’s more, employees that fail to sign the procedure are not permitted to use or disclose PHI.
So, there you have it. The HIPAA Privacy law may not follow common sense. But, failure to adhere to its tenets in the online world can empty your wallet. We’ve outlined best practices in past publications – linked below. If you’ve not read these articles, familiarize yourself. The strategies discussed may save your practice a $10,000 black mark – or more.
What do you think about Elite Dental’s odyssey? Click here to join the discussion below.
Jeffrey Segal, MD, JD
Chief Executive Officer and Founder
Dr. Segal was a practicing neurosurgeon for approximately ten years, during which time he also played an active role as a participant on various state-sanctioned medical review panels designed to decrease the incidence of meritless medical malpractice cases.
Dr. Segal holds a M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. Dr. Segal served as a Spinal Surgery Fellow at The University of South Florida Medical School. He is a member of Phi Beta Kappa as well as the AOA Medical Honor Society. Dr. Segal received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.
In 2000, he co-founded and served as CEO of DarPharma, Inc, a biotechnology company in Chapel Hill, NC, focused on the discovery and development of first-of-class pharmaceuticals for neuropsychiatric disorders.
Dr. Segal is also a partner at Byrd Adatto, a national business and health care law firm. With over 50 combined years of experience in serving doctors, dentists, and other providers, Byrd Adatto has a national pedigree to address most legal issues that arise in the business and practice of medicine.