ARTICLE
14 October 2019

HIPAA Settlement For Social Media Disclosure

HK
Holland & Knight

Contributor

Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
Healthcare providers face a dilemma when patients post complaints or make other statements on social media.
United States Food, Drugs, Healthcare, Life Sciences

Healthcare providers face a dilemma when patients post complaints or make other statements on social media. Just because a patient has made certain information public does not mean that the provider can also post protected health information to respond to something the patient says. The federal Department of Health and Human Services announced, on October 2, 2019, a $10,000 settlement with a dental practice that potentially violated HIPAA in response to a social media review. In June of 2016, the Office for Civil Rights (OCR) received a complaint from a patient that a dental practice had responded to a social media posting by disclosing the patient's last name and information about the patient's health. OCR alleged that the practice did not have a policy regarding ensuring that its social media postings complied with HIPAA, and also that it lacked a HIPAA compliant Notice of Privacy Practices. OCR accepted a reduced settlement amount in light of the practice's size, financial circumstances, and cooperation with OCR.

The resolution agreement indicates that the practice allegedly responded to other social media reviews using PHI as well. The company agreed to a corrective action plan (CAP), which will last for two years. Among other things, the CAP requires development of certain policies and procedures, distributing them to all workforce members, and obtaining from each workforce member a signed compliance certification indicating that the workforce members have read, understand and will comply with them. The policies and procedures must be assessed at least annually and revised as needed. OCR's Director, Roger Severino, stated, "Social media is not the place for providers to discuss a patient's care. Doctors and dentists must think carefully about patient privacy before responding to online reviews."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More