HIPAA Penalty Assessed for Social Media Response
Giving in to the temptation to respond to a negative Yelp review with information that identifies complaining patients can be very expensive, even if it may make the clinician feel better in the moment. And the cost and reputational sting of a Corrective Action Plan can last for years.
On October 2, 2019, the Office of Civil Rights (OCR) the entity that enforces HIPAA, issued a Press Release regarding a settlement in the sum of $10,000 against Elite Dental Services of Dallas, Texas. OCR noted in the Press Release that Elite “had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.” OCR, perhaps, put a fine point on the matter by noting that Elite had also violated HIPAA by not having a written policy regarding social media usage.
While the $10,000 penalty may not seem onerous, it is only the beginning of the regulatory woes for Elite. In its Resolution Agreement, OCR required Elite to enter into a Corrective Action Plan. The Plan, which will be in effect for two years, requires Elite to:
The costs in legal and consultants’ fees and in time spent on complying with the Agreement will certainly outstrip the amount of the fine by orders of magnitude. The damage to the reputation of the practice will be considerable, if more difficult to calculate. Social media can be a powerful marketing tool for dental and medical practices, but those who use it in the medical and dental contexts must be trained in the requirements of federal and state privacy law. And responses to complaints over social media, to the extent a response is indicated at all, must be approached with the utmost care.
If you have questions concerning social media use and privacy laws and regulations, please contact Kenneth N. Rashbaum.