Dental Practice Penalized $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights agreed to a settlement with Elite Dental Associates in its HIPAA violation case, which involved the impermissible disclosure of protected health information (PHI) of several patients when responding to patient feedback on the Yelp review site.

Elite Dental Associates in Dallas, TX is a privately owned dental practice that provides services in general, implant and cosmetic dentistry. OCR received a complaint from an Elite patient on June 5, 2016 regarding a social media HIPAA violation. According to the patient, a response by the dental practice to a review she posted on Yelp publicly disclosed some of her PHI.

When responding to the patient’s post on June 4, 2016, Elite disclosed the last name of the patient along with details of her health issue, treatment plan, cost and insurance information.

The investigators publicly verified that account to be true and also discovered that it was not the first occasion on which the dental practice had disclosed PHI without authorization on social media when responding to patient feedback. More impermissible PHI disclosures were found on the Elite review site.

Besides the impermissible disclosures of sensitive data, which are a violation of 45 C.F.R. § 164.502(a), OCR concluded that Elite did not implement policies and procedures concerning PHI, particularly the sharing of PHI on social media and other general platforms, breaching 45 C.F.R. § 164.530(i). Elite likewise did not include in its Notice of Privacy Practices the minimum required content stipulated in the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR issued a HIPAA violation fine amounting to $10,000 and required a corrective action plan (CAP) to address the alleged HIPAA violations and settle the HIPAA violation case with no admission of liability. The three potential HIPAA violations might have drawn a considerably greater financial penalty, but OCR looked at the practice’s financial status, its size, and its help in the OCR investigation before deciding the right financial penalty.

Patient care must not be discussed on social media. Doctors and dentists should think very carefully about patient privacy before answering online reviews.

This is the fourth OCR HIPAA settlement in 2019. Bayfront Health St Petersburg paid OCR $85,000 for a HIPAA Right of Access failure in September. There were two settlements in May, which involved multiple HIPAA violations at Touchstone Medical Imaging ($3,000,000) and Medical Informatics Engineering ($100,000).