Dental practice pays $10K to settle disclosures of patients' PHI on social media

A private dental practice in Dallas, Texas, has agreed to pay $10,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights to settle potential violations of the HIPAA privacy rule.

The HHS reported last week that the OCR completed its investigation of a complaint by a patient who alleged that Elite Dental Associates, Dallas, disclosed on social media the patient’s last name and the details of the patient’s health condition.

“OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page,” the HHS stated in the news release.

In addition to paying the $10,000 settlement, Elite agreed to two years of monitoring by OCR for compliance with HIPAA as part of a corrective action plan.

“Doctors and dentists must think carefully about patient privacy before responding to online reviews,” OCR Director Roger Severino said.

The HIPAA privacy rule defines and limits the situations in which a HIPAA-covered entity may use or disclose patients’ protected health information. Written patient authorization is required for any use or disclosure that is not permitted or required by HIPAA or state law.

The CDA Practice Support resource “Uses and Disclosures of Patient Health Information” (login required) reviews the HIPAA privacy rule and other federal and state laws that protect PHI.

Find HIPAA-related resources in the CDA Practice Support resource library.
