The latest HIPAA resolution agreement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is a reminder that healthcare providers must take the high road when responding to unflattering online reviews by patients. While it is tempting to respond to a bad and perhaps untrue online review, healthcare providers need to take care not to disclose patient protected health information (PHI) when defending their reputation.

A Texas dental practice agreed to pay $10,000 and enter a two-year corrective action plan to settle potential violations of the HIPAA Privacy Rule arising from allegations that the practice responded to a patient’s online Yelp review by disclosing the patient’s last name and details of the patient’s health condition. The practice did not have authorization from the patient to disclose his/her protected health information in the online forum. As a result of its investigation, OCR learned that the practice had disclosed the PHI of multiple patients in the course of responding to comments on the practice’s Yelp review page. In announcing the settlement, OCR Director Roger Severino said, “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This resolution agreement should not be seen as a signal that OCR is dialing back the settlement amounts it seeks. While the amount in this latest case appears to be substantially less than amounts paid in other recent resolution agreements, the press release announcing the resolution notes that OCR accepted a “substantially reduced” settlement amount due to the size of the dental practice, its financial circumstances, and its cooperation during the investigation.

Also, this is not the first time that OCR has taken action against healthcare providers who attempt to respond to public comments in the media or online by patients:

  • In November 2018, OCR settled with a three-physician allergy practice for $125,000 after a physician disclosed a patient’s PHI to a reporter. The physician had been instructed to either not respond to a reporter’s inquiry or respond with “no comment.” When the physician disregarded those instructions and instead disclosed a patient’s PHI, the practice did not discipline the physician for violating HIPAA. As a result, in addition to paying the settlement amount, the practice also entered a corrective action plan.
  • In 2013, OCR entered a resolution with a hospital after two senior leaders discussed a patient’s medical condition with media outlets in response to news stories regarding allegations of Medicare fraud by the hospital. The hospital paid $275,000 and entered a corrective action plan requiring it to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures.

While no one likes to see unflattering and/or untrue comments about them or their business online or in the media, HIPAA (and many state medical confidentiality laws) prevents healthcare providers from responding to such comments in a way that discloses the PHI of any patient without that patient’s written authorization.

To comply with HIPAA, healthcare providers should:

  • Implement policies and procedures addressing permissible and impermissible uses and disclosures of PHI and appropriate safeguards to protect the privacy of PHI;
  • Train all workforce members on the policies and procedures;
  • Apply and document appropriate sanctions against workforce members (including physicians) who impermissibly use or disclose PHI; and
  • Develop a strategy for responding to online reviews and media inquiries before situations arise. This may include drafting a response to online reviews that describes in general terms how the organization strives to provide high quality care to all of its patients. Also, providers should consider designating one person within the organization to monitor and, if necessary, respond to online reviews and media inquiries. All workforce members should know who has that responsibility so the organization delivers an appropriate and consistent message that complies with HIPAA.

Healthcare providers need to remember their obligations to safeguard patient PHI under HIPAA and state licensing laws before responding to bad online reviews or media coverage or else risk making a bad situation even worse.