The Office for Civil Rights (OCR) has reached an agreement with B. Brandon Au, DDS, d/b/a New Vision Dental (NVD), to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA), after the impermissible disclosure of patients' protected health information (PHI) on the Yelp social media site.
The OCR announcement pointed out that the violation in question involved the provider inappropriately using social media when responding to patient reviews, which resulted in impermissible disclosures: “The practice is illegal under HIPAA law”.
To resolve these allegations and the OCR investigation, NVD paid $23,000 to the Department of Health and Human Services and agreed to implement a corrective action plan. In a rare addition to the settlement action, NVD is required to remove all of its social media posts dating as far back as January 1, 2014 and issue notices of violation to affected patients or their representatives.
NVD must also post a substitute notice of the unauthorized disclosure of PHI on its Yelp page and issue a notice to HHS. These actions must all be completed within 30 days.
This is the second OCR settlement regarding possible HIPAA violations due to inappropriate use of social media this year. After a contentious fight with the regulatory agency, North Carolina-based Dr. U. Phillip Igbinadolor, DMD, was issued a $50,000 civil penalty for a 2015 incident in which the physician impermissibly disclosed a patient’s PHI after a negative review.
Along with the Dec. 14 settlement, OCR Director Melanie Fontes Rainer points to the importance of adhering to HIPAA rules when using social media platforms. OCR takes all complaints about HIPAA violations seriously, regardless of the size of the entity.
Frankly, “providers cannot disclose their patients’ protected health information when responding to negative reviews online. It’s a clear no,” Fontes Rainer said in a statement. “OCR sends a clear message to regulated entities that they must appropriately safeguard patients’ protected health information.”
For NVD, the settlement stems from a 2017 complaint filed with the OCR alleging that NVD leaked patient information on its Yelp page. On Yelp itself, patients were identified only by their chosen nicknames. But when the provider responded to patient reviews, it disclosed the patients' full names, treatment, and detailed information about their visits and insurance that the patients had not mentioned in their reviews.
The OCR launched an investigation into NVD in response, which confirmed that the dental practice had indeed posted responses to social media criticism that compromised health information.
On August 27, 2018, OCR notified NVD of its ongoing investigation into the possible HIPAA violation, and approximately 18 months later, OCR conducted an on-site visit to NVD as part of its audit. The investigation found that NVD had impermissibly disclosed patient data, while its Notice of Privacy Practices did not include the minimum content requirements outlined in HIPAA.
The audit also found that NVD had not implemented policies and procedures for PHI, including for the disclosure of PHI on social media. This is a notable finding, given that implementing privacy policies and procedures is a key part of HIPAA.
Additionally, when OCR audits a Covered Entity for a potential violation of HIPAA, it may find potential compliance issues that are not part of the original complaint. Providers should take the rule as a wake-up call to review HIPAA compliance requirements for their own privacy programs.
In addition to the monetary payment, NVD is also required to undertake a corrective action plan which will see the OCR monitor the compliance of the dental practice over the next two years.
As part of the CAP, NVD must develop and maintain written HIPAA policies and procedures to comply with industry standards governing the privacy and security of PHI. The document should address authorized and unauthorized uses and disclosures of PHI, as well as adequate administrative, technical, and physical safeguards to protect patient privacy.
Additionally, NVD shall enforce its policies to limit the use and disclosure of PHI to the minimum necessary, including email, internet, and social media sites. The policies must receive HHS approval and then be distributed to the workforce, who will receive training on the new measures.