A Seattle-area plastic surgery provider tried to manipulate online reviews of his practice. After an investigation and a lawsuit, he will pay $5 million to settle the matter, according to a July 2, 2024 consent decree. Dr. Javad Sajan was accused of threatening patients over negative reviews and posting fake positive ones.

Three enforcement reminders emerged from the case.

1. States can enforce HIPAA.
2. Providers must follow consumer protection laws in addition to HIPAA.
3. HIPAA violations plus fraud can be costly.

The Associated Press reported that the consent decree resolves a lawsuit brought by Washington Attorney General Bob Ferguson in December 2022. The complaint accused Allure Esthetic and its owner, Dr. Javad Sajan, of violating HIPAA and state and federal consumer protection laws by posting false reviews and forcing patients to sign nondisclosure agreements (NDAs) barring them from posting or saying anything negative about Allure.

According to the lawsuit, Allure also does business under other names, including Alderwood Surgical Center, Gallery of Cosmetic Surgery, Seattle Plastic Surgery, Northwest Nasal Sinus Center, and Northwest Face & Body. The Alderwood Surgical Center and Northwest Nasal Sinus Center are named in the consent decree.

The resolution, filed in the U.S. District Court for the Western District of Washington, requires Allure to pay $1.5 million in restitution to about 21,000 Washington state residents. People who were forced to sign illegal NDAs will each receive $50, while those who paid a nonrefundable consultation fee before they signed an illegal NDA will receive $120.

According to the resolution, about $3.5 million will go to the State Attorney General for attorney fees, litigation costs, and monitoring and enforcing the consent decree.

“Writing a truthful review about a business should not subject you to threats or intimidation,” Attorney General Ferguson said. “Consumers rely on reviews when determining who to trust, especially services that affect their health and safety. This resolution holds Allure accountable for brazenly violating that trust — and the law — and ensures the clinic stops its harmful conduct.”

States Can Enforce HIPAA

The HITECH Act of 2009 gave State Attorneys General the authority to bring civil actions on behalf of state residents for HIPAA Privacy and Security Rules violations. The Washington Attorney General’s lawsuit against Allure and Dr. Sajan also alleged violations of the federal Consumer Review Fairness Act (CRFA) and the Washington Consumer Protection Act (CPA).

Fraudulent and Unethical Practices

According to the complaint, Allure threatened to sue patients if they did not take down negative reviews and, in some cases, followed through with a lawsuit. Sometimes, it offered patients cash and free services or products in exchange for taking down negative reviews. The practice also had more than 10,000 patients sign nondisclosure agreements restricting them from posting negative reviews online before receiving treatment.

The lawsuit said that Sajan “personally authorized” the amount of money or value of services offered to patients who posted negative comments. He allegedly directed employees to create fake email accounts to pose as patients and post positive reviews.

Allure and Dr. Sajan must remove all their remaining online reviews and are prohibited from creating new reviews on platforms such as Google, Yelp, RateMD, Healthgrades, WebMD, and Vitals.

The lawsuit alleged that the company rigged “best doctor” competitions hosted by local media outlets, kept tens of thousands of dollars in rebates intended for patients, and altered before-and-after photos of procedures on patients.

The resolution also requires Allure to hire a third-party forensic accounting firm to conduct an independent audit of its consumer rebate program to identify those who are owed rebates and, upon request, provide the Attorney General’s office with proof of compliance with the terms of the consent decree for the next ten years.

If Allure or any related businesses violate the terms, they could face civil penalties of up to $125,000 per violation.