The internet is full of feedback loops. Google, Yelp, Facebook, and others invite internet users to comment on the services they have received from providers such as stores, restaurants, auto shops and doctors. In healthcare, however, if a patient posts a review (whether positive or negative), the provider may NOT respond online without risking a HIPAA violation.
OCR Settles Potential HIPAA Violations with Manasa Health Center
Today, the Office for Civil Rights (OCR) announced a settlement with Manasa Health Center, LLC (Manasa), a health care provider in New Jersey that provides adult and child psychiatric services, stemming from a complaint that Manasa impermissibly disclosed protected health information (PHI) in public responses to negative online reviews. Under the settlement, Manasa agrees to pay a $30,000 fine and submit to a corrective action plan.
OCR Director Melanie Fontes Rainer said in the announcement:
“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed. The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”
The announcement explained that OCR opened its investigation in response to a complaint by a patient alleging that Manasa posted a response to the patient’s negative online review that included specific information about the individual’s mental health diagnosis and treatment. OCR also discovered that Manasa had impermissibly disclosed the PHI of three other patients in response to their negative online reviews. OCR’s investigation further found that Manasa had failed to implement HIPAA Privacy policies and procedures.
In addition to the $30,000 payment, Manasa will implement a two-year corrective action plan to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps:
- Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,
- Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,
- Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
- Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.
Protected Health Information Defined
Patients may disclose their own PHI but their providers may not. And if a patient discloses something publicly, they have NOT waived their rights under HIPAA. Providers must maintain patient privacy and remain silent.
In this case it appears the provider’s response contained information about the patient’s diagnosis and treatment. But even if the provider had not disclosed a diagnosis, the response still would have been an impermissible disclosure under HIPAA.
Remember that PHI is defined as any one of 18 different pieces of individually identifiable information that is connected to the provision of past, present or future health care services or benefits. PHI does not need to contain or reveal medical information. If the patient uses any kind of identifier in the review, e.g., a name, an email address, initials, or a handle using @_______, any response from the provider confirms that the patient was receiving treatment. By responding to the review, the provider is connecting the individual to past health care services. Again, this is okay for the patient to do, but not for the doctor.
How to Use Social Media and Follow HIPAA
Covered entities may use social media if they follow HIPAA. If you take care to follow simple guidelines you can safeguard patient privacy and stay ahead of OCR regulators.
If you are communicating with patients online and using social media, there are several key requirements:
- maintain and follow policies to limit use and disclosure of PHI in electronic format (on the Internet, social media sites and in email);
- obtain a patient authorization for testimonials, or any other kind of use or disclosure of PHI on your website or social media; and
- do not communicate with patients via unencrypted email or text without first obtaining their consent.
Responding to Reviews
If you want to respond to a negative review, there are two options. To respond online, use a general, neutral statement that does not confirm the reviewer is a patient, such as “Our practice is committed to providing quality health care.” Do not say “Please contact us offline and we will help you with your complaint,” because that acknowledges the reviewer as a patient with a complaint.
But the best option to reduce negative online reviews, or turn them into positive reviews, is to discuss the patient’s complaint privately on the telephone or in person.
If you need help sorting through your next steps to improving HIPAA compliance, give The HIPAA E-Tool® a call.