Beware the pitfalls of social media in healthcare.
A dental provider in southern California has been ordered to pay a $23,000 fine and must follow a corrective action plan after its owner responded to negative Yelp reviews by posting patient data online. The Office for Civil Rights (OCR) which enforces HIPAA announced the settlement with New Vision Dental of the Los Angeles metro area yesterday.
Patients aren’t required to follow HIPAA and may disclose their own information on a social media site, but that does not mean they consent to a provider’s disclosure. Covered entities like the dental provider are required to safeguard privacy. If a provider discloses protected health information (PHI) without a written HIPAA authorization, they should prepare to pay a big fine for violating HIPAA.
In addition to the fine, New Vision Dental must remove any social media postings made since 2014 that include patient data and issue breach notices to affected individuals.
OCR director Melanie Fontes Rainer said in a statement:
“Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘no’. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
Social Media Marketing Needs to Follow HIPAA
Done correctly and in compliance with HIPAA, social media marketing is a powerful tool. Healthcare providers may take advantage of the power of the Internet if they know and follow the rules.
Unfortunately, the Internet is flooded with PHI disclosed by providers of all sizes in patient reviews posted on their own websites and in their responses to reviews on independent patient review sites. Lots of providers probably think “it must be ok if everyone is doing it.”
It appears that many are not aware of HIPAA Privacy Rule standards that apply to patient reviews and social media. They may be taking advice from vendors selling reputation management services (who don’t understand HIPAA) that encourage solicitation of five-star reviews and advise providers to reply immediately to every review – good or bad.
If you’re a healthcare provider using social media marketing, be sure to review your plans with a HIPAA lawyer who can help you avoid HIPAA risks.
Lessons from OCR
The New Vision Dental settlement is important for two reasons.
- It is a warning to covered entities and marketing vendors showing OCR’s awareness of persistent, widespread Internet-based HIPAA violations.
- It explains the Privacy Rule standard requiring covered entities to have administrative, technical, and physical safeguards in place to protect the privacy of PHI.
The Privacy Rule provides little direction regarding those safeguards in contrast to its newer sibling, the Security Rule. OCR has been filling in that gap by describing appropriate Privacy Rule safeguards in corrective action plans like the one New Vision Dental must follow. In this case they include patient authorization for use or disclosure of PHI on social media, and policies to limit use and disclosure of PHI in electronic format (on the Internet, social media sites and in email).
Enforcement activities like this one are essential to protect patients. The Internet is a gold mine for medical identity thieves offering big rewards and requiring little skill. With the identity of a patient and identity of a provider criminals contact the patient posing as a trusted provider to ‘update’ or confirm information that many patients freely give. Then it is sold on the Dark Web and used to commit health insurance fraud and get prescription medications.
HIPAA Guidance Can Keep You Competitive
Appropriate HIPAA safeguards are simple and allow flexibility.
First, if reviews and testimonials are important to your practice, obtain authorizations in advance. Then you should adopt and enforce a policy that it will:
- not respond to patient reviews, or
- may respond neutrally with a statement that is committed to providing high quality healthcare without confirming or denying the individual is its patient, or
- will respond more fully only after obtaining a valid HIPAA authorization from the individual to do so.
The HIPAA E-Tool® understands marketplace realities and can help you grow your business, stay compliant and avoid investigations and fines.
If you need broader legal guidance on HIPAA compliance with social media, give the E-Tool a call.