A Dallas Dental Office Responds to a Yelp Review with a Privacy Rule Breach
Managers of a small Texas dental practice did what many responsible business operators do on social media. They responded to a Yelp review.
That response and the subsequent Privacy Rule Breach cost Elite Dental of Dallas $10,000.
If you’re in business today, you probably know that review sites such as Yelp and Google My Business appear to be a permanent part of the landscape. These services allow customers to freely share their experiences with the world.
Review Sites are Privacy Rule Breach Traps
Review sites can be a benefit to any business because authentic reviews provide “social proof” of service or product quality. As designed, review sites encourage conversation and can even boost the search engine rankings of a business.
In its enthusiasm to respond to a visitor’s Yelp review, however, Elite Dental failed to keep in mind the most fundamental element of the 1996 Health Insurance Portability and Accountability Act (HIPAA): “The Privacy Rule.”
The Yelp review was initiated by a patient. But when practice management responded in the comments section of the online review site, they violated the Privacy Rule.
As crazy as it sounds, it’s legal for a patient to post about his or her visit. But it’s illegal for a HIPAA Covered Entity to respond because even a simple response can verify treatment and identity — which is a Privacy Rule Breach.
A quick scan of Elite’s Yelp reviews shows that all responses have now been replaced by a generic HIPAA-safe response that is more noncommittal.
“Per Federal Privacy Law (HIPPA), this office and any health related offices are prohibited to confirm, deny or comment on this review. We know this business (like every other) are more then willing to help resolve any concerns that any potential client may have by contacting them directly — our business clients will do “whatever it takes” to make it right so we ask that you please contact them directly. Federal Privacy Laws prohibits any additional comments from a health related business directly online hence why they are unable to legally respond to your concerns and comments. Thank you again for your feedback — just note that our clients are truly here to resolve your concerns.”
-Elite Dental
Ironically, the patient who wrote the review complained to the Office for Civil Rights (OCR), the federal agency responsible for investigating HIPAA violations, about the privacy rule breach.
The OCR, in announcing the penalty, noted that the $10,000 was a discounted fine based on the relatively small size of the practice and Elite’s cooperation with the investigation.
In addition to the monetary penalty, Elite must undergo a lengthy Corrective Action Plan.
Review sites and social media can create a big lift for your business, but you need to know the rules. We can help!
Starting today, HIPAA Horror Stories will be published every other week.