A patient alleged Elite Dental Associates impermissibly disclosed details of their health condition on a Yelp review; OCR found several potential HIPAA violations, including the lack of a social media policy.
Elite Dental Associates, Dallas has agreed to pay the Office of Civil Rights $10,000 and adopt a corrective action plan, following a patient complaint that the dental provider shared details of their health condition on a Yelp social media page.
The patient first filed a complaint on June 5, 2016, which alleged Elite responded to a social media review about the provider with the patient’s last name and details of the patient’s health condition. The post also included details of their treatment plan, insurance, and cost information.
The OCR investigation found that Elite impermissibly disclosed the protected health information of multiple patients when responding to other patient reviews on the dental provider’s Yelp review page – without valid authorizations.
Elite also lacked a policy and procedure for disclosures of PHI to ensure interactions on social media protection patient information and did not have a HIPAA-compliant notice of privacy practices for patients.
“Social media is not the place for providers to discuss a patient’s care,” OCR Director Roger Severino, said in a statement. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
In November 2016, OCR notified Elite of the investigation’s findings, including that the provider had indeed impermissibly disclosed PHI. However, the resolution agreement is not an admission of liability from Elite.
In addition to the $10,000 penalty, Elite will be required to follow a corrective action plan that includes developing, maintaining, and revising, as a necessary, written policies and procedures to ensure the privacy and security of individually identifiable health information in compliance with HIPAA.
The policies should address permissible and impermissible uses and disclosures of PHI, as well as the appropriate administrative, technical, and physical safeguards to protect PHI. Elite must also create a process for evaluating and approving authorizations around PHI, before that data is used or disclosed.
As mandated by HIPAA, the policies must also outline how a patient may revoke authorization and a “statement regarding a covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.”
Elite must also bolsters its current notice of privacy practices to include the requirement of obtaining an individual’s authorization before use and disclosure, including posting on its website, social media pages, and or other public platforms.
The dental provider must also assign a contact person for inquiries or concerns around HIPAA compliance in relation to PHI. All workforce members must report to this designated person or office any potential violation, as part of its internal reporting procedures.
Elite will need to apply and document appropriate sanctions, such as retraining or instructive corrective action.
“Such reporting procedures shall require Elite to promptly investigate and address all received reports in a timely manner,” officials wrote. “Training shall cover all the topics that are necessary and appropriate for each member of the workforce to carry out that workforce member’s functions within Elite.”
The Department of Health and Human Services must receive those policies within 30 days of the effective date to be reviewed and approved. Any changes will need to be made by Elite within 30 days of receipt and distributed to all workforce members.
New employees must receive the documents within 30 days of beginning their employment. Elite must require its workforce to sign a compliance certification, which attests the employee has read, understood, and will follow the policies.
Elite will be required to asses, update, and review the procedures on an annual basis, and as necessary. What’s more, employees that fail to sign the procedure are not permitted to use or disclose PHI.
This is not the first OCR settlement around improper disclosure on social media. In 2016, Complete PT, Pool & Land Physical Therapy paid OCR $25,000 over patient allegations that the provider “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
Date: October 07, 2019