
Violations of Patient Privacy on Social Media Will Result in HIPAA Fines

Posted on October 4, 2019 in Compliance, Health Information Technology

Published by: Hall Render

On October 2, 2019, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that a Texas dental practice (“Practice”) will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by paying a civil penalty of $10,000 and adopting a corrective action plan.

A patient of the Practice filed a complaint with OCR regarding the Practice’s response to a social media review posted by the patient. Specifically, in its response the Practice disclosed the patient’s last name, treatment plan, and insurance and cost information. During the course of its investigation, OCR reviewed the Practice’s Yelp review page and discovered other responses from the Practice that were also impermissible disclosures under HIPAA. OCR concluded that the Practice impermissibly disclosed patient protected health information (“PHI”), that the Practice did not have policies and procedures in place covering the release of PHI on social media, and that the Practice’s Notice of Privacy Practices did not contain the required minimum content.

OCR specifically noted that it chose to accept a reduced settlement amount based in part on the Practice’s cooperation with OCR as well as the Practice’s finances and size, which is consistent with OCR’s scalable and voluntary compliance enforcement approach.

Practical Takeaways

Covered entities sometimes struggle to have a social media presence that is engaging and helpful to their community, while also balancing their obligations to protect patient privacy. Unlike other industries that are not as heavily regulated as health care, covered entities cannot simply respond to a social media complaint with the covered entity’s side of the story. Covered entities should consider the following:

  • Covered entities should have social media policies and procedures in place that address:
    1. The use of social media by the covered entity’s workforce members in their personal capacity that makes it clear that workforce members cannot post patient protected health information on their own social media pages; and
    2. The operation of the covered entity’s official social media presence by the covered entity’s marketing team.
  • Policies and procedures for the covered entity’s official social media presence should include appropriate steps for responding to social media complaints and negative reviews and should include a plan in the event a covered entity suspects negative reviews or posts are not genuine.
  • Reputation management strategies should encompass both onsite and online interactions. A patient’s experience at a health care provider starts when they make their appointment and lasts until their bills are resolved. For covered entities both large and small, it is important to make certain patients are aware that there is someone at the covered entity they can speak with if they have concerns. A responsive and helpful patient care team or point person can prevent patient frustration that leads to an angry post.
  • Remember, while patients have the right to disclose their own health information, including publicizing details of their care on a third-party review page or the health care provider’s own social media page, covered entities cannot do the same. A patient who posts a complaint on a third-party review page, or even on the covered entity’s own social media page, is not necessarily trying to generate a response from the covered entity. Sometimes a patient posts a negative review or comment only to warn or inform others of a bad experience. Covered entities cannot treat the fact that a patient posted health information in the comment or review as any kind of consent or permission for the covered entity to address the complaint through the same method. Only a HIPAA-compliant authorization would permit a covered entity to disclose PHI publicly in response to a patient complaint.
