The Office for Civil Rights (OCR) at the Department of Health and Human Services announced it reached a settlement with Elite Dental Associates of Dallas (Elite) to resolve a complaint alleging Elite impermissibly disclosed a patient’s protected health information (PHI) on a social media website that reviews businesses. According to the complaint, Elite included the patient’s name, treatment plan details, and information related to her insurance and treatment cost when the office responded to the patient’s review on a social media website. When OCR investigated the complaint, it found that Elite had made similar comments in response to other patients’ reviews on the site.

Following its investigation, OCR determined that Elite had impermissibly disclosed PHI, failed to implement policies and procedures for PHI, including the release of PHI through social media platforms, and failed to include necessary information in its Notice of Privacy Practices. The resolution agreement details that Elite must pay $10,000 to settle the complaint, adhere to a corrective action plan requiring the practice to develop policies and procedures that comply with the Privacy Rule’s requirements, and train employees on the new policies and procedures. In addition, Elite must issue a breach notice to any patient whose PHI was disclosed on the review site and send OCR a report on each impermissible disclosure.

Even with the reduced maximum penalty limits, the fine of $10,000 is small. Each violation could have carried a penalty of up to $50,000. With multiple penalties and violations that did not appear to have a reasonable cause (unless responding to criticism on social media is considered reasonable cause) and were not independently corrected prior to OCR’s involvement, the penalty could have reached $1.5 million, depending on the number of violations. OCR’s press release on the settlement explained the low penalty amount, citing Elite’s size, financial circumstances, and cooperation with the investigation.

HIPAA policies and procedures may not specifically address situations such as responding to criticism on social media, but those subject to HIPAA need to keep in mind the limitations that apply to them in all circumstances, even when some information has been made public or they are provoked.

Ballard Spahr attorneys advise health care providers and other businesses on compliance with HIPAA and other laws and regulations governing PHI.