Natali_Mis/istock via Getty Imag

OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp

The dental practice paid $23,000 to OCR to settle a potential HIPAA violation after including PHI in its responses to reviews on Yelp.

The HHS Office for Civil Rights (OCR) reached a settlement with California-based New Vision Dental (NVD), over a potential HIPAA violation. The practice paid OCR $23,000 and agreed to implement a corrective action plan.

New Vision Dental allegedly disclosed protected health information (PHI) online in response to negative social media reviews, a 2017 complaint to OCR stated. The comments included patient names, insurance information, and treatment information.

“Specifically, Complainant alleged that NVD habitually disclosed PHI when it responded to patient posts sometimes providing full names where only Yelp monikers were used by the patients and including detailed information about patient visits and insurance that may not have been previously mentioned in their initial reviews,” OCR noted.

OCR launched an investigation and determined that New Vision Dental impermissibly disclosed PHI, failed to implement certain policies and procedures with respect to PHI, and failed to have the minimum content required in its Notice of Privacy Practices. The settlement agreement is not an admission of liability by NVD.

As part of its corrective action plan, NVD agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD is required to remove all social media postings that include PHI.

“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” OCR Director Melanie Fontes Rainer explained in a press release.

“OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”

Next Steps

Dig Deeper on HIPAA compliance and regulation