No one likes receiving negative reviews on Yelp. But healthcare providers need to exercise better restraint than a dentist who will pay $23,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle claims that his responsive posts violated HIPAA.
OCR received a complaint that New Vision Dental (NVD) continuously disclosed patients’ protected health information (PHI) when responding to reviews on Yelp. The PHI included full patient names and detailed information about visits and insurance that the patient did not disclose in the initial review. Clearly, NVD did not read my March blog post “Three Dentists and a Psychiatrist Walk into a Bar: Four HIPAA Enforcement Actions that are No Joke.”
As is often the case, the complaint opened the door to an OCR investigation. Once OCR started poking around, in addition to the improper disclosures on Yelp, OCR also found that NVD’s Notice of Privacy Practices failed to meet requirements and it did not have adequate HIPAA policies.
Remember, healthcare providers subject to HIPAA must take care in responding to on-line reviews from patients. If the review is positive, either do not respond or respond with a simple “Thank you.”
When the response is negative, it may be best to simply say “We’re sorry to learn that you did not have a good experience. Please feel free to contact X in our office. We’d like to have the opportunity to work through this with you directly.” There’s always the option to not respond at all. If the practice regularly uses social media, it should have a policy outlining how it will ensure HIPAA compliance.
For those of you keeping score, there are a total of 21 HIPAA enforcement action resolutions so far this year with a total of settlements and penalties slightly exceeding $2.15 million. With two weeks to go in the year, there’s still time for others!