OCR investigated the complaint and confirmed that an impermissible disclosure of PHI had occurred. It also found that the complainant was not the only patient whose privacy had been violated on the review platform: other patients’ PHI had similarly been impermissibly disclosed in response to reviews. Additionally, OCR determined that the practice’s policies and procedures relating to the release of PHI were not compliant with the HIPAA Rules, and that the practice had not included sufficient information in its notice of privacy practices to comply with the HIPAA Privacy Rule.
The violation of three separate provisions of the HIPAA Rules – 45 C.F.R. § 164.502(a), 45 C.F.R. § 164.530(i), and 45 C.F.R. § 164.520(b) – could have attracted a financial penalty of up to $50,000 per violation category. When deciding on an appropriate financial penalty, OCR took into account the financial position of the dental practice, the size of the practice, the number of patients affected, and the practice’s willingness to assist OCR in its investigation, and issued a reduced penalty.
In addition to paying the financial penalty, the dental practice is required to adopt a corrective action plan to address the HIPAA failures discovered by OCR investigators.
“Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino in a press release announcing the latest HIPAA penalty. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”