I've counseled our marketing folks on this as well, that even an acknowledgement of an individual as a patient would be a HIPAA violation. It's difficult in the social media context as of course we want to defend our organizations, but I've instructed our staff to respond only with a very generic, "We are happy to address any concerns directly. Please feel free to contact our patient advocate at xxx.xxx.xxxx"
I provide these cases to explain my position:
Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients' Protected Health Information
Elite Dental Associates, Dallas ("Elite") has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Elite is a privately-owned dental practice located in Dallas, Texas, providing general, implant, and cosmetic dentistry.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient's last name and details of the patient's health condition. OCR's investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite's size, financial circumstances, and cooperation with OCR's investigation.
"Social media is not the place for providers to discuss a patient's care," said OCR Director, Roger Severino. "Doctors and dentists must think carefully about patient privacy before responding to online reviews."
In addition to the monetary settlement, Elite will undertake a corrective action plan that includes two years of monitoring by OCR for compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at: www.hhs.gov/hipaa/for-professionals/....
Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle a U.S. Department of Health and Human Services (HHS) investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article which indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient. OCR's investigation indicated that SRMC failed to safeguard the patient's protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR's review indicated that senior management at SRMC impermissibly shared details about the patient's medical condition, diagnosis and treatment in an email to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient's records pursuant to its internal sanctions policy.
"When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," said OCR Director Leon Rodriguez. "Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected."
In addition to a $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.
Physical therapy provider settles violations that it impermissibly disclosed patient information
Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one year period.
On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals' protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. OCR's investigation revealed that Complete P.T.:
- Failed to reasonably safeguard PHI;
- Impermissibly disclosed PHI without an authorization; and
- Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA's requirements with regard to authorization.
"The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing." said OCR Director Jocelyn Samuels. "All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual's authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form."
Natalie Roehlk, CHC, CHPC
Show Low, Arizona
The opinions expressed herein are my own, and do not necessarily represent those of my employer.