OCR Announces $10,000 Settlement for Disclosure of Patients’ PHI through Social Media

Paige Haughton, Edward Leeds
Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ballard Spahr LLP

The Office for Civil Rights (OCR) at the Department of Health and Human Services announced it reached a settlement with Elite Dental Associates of Dallas (Elite) to resolve a complaint alleging Elite impermissibly disclosed a patient’s protected health information (PHI) on a social media website that reviews businesses. According to the complaint, Elite included the patient’s name, treatment plan details, and information related to her insurance and treatment cost when the office responded to the patient’s review on a social media website. When OCR investigated the complaint, it found that Elite had made similar comments in response to other patients’ reviews on the site.

Following its investigation, OCR determined that Elite had impermissibly disclosed PHI, failed to implement policies and procedures for PHI including the release of PHI through social media platforms, and failed to include necessary information in its Notice of Privacy Practices. The resolution agreement details that Elite must pay $10,000 to settle the complaint, adhere to a corrective action plan requiring the practice to develop policies and procedures that comply with the Privacy Rule’s requirements, and train employees on the new policies and procedures. In addition, Elite must issue a breach notice to any patient whose PHI was disclosed on the review site and send OCR a report on each impermissible disclosure.

Even with the reduced maximum penalty limits, the fine of $10,000 is small. Each violation could have carried a penalty of up to $50,000. With multiple penalties and violations that did not appear to have a reasonable cause (unless responding to criticism on social media is considered reasonable cause) and were not independently corrected prior to OCR’s involvement, the penalty could have reached $1.5 million, depending on the number of violations. OCR’s press release on the settlement explained the low penalty amount, citing Elite’s size, financial circumstances, and cooperation with the investigation.

HIPAA policies and procedures may not specifically address situations such as responding to criticism on social media, but those subject to HIPAA need to keep in mind the limitations that apply to them in all circumstances, even when some information has been made public or they are provoked. 

 
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide