Can I Post That?

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

For the first time, a medical practice received a HIPAA fine as a result of an online post. The settlement provides a clear lesson on the limitations of social media for healthcare organizations and the need to carefully consider what information will be posted before clicking submit.

The Resolution Agreement resolving the issue reveals that Elite Dental Associates – Dallas, P.C. (Elite) is a dental practice. Patients apparently had been posting reviews of Elite on Yelp. While Yelp is often thought of in the context of restaurants, there is a robust array of reviews available on the website, including for healthcare professionals. On June 4, 2016, Elite responded to a review on Yelp by posting information about a patient including the patient’s last name, details of the patient’s treatment plan, insurance information, and cost information. That is a fairly significant amount of information to disclose about a patient on a public platform. Once the Office for Civil Rights began investigating following the inevitable complaint, it was determined that Elite posted information about multiple patients in order to respond to reviews. As would be expected, the posting of patient information was not viewed favorably by OCR.

Of note from the settlement, OCR began its investigation of Elite in November 2016. However, it took until October 2019 for a settlement to be announced. The almost three-year lag between the investigation beginning and a fine being issued continues a recent trend. In this instance, the reason for the lag is not clear since the underlying improper disclosure is relatively clear and unassailable.

Additionally, the full list of concerns identified by OCR is not that comprehensive. There is an obvious fault for improper disclosure of protected health information. OCR also faulted Elite for not implementing policies and procedures to protect protected health information, specifically calling out social media and public platforms. While it is a good idea to have a clear policy on how to use social media and what information can be shared on social media, HIPAA does not necessarily mandate that a social media-focused policy be implemented. Use of social media could arguably be subsumed within another policy or be covered implicitly in other policies designed to protect the privacy of patient information. An insufficient Notice of Privacy Practices was the last issue cited by OCR, which does not provide any detail as to the actual issue.

Lastly, the settlement resulted in a $10,000 penalty. How was this amount determined? Along with the delay to settlement, understanding how a fine was calculated is another quandary when it comes to HIPAA settlements. If the practice impermissibly responded to multiple patient reviews, the fine seems low given the deliberate action taken in disclosing patient information. Was the low fine a result of Elite not having readily available funds to pay a higher fine or was some other factor considered? At some point in time, getting guidelines from OCR would be appreciated to aid in assessing the likely impact when a breach or complaint arises.

Discussion of the different elements of the Elite settlement leaves a number of questions, but the clear primary takeaway is the need for caution when using social media. If healthcare organizations interpret the settlement as a rebuke against social media use generally, then that is a misinterpretation. The settlement should not stand for a prohibition on social media. Instead, the settlement is most appropriately characterized as a reminder that patient-specific information cannot be shared. That is a major distinction.

If HIPAA does not permit patient information to be shared, how can a healthcare organization respond to a negative review? One option is to reach out to the patient privately (namely not on the social media platform) and use the review as an opportunity for engagement. Maybe there was a disconnect between the organization and the patient. A direct follow-up could, therefore, result in material benefit.

Another option would be to respond to the review generally. A general response would not have to acknowledge that the reviewer is actually a patient. Instead, the general response could provide insight into how the organization operates generally or what a patient could expect when visiting the practice. The general response does not reveal information about the patient and is a more subtle way of countering the review.

A third option would be contacting the review site to take the review down. Such an approach is honestly an uphill battle because most sites will ignore such a request unless it is absolutely clear that the review is fake. Removal should not be expected just because a review is negative.

Taking the discussion further, broader use of social media can also follow the same general approach. Namely, social media is an opportunity to promote the knowledge and specialty of the organization or individual clinician. No need exists to attempt direct engagement with a patient. If a patient tries to initiate, the interaction can be moved to an appropriate forum. All beneficial use takes is practice and not moving too fast.

Ultimately, the Elite settlement was bound to happen to some entity. Elite is not the only organization to have posted patient information on a social media site, but it will now bear the distinction of being the first organization fined for such an indiscretion. All organizations should take this as a learning opportunity, though, and as the chance to update or enhance practices before another complaint is filed.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.