Dental Practice’s Response to Yelp Review Leads to $10,000 Fine

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

When it’s YOU in the Review
Making dinner plans? Check online for reviews before you spend your money dining out. Ready to book a vacation? You’re definitely making sure the pool is as big as they say it is.

How about when it comes to personal care? Do you check online to see if a medical facility is up to par?

A lot of people do. Between neighborhood chat groups and online review sites, the information is there for the taking. So, what happens when it is your business that is affected by a negative review? You would likely want to respond and perhaps give your side of the story or work to remedy the situation with the consumer. This seems like a good way to deal with any negative press or feedback.

Unless you’re under HIPAA jurisdiction and requirements.

Recently a dental practice in Dallas, Texas found out the hard way that responding to an online review put them in violation of HIPAA and cost them $10,000 in fines – plus a multitude of other actionable items.

The fine came after a patient found that their full name and medical information (among other details) had been disclosed on the Elite Dental Associates Yelp review page. This led to an investigation by the Office for Civil Rights (OCR), which in turn uncovered additional violations in the practice's HIPAA compliance policies and procedures as they relate to social media.

Social Distortion
Social media is a valuable asset to any business, but the fact that it is "free" and, for the most part, not monitored by any single entity does not mean a business can overlook its responsibility for what is posted there. HIPAA was enacted before platforms like Facebook existed, but its rules apply to them regardless of that timing.

Above all, and as is true with nearly all HIPAA regulations, never disclose protected health information (PHI) on social media channels or networks. If a patient is visible in any image or video, they must provide their consent to use that media in writing. The purpose for which that media is to be used must also be explicitly defined in the consent.

Social media can be used for posting health tips, event details, research news, marketing messages that exclude any PHI, and to present staff bios.

As with all HIPAA compliance, you must remember that no one is excluded from regulation or judgment. This was a small privately-owned practice. Not only were they affected monetarily with a fine, but they must also now bring their policies and procedures up to par.

HIPAA standards are not set according to the visibility or size of a healthcare organization; you must rise to meet the standard rather than expect to be overlooked when you don't. Ensure your organization has a social media policy in place that clearly lays out what is acceptable on social media, and that employees are trained on that policy.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.

The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on number of employees, for a full 12 months. All include a discount if purchased through us.
