HIPAA Settlement on Repeat

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

Stop if you’ve heard this story before: a dental practice was unhappy with patient reviews left on Yelp, so it responded. In responding, the practice disclosed patient information including names and diagnoses. That is the basic outline of the latest settlement announced by the Office for Civil Rights to resolve an alleged HIPAA violation.

The Details

As laid out in the resolution agreement, OCR received a complaint on November 29, 2017 that New Vision Dental responded to a number of patient reviews on Yelp. The complainant asserted that New Vision Dental had a habit of responding to reviews, which implies that the responses happened on multiple occasions. The responses sometimes included the patient’s full name, which the patient may not even have disclosed since Yelp allows the display of self-selected user names. The practice went even further though because it would add details about the patient’s visit and insurance.

OCR confirmed the existence of the Yelp responses in its investigation. Additionally, OCR, in a bit of an understatement, just said that it confirmed the responses compromised patient information.

OCR did provide a little more information than usual, noting that it conducted a site visit to New Vision Dental as part of the investigation. OCR's initial statement that it notified New Vision Dental of the investigation is not unusual, since that happens all of the time. However, actually going to the location of the entity being reviewed is not necessarily something that happens frequently. It is an interesting aside, but likely not a factor in the ultimate outcome.

What did all of New Vision Dental’s activity end up costing it? A monetary payment of $23,000.

Didn’t This Happen Before?

In reading about the facts outlined by OCR as the basis for the settlement, you would be accurate in asking, doesn’t this all sound very familiar?

The answer is yes. OCR announced a nearly identical settlement on October 2, 2019. Shouldn’t the 2019 settlement have tipped off New Vision Dental that responding to a Yelp review with patient information is a really bad idea? Yes, but look at the timing. Even though the first settlement happened in 2019, New Vision Dental’s improper conduct happened in 2017 (or possibly earlier). That means New Vision Dental didn’t have the opportunity to learn from the earlier mistakes of another dental practice.

Was a Lesson Needed?

But wait, why should New Vision Dental have required another settlement to understand that posting patient information on Yelp is not ok under HIPAA? The honest answer is that seeing another settlement should not have been needed to know that revealing patient information publicly on a website is not permissible.

HIPAA is quite clear about when and how patient information can be used and disclosed. While covered entities receive a wide degree of latitude through the treatment, payment, and health care operations categories, that latitude does not apply to posting on social media or other websites to appease frustration over disagreement with the content of a post.

Why Another Long Settlement Delay?

As so often seems to happen when OCR announces a settlement, why did the settlement with New Vision Dental take so long? The resolution agreement contains a statement that the on-site investigation, the last stated interaction, occurred on March 1, 2019. That site visit occurred before the first Yelp-related settlement in October 2019. The pandemic did come up in the interim, but that does not really seem to explain the three-year delay in reaching a settlement.

The question of timing will likely never be answered. Since it can be uncertain when a settlement could occur or when OCR will take interest in a particular type of action, the best course to follow, as always, is upfront compliance and awareness. No organization subject to HIPAA should wait for OCR to show up before implementing a solid compliance plan and then regularly reviewing the state of its compliance.

This article was originally published on The Pulse blog and is republished here with permission.