The Office of Civil Rights of the Department of Health and Human Services (“OCR”) settled a HIPAA violation with a Texas-based dental practice over the practice’s inappropriate disclosures of PHI on YELP.

OCR received a complaint on June 5, 2016, from a patient of Elite Dental Associates alleging that the practice violated HIPAA when it replied to a review the patient had submitted to YELP and included PHI in the reply. The practice’s response on social media disclosed the patient’s last name, medical condition, treatment plan, insurance information and information about charges.

During its investigation of the complaint, OCR determined that the practice had responded to social media patient reviews on other occasions with disclosures of PHI. In addition, OCR determined that the practice had not implemented policies and procedures and was not using a HIPAA-compliant Notice of Privacy Practices. In particular, OCR noted that the practice did not have policies and procedures specific to the release of PHI on social media.

OCR imposed a fine of $10,000 and a corrective action plan. OCR indicated that the fine would typically have been larger but that it considered other factors, such as the financial resources of the practice, its size and the fact that the practice cooperated with OCR during the investigation.

This settlement clearly shows OCR’s intolerance for disclosure of PHI on social media as well as the need for providers to maintain HIPAA-compliant policies and procedures and other required documents. As tempting as it is for a health care provider to respond to patient comments, particularly inaccurate or negative comments, the provider should think carefully before making any public response and consider responding to the patient with a private letter instead.