This week a dental practice was hit with a HIPAA violation and fine stemming from social media misuse. The HHS Office for Civil Rights entered into a settlement with New Vision Dental over disclosures of patients’ protected health information (PHI).
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of PHI in response to online reviews and other potential violations of HIPAA.
The violation involves the provider’s inappropriate use of social media to respond to patient reviews and the disclosure of PHI. This practice is illegal under HIPAA.
Learn what happened and how you can safely use social media in your practice while avoiding HIPAA violations.
On November 29, 2017, OCR received a complaint alleging that New Vision Dental (NVD) impermissibly disclosed PHI on its Yelp business page when Dr. Brandon Au responded to various reviews posted by individuals. Specifically, the Complainant alleged that NVD habitually disclosed PHI when it responded to patient posts, sometimes providing full names where the patients had used only Yelp monikers, and including detailed information about patient visits and insurance that the patients may not have mentioned in their initial reviews. During OCR’s review of NVD’s Yelp review page, OCR confirmed that NVD had been posting responses to reviews that compromised PHI. On August 27, 2018, OCR notified NVD of OCR’s investigation regarding NVD’s compliance with the Privacy Rule. On March 1, 2019, OCR conducted an on-site visit to NVD as part of its investigation.
NVD paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
In addition to the monetary settlement, NVD will undertake a CAP that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The resolution agreement and CAP may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision-ra-cap/index.html.
“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” said OCR Director Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard PHI. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
Per HIPAA, OCR is committed to protecting PHI privacy and security. If you believe your privacy or civil rights have been violated, you can file a complaint with OCR.
Rather than deal with the costs of HIPAA violations, organizations must ensure robust HIPAA compliance. This includes various elements, but one of the most important is up-to-date employee training on social media use. HHS provides guidance and clarity on what covered entities can and cannot post on social media.
Have you considered using email as a better way to reach your patients? You can easily and securely send HIPAA compliant email that includes PHI with Paubox Email Suite. Paubox solutions are easy to implement, enabling HIPAA compliant email by default by automatically encrypting every outgoing communication.
Messages go straight to patients’ inboxes, with no unnecessary passwords or portals to navigate. PHI stays contained, and email, though often considered the leading threat vector, remains secure.
Even better are our inbox protections. Our HIPAA compliant, HITRUST CSF certified solution impedes such techniques as spoofing with ExecProtect and keeps malware and phishing emails at bay with Zero Trust Email.