HIPAA Violation: Dentist Responded to an Online Review

On December 14, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a dental practice in California over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The practice used social media inappropriately, responding to a negative online review in a way that disclosed PHI. The dental practice paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
Options to Avoid HIPAA Violations When Addressing Negative Reviews
Option 1: Contact the Reviewer Offline
If the author of the negative review can be determined, you may contact that person offline to address the stated concerns. Keep documentation of the communications between your practice and the reviewer in that patient’s file. If the negative comment from the patient is valid and corrective action has taken place in the practice, privately thank the patient for letting you know about the issue. You can let them know that their concerns have helped the practice to improve. This could improve the patient’s view of the practice and help maintain a positive long-term relationship with the patient.
Option 2: Avoid Confirming or Denying Patient Status
If the practice feels it absolutely must respond to the social media post, never confirm or deny that the reviewer is a patient of the practice (even if it is a good review!). Even if their online identity is ambiguous or hidden, do not confirm or discuss the dental or medical treatment that was provided or alluded to in the review.
Option 3: Use Generic Responses on Social Media
When responding to reviews via social media, the key is to limit the response to a generic or standardized statement, such as one of these options:
- “According to state and privacy laws, we are precluded from commenting on patient treatment. However, we are always available to discuss concerns with our patients. Patients are welcome to contact us directly.”
- “In order to protect our patients’ privacy, all patient concerns and complaints are resolved directly by [name of practice] and not through social media.”
- “At [name of practice], we strive for the highest levels of patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. We encourage those with questions or concerns to contact us directly at our office.”
Post Patient Privacy Practices
Support this approach by posting your Patient Privacy Practices on the practice’s website and in a visible location in the building, such as the lobby or front desk area.
Conclusion
Are you worried about paying hefty HIPAA fines? Schedule your HIPAA risk assessment and training to start the new year out right! Contact us!
