PATIENTS SAY THE DARNDEST THINGS: Providers Risk Disclosing PHI in Response to Online Reviews
October 28, 2019
In the age of increased access to online review platforms such as Google, Facebook, Healthgrades, and Vitals, healthcare providers face the difficult task of managing negative reviews. It can be tempting to respond to negative reviews in an effort to resolve problems. However, these platforms pose unique challenges for providers, including potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) and state privacy laws when providers disclose protected health information (“PHI”) in response to online reviews.
HIPAA regulations provide a limited set of circumstances in which a covered entity may disclose a patient’s health information. A few examples of permissible disclosures include: to the individual; for treatment, payment, or healthcare operations (which can include defense of legal claims); and pursuant to and in compliance with a valid authorization. In other words, a patient does not waive the right to privacy even if the patient discloses PHI to a third party, including online review websites.
Recently, a dental practice was found in violation of HIPAA when it responded to a patient’s online review. On October 2, 2019, Elite Dental Associates and the Office of Civil Rights (“OCR”) at the U.S. Department of Health and Human Services entered into a settlement agreement to resolve allegations that Elite violated HIPAA when it responded to a patient’s online review and, in the process, disclosed aspects of the patient’s protected health information. When responding to the patient’s review, Elite provided the patient’s last name, details of the patient’s treatment plan, and insurance information without authorization. Moreover, OCR’s investigation revealed that Elite had impermissibly disclosed the PHI of multiple patients in response to several online reviews on Elite’s Yelp page.
The terms of the settlement agreement required Elite to pay $10,000 to OCR, and to comply with a two-year corrective action plan. The corrective action plan requires Elite to amend policies and procedures to comply with HIPAA, provide training to its staff, and file reports to OCR of any potential breaches that occur. The complete resolution agreement and the corrective action plan are available here.
Before responding to online reviews, healthcare providers should be aware that entities that merely host online sites for patient reviews are generally immune from civil litigation under Section 230 of the Communications Decency Act (the “Act”). The Act sets forth that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” In addition to the Act, Indiana’s Anti-SLAPP Statute provides for prompt dismissal of litigation aimed at squelching free speech in connection with an issue of public importance and an award of attorney’s fees against the party trying to squelch such speech. Commentary or criticism (even unfair criticism) about the quality of healthcare services may easily be characterized as commentary on a matter of public importance.
The Elite settlement serves as a cautionary example for other providers. Do not include PHI when responding to a patient’s online review, or avoid responding entirely. Some helpful tips for effectively managing online patient reviews include:
If you have questions regarding online reviews, HIPAA compliance policies, or other HIPAA-related questions, please contact Thomas N. Hutchinson, Alexandria M. Foster, or any other Krieg DeVault attorney in the Health Care Practice Group.