The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement on June 5, 2023, with a New Jersey healthcare provider that provides adult and child psychiatric services. The settlement resolved a complaint received by OCR in April 2020, alleging that the provider impermissibly disclosed the protected health information (PHI) of a patient when it posted a response to the patient’s negative online review.
OCR opened an investigation in response to a complaint by a patient alleging that the provider posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition. In addition to the patient who filed the complaint, OCR’s investigation found that the provider impermissibly disclosed the PHI of three other patients in response to their negative online reviews. OCR’s investigation also found that the provider failed to implement the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule policies and procedures.
Potential violations of the HIPAA Privacy Rule included impermissible disclosures of patient PHI in response to negative online reviews, and failure to implement policies and procedures with respect to PHI. The provider paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations.
In addition to the monetary settlement, the provider will undertake a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps:
- Developing, maintaining, and revising its written policies and procedures to comply with the HIPAA Privacy Rule;
- Training all members of its workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules;
- Issuing breach notices within 30 calendar days of the agreement to all individuals, or their personal representatives, whose PHI was disclosed on any internet platform without a valid authorization; and
- Submitting a breach report within 30 calendar days of the agreement to HHS concerning individuals whose PHI was disclosed on any internet platform without a valid authorization.
“OCR continues to receive complaints about healthcare providers disclosing their patients’ [PHI] on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”
Compliance Perspective
Issue
The HIPAA Privacy Rule established national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as protected health information (PHI)) and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the HIPAA Rules by covered entities and business associates, and these covered entities and business associates must cooperate with HHS compliance reviews and investigations.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address not disclosing residents’ PHI on social media platforms in response to negative reviews.
- Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy Rule are being followed by all staff, and that each person demonstrates understanding and competency.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*