HHS Resolution Agreement: Elite Dental Assoc. Dallas, P.C. (Sept. 30, 2019); HHS News Release (Oct. 2, 2019)
HHS’s Office for Civil Rights (OCR) has announced a resolution agreement with a dental practice to settle alleged violations of HIPAA’s privacy rule. OCR opened its investigation after a patient complained that the dental practice had disclosed the patient’s last name, treatment plan, and insurance and cost information in response to a review posted on social media. The investigation found that the practice had impermissibly disclosed protected health information (PHI) of multiple patients in response to their social media reviews. Additionally, the practice failed to adopt policies and procedures to protect patients’ PHI in social media interactions and lacked a HIPAA-compliant Notice of Privacy Practices.
In addition to making a $10,000 settlement payment, the practice agreed to comply with a corrective action plan (CAP). The CAP requires the practice to revise its privacy policies and procedures, subject to HHS approval. The revised policies and procedures must address permissible and impermissible uses and disclosures of PHI—including requirements for individual authorizations—and adopt administrative, technical, and physical safeguards to protect the privacy of PHI. In addition, the practice must adopt procedures for internally reporting at the earliest possible time any violation of HIPAA’s privacy, security, or breach notification rules, with sanctions against workforce members who fail to comply with HIPAA or the practice’s policies and procedures. Workforce members must receive training on the revised policies and procedures. The practice also must provide breach notifications to individuals whose PHI was disclosed on the social media platform without a valid authorization.
EBIA Comment: Although the practice’s desire to respond to social media reviews is understandable, covered entities and business associates are reminded that individuals do not waive their privacy rights by publicly disclosing their own PHI. In another resolution agreement (see our Checkpoint article), OCR took the position that disclosures of PHI in response to media inquiries are permissible only with a written, HIPAA-compliant authorization—even if the PHI is already in the public domain or has been disclosed by the patient. This resolution agreement extends that rationale to social media. OCR noted that it had accepted a substantially reduced settlement amount due to the practice’s size, financial circumstances, and cooperation with OCR’s investigation. Others may not be so fortunate. Therefore, covered entities (including group health plans) and their business associates should exercise great caution—and consult with legal counsel—if they find themselves engaged in public relations battles potentially involving use or disclosure of PHI. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).
Contributing Editors: EBIA Staff.