Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2, the OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas, Texas. At first glance the settlement is easy to overlook; $10,000 does not seem like a big deal next to cases with fines in the millions of dollars. Anthem, for example, paid a record $16 million following a breach of the PHI of close to 79 million people, the largest health data breach in history. So what is the big deal? More importantly, what are the lessons to be learned from this case? There are several.
The OCR received a complaint from a patient on June 4, 2016 that Elite “responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition.” The OCR investigated and found that “Elite had impermissibly disclosed the [PHI] of multiple patients in response to patient reviews on the Elite Yelp review page.” Elite’s responses included patients’ last names, treatment details, charges and insurance information. The OCR also found that Elite had no policy or procedure to ensure that its social media interactions comply with HIPAA.
Lessons to be Learned
The first lesson is obvious: never post PHI on social media without a valid HIPAA authorization. This is not the first time providers have answered Yelp reviews with responses that included PHI or other information that could identify the patient. Even confirming that a reviewer is a patient of the practice is a disclosure of PHI. Providers can respond to reviews with generic information about their practice, or invite the reviewer to call the office. A response should never reveal anything about the reviewer or their visit.
Another lesson is that the OCR is an equal-opportunity enforcement agency: all providers, big and small, can be investigated. In this instance a single patient notified the OCR, and within five months of that notification the investigation started. That should be a “wow” moment for everyone.
Lastly, if you are unsure what needs to be in place to comply with HIPAA and protect PHI, read the Elite Dental resolution agreement. The OCR imposed “Corrective Action Obligations” on Elite, and those obligations make a useful checklist for evaluating your own Privacy Rule practices. Here are some (but not all) of the key requirements:
- Policies and procedures that comply with the Privacy Rule, covering at least the following:
  - Permissible and impermissible uses and disclosures of PHI
  - Administrative, technical and physical safeguards to protect the privacy of PHI
  - A privacy authorization form
  - A Notice of Privacy Practices that describes how PHI is used and disclosed, including on social media
  - A provider contact for privacy issues, usually a designated Privacy Officer
  - Internal mechanisms for reporting possible violations
- Privacy practice training for employees