Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.
The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.
The dentist’s response to the patient’s review stated:
It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations
when he only came to my practice on two occasions since October 2013. He never
came for his scheduled appointments as his treatment plans submitted to his insurance
company were approved. He last came to my office on March 2014 as an emergency
patient due to excruciating pain he was experiencing from the lower left quadrant. He
was given a second referral for a root canal treatment to be performed by my
endodontist colleague. Is that a bad experience? Only from someone hallucinating.
When people want to express their ignorance, you don't have to do anything, just let
them talk. He never came back for his scheduled appointment. Does he deserve any
rating as a patient? Not even one star. I never performed any procedure on this
disgruntled patient other than oral examinations. From the foregoing, it's obvious that
[Complainant’s full name] level of intelligence is in question and he should continue
with his manual work and not expose himself to ridicule. Making derogatory
statements will not enhance your reputation in this era [Complainant’s full name].
Get a life.
Lessons to be Learned
The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.
Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers big and small can be investigated. In this instance, this was not a large provider.
Lastly, if you are unsure of what needs to be in place to comply with HIPAA to protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations.” These obligations can serve as a checklist for evaluating your current Privacy Rule practices. Here are some (but not all) key requirements:
- Policies and procedures that comply with the Privacy Rule.
- The policies should cover the following:
  - Permissible and impermissible uses and disclosures of PHI
  - Administrative, technical and physical safeguards to protect the privacy of PHI
  - Privacy authorization form
  - A Notice of Privacy Practices that lists the ways PHI is used on social media
  - Provider contact to address privacy issues, usually the designation of a Privacy Officer
  - Internal reporting mechanisms for possible violations
  - Policies that address corrective action for privacy policy violations
- Privacy practice employee training