Dental Practice find for Sharing PHI on Yelp

by

A California-based dental practice has been issued with a $23,000 fine after it published a patient’s Protected Health Information (PHI) on the Yelp review website. This unauthorized use of PHI resulted in a complaint to the Office for Civil Rights, who then launched an investigation into the incident. 

On November 29, 2017, the OCR received a complaint relating to New Vision Dental, owned and run by Dr. Brandon Au. The complaints alleged that, when responding to patient reviews on the platform Yelp, Dr. Au frequently used and disclosed PHI. Yelp is a public platform, so any visitor to the website would be able to see the response. The responses posted by Dr. Au could contain quite a lot of information, such as their treatment plans or information relating to insurance. In other instances, he included a patient’s name, even when they used a pseudonym on Yelp. 

During their investigation, the OCR visited New Vision Dental, which has practices in South Pasadena and Glendora. The investigators confirmed that Dr. Au had posted private patient details on Yelp, which constituted an unauthorized use of PHI. They also established that New Vision Dental did not have appropriate policies and procedures in place to safeguard PHI (including the use of PHI on social media platforms or other public forums), and that there was information lacking from the practice’s Notice of Privacy Practices. 

New Vision Dental has agreed to adopt a corrective action plan to correct its mistakes, in addition to paying a $23,000 fine. The OCR will monitor the dental practice for 24 months. 

The Director of the OCR, Melanie Fontes Rainer, has stated: “This latest enforcement action demonstrates the importance of following the law even when you are using social media.  Providers cannot disclose [the] protected health information of their patients when responding to negative online reviews. This is a clear NO… OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”