Social Media HIPAA Violation Results in $50,000 Civil Monetary Penalty for Dental Clinic

A dental clinic operating out of Charlotte and Monroe, North Carolina, has been investigated by OCR due to a complaint that was filed in November 2015 claiming that the unauthorised release of protected health information (PHI) took place following the publishing of a negative online review of the practice.  

On or around September 28, 2015, a person using a pseudonym published a negative review on the Google page of Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI). In reaction, UPI replied and alleged that the accusations published by the patient were untrue. Additionally, UPI included the patient’s full name three times, along with the symptoms the patient was suffering from and the treatment that was recommended but not administered.

OCR examined the complaint and, in July 2016, asked UPI for documentation of its policies and processes for responding to online reviews and on social media platforms, for using and sharing PHI, and for securing PHI, as well as the HIPAA training courses that were conducted before, and in response to, the breach. UPI admitted that a reply had been published on the Google page, but only sent OCR its notice of privacy practices.

In August 2016, OCR contacted UPI to inform it that the response to the review breached the HIPAA Privacy Rule and was an unacceptable disclosure of PHI. OCR told UPI to delete its reply to the review and to implement policies and processes related to Internet reviews and social media, if they had not already been put in place. In 2017, OCR asked for a copy of the policies and processes and again advised UPI to delete the reply to the posting.

The proof provided to OCR that HIPAA training had taken place was just an acknowledgement; none of the course content was included for examination. UPI failed to delete the reply to the review. OCR then asked for financial statements in order to calculate an accurate and appropriate fine, but UPI refused to provide them, claiming they were not connected to HIPAA. After OCR gave detailed reasoning as to why this was necessary, UPI reacted in September 2017 by not complying with the request to hand over the records and sending a statement that said “I will see you in court”.

Following this, OCR issued an administrative subpoena requesting the provision of policies and processes, HIPAA training, financial statements, balance sheets, bank statements, and federal tax returns. UPI continued to reject all attempts to get it to engage in the process. In response, OCR sought the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 as a sanction.