In recent years, the Office for Civil Rights (OCR) has imposed civil monetary penalties on healthcare providers who disclosed patient information in their responses to online reviews. This follows the rise of professional blogs and the use of social media for professional marketing. While the internet can be used effectively to promote healthcare services, healthcare providers must be aware of the risks of non-compliance with laws and regulations while maintaining an online presence.
On June 5, 2023, OCR settled with a New Jersey healthcare provider that offers adult and child psychiatric services, Manasa Health Center, LLC (MHC). A patient of MHC filed a complaint alleging that the entity disclosed information regarding the diagnosis and treatment of a mental health condition when MHC posted a response to the patient's negative online review. MHC agreed to pay $30,000 to OCR and to implement a Corrective Action Plan (CAP). Under the CAP, OCR will monitor MHC for two years, and MHC will, among other things:
- “Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,
- Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,
- Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without valid authorization, and
- Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.”
The HIPAA Privacy Rule does not permit the disclosure of patients' protected health information (PHI) in response to negative online reviews. While healthcare providers are free to respond to patients' online reviews, they must not disclose PHI. PHI is any information in the medical record that can be used to identify a patient, which includes, but is not limited to, phone numbers and email addresses.
OCR has zero tolerance for disclosing patient PHI online in response to an online review. HIPAA-covered entities should take extra precautions to prevent unauthorized disclosures on online platforms. Entities should consider creating policies for their online presence to ensure compliance with HIPAA. Developing pre-approved responses, reiterating standard policies and procedures, or privately calling patients to address their concerns are all effective and compliant ways for providers to respond to patient reviews. Healthcare organizations should not ignore negative reviews or shy away from having an online presence, but they should put measures in place to protect patient PHI.
U.S. Department of Health and Human Services, "HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews" (June 5, 2023), https://www.hhs.gov/about/news/2023/06/05/hhs-office-civil-rights-reaches-agreement-health-care-provider-new-jersey-disclosed-phi-response-negative-online-reviews.html.
U.S. Department of Health and Human Services, "Manasa Health Center LLC Resolution Agreement and Corrective Action Plan" (June 5, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html.