Social media HIPAA violation series: Elite Dental Associates and Yelp 

A dental practice’s response to a Yelp review led to a $10,000 HIPAA fine and showed the risks of disclosing patient information online.

The situation

In October 2019, the Office for Civil Rights (OCR) fined Elite Dental Associates, a Dallas-based dental practice, after a patient filed a complaint about a response to their Yelp review. In the response, Elite disclosed the patient’s treatment plan, insurance details, and associated costs, violating HIPAA’s privacy regulations.

OCR’s investigation revealed that Elite had engaged in similar disclosures in responses to other online reviews, indicating a broader issue with handling patient information on social media. Alongside the fine, Elite agreed to a corrective action plan requiring updated privacy policies, employee training, and breach notifications to affected patients.

Read more: How to avoid a HIPAA corrective action plan 

What rules were violated

The HIPAA privacy rule prohibits healthcare providers from disclosing protected health information (PHI) without patient authorization. The rule applies even when responding to online reviews, regardless of whether the patient initiates the public discussion.

Elite’s response to the patient’s review violated these rules by including identifiable treatment and insurance details. The OCR also found that Elite lacked sufficient policies and procedures for managing PHI in online interactions and failed to properly notify patients of their privacy rights in its Notice of Privacy Practices.

Roger Severino, OCR Director at the time, reiterated the necessity of maintaining confidentiality, stating, “Social media is not the place for providers to discuss patient care. This case is a lesson for all healthcare providers on the importance of safeguarding patient information.”

Read also: What is a Notice of Privacy Practices? 

How companies can avoid violations in the future

To prevent similar violations, healthcare providers should adopt best practices for responding to online feedback while complying with HIPAA regulations:

  • Use neutral, general responses: When addressing negative reviews, avoid referencing specific details about a patient’s care. Instead, respond with a neutral message, such as, “We value your feedback. Please contact our office so we can address your concerns directly.”
  • Implement social media policies: Develop clear policies outlining how employees should engage with online reviews and ensure all responses align with HIPAA rules.
  • Provide employee training: Train staff regularly on HIPAA compliance, including scenarios involving online interactions. Use examples like the Elite case to illustrate potential pitfalls.
  • Monitor online activity: Assign a compliance officer or team to review social media interactions and ensure responses are appropriate.
  • Focus on professionalism: Avoid emotional or defensive responses to criticism. Responding professionally protects both the organization’s reputation and patient privacy.

Related: HIPAA and social media rules 

FAQs

Can healthcare organizations use social media to share patient success stories or testimonials?

Healthcare organizations can share patient success stories or testimonials on social media with the patient’s consent. Ensure that the information shared is de-identified to protect patient privacy; that involves removing or altering any details that could identify the patient.

Is de-identified healthcare information subject to HIPAA restrictions?

De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified before posting, to protect patient confidentiality.

Can healthcare professionals respond to patient inquiries or comments on social media without violating HIPAA?

Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.

See also: Social media & HIPAA compliance: The ultimate guide
