A New Jersey psychiatric practice faced a $30,000 settlement after disclosing patient information in responses to online reviews.
The situation
In April 2020, a patient filed a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) against Manasa Health Center, LLC, a psychiatry practice in New Jersey. The patient alleged that the center disclosed protected health information (PHI) in its public response to the patient's negative online review. OCR's subsequent investigation revealed that the center had also disclosed PHI in responses to reviews from three other patients.
Manasa Health Center’s responses reportedly included details about patients’ diagnoses and treatment plans, violating HIPAA’s privacy rule. In addition to the settlement, the center agreed to implement a corrective action plan to address these violations and ensure future compliance.
What rules were violated
HIPAA’s privacy rule prohibits healthcare providers from disclosing PHI without valid authorization. The rule prohibits sharing information that could identify a patient, even indirectly, in public forums such as online reviews.
Manasa Health Center failed to meet these requirements on two fronts:
- Improper disclosure of PHI: By responding to negative reviews with specific details about patients’ mental health conditions and treatment, the practice violated HIPAA’s strict privacy protections.
- Failure to implement privacy policies: OCR found that the center lacked adequate HIPAA-compliant policies and procedures to prevent such disclosures, which compounded the violation.
The settlement included a $30,000 penalty and required the center to issue breach notifications to affected individuals and file a breach report with HHS.
How companies can avoid violations in the future
To prevent similar incidents, healthcare providers must take proactive steps to handle online interactions without compromising patient privacy:
- Avoid discussing patient details publicly: Under no circumstances should healthcare providers respond to reviews or comments with any information that could identify a patient or disclose their treatment. Stick to generic responses that acknowledge feedback without referencing specifics.
- Train employees thoroughly: Ensure all staff members, including management, understand the rules governing patient privacy and appropriate responses to public feedback.
- Implement policies and procedures: Develop and maintain clear, HIPAA-compliant guidelines for handling online interactions and patient communications.
- Appoint a compliance officer: Designate a staff member to oversee privacy practices and review all external communications involving patients.
- Encourage offline resolution: Offer patients a way to address concerns privately rather than engaging publicly. For example, responses can include a simple statement such as, “We take patient feedback seriously. Please contact our office directly to discuss your concerns further.”
By taking these steps, healthcare organizations can safeguard patient trust and avoid the legal and financial repercussions of privacy violations. As OCR Director Melanie Fontes Rainer noted, "Simply put, this is not allowed. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization."
FAQs
Can healthcare organizations use social media to share patient success stories or testimonials?
Healthcare organizations can share patient success stories or testimonials on social media with the patient's written consent. Ensure that the information shared is de-identified to protect patient privacy; that involves removing or altering any details that could identify the patient.
Is de-identified healthcare information subject to HIPAA restrictions?
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Can healthcare professionals respond to patient inquiries or comments on social media without violating HIPAA?
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.