Social media and PHI get the OCR spotlight in the latest settlement announced. Reading these settlement agreements provides the best guidance from OCR which is why we always take the time to get those details for you. How much have you considered about your social media policies and how your staff understands their responsibilities?
When OCR announced its latest settlement, the headline was "Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients' Protected Health Information." Most people pay attention to the low figure in the settlement, which is where they think it ends, and they move on to the next thing on their list. This is a perfect example of the problem with not taking the time to read the details and living by the headlines and the excerpts at the top of the articles. Just like the last settlement, this one has details in the text that should be considered by every entity that controls PHI.
What happened with Social Media and PHI to get us here?
OCR received a complaint that started the ball rolling on an investigation into the privacy practices of Elite Dental Associates, a dentistry practice in Dallas, TX. On June 5, 2016, a patient filed a complaint alleging that Elite had responded to their Yelp review from the previous day with a reply disclosing their last name and other health information. That certainly doesn't fall within HIPAA disclosure rules, so OCR checked out the Yelp page themselves and found not only that patient's information but information on other patients in Elite's replies to patient reviews on Yelp. On November 9, 2016, OCR notified Elite that it was opening an investigation into the practice's privacy practices because of the complaint filed by the patient.
It is very important to note that OCR could easily see the disclosures were actually there online before they even needed to contact the practice about the complaint the patient had filed. Many folks don't realize just how much information is leaking out of their business into the public domain until someone like OCR, or even worse the FBI, finds out you have problems and calls to tell you it is happening. No documentation was required from Elite to find out whether the complaint was true, because OCR saw it with their own eyes and took screenshots of it before the practice even heard that a complaint had been filed. Let's just say I am aware of that happening more than anyone who hasn't been through it would believe until it actually happens to them.
What did OCR find in their investigation?
The first part of the investigation was easy to handle, with the confirmation on Yelp that not only was the complainant's information disclosed but multiple other patients also had improper disclosures of their information in the Yelp reviews. These other patients apparently didn't know they could complain to anyone when their information was released to the public.
OCR also found that Elite did not have a "policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients," nor did it have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.
What is in the settlement and CAP about social media and PHI?
The quote for this settlement from Director Severino provides the usual to-the-point "here is what they did wrong, so the rest of you should learn from it" statement, as follows:
The failures identified in the investigation were pretty simple, since it was clear from the publicly available information online that Elite impermissibly disclosed PHI, but OCR listed three specific issues it found:
- Elite impermissibly disclosed PHI.
- Elite failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms.
- Elite failed to have the minimum content required in its Notice of Privacy Practices.
The settlement amount was so small in comparison to the others negotiated recently that OCR made a point of explaining it as well.
The corrective action plan (CAP) is a long one, though, at two full years, but it seems that the practice is willing to work on the problems OCR noted in its investigation and focus on building a proper HIPAA compliance program.
The CAP requires them to do the things we would expect to see if there were little or no program in place to begin with, and repeated violations of this type suggest there probably wasn't much of one. For two years they will be monitored and will report their status on a regular basis. If they decide not to do these things, they violate the terms of the settlement and OCR will not treat them so kindly. Here is their to-do list for HIPAA:
That is their compliance program for the next two years, and the list doesn't really make clear all the work they will have to do to produce all of those documents, plans, training, and reviews. It is not easy to do it this way, but we have never said that HIPAA was easy, have we?
What do we think are the top points to note in this settlement?
There sure is a lot going on in such a small settlement that many people will likely overlook until it happens to them and they have no idea what hit them. It isn't about Yelp and $10,000; it is about far more than that when you look at the settlement as a whole.
Have a specific and detailed social media policy that covers posting on company sites, replying to posts by patients on company sites, posting about work on personal pages, and replying to patients on personal pages. You can't just say "don't share PHI on social media"; you have to be specific, with examples and discussion of different case scenarios, because people left to their own devices will make their own decisions and put it out there. Be very careful what your responses are on social media sites, because even a positive response to a positive review could inadvertently expose PHI.
Make certain ALL workforce members understand that once it is out there it is too late to prevent the damage it may cause, since a single screenshot is all it takes to make it last forever. If you wouldn't want it listed above the fold in the hometown newspaper one morning, then never put it on the Internet in the first place. For those of you who don't know what "above the fold" in a newspaper means, just Google it.
A major lesson from this case is that cooperating and showing remorse is the best way to handle these situations, since OCR stated it was one of the reasons the settlement was for only $10K when it could have required far more cash plus this same two-year CAP. That doesn't even take into account what the maximum could actually have been under the law.
Get your ducks in a row now so that you can walk away without making the news like these folks have, and without the two-year monitoring program that puts them under the watchful eye of OCR. The more you do now, the better off you will be, because at some point a patient, an ex-employee, a vendor, or even a competitor will file a complaint with HHS, and you will not have what they need if you have only done the bare minimum.
Imagine how that office felt when they got the letter from OCR telling them they were being investigated because a patient had filed a complaint and OCR had already looked at the Yelp page to see what was out there. It appears these folks really had no idea they shouldn't be responding that way on social media and had only the bare minimum program in place. Since they offered to start doing the right thing immediately, they dodged a major enforcement bullet from OCR. OCR has repeatedly said they aren't looking to break a business; they want patient information protected properly, not to turn enforcement into a money-making opportunity for the government.