Social media and PHI get the OCR spotlight in the latest settlement announced.  Reading these settlement agreements provides the best guidance from OCR, which is why we always take the time to get those details for you.  How much thought have you given to your social media policies and to how well your staff understands their responsibilities?

When OCR announced its latest settlement, the headline was Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information.  Most people pay attention to the low figure in the settlement, assume that is where it ends, and move on to the next thing on their list.  This is a perfect example of the problem with not taking the time to read the details and living by the headlines and the excerpts at the top of articles.  Just like the last settlement, this one has details in the text that should be considered by every entity that controls PHI.

What happened with Social Media and PHI to get us here?

OCR received a complaint that started the ball rolling on an investigation into the privacy practices of Elite Dental Associates, a dentistry practice in Dallas, TX.  On June 5, 2016, a patient filed a complaint alleging that Elite responded to their Yelp review from the previous day with information disclosing their last name and other health information.  That certainly doesn’t fall within HIPAA disclosure rules, so OCR checked the Yelp page themselves and found not only that patient’s information but information on other patients in Elite’s replies to patient reviews on Yelp.  On November 9, 2016, OCR notified Elite that it was opening an investigation into the practice’s privacy practices based on the complaint filed by the patient.

It is very important to note that OCR could easily see the disclosures online before it even needed to contact the practice about the complaint the patient had filed.  Many folks don’t realize how much information is leaking out of their business into the public domain until someone like OCR, or even worse the FBI, finds the problem and calls to tell you it is happening.  No documentation was required from Elite to find out whether the complaint was true, because OCR saw it with its own eyes and took screenshots before the practice even heard that a complaint had been filed.  Let’s just say I am aware of that happening more than anyone who hasn’t been through it would believe until it actually happens to them.

What did OCR find in their investigation?

The first part of the investigation was easy to handle, with the confirmation on Yelp that not only was the complainant’s information disclosed but multiple other patients also had improper disclosures of their information in the Yelp review replies.  These other patients apparently didn’t know they could complain to anyone when their information was released to the public.

OCR also found that Elite did not have a “policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients,” nor did it have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.

What is in the settlement and CAP about social media and PHI?

The quote for this settlement from Director Severino provides the usual to-the-point “here is what they did wrong, so the rest of you should learn from it” statement:

Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.
(Director Severino)

The failures identified in the investigation were pretty simple, since it was clear from the publicly available information online that Elite had impermissibly disclosed PHI, but OCR listed three specific issues:

  • Elite impermissibly disclosed PHI.
  • Elite failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms.
  • Elite failed to have the minimum content required in its Notice of Privacy Practices.

The settlement amount was so small in comparison to the others negotiated recently that OCR made a point of explaining it as well.

OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
(OCR Press Release)

The corrective action plan (CAP) is a long one, though, at two full years, but it seems the practice is willing to work on the problems OCR noted in its investigation and focus on building a proper HIPAA compliance program.

The CAP requires them to do the things we would expect to see if there were little or no program in place to begin with, and this type of violation repeated across multiple reviews shows there probably wasn’t much of one.  For two years they will be monitored and will report their status on a regular basis.  If they decide not to do these things, they violate the terms of the settlement and OCR will not treat them so kindly.  Here is their HIPAA to-do list:

Two-Year CAP List
  1. Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information
  2. Provide such policies and procedures, consistent with paragraph 1 above, to HHS within 30 calendar days of the Effective Date for review and approval
  3. Implement such policies and procedures within 30 calendar days after receiving HHS’ final approval
  4. Distribute the policies and procedures to all members of the workforce within 30 calendar days of HHS’ approval of such policies and to new members of the workforce within 30 calendar days of their beginning of service
  5. Require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by such policies and procedures
  6. Shall assess, update, and revise, as necessary, the policies and procedures at least annually with any changes being approved by HHS during the CAP
  7. Shall not involve any member of its workforce in the use or disclosure of PHI if that workforce member has not signed or provided the written or electronic certification
  8. Revise policies and procedures to address permissible and impermissible uses and disclosures of PHI and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI
  9. Revise authorization form to comply with the requirements of the Privacy Rule, including a description of how the individual may revoke the authorization and a statement regarding a covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
  10. Develop a process for evaluating and approving authorizations requesting the use or disclosure of PHI by Elite, before Elite makes such uses or disclosures
  11. Revise the Notice of Privacy Practices to comply with the requirements of the Privacy Rule, including a description of the uses and disclosures of PHI for which Elite is required to obtain an individual’s authorization (e.g., posting on Elite’s website, social media pages and/or other public platforms)
  12. Identify personnel or representatives whom workforce members, agents, or business associates may contact in the event of any inquiry or concern regarding compliance with HIPAA in relation to these activities
  13. Develop internal reporting procedures which will require all workforce members to report to the designated person or office at the earliest possible time any potential violations of the Privacy, Security or Breach Notification Rules or of Elite’s privacy and security policies and procedures. Such reporting procedures shall require Elite to promptly investigate and address all received reports in a timely manner
  14. Apply and document appropriate sanctions (which may include retraining or other instructive corrective action, depending on the circumstances) against members of Elite’s workforce, including senior-level management, who fail to comply with the Privacy, Security or Breach Notification Rules or Elite’s privacy and security policies and procedures. This content shall include a description of the sanctions; a timeframe in which Elite will apply and document sanctions for violations of the HIPAA Rules or of Elite’s privacy, security or breach policies or procedures; the manner in which Elite will document the sanctions; and where Elite will store or retain such documentation (e.g., personnel file)
  15. During the CAP period, upon receiving information that a workforce member may have failed to comply with its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter.  If after review and investigation Elite determines that a member of its workforce has failed to comply with its Privacy, Security, and Breach Notification policies and procedures, Elite shall notify HHS in writing within 30 calendar days. The report must include:
  16. Complete description of the event, including the relevant facts, people involved, and the specific Privacy, Security, and Breach Notification policies and procedures that were violated.
  17. Details about the actions taken and any further steps Elite plans to take to deal with the matter to mitigate any harm, prevent it from recurring, including application of any appropriate sanctions against workforce members who fail to comply with the policies and procedures
  18. If no reportable events occur over a year then there must be a section of the annual report explaining that no events occurred requiring notification.
  19. Training requirements are similar to the policy requirements above: train all staff and obtain confirmation of training within 30 days, and allow no employee to touch PHI without confirming they understand the training they were given.
  20. Training must be reviewed and updated annually.
  21. Elite has 30 days from settlement to properly notify any patient that had PHI exposed on Yelp reviews and provide confirmation of those notifications to HHS in that same 30 days by putting the details on the breach portal.
  22. Provide implementation reports attested to by officers of the company within 60 days of approval of policies and procedures.  The report includes documentation of all training and attestations from staff
  23. Provide an annual report showing what has been done and attestation by an officer of the company that they have confirmed the report details to be complete and true

That is their compliance program for the next two years, and even that list doesn’t make clear all the work they will have to do to produce all of those documents, plans, training, and reviews.  It is not easy to do it this way, but we have never said that HIPAA was easy, have we?

What do we think are the top points to note in this settlement?

There sure is a lot going on in such a small settlement that many people will likely overlook until it happens to them and they have no idea what hit them.  It isn’t about Yelp and $10,000; it is about much more than that when you look at the settlement as a whole.

Have a specific and detailed social media policy that covers posting on company sites, replying to posts by patients on company sites, posting about work on personal pages, and replying to patients on personal pages.  You can’t just say “don’t share PHI on social media”; you have to be specific, with examples and discussion of different scenarios, because people left to their own devices will make their own decisions and put it out there.  Be very careful what your responses are on social media sites, because even a positive review with a positive response can inadvertently expose PHI: simply confirming that the reviewer is a patient of the practice is itself a disclosure.

Make certain ALL workforce members understand that once it is out there it is too late to prevent the damage it may cause, since a single screenshot is all it takes to make it last forever.  If you wouldn’t want it listed above the fold in the hometown newspaper one morning, then never put it on the Internet in the first place.  For those of you who don’t know what above the fold in a newspaper means, just Google it.

A major thing to learn from this case is that cooperating and showing remorse is the best way to handle these situations, since OCR stated that it was one of the reasons the settlement was only $10K when it could have required far more cash plus this same two-year CAP.  That doesn’t even take into account what the maximum could have been under the law.

Get your ducks in a row now so that you can walk away without making the news like these folks did, and without the two-year monitoring program that puts them under the watchful eye of OCR.  The more you do now, the better off you will be, because at some point a patient, an ex-employee, a vendor, or even a competitor will file a complaint with HHS, and you will not have what they need if you have only done the bare minimum.

Imagine how that office felt when they got the letter from OCR telling them they were being investigated because a patient had filed a complaint, and OCR had already looked at the Yelp page to see what was out there.  It appears these folks really had no idea they shouldn’t be responding that way on social media and had only the bare minimum program in place.  Because they offered to start doing the right thing immediately, they dodged a major enforcement bullet from OCR; OCR has repeatedly said it isn’t looking to break a business, it wants patient information protected properly, not a money-making opportunity for the government.