Lessons Learned From a Provider’s Yelp Posts That Violated HIPAA

Nov. 5, 2019
An attorney explains how healthcare organizations can enact policies for their employees to safely engage with social media and other online platforms

Although HIPAA (the Health Insurance Portability and Accountability Act of 1996) was implemented before social media networks were launched and online review sites became popular, there are still elements of the privacy law that do apply to how healthcare organizations and their employees can engage on such platforms.

Elite Dental Associates, a privately owned dental practice based in Dallas, recently found this out the hard way when it agreed to pay a $10,000 settlement fine to the Office for Civil Rights (OCR) stemming from a 2016 incident in which an Elite patient alleged that the practice had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition.

According to federal officials, “OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.  Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.”

Of course, the settlement figure is not the key here, but rather the underlying issue of how healthcare organizations, in this changing consumerism landscape, need to have stringent social media policies in place for their employees. “Social media is not the place for providers to discuss a patient’s care,” OCR Director Roger Severino said in a press release statement.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

Matthew Fisher, a healthcare attorney at Massachusetts-based law firm Mirick O'Connell, who specializes in data privacy and HIPAA, says that while it’s a natural human reaction for healthcare professionals to want to respond to patient reviews online, they simply have to be more careful when doing so. Nonetheless, many physicians can feel helpless, since responding without violating the law can be challenging. “There’s a prevailing concern among physicians and other clinicians about the arguable imbalance when it comes to these types of sites, since patients can say and post whatever they want and wherever they want, whereas being able to respond is constrained to a far greater degree,” notes Fisher.

That said, in this specific instance with Elite Dental Associates, according to the HIPAA resolution agreement, the group “had impermissibly disclosed [the patient’s] PHI when it responded to her post and provided her health information including her last name, details of her treatment plan, insurance and cost information.” What’s more, during OCR’s review of Elite’s Yelp review page, the agency discovered that the practice “had also impermissibly disclosed PHI of other patients when it responded to those patients’ reviews without valid authorizations.”

As such, per the settlement, Elite will be required to follow a corrective action plan that will include developing, maintaining, and revising, as necessary, written policies and procedures to comply with federal standards that govern the privacy and security of individually identifiable health information. More specifically related to social media, Elite must revise its Notice of Privacy Practices to include the requirement of obtaining an individual’s authorization before use and disclosure, including posting on its website, social media pages, and/or other public platforms, according to the agreement.

Fisher, who calls the violation “egregious” based on what was in the resolution agreement, points out that whoever disclosed that PHI online probably had to pull up the patient’s medical record in order to draft the post since it would be extremely unlikely that this information would be memorized.  “Perhaps there was a momentary lapse in judgement, but I don’t know how you go about thinking that you can post all that [sensitive] information,” he says. He does believe that this was an outlier and that the overwhelming majority of healthcare organizations would never make a mistake of this degree.

How Healthcare Organizations Can Respond Online

So, the question then becomes, what are the best practices for physicians and others to respond to online reviews while also abiding by HIPAA standards?

Fisher suggests that responding in general terms by noting how the practice operates without acknowledging that you have actually seen the patient, or getting into the specifics of what the review might be about, is one “safe” method. While that can seem bland, there is value in using generalized language in these instances, Fisher advises. “If you look at how restaurants respond to reviews online, they usually don’t get really specific about the user’s comments, but rather they’re getting a positive marketing message out there,” he says.

Another best practice, Fisher offers, is to simply reach out to the patient directly—not through the social media site—assuming you have his or her contact information. “Tell the patient that you saw the review and that you would like to speak with him or her to figure out what’s going on. Now, that won’t work with every patient, but perhaps you can [fix] what went wrong, which could have a broader and more positive impact than you might expect. And a lot of that comes from not having a knee-jerk reaction [to bad reviews], but recognizing that you can’t just go out and start blasting information that responds point by point. Use it as an opportunity to get messaging out there about how you operate, broadly,” he says.

When asked if a HIPAA incident such as this one would only increase the cynicism that some doctors already have over social media, Fisher says that for those people who are entrenched in their opposition to social media utilization, this incident “probably just underscores some of their complaints.” Those skeptics might just move further away from social media engagement since they will convince themselves that it’s not worth the trouble, though Fisher does believe that the majority of folks understand that this situation was a one-off and that they will still use online sites.

At the same time, a more optimistic viewpoint, Fisher remarks, is that healthcare organizations should see this as a learning opportunity to put an effective strategy for social media in place. An incident like this “gives organizations a chance to be more instructive and explain how appropriate social media utilization can occur,” he says.

Fisher notes that many of the bigger groups he works with do have a large presence on social media, and they do have policies in place. They often use these platforms to highlight the work they’re doing in the community, while offering general health improvement messages for consumers. “In that regard, the power of social media is well-founded, and helps posit you as a resource and expert in the community,” Fisher says.
