HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information
The dental practice responded to reviews on social media by disclosing patient health information in violation of the law; OCR warns others against this practice

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces a settlement with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.

“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” said OCR Director Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”

In November 2017, OCR received a complaint alleging that New Vision Dental impermissibly disclosed PHI, including patient names, treatment, and insurance information, in response to patients’ online reviews of the practice. OCR’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI, and failures to provide an adequate Notice of Privacy Practices and to implement privacy policies and procedures.

In addition to the monetary settlement, New Vision Dental will undertake a CAP that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The resolution agreement and CAP may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision-ra-cap/index.html.

OCR is committed to ensuring that the privacy and security of people’s health information are protected under HIPAA. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.