This past October, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the entity responsible for policing HIPAA violations, announced a settlement with a Texas dental practice. The dental practice disclosed protected health information (PHI) on Yelp and was subject to a $10,000 fine. This information was disclosed in response to online reviews posted by the patient. In addition to the fine, OCR directed the dental practice to follow a two-year corrective action plan to prevent further HIPAA compliance issues.

Online reviews are important to small businesses because clients use them to share the positive and the negative about the people and processes they encounter. Marketing professionals often suggest responding to reviews, particularly negative ones, to see whether the problem can be fixed so that the reviewer takes down the negative review or at least states online that the problem was resolved. For entities covered under HIPAA, however, this can clearly be problematic.

In the case at hand, the dental practice had disclosed PHI when responding to a review posted on Yelp. This information included the patient’s first and last name, treatment plan, insurance, and cost information. A review by HHS showed that the practice had disclosed this information for multiple patients in response to online reviews.

[…]

This is an excerpt from a previously published article.