Provider Discloses PHI in Response to Negative Review

OCR Enforces HIPAA Privacy Rule

A recent enforcement action by the HHS Office for Civil Rights (OCR) resulted in a $30,000 settlement regarding impermissible disclosures of PHI in online reviews. A psychiatry practice in New Jersey was found to have disclosed a patient’s PHI on a public online platform when responding to the patient’s negative online review. The disclosure, along with the practice’s failure to implement policies and procedures to safeguard PHI, violated the HIPAA Privacy Rule and resulted in a fine and an agreement to implement a corrective action plan.

These instances are not uncommon. OCR Director Melanie Fontes Rainer stated, “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed.”

If a patient leaves an online review of your practice, whether positive or negative, the practice or provider must never include PHI in a response to that review. If the practice wishes to respond to a patient’s complaint, the patient must be contacted through a private method such as a phone call or patient portal message. You may respond on the review platform only to thank the person for their feedback and to provide contact information for the patient to file a complaint with the practice. Your response must never include patient information. When in doubt, do not respond directly to the review; instead, reach out to the patient in a private, secure manner.

If you have questions or concerns about responding to an online review in an appropriate manner, do not hesitate to reach out to Eagle Associates for guidance.