Governance & Risk Management
,
Healthcare
,
HIPAA/HITECH
HHS Settlement Is Latest Involving Negative Social Media Responses
Federal regulators fined a New Jersey psychiatric care provider after it disclosed patient information online in response to negative online reviews.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Manasa Health Center will pay $30,000 and implement a corrective action plan to settle potential HIPAA violations, the Department of Health and Human Services disclosed Monday in a settlement reached with practice owner Dr. Nidagalle Gowda.
The settlement resolves an April 2020 complaint alleging that Manasa disclosed specific information regarding a patient’s diagnosis and treatment of a mental health condition while responding to the individual’s online review.
HHS OCR said its investigation found three additional disclosures of patient information. Manasa is not admitting guilt of violating HIPAA under the terms of the settlement.
It nonetheless will implement a corrective action plan that includes revising its privacy practices and procedures and submitting those to the agency for approval.
Once HHS approves the practice’s HIPAA privacy policies and procedures, Manasa must distribute them to its workforce and provide staff with related training.
The practice must additionally issue breach notices to all individuals whose PHI was disclosed “on Google Reviews or any other internet platform without a valid authorization.”
The settlement is the second in six months involving a medical practice posting online protected health information in response to bad reviews. In mid-December, federal investigators found Vision Dental, a practice located in the eastern exurbs of greater Los Angeles, responded to criticism on Yelp by revealing the protected health information of patients (see: Dental Practice Hit With HIPAA Fine for Posting PHI on Yelp).
The HHS Office of Civil Rights “continues to receive complaints about healthcare providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said office Director Melanie Fontes Rainer in a statement.
HHS OCR has previously issued HIPAA penalties in at least two similar cases involving healthcare entities posting patient PHI, including names and health conditions, on social media sites, including Yelp, in response to negative reviews.
Manasa Health Center did not immediately respond to Information Security Media Group’s request for comment.