“Get a Life” – Another Dentist Responds to Patient’s Online Review, This Time Faces a $50,000 OCR Penalty

It may be cathartic responding to a destructive on-line overview. It might additionally backfire, as can failing to cooperate with an OCR investigation as required below HIPAA.

The Workplace for Civil Rights (OCR) not too long ago announced 4 enforcement actions, one in opposition to a small dental apply that imposed a $50,000 civil financial penalty below HIPAA. The OCR alleged the dentist impermissibly disclosed a affected person’s protected well being data (PHI) when the dentist responded to a affected person’s destructive on-line overview. In accordance to the OCR, the dentist’s response to the affected person learn:

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he solely got here to my apply on two events since October 2013. He by no means got here for his scheduled appointments as his remedy plans submitted to his insurance coverage firm had been accredited. He final got here to my workplace on March 2014 as an emergency affected person due to excruciating ache he was experiencing from the decrease left quadrant. He was given a second referral for a root canal remedy to be carried out by my endodontist colleague. Is that a dangerous expertise? Solely from somebody hallucinating. When individuals need to categorical their ignorance, you don’t have to do something, simply allow them to discuss. He by no means got here again for his scheduled appointment Does he deserve any ranking as a affected person? Not even one star. I by no means carried out any process on this disgruntled affected person aside from oral examinations. From the foregoing, it’s apparent that [Complainant’s full name] degree of intelligence is in query and he ought to proceed together with his guide work and never expose himself to ridicule. Making derogatory statements is not going to improve your status on this period [Complainant’s full name]. Get a life.

This will not be the primary time a dentist was fined by the OCR in reference to responding to a affected person’s on-line overview. In 2019, it was a Yelp review that resulted in a $10,000 penalty. So, why is the OCR imposing 5 instances that penalty on this matter?

Briefly, the OCR explained the coated dental supplier “did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.” In accordance to the OCR, amongst different issues, the dentist has not eliminated the response to the affected person’s on-line overview.

Online overview platforms, similar to supplied by Google and Yelp, could be essential for small healthcare suppliers and different small companies to promote their practices, companies, and facilitate their interplay with individuals they serve. Nevertheless, warning ought to be exercised. Disclosing a affected person’s id and the affected person’s well being standing in a response to an opposed on-line overview with out the affected person’s authorization is probably going a violation of the HIPAA Privateness Rule. If not cautious, and within the absence of a clear coverage, informal and casual communications between apply employees and sufferers might expose the apply to important threat.

However based mostly on how this case turned out, a refusal to cooperate with the ensuing OCR investigation can set off a extra important HIPAA penalty.

So, what ought to small dental, doctor and different healthcare practices be doing to tackle these dangers:

  • Get criticism with HIPAA and Keep Insurance policies on Disclosures in Social Media! On this case, for instance, the OCR famous that HIPAA coated healthcare suppliers ought to have insurance policies and procedures associated to the disclosures of PHI and extra particularly with regard to disclosures of PHI on social media.

  • Prepare employees (together with healthcare suppliers and house owners) regarding these insurance policies. Right here, the OCR requested for copies of those insurance policies. That’s, the OCR didn’t solely need to see a sign-in sheet displaying employees attended the coaching, the company wished to see the insurance policies that the coaching was based mostly on.

  • Keep a HIPAA Discover of Privateness Follow. At a minimal, this ought to be posted within the workplace and on the apply’s web site, as relevant.

  • Monitor social media exercise by employees. Perceive the social media channels that the apply engages in and think about periodically monitoring public social media exercise by employees.

  • Cooperate with the OCR. Coated entities ought to completely make their case to the OCR in protection of a compliance overview or investigation. On the identical time, being responsive to the company’s requests can go a great distance towards resolving the matter shortly and with minimal influence. Having skilled authorized counsel versed within the HIPAA Privateness and Safety Guidelines to information the apply could be tremendously useful.

Source link