New Vision Dental HIPAA violation: Thanks to Jamie Sorley for tipping me off to this at the Dallas Bar Association Health Law Section's holiday party last night (sponsored by Bradley -- thanks for the excellent tequila!). HHS has issued a settlement with a dental practice that doesn't involve access. The practice disclosed PHI on social media when responding to patient complaints and bad reviews. The good news for the practice: the fine was only $23,000.
It's tough when a patient posts a false negative review. But a provider has to be very careful that any response does not involve any disclosure of PHI. The safest route is to ignore it, but if you must respond, do so with global statements, not anything that could identify any particular patient. For example, if the patient says he/she had to wait 3 hours in the waiting room on the day before Thanksgiving, the practice could respond that it reviewed all of its sign-in sheets and the time-stamp of every patient encounter during the month of November, and that the longest any patient waited between sign-in and being taken to an exam room was 45 minutes. That response does not disclose any patient's PHI. On the other hand, saying "Mrs. Jones says she waited 3 hours, but she signed the sign-in sheet at 1:30 and was in the chair at 2:15" would be an improper disclosure of PHI.