HIPAA Blog

[ Wednesday, June 07, 2023 ]

 

HHS fines NJ psychiatric provider for disclosing PHI when responding to a negative review.  Manasa Health Center was fined $30,000 and required to enter into a corrective action plan with new training of employees and revised policies and procedures.  Apparently, a patient complained about the practice in an online forum, and the psychiatric practice responded and defended itself, but in doing so, it exposed PHI of the patient.  

I've previously posted on this subject, and on similar issues with covered entities inadvertently disclosing PHI while trying to defend themselves (some of the links have died from link rot, but you get the idea).  You don't have to sit silently while a patient posts an unfair or false bad review; however, your response cannot include the patient's PHI (simply confirming that the patient is in fact your patient is PHI).  There's no "he said it first" exception, nor does the fact that the PHI already been made public mean that the provider can disclose it again.  

For example, if a patient states that he had an 8:00am appointment in November but wasn't seen by the doctor until 2:00pm, you could respond with a statement such as, "While we can neither confirm nor deny whether this individual is a patient, we time stamp all patient sign-ins and the start of all patient-provider encounters.  We have reviewed all patient encounters during November and have not found any instance where the length of time between a patient's sign-in and the start of his/her physician visit was longer than 45 minutes."  That response refutes the patient's claim without disclosing PHI.


Jeff [12:41 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template