A Yelp From Posting on Yelp®
Are your employees instructed on the proper (and improper) use of social media? Does your organization have policies and provide training on the appropriate handling of sensitive information? A recent United States Department of Health and Human Services, Office for Civil Rights (OCR) settlement illustrates a costly mistake of providing too much information on a Yelp® review.
According to the settlement between OCR and Elite Dental Associates – Dallas (Elite), Elite impermissibly disclosed a patient’s protected health information (PHI) when responding to her negative post on Yelp® when its response disclosed the patient’s last name, details of her treatment plan, insurance, and cost information. The OCR stated that during its review of the complaint, it also discovered on the social media site that Elite impermissibly had disclosed PHI of other patients when responding to their Yelp® posts.
On November 9, 2016, OCR notified Elite of its investigation regarding its compliance with the Privacy Rule. During its investigation, the OCR discovered that Elite did not have a policy and procedure addressing the handling of sensitive information and impermissible disclosures that could be applied to social media activity, or a compliant Notice of Privacy Practices. Providing again that once an investigation begins, any uncovered violation is game.
To settle these potential violations, the practice agreed to pay a $10,000 fine, and to adhere to a Corrective Action Plan (CAP) that includes two years of substantial monitoring by OCR. Requirements in the CAP included:
- the development, maintenance and revision, as necessary, to/of its written policies and procedures to comply with the Federal standards governing privacy and security of individually identifiable health information;
- forwarding such policies and procedures to the Department of Health and Human Services (HHS) within 30 calendar days of the settlement, and implementing them within 30 calendar days of receiving HHS’ final approval of them;
- distribution of the policies and procedures to the workforce and to require written or electronic acknowledgement from all workforce members, stating that they have read, understand and will abide by such policies and procedures;
- assessment, updating, and revision, as necessary, of the policies and procedures at least annually; and
- revision of the Notice of Privacy Practices to comply with the requirements of the Privacy Rule.
Elite also must “promptly” investigate any information or notice it receives of a workforce member failing to comply with its Privacy, Security, and Breach Notification policies and procedures. If Elite determines that the workforce member has failed to comply, it must notify HHS in writing within 30 calendar days. Such a report must include:
- a complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of Elite’s Privacy, Security, and Breach Notification policies and procedures; and
- a description of the actions taken and any further steps Elite plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures.
What Could Have Been Done
The urge to respond to an unfavorable Yelp® review is understandable. However, a few inexpensive steps could have saved the dental practice almost three years of regulatory investigation, a $10,000 fine, and being subject to a costly two-year monitoring program. What should an/your organization do?
- Perform a risk assessment at least annually.
- Develop and maintain guides (i.e., a data privacy and security program) that address how to treat and handle sensitive information, especially in connection with social media, public disclosure, or use of portable media containing such information. Don’t forget policies addressing the use of the organization’s information systems. Place someone in charge of this program.
- Train employees on the organization’s requirements. What are they expected to do? What are they not allowed to do – especially when using social media or handling sensitive information?
- Rinse. Repeat.
If you have questions or would like further information, please contact Joshua Mooney (firstname.lastname@example.org; 215.864.6345).