Health care providers play a critical role in ensuring the privacy and security of patients’ protected health information (PHI).  With the increasing prevalence of online reviews, providers must navigate the delicate balance between patient satisfaction, communication, and privacy protection.  

On June 5, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Manasa Health Center, a New Jersey health care provider, agreed to a settlement with the government to resolve allegations that it breached HIPAA privacy rules when using social media to respond to a patient complaint.  According to the press release, the OCR started an investigation into a complaint lodged by a patient who alleged that Manasa had disclosed her PHI, such as specific information about her diagnosis and treatment for her mental health condition, in response to a negative online review.  The complainant’s allegations raised concerns about potential violations of the HIPAA Privacy Rule, which protects patients’ sensitive medical information from unauthorized disclosure.  OCR’s subsequent findings during the investigation corroborated the patient’s allegations.  OCR’s investigation also uncovered that Manasa impermissibly disclosed the PHI of three other patients in response to their negative online reviews.  According to the press release, Manasa also failed to put HIPAA Privacy policies and procedures into practice.  Unsurprisingly, failing to incorporate proper policies and disclosing PHI on social platforms or review boards drew the ire of OCR.  These types of allegations and shortcomings are common and may easily occur when providers are not diligent with compliance.

To resolve the allegations, Manasa agreed to pay $30,000 and take corrective action measures.  The corrective measures mandated by the OCR include putting revised policies and procedures into practice related to PHI disclosure, providing workforce training on privacy and security, and submitting annual reports to the OCR regarding compliance efforts. Manasa will also face monitoring by the OCR to ensure ongoing adherence to privacy regulations.

OCR continues to warn providers about social media use, particularly when communicating with or about patients.  OCR Director Melanie Fontes Rainer explained, “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”  This case and OCR’s warnings serve as a reminder to health care providers of the importance of safeguarding patient information and being mindful of any response to negative online feedback.  HIPAA violations can result in significant penalties and damage to an organization’s reputation.  Health care providers should focus on training their staff, establishing robust privacy policies, and implementing safeguards to protect patient privacy.  

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, privacy matters, and professional licensing matters – including Georgia medical, dental, and nursing board investigations, breach response, breach notification, OCR investigations, and resulting civil litigation.  If you need assistance with such a matter, please contact us today.