New Jersey's Manasa Health Center, a provider of psychiatric services for adults and children, has agreed to pay $30,000 to HHS' Office for Civil Rights (OCR) to settle allegations that it revealed protected health information about its patients in replies to negative Google reviews.
OCR investigated Manasa after receiving a complaint in April 2020 from a patient, according to an announcement from the office. After the patient posted a negative online review about Manasa, the patient alleged, the provider's response included specific information about their mental health diagnosis and treatment.
The subsequent OCR investigation found three additional similar disclosures of patient medical information, and found that Manasa had not implemented policies to prevent this kind of HIPAA privacy violation.
Manasa has since agreed to implement a corrective action plan to resolve what OCR called "potential violations" of the HIPAA Privacy Rule.
"OCR continues to receive complaints about healthcare providers disclosing their patients' protected health information on social media or on the internet in response to negative reviews," Melanie Fontes Rainer, director of OCR, said in the announcement. "Simply put, this is not allowed."
Under the corrective action plan, the health center will develop written policies and procedures to ensure HIPAA compliance, will train all employees on these policies, and will issue "breach notices" to notify patients whose protected health information has been disclosed, as well as a similar report to HHS, among other steps.
The health center, located in Kendall Park, New Jersey, currently has no visible reviews on its Google overview.
As patients and healthcare providers rely increasingly on reviews and other digital health tools to navigate healthcare, medical providers are adjusting their privacy policies accordingly. Under HIPAA, healthcare "covered entities" must have a security officer and a privacy officer (who can be the same person, in some cases) who ensure the organization complies with patient privacy laws. However, not all practices succeed at meeting and maintaining those privacy standards.
Kelli Fleming, a healthcare lawyer at Burr & Forman LLP in Birmingham, Alabama, where she focuses on compliance and regulatory issues, said she had encountered cases similar to Manasa's. Fleming said that OCR may not have the resources to investigate every complaint it receives, but that she advises her clients, mainly healthcare providers, to be aware of certain "hot topics" in privacy.
"Based on enforcement patterns and in the past couple of years, online reviews and social media postings ... are certainly a topic that is of interest [to OCR] constantly," she noted.
"It is a blatant violation of federal law to post about anyone's health information on the World Wide Web for anybody and everybody to see, and that, in and of itself, is pretty common sense," she added.
There are specific ways healthcare providers can ensure patient information is being protected in the realm of social media and online review responses, Fleming said, despite the unique challenges those platforms present.
"If somebody's out there, and to the public, bashing you, your first intuition is to defend yourself," she said. "Unfortunately, healthcare providers' hands are a little bit tied in defending themselves because of HIPAA."
Even responding to a comment in a way that confirms the reviewer was a patient could be a violation, she noted.
One way to stay within the bounds of the law is to respond to reviews with "something general, along the lines of 'please feel free to call our office at [phone number] to discuss this matter further,'" Fleming said. "Something very general that in no way, shape, or form releases any type of patient information, or even confirms that the person writing the review was in fact a patient of the practice." Or, she added, providers can prohibit responses to reviews altogether.
It's worth connecting directly with negative reviewers to resolve any problems they encountered, and implementing mechanisms to gather positive reviews, Fleming said, like giving patients information about where to leave one.
And because a $30,000 fine could be significant for a small practice like Manasa, Fleming stressed that all employees must be trained -- and updated regularly -- on HIPAA compliance.
"Ideally, every physician practice would have those sets of policies, and I tell clients that they're designed to be working documents," she said. "[If] you check that box and you put them on a shelf and you don't look at them again, that doesn't serve any purpose."