Industry News

Dental Practice Pays $10,000 for Social Media Disclosures of PHI

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that Elite Dental Associates (Elite) paid $10,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  Specifically, OCR found that Elite disclosed a patient’s protected health information (PHI) over a social media platform.  Elite will also adopt a corrective action plan (CAP) as part of the settlement.  The Dallas based practice provides general dental services, implants, and cosmetic dentistry.

On June 5, 2016, OCR received a patient complaint alleging that Elite had used the patient’s protected health information (PHI) in a response to a social media review.  Elite used the patient’s last name and details of the patient’s health condition in the response.  OCR’s investigation found that Elite impermissibly disclosed multiple patients’ PHI in responses to online reviews.  Moreover, OCR found that Elite did not have policies and procedures related to PHI, including the disclosure of PHI on social media and other public platforms.  Finally, OCR found that Elite did not have a Notice of Privacy Practices that met the HIPAA Privacy Rule content requirements.

Elite entered into a CAP with OCR that requires the practice to create or update policies and procedures related to permissible and impermissible PHI uses and disclosures, their authorization form, and their Notice of Privacy Practices.  OCR must approve all new and updated policies, procedures, and forms and Elite must distribute them to workforce members.  Elite must also create internal reporting and sanctions policies for HIPAA rule violations within the organization.  The CAP requires Elite to provide training to all current and new workforce members within 30 days of implementation or hire, and annually thereafter.  Elite must issue breach notices to any individual or their representative whose PHI was disclosed and to OCR through the breach portal within 30 days.  Finally, Elite must disclose any reportable events to OCR during the two year CAP.

OCR notes that it has reduced the fine due to Elite’s size, financial circumstances, and cooperation with OCR’s investigation.

The OCR press release is available at: