• HINT
  • Posts
  • Psychiatry Practice Pays Settlement for Disclosing Patient Info When Responding to Negative Reviews

Psychiatry Practice Pays Settlement for Disclosing Patient Info When Responding to Negative Reviews

Responding to Online Reviews Can Lead to HIPAA Violations for Healthcare Providers

November 01, 2023

a person sitting at a table and looking at a phone

Social media can be a useful tool for healthcare organizations to communicate with patients and promote their services. However, it also poses risks related to protecting patient privacy under HIPAA rules. A recent settlement between the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and a New Jersey psychiatry practice highlights the potential pitfalls of responding to online patient reviews.

In June 2023, Manasa Health Center paid a $30,000 settlement to OCR to resolve allegations that it violated HIPAA rules by disclosing protected health information (PHI) of patients in response to their negative online reviews. OCR's investigation found that on four separate occasions, the practice revealed details about patients' treatment and conditions when responding to negative reviews the patients posted on social media sites.

In a statement on the settlement, OCR Director Melanie Fontes Rainer said providers continue to improperly show PHI on social media and the internet when responding to patient reviews. She stressed these actions violate patient trust and HIPAA rules, and OCR will investigate and act on such disclosures regardless of the provider’s size.

This case highlights steps healthcare organizations should take when engaging patients on social media:

- Develop clear social media policies that align with HIPAA rules on disclosing PHI. Train staff annually on correct social media communications.

- Do not refer to patients or their treatment on public social media accounts, even without using their name. Avoid specifics that could identify them.

- Designate staff members responsible for monitoring comments and responding professionally to negative feedback. Ensure they understand HIPAA limitations.

- Recognize that even non-PHI social media posts about the organization can affect reputation. Encourage employees to be cautious about sharing employment details online.

With proper social media policies and training, providers can benefit from connecting with patients online while avoiding privacy and reputational risks. The OCR settlement serves as a reminder of HIPAA boundaries healthcare organizations must observe on social media and the internet.

Related: