How a Yelp Review Led to a $10K HIPAA Fine & How You Can Avoid A Similar Fate
Another HIPAA enforcement fine for 2019 is another reminder that the focus, investigations, and settlements of the Department of Health and Human Services’ Office for Civil Rights (OCR) are aimed at protecting the patient rights granted under HIPAA.
This time, a dental office in Texas was assessed a $10,000 HIPAA fine after patient information was improperly disclosed in a response to a Yelp review. I know it can be frustrating to have negative online reviews, and you want to respond and support/protect your clinic – but unfortunately, there are things you cannot say, especially in the online world! Like it or not – it is the REALITY! Read more about responding to Yelp reviews in my article “An Expert’s Guide to Patient Privacy and Online Reviews.”
“It’ll Never Happen to my Organization”
In my many years of consulting in the healthcare privacy and security space, I hear it all the time:
- “The OCR doesn’t focus on my type of organization”
- “HIPAA Fines are only assessed to large organizations with large data breaches”
- “I’m a small-town dentist, my practice isn’t at risk for a HIPAA investigation”
The reality is that if you are a HIPAA covered entity, you must comply with the HIPAA regulations. The last 2 HIPAA enforcement fines have taught us that you MUST get your HIPAA Compliance Program in order. Both of these latest fines have shown that even small data breaches (fewer than 10 individuals impacted) can result in a HIPAA fine. There are no more excuses, no more “I didn’t know,” no more “it won’t happen to my organization.”
It is important to remember that HIPAA compliance is more than providing an annual staff training or creating and posting a Notice of Privacy Practices. It is about developing a HIPAA program that is supported by policies, procedures, and practices to show you are serious about protecting the information that your patients provide to you.
Are you unsure of the current state of your organization’s HIPAA Compliance? Take Planet HIPAA’s FREE 11-question HIPAA Checkup below!
Dental Office Pays $10,000 for HIPAA Violation
In the most recent HIPAA enforcement fine, the dental office was investigated because a patient complained (they have that right under HIPAA) that their protected health information was improperly disclosed in a response to a Yelp review. The dental practice in this example isn’t a large organization; it is actually a one-provider dental office located in Dallas, Texas.
Besides the HIPAA fine, the dental practice has to take some drastic steps to bring its HIPAA Compliance up to date AND get it approved by the federal government:
- Develop and update HIPAA policies and procedures to comply with all of the HIPAA privacy and security requirements
- Provide those policies and procedures to the OCR for approval within 30 days of the corrective action plan
- Train the workforce and distribute the policies and procedures within 30 days of the OCR’s approval of the policies
- Establish a training program and provide workforce training at a minimum annually
- Have each workforce member certify in writing that they acknowledge and understand the privacy requirements provided in training (if they don’t certify in writing – they don’t get access to PHI)
- Notify HHS in writing within 30 days after any workforce member fails to comply with the organization’s HIPAA privacy, security, and breach notification policies and procedures.
Wow, that is a lot of important steps to take, and they are time-consuming and costly for the practice, on top of the $10,000 fine.
We have created a FREE HIPAA Training Acknowledgement Form for your workforce to sign after HIPAA training has been completed. All workforce members should complete this once they have finished HIPAA training. Click the button below now to download your Free copy!
If you have questions about HIPAA training, please feel free to contact us at [email protected]
What we have learned from the last 2 OCR HIPAA Enforcement penalties: Patients have a right to have their information protected by your organization. In the event that a patient feels that the information they provided was not properly protected, they have a right to complain to the OCR. The OCR may open an investigation, which can result in a corrective action plan or a fine with a corrective action plan. Don’t let this happen to your organization; focus your organization on getting into HIPAA Compliance now!