Author HeadshotBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 14, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with New Vision Dental (NVD) over a potential HIPAA Privacy violation. The California-based dental practice paid $23,000 to OCR and agreed to implement a corrective action plan after allegedly including protected health information (PHI) in its responses to reviews on Yelp.

The Complaint and Investigation.

On November 29, 2017, the Office for Civil Rights (OCR) received a complaint alleging New Vision Dental had posted responses to several unfavorable reviews by patients on Yelp and frequently disclosed confidential protected health information (PHI) in its responses. For example, in some posts, patients were allegedly identified, and NVD revealed their full names when the patient may have only chosen to use a made-up name on the platform. Other information allegedly posted included detailed information about the patient’s visits, treatment, and health insurance, when that information had not been posted publicly by the patient.

The federal agency’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI and failures to provide adequate Notice of Privacy Practices and implement Privacy policies and procedures. “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘NO,’” said OCR Director Melanie Fontes Rainer in a statement.

To read more, click here for the press release from the HHS.

In addition to the settlement, NVD agreed to implement a corrective action plan (CAP) that will be monitored for two years by OCR. As part of its CAP, the dental practice agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD is required to remove all social media postings that include PHI.

The resolution agreement and CAP can be viewed here.

Guidelines for Appropriate use of Social Media and Social Networking.

Healthcare professionals are discouraged from interacting with current or past patients on personal social networking sites and should never, under any circumstances, reveal personal information about the patient or the patient’s treatment or care. Online interaction with patients should only occur when discussing the patient’s medical treatment within the physician-patient relationship and with written, signed consent by the patient to use e-mail or other online services for such messaging. These interactions should never occur on personal social networking or social media websites.

Patient privacy must be protected at all times, especially on social media and social networking websites. Breaches in patient confidentiality could harm the patient and violate federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 and applicable state privacy laws.

Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties.

This penalty was the 21st financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, more than in any other year since it was given the authority to enforce HIPAA compliance. With the increased popularity and availability of social media platforms also comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

If Notified of a HIPAA Investigation or Audit, Consult an Experience Health Law Attorney Immediately.

If you receive notice that you have a HIPAA Privacy Complaint, are suspected of a HIPAA breach, or are subject to a HIPAA audit, consult with an experienced health care attorney immediately. There are many technicalities to these laws and regulations, and what may initially seem like a violation may be proven to be nothing. Many defenses can be raised, and often a complaint may be dismissed by the OCR once the correct facts are shown to it by your attorney.

Don’t Wait Until It’s Too Late, Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, nurses, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or toll-free (888) 331-6620.


Alder, Steve. “OCR Fines California Dental Practice for PHI Disclosures on Yelp.” HIPAA Journal. (December 14, 2022). Web.

McKeon, Jill. “OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp.” Health Care It News. (December 14, 2022).

Health News Weekly. “California Dental Practice Pays $23,000 to Resolve Potential HIPAA Violations Involving Social Media Posts.” AHLA. (December 16, 2022). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2023 The Health Law Firm. All rights reserved.