California Dental Practice Pays $23,000 Settlement For Potential HIPAA Privacy Violations Involving Yelp Posts

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 14, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with New Vision Dental (NVD) over a potential HIPAA Privacy violation. The California-based dental practice paid $23,000 to OCR and agreed to implement a corrective action plan after allegedly including protected health information (PHI) in its responses to reviews on Yelp.

The Complaint and Investigation.

On November 29, 2017, the Office for Civil Rights (OCR) received a complaint alleging New Vision Dental had posted responses to several unfavorable reviews by patients on Yelp and frequently disclosed confidential protected health information (PHI) in its responses. For example, in some posts, patients were allegedly identified, and NVD revealed their full names when the patient may have only chosen to use a made-up name on the platform. Other information allegedly posted included detailed information about the patient’s visits, treatment, and health insurance, when that information had not been posted publicly by the patient.

The federal agency’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI and failures to provide adequate Notice of Privacy Practices and implement Privacy policies and procedures. “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘NO,’” said OCR Director Melanie Fontes Rainer in a statement.

To read more, click here for the press release from the HHS.

In addition to the settlement, NVD agreed to implement a corrective action plan (CAP) that will be monitored for two years by OCR. As part of its CAP, the dental practice agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD is required to remove all social media postings that include PHI.

The resolution agreement and CAP can be viewed here.

Guidelines for Appropriate Use of Social Media and Social Networking.

Healthcare professionals are discouraged from interacting with current or past patients on personal social networking sites and should never, under any circumstances, reveal personal information about the patient or the patient’s treatment or care. Online interaction with patients should only occur when discussing the patient’s medical treatment within the physician-patient relationship and with written, signed consent by the patient to use e-mail or other online services for such messaging. These interactions should never occur on personal social networking or social media websites.

Patient privacy must be protected at all times, especially on social media and social networking websites. Breaches in patient confidentiality could harm the patient and violate federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 and applicable state privacy laws.

Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties.

This penalty was the 21st financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, more than in any other year since it was given the authority to enforce HIPAA compliance. With the increased popularity and availability of social media platforms also comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

If Notified of a HIPAA Investigation or Audit, Consult an Experienced Health Law Attorney Immediately.

If you receive notice that you have a HIPAA Privacy Complaint, are suspected of a HIPAA breach, or are subject to a HIPAA audit, consult with an experienced health care attorney immediately. There are many technicalities to these laws and regulations, and what may initially seem like a violation may be proven to be nothing. Many defenses can be raised, and often a complaint may be dismissed by the OCR once the correct facts are shown to it by your attorney.

Don’t Wait Until It’s Too Late, Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, nurses, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Alder, Steve. “OCR Fines California Dental Practice for PHI Disclosures on Yelp.” HIPAA Journal. (December 14, 2022). Web.

McKeon, Jill. “OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp.” Health Care It News. (December 14, 2022).

Health News Weekly. “California Dental Practice Pays $23,000 to Resolve Potential HIPAA Violations Involving Social Media Posts.” AHLA. (December 16, 2022). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2023 The Health Law Firm. All rights reserved.

April 12, 2024 | Categories: Dental Law Blog

Dental Practice Pays $23,000 For Potential HIPAA Privacy Violations Involving Yelp Posts

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 14, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with New Vision Dental (NVD) over a potential HIPAA Privacy violation. The California-based dental practice paid $23,000 to OCR and agreed to implement a corrective action plan after allegedly including protected health information (PHI) in its responses to reviews on Yelp.

The Complaint and Investigation.

On November 29, 2017, the Office for Civil Rights (OCR) received a complaint alleging New Vision Dental had posted responses to several unfavorable reviews by patients on Yelp and frequently disclosed confidential protected health information (PHI) in its responses. For example, in some posts, patients were allegedly identified, and NVD revealed their full names when the patient may have only chosen to use a made-up name on the platform. Other information allegedly posted included detailed information about the patient’s visits, treatment, and health insurance when the patient had not posted that information publicly.

The federal agency’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI and failures to provide adequate Notice of Privacy Practices and implement Privacy policies and procedures. “This latest enforcement action demonstrates the importance of following the law even when using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘NO,’” said OCR Director Melanie Fontes Rainer in a statement.

To read more, click here for the press release from the HHS.

In addition to the settlement, NVD agreed to implement a corrective action plan (CAP) that will be monitored for two years by OCR. As part of its CAP, the dental practice agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD must remove all social media postings that include PHI.

The resolution agreement and CAP can be viewed here.

Guidelines for Appropriate Use of Social Media and Social Networking.

Healthcare professionals are discouraged from interacting with current or past patients on personal social networking sites and should never, under any circumstances, reveal personal information about the patient or the patient’s treatment or care. Online interaction with patients should only occur when discussing the patient’s medical treatment within the physician-patient relationship and with written, signed consent by the patient to use e-mail or other online services for such messaging. These interactions should never occur on personal social networking or social media websites.

Patient privacy must always be protected, especially on social media and social networking websites. Breaches in patient confidentiality could harm the patient and violate federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 and applicable state privacy laws.

Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties.

This penalty was the 21st financial penalty OCR imposed in 2022 to resolve HIPAA violations, more than in any other year since it was given the authority to enforce HIPAA compliance. With the increased popularity and availability of social media platforms also comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

If Notified of a HIPAA Investigation or Audit, Consult an Experienced Health Law Attorney Immediately.

If you receive notice that you have a HIPAA Privacy Complaint, are suspected of a HIPAA breach, or are subject to a HIPAA audit, consult an experienced healthcare attorney immediately. There are many technicalities to these laws and regulations, and what may initially seem like a violation may be proven to be nothing. Many defenses can be raised, and often a complaint may be dismissed by the OCR once the correct facts are shown to it by your attorney.

Don’t Wait Until It’s Too Late, Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, nurses, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Alder, Steve. “OCR Fines California Dental Practice for PHI Disclosures on Yelp.” HIPAA Journal. (December 14, 2022). Web.

McKeon, Jill. “OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp.” Health Care It News. (December 14, 2022).

Health News Weekly. “California Dental Practice Pays $23,000 to Resolve Potential HIPAA Violations Involving Social Media Posts.” AHLA. (December 16, 2022). Web.


September 11, 2023 | Categories: Health Facilities Law Blog

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records were intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There need to be processes and checkpoints in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. When health care practices integrate other medical practices and facilities into their organization, they must be vigilant in extending these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Breach of HIPAA Privacy Regulations May be a Basis for Negligence Actions

By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by the Florida Bar in Health Law

Given the advances in information technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as a comprehensive legislative and regulatory scheme to ensure basic protections of patients’ right of privacy regarding their health information. HIPAA, standing alone, does not provide a private right of action. It also preempts contrary state laws. A recent case in the Supreme Court of Connecticut, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014), addressed these issues. The decision answered the question of whether HIPAA preempts state law claims for negligence and negligent infliction of emotional distress against a healthcare provider who released medical records in the course of complying with a subpoena.

The Facts of Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

During May 2004, Byrne started a personal relationship with Andro Mendoza, which lasted four months. At some point between May 2004 and July 12, 2005, the Avery Center provided Byrne with gynecological and obstetrical care and treatment. During the visit she was given the center’s privacy policy regarding protected health information. The policy, and the law, state that a patient’s health information will not be disclosed without their authorization. After Byrne’s relationship with Mendoza ended, she instructed the center not to release her medical records to him.

On May 31, 2005, Mendoza filed paternity actions against Byrne. The Avery Center was served with a subpoena requesting its presence, along with Byrne’s medical records, at Probate Court. The center did not alert Byrne of the subpoena, file a motion to quash or appear in court. Instead, it mailed a copy of Byrne’s medical file to the court.

The Supreme Court of Connecticut’s Holding.

The Supreme Court of Connecticut reasoned that the existence of a state law allowing an individual to file a civil action to protect their privacy does not mean that the law conflicts with the HIPAA penalty provisions. Therefore, the court concluded that HIPAA does not preempt causes of action when they are based on a state common or statutory law due to a healthcare provider’s breach of confidentiality.

The court found that a number of federal and state courts have ruled that a breach of the HIPAA Privacy Rule may be the basis for a breach of a duty of care in state court negligence actions. A patient’s private right of action does not conflict with or complicate a healthcare provider’s compliance with HIPAA. In fact, negligence claims in state courts are furthering HIPAA’s goal of deterring wrongful disclosure of patients’ healthcare information. To view a past blog on a HIPAA violation case in California, click here.

Editors’ Comments on Byrne.

This is the latest of several recent cases where state courts have allowed cases to proceed against health care providers who breached the medical confidentiality of their patients, based in part on the HIPAA Privacy Regulations. In this case, the court correctly held that, although HIPAA does not afford a private right of action by itself, it does establish the duty that is owed by a healthcare provider to its patients to protect their medical information. With this duty being established, the plaintiff can then proceed under a straight negligence tort cause of action.

It is also noteworthy that the HIPAA Privacy Regulations are just one source of “evidence” or standards that can be used to establish the duty owed by medical professionals and theories.

This case also helps to put to rest the spurious defense that HIPAA might “preempt” such a cause of action that is brought under state law. We have seen this theory used by defendants just about any time a federal statute or federal regulation might come into play in a tort law suit. The court correctly determined that this defense theory was not valid.

If anything, HIPAA has better defined and strengthened a duty that has been owed to patients by physicians, nurses, health professionals and health facilities since the time of Hippocrates.

Comments?

What are your thoughts on the Supreme Court of Connecticut’s ruling? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Source:

Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014). From: http://scholar.google.com/scholar_case?case=6869878125055474806&q=Byrne+v.+Avery+Center+for+Obstetrics+and+Gynecology,+P.C.,+102+A.3d+32+(Conn.+2014)&hl=en&as_sdt=40006

About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.
