Dr. U. Phillip Igbinadolor runs a dental practice in North Carolina. In October 2013 and March 2014, a patient visited the practice for treatment. Around September 28, 2015, the patient posted a negative online review on Google, using a partial alias. Around September 28, 2015, the practice responded, disclosing the patient’s real name, unmasking the alias:
“It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”
On November 15, 2015, the former patient filed a complaint with the Office of Civil Rights (OCR).
OCR requested documents from the practice, including:
- A copy of the practice’s policies and procedures with respect to responding to patients’ reviews on online platforms;
- A copy of policies and procedures with respect to uses and disclosures of Protected Health Information (PHI);
- A copy of the practice’s policies and procedures with respect to safeguarding PHI; and
- Documentation of any HIPAA training conducted prior to, and in response to, the incident described in the complaint.
Within a week, the practice confessed it did respond to the online negative review.
The practice delivered the requested Notice of Privacy Practices, but “no policies and procedures or documentation of training was provided.”
Fast forward to August 22, 2016.
OCR and the practice spoke by phone.
OCR informed the practice that its response to the negative review constituted an impermissible disclosure of Protected Health Information (PHI), and the practice should remove its response promptly. Further, OCR also informed the practice that it should, if it did not currently have such, develop policies and procedures related to the disclosures of PHI and more specifically with regard to disclosures of PHI on social media.
Fast forward to April 3, 2017.
OCR requested the practice’s policies and procedures regarding disclosures of PHI on social media and the removal of the practice’s response to the negative review on its Google page. The practice had been “warned” eight months earlier and given the roadmap to avoiding further trouble.
On April 14, 2017, in its response, [the practice] provided an Acknowledgment of Training, which did not contain any documents about the contents of the training (e.g., PowerPoint slides). [the practice] did not remove the PHI from its Google page, and the response remains public as of the date of this Notice. Further, no social media policies and procedures or any policies and procedures regarding disclosures of PHI were provided.
Was the investigation closed?
In trying to determine the appropriate “penalty”, OCR requested financial statements and tax returns.
In determining the amount of any [Civil Monetary Penalty], OCR considers, among other factors, the financial condition of the covered entity, whether the covered entity has financial difficulties that may affect its ability to comply, whether the imposition of a [Civil Monetary Penalty] would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care, and the size of the covered entity, pursuant to 45 C.F.R. § 160.408.
The practice refused, arguing such financial information had nothing to do with HIPAA.
OCR repeated its demand.
On September 29, 2017, [the practice] refused to provide the data that OCR requested and responded, in pertinent part, “I will see you in court.”
On November 30, 2017, OCR served the practice with an administrative subpoena.
The practice allegedly did not respond to or object to the subpoena.
Did OCR stand down?
On August 22, 2019, OCR mailed what is euphemistically called a “Letter of Opportunity.” This letter noted that OCR had been unable to resolve a perceived Privacy Rule problem informally, despite numerous attempts. The letter asked for any affirmative defenses or mitigating factors to soften the looming Civil Monetary Penalty. The letter also stated the practice could submit evidence supporting a waiver for non-compliance. I cannot imagine what might allow for such a waiver. Perhaps being incapacitated on a ventilator in an ICU and unable to tend to such mundane tasks as the Privacy Rule.
No response landed in OCR’s mailbox.
OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a [Civil Monetary Penalty].
The proposed penalty: $50k
This Notice was sent to the practice on October 22, 2020.
Notice of Final Determination of $50k was sent to the practice on June 1, 2021.
Consequences for Non-Payment. In the event that payment is not received upon [the practice’s] receipt of this Notice of Final Determination, the amount of the penalty may be deducted from any sum then or later owing by the United States or by a State agency, and a civil action may be brought in the United States District Court to recover the amount of the penalty.
The Department of Health and Human Services published its enforcement action on March 28, 2022. Almost seven years after responding to the negative review. What are the lessons learned?
- It probably feels good to win an online debate. Still, resist the impulse to tell your side of the story if doing so will reveal any protected health information. Merely disclosing that a poster is your patient is an impermissible disclosure of protected health information. This is true even if the patient has already “outed” themselves as your patient. The only exception: If the patient has given prior written authorization to disclose protected health information. Or a statutory exception – which almost never applies to the online world. I know it’s unfair, but please don’t kill the messenger.
- There ARE ways to respond broadly to online criticism without revealing any protected health information. This needs to be done carefully.
- OCR may move slowly, but it will not go away. If they are looking for information or remediation, it’s better to provide what is expected. OCR already has rules in place expecting that practices will have a Notice of Privacy Practices, periodically train staff in privacy best practices, and regularly perform a “risk assessment” to determine technical and human vulnerabilities for privacy breaches. Once an investigation is opened, you can expect a request for this supporting documentation. Putting it together after the investigation has been opened is too late.
- If OCR tells you to remove a response to a negative review because it reveals protected health information, the vast majority of times it is cost-effective to just remove it.
- Ignoring the OCR and hinting they should pound sand is not an effective financial strategy.
Some lessons take time to be absorbed.
On March 30th, 2022, this is what Google displayed.
More recently, the practice thanked a patient for a critical one-star review.
A question to our readers. Do you believe OCR will have more to say to this practice? Or will they move on? What do you think?
This article was written by ByrdAdatto partner, and Medical Justice Founder Jeff Segal, MD, JD.