$50,000 Civil Monetary Penalty Issued to Dental Practice for Social Media HIPAA Violation
OCR investigated Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice operating offices in Charlotte and Monroe, NC, after a patient filed a complaint in November 2015 about an unauthorized disclosure of his protected health information (PHI) in connection with a damaging online review of the dental practice.
On or about September 28, 2015, the complainant used a pseudonym to protect his privacy and posted an unfavorable comment on UPI’s Google page. UPI responded to the review and said the patient's claims were unsubstantiated. In its reply, however, UPI identified the patient, mentioning the patient’s full name three times along with the issues the patient was suffering from and the treatment that was suggested but not delivered.
OCR reviewed the complaint and, in July 2016, asked UPI for documentation of its policies and procedures covering responses to online comments and social media, uses and disclosures of PHI, and the safeguarding of PHI, along with details of the HIPAA training that was provided before, and in response to, the incident. UPI confirmed that a reply had been published to the Google page but gave OCR only its notice of privacy practices.
In August 2016, OCR told UPI that its posted reply to the review violated the HIPAA Privacy Rule and constituted an impermissible disclosure of PHI. UPI was instructed to delete its reply to the review and to implement its policies and procedures if they had not already been implemented. This action covers both online reviews and social media posts. In 2017, OCR asked for a copy of the policies and procedures and once again instructed UPI to delete the reply to the review.
Only an acknowledgment of training was given to OCR, and it did not include any of the training content. The reply to the review was not deleted. OCR then requested financial statements to be used in determining an appropriate financial penalty; however, UPI declined to provide them, stating they were not related to HIPAA. After OCR explained to UPI why they were necessary, UPI answered in September 2017, refused to provide the information, and included the statement “I will see you in court”.
After UPI received and failed to act on an administrative subpoena requiring the provision of policies and procedures, training, balance sheets, earnings statements, federal tax returns, and statements of cash flow, and failed to respond to additional communications, OCR obtained the agreement of the Attorney General of the United States and issued a civil monetary penalty of $50,000 under the penalty tier of willful negligence with no correction.
Dental Practice Penalized $62,500 for Impermissible Disclosure of PHI for Promotional Purposes
OCR investigated Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice based in Fairhope, AL, over an impermissible disclosure of PHI. Dr. David Northcutt owns and operates Northcutt Dental and was a candidate for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing firm to support the state senate election campaign. The campaign manager received an Excel spreadsheet that contained the names and addresses of 3,657 individuals, and letters were sent to those people to tell them that Dr. Northcutt was a state senate candidate. The email addresses of those individuals, as well as the email addresses of an additional 1,727 individuals, were provided to the marketing firm Solutionreach to distribute a campaign email.
OCR determined that the disclosures of PHI to the campaign manager and the third-party marketing firm were impermissible disclosures of PHI. OCR also confirmed that Northcutt Dental did not appoint a HIPAA Privacy Officer prior to November 14, 2017, and that policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was resolved, with Northcutt Dental paying a $62,500 penalty and carrying out a corrective action plan to address the alleged areas of noncompliance.