California Dental Practice Pays Financial Penalty for PHI Disclosures on Yelp

The HHS’ Office for Civil Rights (OCR) reported an arrangement with a Californian dental practice to settle multiple HIPAA violations associated with a complaint concerning impermissible disclosures of protected health information (PHI) on Yelp, an online review platform.

Californian general dental practice, New Vision Dental, has offices located in Glendora and South Pasadena. On November 29, 2017, OCR got a complaint stating that Dr. Brandon Au, CEO and owner of New Vision Dental, had published replies to a number of patient reviews on Yelp and had disclosed PHI in the replies. In a few of the reviews, patients were recognized and their complete names were exposed, when they had just used a moniker on the site. Other data purportedly published by Dr. Au contained specific details concerning the patients’ appointments, treatment, and medical insurance when the patients did not share that data publicly.

OCR investigated the impermissible disclosures and conducted an on-site visit to the dental practice. It was confirmed by OCR’s investigators that New Vision Dental had the following violations:

  • Dr. Au did disclose 1impermissibly the PHI of patients on several instances on Yelp.
  • The practice didn’t have the necessary information in its Notice of Privacy Practices
  • The practice did not implement the proper guidelines and procedures with regard to protected health information, such as the disclosure of protected health information on public places and social media websites.

New Vision Dental decided to negotiate the case and paid OCR $23,000 as a financial penalty. It also agreed to follow a corrective action plan to deal with the areas of non-compliance determined by OCR. The practice will be under the supervision of OCR for a span of two years.

According to OCR Director, Melanie Fontes Rainer, this most recent enforcement action of OCR shows how important it is to follow the law even while using social media platforms. Healthcare providers are not allowed to disclose the PHI of their patients when replying to bad reviews online. OCR’s message to HIPAA-covered entities is clear. Entities need to properly protect patients’ PHI. Complaints regarding possible HIPAA violations are taken seriously, irrespective of how big or small the company is.

This financial penalty is the 21st that is enforced by OCR in 2022 to settle HIPAA violations since OCR received the mandate to impose HIPAA compliance.

About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at