Dental Practice To Pay $10,000 for Impermissible Discolsure of PHI on Yelp

The Department of Health and Human Services’ Office for Civil Rights consented to a negotiation with Elite Dental Associates concerning its HIPAA violation case relating to the impermissible disclosure of protected health information (PHI) of a number of patients when replying to patient comments on the Yelp review webpage.

Elite Dental Associates located in Dallas, TX is a private dental practice which offers services in general, cosmetic and implant dentistry. OCR obtained a complaint from an Elite Dental Associates patient on June 5, 2016 concerning a social media HIPAA violation. As per the patient, a reply by the dental practice to feedback she wrote on Yelp disclosed certain PHI openly.

When answering the patient’s write-up on June 4, 2016, Elite exposed the surname of the patient together with information on her health problem, treatment program, cost, and insurance plan details.

The investigators publicly affirmed that claim to be true and likewise learned that it wasn’t the first instance that the dental practice had shared sensitive information without consent on the social network when replying to patient comments. There are other impermissible data disclosures seen on the Elite review webpage.

Aside from the impermissible PHI disclosure, which is a breach of 45 C.F.R. § 164.502(a), OCR decided that Elite did not follow policies and procedures associated with PHI, specifically the disclosure of PHI on social network and other open platforms, violating 45 C.F.R. § 164.530(i). Elite furthermore did not have in its Notice of Privacy Practices the minimum mandatory content as specified in (45 C.F.R. § 164.520(b)) HIPAA Privacy Rule.

OCR gave a HIPAA violation penalty amounting to $10,000 and demanded a corrective action plan (CAP) to deal with the claimed HIPAA violations and resolve the HIPAA violation case without admitting liability. The three likely HIPAA violations may have pulled in a significantly bigger financial penalty; nonetheless, OCR considered the practice’ financial standing, its size, and its assistance in the OCR investigation prior to making a decision on the suitable financial penalty.

Patient’s care shouldn’t be spoken of on social media. Doctors and dentists ought to think thoroughly regarding patient privacy prior to replying to online comments.

This is the number 4 OCR HIPAA settlement in 2019. Bayfront Health St Petersburg paid OCR $85,000 for a HIPAA Right of Access failure in September. There were 2 settlements in May, which involved the payment of $100,000 by Medical Informatics Engineering and $3,000,000 by Touchstone Medical Imaging.

About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at