$50,000 Civil Monetary Penalty Paid by Dental Practice for Social Media HIPAA Violation
OCR investigated Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice managing offices in Monroe and Charlotte, NC, after a patient filed a complaint in November 2015 alleging an unauthorized disclosure of his protected health information (PHI) in connection with a negative online review of the practice.
On or about September 28, 2015, the complainant used a pseudonym to protect his privacy and posted a negative review on UPI’s Google page. UPI replied to the review and stated that the patient's allegations were unsubstantiated; however, UPI knew who the patient was and, in its reply, stated the patient’s complete name three times, the conditions the patient was experiencing, and the treatment that was advised but not given.
OCR investigated the complaint and in July 2016 requested records from UPI about its guidelines and procedures addressing replies to online reviews and social media, uses and disclosures of PHI, protecting PHI, and details of the HIPAA training that was given before, and in response to, the incident. UPI confirmed that a reply had been published on the Google page, but provided OCR only with its notice of privacy procedures.
In August 2016, OCR advised UPI that its posted reply to the review breached the HIPAA Privacy Rule and that it had made an impermissible disclosure of PHI. UPI was directed to remove its reply to the review and to implement its policies and procedures, if they had not already been implemented. This applied to both online feedback and social media posting. In 2017, OCR asked for a copy of the policies and procedures and once more advised UPI to remove its reply to the review.
Only an acknowledgment of training was given to OCR, and it did not include the training material. The reply to the review was not removed. OCR then requested financial statements to use in deciding on a suitable financial penalty; however, UPI declined to provide them, saying they were not related to HIPAA. After OCR told UPI why they were needed, UPI replied in September 2017, refused to provide the documents, and added the statement “I will see you in court”.
After UPI received and refused to respond to an administrative subpoena requesting policies and procedures, training, balance sheets, revenue statements, statements of cash flow, and federal tax returns, and failed to answer further communications, OCR obtained the consent of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of willful disregard without correction.
Dental Practice Pays $62,500 for Impermissible Disclosure of PHI for Advertising Reasons
OCR investigated Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice located in Fairhope, AL, over an impermissible PHI disclosure. Dr. David Northcutt, the manager and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt hired a campaign manager and a third-party marketing firm to help with the state senate election campaign. The campaign manager was given an Excel spreadsheet that contained the names and addresses of 3,657 individuals, and letters were sent to those people to inform them that Dr. Northcutt was running for state senate. The email addresses of those individuals, together with the email addresses of another 1,727 individuals, were provided to the marketing business Solutionreach to send a campaign email.
OCR confirmed that the sharing of PHI with the campaign manager and with the third-party marketing business were impermissible PHI disclosures. OCR additionally determined that Northcutt Dental failed to designate a HIPAA Privacy Officer prior to November 14, 2017, and that policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The violation was settled, and Northcutt Dental agreed to pay a $62,500 fine and implement a corrective action plan to address the alleged areas of non-compliance.