While it may sound like common sense to not disclose protected health information (PHI) on social media, this important HIPAA guideline may be overlooked while responding to online reviews or posting to the practice’s Facebook page. To understand what can lead to a HIPAA violation, let’s first review what constitutes PHI. Protected Health Information includes any health information that can be tied to an individual. Examples include full names, medical histories, treatment information, insurance information, addresses, birthdates, social security numbers, and email addresses.
Now let’s assume the practice receives a positive online review. Innocently, you respond to the review with the following: “Janet, thank you very much for the great review. We know you will enjoy the new implants we just placed, and we look forward to fixing that broken crown for you next month.” By responding this way, you just disclosed treatment plan information about the patient, and treatment plans are PHI. A better response would have been to simply respond with, “Janet, we really appreciate the great feedback.”
Let’s assume the practice receives a negative review questioning the doctor’s diagnosis and suggesting that treatment costs are excessive. You unfortunately respond with, “Nick, even though you may think your three teeth do not need crowns, you have clear radiographic evidence of cavities in each tooth. You also have gum disease. You are more at risk for gum disease when you have diabetes. Your MetLife insurance will cover less than you expected because you had a root canal back in the spring and used most of your benefits.”
In this example, multiple types of PHI were disclosed while trying to defend the practice against a negative review. Instead, the practice needed to respond with, “Nick, we are sorry to hear about your experience. We will be in touch to address your concerns.” Then the practice should have followed up with a phone call to the patient to address each concern.
Disclosing PHI is a serious matter. Recently, the Office for Civil Rights of the Department of Health and Human Services settled a HIPAA violation committed by a dental practice in Texas. PHI was disclosed on Yelp while responding to a review. The practice was fined $10,000. The fine could have been much steeper.
Make sure you include social media communication in your next HIPAA training. Also, create a review process before anything is posted on social media. Make sure you are not accidentally disclosing protected health information.