In recent years, the term “HIPAA violation” has been thrown around a lot, often incorrectly. People have cited the law protecting patients’ health information as one reason they can’t be asked if they’re vaccinated or get a doctor’s note for an employer.
But asking someone if they’ve been vaccinated isn’t actually a HIPAA violation. It’s fine, and not illegal, for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged in and responded with his own message on the Google page, saying that the patient had missed scheduled appointments. “Does he deserve any appreciation as a patient? Not even one star,” wrote Igbinadolor, according to the notification of intended decision describing the violation. (For the curious, the redacted HIPAA-violating Google post is on page 3.)
In the post, he used the patient’s full name and described in detail the specific dental problem he was experiencing: “excruciating pain” of the lower left quadrant, which resulted in a referral for a root canal.
That’s what a HIPAA violation actually looks like. The law says health care providers and insurance companies cannot share identifiable personal information without a patient’s consent. In this case, the dentist (a health care provider) publicly shared a patient’s name, medical condition, and medical history (personal information). As a result, the office received a $50,000 fine.
This is not uncommon: 2016 research by ProPublica found that doctors regularly provide details about patients’ health in response to negative Yelp reviews. And in 2019, another dentist received a $10,000 fine for posting multiple patients’ information on Yelp.
The Office of Civil Rights at the Department of Health and Human Services, which enforces HIPAA, asked to see the internal policies and procedures of the Igbinadolor office around personal health information and social media. By the fall of 2020, the office had not yet delivered anything. The office should probably implement one simple policy to prevent something like this from happening again: Even if a patient is annoying, never post.
SOURCE – www.theverge.com