OCR HIPAA Settlement Warns Providers & Other HIPAA Entities Against Unauthorized Responses To Online Reviews

Health care providers and health plans frustrated by unfavorable social media or other online reviews should heed the schooling, announced June 5, 2023, that Manasa Health Center, LLC (“Manasa”) received from the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) for its response to a patient’s negative online review.

The Manasa Resolution Agreement and Corrective Action Plan (“settlement”) adds social media and other internet reviews to previous OCR warnings to health care providers, health plans and health care clearinghouses and their business associates about their responsibility when dealing with media or other public discourse about patients or health care concerns not to share or disclose protected health information without appropriate authorization under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The settlement results from a complaint received by OCR in April 2020, alleging that Manasa violated the HIPAA Privacy Rule by impermissibly disclosing the protected health information of a patient when it responded to the patient’s negative online review.

HIPAA Generally Prohibits Unauthorized Disclosure

HIPAA requires health care providers, health plans, health care clearinghouses and their business associates to keep confidential and prohibits disclosure of protected health information of individuals except as specifically allowed by the HIPAA Privacy Rule. Absent a HIPAA-compliant authorization from the patient or his or her personal representative, HIPAA’s rules do not allow providers or other HIPAA covered entities to disclose or discuss protected health information to respond to negative reviews or other public discussions about care or other matters. Since HIPAA only treats disclosures of protected health information as “authorized” when the disclosure is made pursuant to a written authorization that meets the detailed requirements of HIPAA for authorization, this prohibition extends to communications by health care providers or other HIPAA covered entities in response to negative reviews or other public discussions prompted by patient reviews or other discussion of the patient.

Manasa Responded To Negative Online Review

OCR opened an investigation in response to a complaint by a patient alleging that Manasa, a psychiatric care provider, posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition. In addition to the patient who filed the complaint, OCR’s investigation found that Manasa impermissibly disclosed the protected health information of three other patients in response to their negative online reviews. OCR’s investigation also found that Manasa Health Center failed to implement HIPAA Privacy policies and procedures. To resolve these HIPAA violation charges, Manasa paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations. OCR will oversee and monitor Manasa’s implementation of the corrective action plan for two years to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps:

  • Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,
  • Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,
  • Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
  • Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.

When announcing the Manasa settlement, OCR cautioned other health care providers, health plans and other HIPAA covered entities against sharing patient protected health information on social media or the internet in response to negative reviews or otherwise.  “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

The warning to health care providers and other HIPAA covered entities not to make or share unauthorized disclosures of protected health information when responding to social media or other internet reviews supplements previous OCR warnings and enforcement against HIPAA covered entities for improper disclosure of protected health information in other media.  See, e.g. Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital (April 21, 2016). 

In fact, this is not the first health care provider OCR has nailed for sharing protected health information online. In 2016, for instance, OCR required Complete P.T., Pool & Land Physical Therapy, Inc. to pay $25,000 and implement a compliance plan for impermissibly posting patient testimonials without appropriate authorization.  

As the Complete P.T., Pool & Land Physical Therapy, Inc. settlement illustrates, the prohibition against unauthorized disclosure of protected health information is not limited to responding to accusations or other unfavorable feedback about the health care provider or other HIPAA covered entity. Rather, HIPAA prohibits any unauthorized disclosure to the public or others, whether made to respond to unfavorable claims or to tout or share positive feedback. This means that in addition to abstaining from sharing protected health information in response to negative social or other public discussion about a patient or care concern, health care providers and other covered entities also should ensure proper HIPAA-compliant authorization is obtained before any positive patient reviews, endorsements or other public use or disclosure of patient protected health information is made public. Health care providers and other covered entities should consult with legal counsel experienced with HIPAA and other applicable rules to confirm the defensibility of both their practices for responding to public reviews posted by patients and others on social media or other platforms and their practices for using and sharing patient reviews and other information on the provider or other covered entity’s website, social media, marketing or other public communications.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and its rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™
