Social Media Mishap Leads to $30,000 Fine for Health Care Provider

When used correctly, social media can be a great tool for sharing the unique services your pharmacy offers to patients and the local community. However, be very cautious about what information is posted on social media, because one slip-up could land your pharmacy in the crosshairs of an Office for Civil Rights (OCR) investigation.

According to a U.S. Department of Health and Human Services press release on June 5, the OCR opened an investigation after a patient filed a complaint against a New Jersey health care provider specializing in adult and child psychiatric services, alleging the provider improperly disclosed protected health information (PHI). According to the press release, the patient claimed that the health center “posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition.” During the OCR’s investigation, improper disclosure of three additional patients’ information was found in responses to negative online reviews. To settle the complaint, the health care provider agreed to pay $30,000, to at least two years of monitoring by the OCR, and to a corrective action plan (including written policies and procedures to meet the HIPAA Privacy Rule, providing additional staff training, issuing individual breach notifications, and issuing a breach notification to the Secretary of Health and Human Services).

PAAS Tips:

  • Ensure all social media posts are compliant with the HIPAA Privacy Rule
    • Restrict user access to pharmacy social media accounts to trusted personnel with a clear understanding of HIPAA privacy rules
    • Use extreme caution when responding to online reviews
  • PAAS Fraud, Waste and Abuse and HIPAA Compliance members can read section 11.11.5 of their Policy and Procedure Manual for more information regarding Physical Safeguards such as Facility Access Controls; specifically, social media
    • Do not permit any unauthorized video/audio in the pharmacy area
    • Train staff on methods to mitigate video and/or audio PHI breaches
    • Investigate, resolve, and document any potential HIPAA violations (all documents related to HIPAA must be maintained for a minimum of six years from the last effective date)
  • Refer to the June 2020 Newsline article, “Smartphones put Pharmacies at Risk for Inappropriate PHI Disclosures,” for an additional discussion about protecting PHI
Sara Hathaway, PharmD