Social Media Mishap Leads to $30,000 Fine for Health Care Provider

When used correctly, social media can be a great tool for sharing the unique services your pharmacy has to offer patients and local community. However, be very cautious about what information is posted on social media because one slip up could land your pharmacy in the crosshairs of an Office for Civil Rights (OCR) investigation.

According to a U.S. Department of Health and Human Services press release on June 5, the OCR opened an investigation after a patient filed a complaint against a New Jersey health care provider specializing in adult and child psychiatric services, alleging the provider improperly disclosed protected health information (PHI). According to the press release, the patient claimed that the health center “posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition.” During the OCR’s investigation, improper disclosure of three additional patients’ information was found in responses to negative online reviews. To settle the complaint, the health care provider agreed to at least two years of monitoring by the OCR, to pay $30,000, and a corrective action plan (including written policies and procedures to meet the HIPAA Privacy Rule, providing additional staff training, issuing individual breach notifications, and issuing a breach notification to the Secretary of Health and Human Services).

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Ensure all social media posts are compliant with the HIPAA Privacy Rule
- Restrict user access to pharmacy social media accounts to trusted personnel with a clear understanding of HIPAA privacy rules
- Use extreme caution when responding to online reviews
PAAS Fraud, Waste and Abuse and HIPAA Compliance members can read section 11.11.5 of their Policy and Procedure Manual for more information regarding Physical Safeguards such as Facility Access Controls; specifically, social media
- Do not permit any unauthorized video/audio in the pharmacy area
- Train staff on methods to mitigate video and/or audio PHI breaches
- Investigate, resolve, and document any potential HIPAA violations (all documents related to HIPAA must be maintained for a minimum of six years from the last effective date)
Refer to the June 2020 Newsline article, Smartphones put Pharmacies at Risk for Inappropriate PHI Disclosures for an additional discussion about protecting PHI

Author
Recent Posts

Sara Hathaway, PharmD

Analyst at PAAS National^®

After graduating from UW-Madison's School of Pharmacy with my PharmD, I spent my first eight years at an independent pharmacy dividing my time between both retail and long-term care. I fell in love with the independent pharmacy world and joined the PAAS team to help independents not only survive, but thrive.

I enjoy assisting pharmacy staff both pre- and post-audit and enjoy providing them with knowledge and tools to decrease audit risk going forward. I write articles for Third-Party Newsline each month and answer member questions daily. I look forward to building professional relationships with each of our members and assisting you with your next audit.

Latest posts by Sara Hathaway, PharmD (see all)

Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare… - May 4, 2024
Numerous Sumatriptan Formulations Cause Headaches for Pharmacies, & Potential Recoupments - April 14, 2024
Be on the Lookout for Eye Drops Requiring Extra Billing Consideration - March 16, 2024