HHS Reaches Settlement After NJ Provider’s HIPAA Violation

June 05, 2023

The HHS Office of Civil Rights (OCR) recently made public the resolution of a settlement agreement with Manasa Health Center of New Jersey – a provider of psychiatric services. 

Reports from an investigation revealed that Manasa Health Center violated the HIPAA Privacy Rule by disclosing patients’ protected health information (PHI) to respond to negative online reviews.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is an essential safeguard designed to protect PHI, maintain the confidentiality of sensitive health records, and preserve patient trust. It sets standards and guidelines for using and disclosing PHI by healthcare providers and their business associates. Violations can lead to severe consequences, such as damaged reputations and even significant financial losses.

Improper Disclosure: Manasa Health Center Violation of Patient Privacy

Following an official complaint filed with OCR in April 2020 and the subsequent investigation, it was discovered that Manasa Health Center had inappropriately disclosed PHI belonging to four patients. The breach occurred when Manasa responded to negative reviews that patients had posted on Google Reviews with specific medical details about those patients’ diagnoses or mental health conditions, in violation of the HIPAA Privacy Rule, which mandates protecting sensitive patient data.

This incident has both violated patients’ privacy and exposed them to potential harm. Patients trust healthcare providers with their sensitive health data, so any unwarranted disclosure can erode that trust, leading to reputational damage, emotional distress, and even discrimination or stigmatization for those involved.

Investigation Unveils Breach: Protected Health Information Exposed

OCR’s investigation also revealed that Manasa Health Center had failed to implement the privacy and breach notification policies required under HIPAA. Patient privacy violations caused by disclosures in response to negative online reviews are an increasing issue. Healthcare providers must abide by this federal law to protect patient confidentiality. In any circumstance, unauthorized disclosure in response to online or offline reviews infringes upon patients’ rights and clearly violates the standards set by HIPAA.

Financial Penalty: Manasa Health Center Pays $30,000 Settlement to OCR

As part of their investigation, Manasa Health Center agreed to pay OCR a settlement sum of $30,000. This fine serves as a deterrent against future violations and underlines the severity of this breach, further demonstrating HHS’ commitment to upholding the HIPAA Privacy and Security Rule.

Manasa Health Center must also develop and implement a corrective action plan (CAP) to address HIPAA Privacy Rule violations and improve compliance. The plan involves revising policies to conform with HIPAA Privacy Rules; training staff members on privacy and security policies; issuing breach notices; or offering compensation to those affected by such disclosures of PHI without authorization.

The CAP serves as an opportunity for Manasa Health Center to enhance its privacy practices, promote awareness, and prevent future breaches. Healthcare organizations must prioritize patient privacy and take the necessary measures to comply with the HIPAA Privacy Rule.

OCR Director Melanie Fontes Rainer stressed the importance of protecting patient privacy when responding to online reviews. She stated, “OCR continues to receive complaints about healthcare providers disclosing their patient’s protected health information on social media or the internet in response to negative reviews. Simply put, this is not allowed.” Rainer further highlighted that such activities violate patient trust, compromise confidentiality, and are clear violations of both patient rights and the law.

Manasa Health Center’s settlement was part of a broader trend regarding improper disclosure of PHI due to negative online reviews. In December 2022, OCR reached an agreement with New Vision Dental, a California dental practice accused of disclosing PHI due to negative Yelp reviews. Part of that settlement agreement included paying $23,000 as well as creating and implementing a CAP to rectify and ensure future compliance.

Securing Patient Trust and Privacy

The HHS settlement with Manasa Health Center serves as an important reminder to healthcare providers about the critical nature of adhering to the HIPAA Privacy Rule. When patient confidentiality is violated through the unapproved release of protected health information, trust and laws are broken, jeopardizing a patient’s right to privacy.

OCR remains dedicated to investigating and responding to privacy breaches within healthcare, striving to maintain high standards of privacy and security for patients. The case also shows that healthcare organizations should prioritize patient privacy and keep their patients’ trust by adopting robust security policies aligned with HIPAA regulations.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
