
Case briefs — Online patient privacy

These case studies are based on alleged violations of patient privacy on social media and the web. The cases show how actions by physicians or their employees led to the allegations, and how risk management techniques may have prevented the violations.

Case 1: Improper response on social media

A dental practice in Dallas was recently fined $10,000 by the Office of Civil Rights (OCR) after publishing protected health information (PHI) in response to a patient review on Yelp, a social media platform.

In a complaint filed with the OCR, a patient reported that the dental practice posted their name, details of their treatment plan, insurance, and cost information in a comment on the Yelp review page.

While investigating the complaint, the OCR discovered that the practice had responded to several patient reviews on Yelp and revealed patient information in the process.

“Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews,” said OCR Director Roger Severino.

The OCR also found that the dental practice did not have policies or procedures addressing the release of PHI on social media or public platforms. The practice also failed to create a sufficient Notice of Privacy Practices.

Along with the $10,000 fine, the practice implemented a corrective action plan with the following requirements.

  • develop, maintain, and revise federally approved PHI policies and standards and distribute them to all employees;
  • train employees on PHI policies and procedures;
  • revise policies and procedures annually;
  • revise authorization forms and the Notice of Privacy Practices to comply with the HIPAA Privacy Rule;
  • identify employees who must be contacted in the event of a HIPAA violation or questions; and
  • apply sanctions to those who fail to comply with policies.

Risk management considerations

As more people go online to research products and services, online reputation management has become increasingly relevant for physicians. Online reputation management often involves addressing reviews on sites like Yelp.

Because of the HIPAA Privacy Rule, physicians cannot respond to online reviews in any way that reveals PHI. Even if a patient discloses their own personal information in a review, physicians cannot respond with the same level of disclosure.

What you CAN do

  1. Speak in person with the patient who wrote the review. Listening to the patient will allow you to thoroughly understand their feedback and propose productive solutions. Sometimes, patients will remove negative reviews after a face-to-face conversation, and may even post a positive review to show the practice is listening. 
  2. If you choose to respond to the complaint, reply with something general that moves the discussion offline. “At our medical practice, we strive to provide the highest levels of patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. If you are a patient and have questions or concerns, please contact us directly at [phone number].”
  3. One bad review will not destroy your reputation. People who browse online reviews typically do not consider one bad review as representative of the practice.

What you CANNOT do

  1. Respond impulsively. Wait and respond in a measured, productive way.
  2. Disclose any information about the patient. Even acknowledging that the reviewer is a patient is a violation of HIPAA.
  3. Ignore criticism. Instead, take criticism as an opportunity to improve your practice or your policies from the patient’s point of view.
  4. Avoid online reviews. Most online reviews are positive.


Case 2: Patient identified on surgeon’s website

A plastic surgeon’s website featured “before and after” photos of patients. The patients’ names were not used and the photos were posted in a way that preserved patient anonymity.

However, unknown to the plastic surgeon and his staff, the patients’ names had not been removed from the meta tags associated with the photos. Meta tags are descriptors in a page’s HTML that tell search engines what the page contains. They are not rendered on the page, but they are visible in the page’s HTML source and are indexed by search engines.

The issue was discovered when a patient performed a Google search on herself and her images from the plastic surgeon’s site appeared in the search results. Although he was told about the meta tag issue, the plastic surgeon did not immediately remove the photos.

Fifteen patients filed lawsuits against the plastic surgeon. The Office of Civil Rights also investigated the plastic surgeon for possible HIPAA violations.

Risk management considerations

  • Obtain patient consent to take photographs. Specify how you plan to use the photos (e.g., medical records only, marketing, website, journal article) on the consent form.
  • Do not name or save photo files with any of the identifiable information (described below) in any publicly accessible area. (Clearly, if you are just adding photos to medical records, they can contain identification.)
  • Audit photos that have been added to your website. Check the site page for tags, meta tags, keywords, or anything that could be used to identify patients.
  • Do not store photos of patients on an unencrypted device, such as a camera, cell phone, tablet, or personal laptop.
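The audit step above can be automated. The script below is an added example, not code from the case brief or from any practice described in it: using only the Python standard library, it checks the two places an identifier can leak without ever being visible on the rendered page, namely indexable HTML attributes (meta content, image file names, alt and title text, link targets) and the JPEG application segments where EXIF, IPTC and XMP metadata are stored. The patient roster, the sample page and the sample image are constructed for the example; a real audit would feed names from the practice's own records and read the files from the site's gallery directory.

```python
"""Audit web-facing photo assets for patient identifiers hidden in metadata.

Added example, not code from the case brief. It checks two places an identifier can
leak without ever being visible on the rendered page:
  1. HTML attributes that search engines index (<meta content>, <img src/alt/title>, <a href/title>)
  2. JPEG application/comment segments, where EXIF, IPTC and XMP metadata live
The patient roster and the sample page/image are constructed for the example.
"""
import re
import struct
from html.parser import HTMLParser

# Constructed roster; a real audit would pull names from the practice's own records.
PATIENT_NAMES = ["Jane Doe", "John Roe"]


def _norm(text):
    """Lower-case and collapse punctuation so 'john_roe_before.jpg' matches 'John Roe'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def _name_hits(text, names):
    """Return every roster name that appears as whole words inside text."""
    haystack = f" {_norm(text)} "
    return [n for n in names if f" {_norm(n)} " in haystack]


class _MetaAudit(HTMLParser):
    """Collect (tag, attribute, name) for attribute values that search engines index."""
    WATCH = {
        "meta": ("name", "property", "content"),
        "img": ("src", "alt", "title"),
        "a": ("href", "title"),
    }

    def __init__(self, names):
        super().__init__()
        self.names = names
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and attr in self.WATCH.get(tag, ()):
                for hit in _name_hits(value, self.names):
                    self.findings.append((tag, attr, hit))


def audit_html(html, names):
    """Return a list of (tag, attribute, matched name) for one HTML document."""
    parser = _MetaAudit(names)
    parser.feed(html)
    return parser.findings


def scan_jpeg_segments(data, names):
    """Walk the marker segments that precede JPEG image data and report name hits
    in APP0..APP15 and COM payloads (EXIF and XMP use APP1, IPTC uses APP13)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            label = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            # Pull printable ASCII runs out of the binary payload and match them against the roster.
            for chunk in re.findall(rb"[\x20-\x7e]{4,}", payload):
                for hit in _name_hits(chunk.decode("ascii"), names):
                    findings.append((label, hit))
        pos += 2 + length
    return findings


# --- constructed samples (not real pages or patients) ---------------------

SAMPLE_HTML = """<html><head>
<meta name="keywords" content="rhinoplasty, before and after, Jane Doe">
</head><body>
<img src="/gallery/before_after_042.jpg" alt="rhinoplasty before and after">
<img src="/gallery/john_roe_before.jpg" alt="John Roe, six weeks post-op">
</body></html>"""


def make_sample_jpeg(comment):
    """Build a minimal constructed JPEG: SOI, one APP1 (EXIF-style) segment, SOS, EOI."""
    payload = b"Exif\x00\x00" + comment.encode("ascii")
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\x00" * 4 + b"\xff\xd9"


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, PATIENT_NAMES):
        print("HTML leak:", finding)
    for finding in scan_jpeg_segments(make_sample_jpeg("Patient: Jane Doe"), PATIENT_NAMES):
        print("JPEG leak:", finding)
```

Run against the constructed sample, the HTML audit flags the keywords meta tag, the image file name and the alt text, and the JPEG scan flags the name embedded in the APP1 segment; an image whose metadata contains no roster name produces no findings. Matching is done on normalized whole words, so underscores and punctuation in file names do not hide a name, and a roster name that is a substring of an unrelated word is not reported.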

When it comes to publishing patient photos, certain HIPAA requirements must be met. If patient photos are completely de-identified, HIPAA requirements are satisfied. If patient photos are not de-identified, written authorization from the patient is required to post or share the photos.