Violating HIPAA by responding to Yelp

Specializes in Healthcare risk management and liability.

Stung by Yelp Reviews, Health Providers Spill Patient Secrets - ProPublica

This is interesting. I have seen negative Yelp reviews about us that are flatly untrue, or are a unique interpretation of events by the patient. However, you cannot cite the patient's clinical information in writing a rebuttal to the review. Unless of course you have the patient's permission, which I have never been able to obtain for this purpose.

Very interesting indeed. The woman from the article argues her position further in the comments. On a public review site like Yelp, the practitioner has no recourse to false accusations that can severely damage their business... But that's HIPAA.

And I once had a horrendous experience as a patient (long before my RN days, and before the days of Yelp) and it never would have occurred to me to vilify the practitioner publicly like this... But we now live in the days of the internet and all that comes with it. I'm really curious to hear what others in the healthcare field have to say here.

I look at Yelp reviews for restaurants and such, but never really thought about Yelp as related to healthcare. What does the Risk Manager have to say about all this??

Specializes in Healthcare risk management and liability.

Our social media coordinator asks me to look at her responses to the Yelp reviews on occasion, to make sure we are not violating anyone's privacy or engaging in defamatory conduct. Our typical response is something like this: "We are sorry that you did not have a good patient experience with us. We work hard to do a good job for all of our patients. We cannot discuss the details of your care here due to confidentiality laws. Please contact us at xxx-xxx-xxxx or email address so that we can work with you to address your concerns". I think that is about as far as you can go, and it is not a good idea to get into some Yelp flame war with a patient.

These negative Yelp and other reviews for healthcare entities are increasingly common. In my risk management and medical-legal journals, I have read of some parties, usually physicians, that have sued persons posting negative Yelp or other reviews. It is usually for defamation. I understand that the results of these suits are mixed, with some of them being thrown out of court and some of them prevailing. Even if the physician wins, it may be a Pyrrhic victory if the patient does not have sufficient assets or insurance to pay any judgment and legal fees.

I was surprised not to see large fines and/or prison terms for HIPAA violations.

Specializes in Complex pedi to LTC/SA & now a manager.
I was surprised not to see large fines and/or prison terms for HIPAA violations.

If the provider does not bill electronically they are not bound by HIPAA. If they don't participate in Medicare they are not required to submit electronic bills. This is a major loophole not known by many, granted there are not many providers that don't bill electronically.

If the provider does not bill electronically they are not bound by HIPAA. If they don't participate in Medicare they are not required to submit electronic bills. This is a major loophole not known by many, granted there are not many providers that don't bill electronically.

My understanding is that HIPAA covers all protected health information, whether electronic, written, or spoken. Could you tell me where you found this information?

Specializes in Healthcare risk management and liability.
I was surprised not to see large fines and/or prison terms for HIPAA violations.

The Office for Civil Rights, which does the enforcement, prefers not to impose fines. They generally only do it for large-scale breaches, egregious violations of the Regs, or someone selling PHI for profit, as to a newspaper or TV station.

Specializes in Complex pedi to LTC/SA & now a manager.
My understanding is that HIPAA covers all protected health information, whether electronic, written, or spoken. Could you tell me where you found this information?

You are correct about what PHI is protected. The issue is whether HIPAA applies to the agency.

A covered entity must meet a two prong test. You must be a healthcare provider billing for services/doing covered electronic transactions/insurance company/information clearing house AND you must electronically submit claims to insurance. So for example if you sent medical reports to your child's school nurse and the information was disseminated HIPAA would not apply. FERPA would.

"Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards."

Are You a Covered Entity? - Centers for Medicare & Medicaid Services

If the provider or facility does not electronically submit information they are not a covered entity and HIPAA does not apply. An example in above linked article included a psychology practice that revealed diagnoses however since they did not bill insurance electronically HIPAA did not apply.

Covered Entities and Business Associates | HHS.gov

https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

A covered entity must meet a two prong test. You must be a healthcare provider billing for services/doing covered electronic transactions/insurance company/information clearing house AND you must electronically submit claims to insurance. So for example if you sent medical reports to your child's school nurse and the information was disseminated HIPAA would not apply. FERPA would.

"Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards."

Are You a Covered Entity? - Centers for Medicare & Medicaid Services

If the provider or facility does not electronically submit information they are not a covered entity and HIPAA does not apply.

Covered Entities and Business Associates | HHS.gov

https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

In regard to the first part of the two prong test: The CMS Regulations and Guidance link you provided in regard to determining whether one is a covered entity refers to asking whether the person, business or agency furnishes, bills or receives payment for health care during normal business activities. I understand "furnishes" to mean "providing" health care, and read "billing" or "receiving" payment for health care as two separate independent criteria. So either furnishing health care or billing for health care or receiving payment for health care.

Specializes in Complex pedi to LTC/SA & now a manager.
In regard to the first part of the two prong test: The CMS Regulations and Guidance link you provided in regard to determining whether one is a covered entity refers to asking whether the person, business or agency furnishes, bills or receives payment for health care during normal business activities. I understand "furnishes" to mean "providing" health care.

The electronic transactions are the critical part.

Specializes in Complex pedi to LTC/SA & now a manager.
In regard to the first part of the two prong test: The CMS Regulations and Guidance link you provided in regard to determining whether one is a covered entity refers to asking whether the person, business or agency furnishes, bills or receives payment for health care during normal business activities. I understand "furnishes" to mean "providing" health care.

Furnishes AND "but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard"

Providing healthcare services for payment is the first part; they must also transmit information electronically in connection with a transaction.

Specializes in Complex pedi to LTC/SA & now a manager.
In regard to the first part of the two prong test: The CMS Regulations and Guidance link you provided in regard to determining whether one is a covered entity refers to asking whether the person, business or agency furnishes, bills or receives payment for health care during normal business activities. I understand "furnishes" to mean "providing" health care.

Page 7 clarifies electronic transactions:

https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

If a small practice submits manual claims or is a cash only/self pay practice such as some mental health, dermatology and cosmetic surgery practices then they are technically not bound by HIPAA regulations.