Healthcare Provider Fined $30,000 for Online PHI Disclosure Following Criticism

A healthcare organization faces a $30,000 penalty after violating patient confidentiality by revealing Protected Health Information (PHI) online as a retort to negative reviews. AFTER INVESTIGATING THE INCIDENT, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied the fine.

 The case involved an unnamed provider of child psychiatric services, who responded to negative online reviews by disclosing patients’ PHI publicly. This action violates the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which strictly prohibits exposing such sensitive information without the patient’s consent.

 The HIPAA breach came to light after the OCR received a complaint regarding the public disclosure of PHI by the provider in August 2019. The OCR’s investigation confirmed the violations and led to a $30,000 fine, which the provider agreed to pay.

 The provider also agreed to a corrective action plan that mandates regular reporting to the OCR for two years. The plan involves implementing a series of policies and procedures to ensure this violation doesn’t occur again. Staff members are expected to receive appropriate training to understand the severity of the HIPAA Privacy Rule and its importance in maintaining patient confidentiality.

 This incident underlines the significance of adhering to HIPAA rules and highlights the consequences of non-compliance. Patient trust is essential in healthcare provision, and breaches of this nature can seriously jeopardize that trust. This case should be a stark reminder to healthcare providers about respecting patient privacy and abiding by regulations, even in the face of negative online reviews.


Small healthcare practices can adopt the following strategies to avoid similar penalties and corrective action plans (CAP):

 Understand and comply with HIPAA regulations: Every healthcare practice must fully understand how they apply to their practice. The Health and Human Services (HHS) website provides comprehensive resources that can help.

 Employee Training: Regular and comprehensive training on HIPAA regulations and privacy policies is necessary for all staff members, regardless of their role. Staff should understand the importance of patient confidentiality and how to manage PHI appropriately.

 Proper Use of Social Media and Online Platforms: Healthcare practices must understand the risks associated with social media and online reviews. Any response to a negative review must never include PHI. It’s best to have a standardized and legal procedure for responding to such reviews.

 Develop and Enforce Policies: It’s essential to have a privacy policy in place that adheres to HIPAA guidelines. This should cover every aspect of the practice, including the handling, storage, and transmission of PHI.

 Regular Audits: Regular audits can help identify and rectify any compliance issues before they become major problems. It’s also a good practice to document the results of these audits to show that your practice is continuously complying with HIPAA regulations.

 Use of Secure Systems: Only use secure systems for storing and transmitting PHI. Access to these systems should be limited to only those who need it to perform their duties. Implement robust password protocols and consider two-factor authentication where appropriate.

 Breach Reporting: Develop a plan to report breaches promptly. Immediate reporting is vital if a breach occurs.

Patient Consent: Always get written consent from patients before using or disclosing their PHI for purposes not covered under the HIPAA Privacy Rule.

 By following these steps, a small healthcare practice can enhance compliance with HIPAA regulations and significantly reduce the risk of a penalty or CAP.



The incident of a healthcare provider being fined $30,000 for disclosing PHI online in response to negative reviews underscores the importance of adhering to HIPAA rules and maintaining patient confidentiality. This case exemplifies the severe penalties that can be incurred due to non-compliance with these critical regulations. It serves as a crucial reminder for all healthcare providers that patient trust is paramount in the industry, and protecting patient privacy should always take precedence, irrespective of any negative feedback or criticism they might receive. Therefore, healthcare providers must ensure they have stringent policies in place and provide adequate training to their staff to prevent such violations.


Like this post? Subscribe to receive updates directly in your inbox.