Tag: HIPAA

Think Twice Before Responding to That Negative Online Review

Post author By WadeEmmert
Post date April 8, 2025

It’s natural to want to defend your practice—especially when a negative online review feels unfair, misleading, or outright false. But for healthcare providers, responding to a bad review isn’t just a public relations concern—it’s a legal one. You could be walking straight into a HIPAA violation.

Under HIPAA—and many state privacy laws—healthcare providers are prohibited from disclosing patient health information to unauthorized individuals. This includes not only obvious disclosures, such as a diagnosis or treatment details, but also something as seemingly harmless as confirming that someone is a patient. Even a simple statement like, “I’m sorry you felt that way about your visit,” could be interpreted as a disclosure of protected health information (PHI).

So what should you do when confronted with a negative review?

First, decide if it’s worth responding at all. Not every negative review needs a response. Sometimes, the most strategic move is to let it go. However, if the review contains false or defamatory statements, you may want to contact the review platform and request that it be removed in accordance with their content policies.

If you do choose to respond, you can still do so in a way that protects patient privacy. A compliant response should acknowledge that your practice takes concerns seriously, reaffirm your general commitment to quality care, and invite the individual to contact your office directly to discuss the matter further. This approach demonstrates professionalism without crossing any legal boundaries.

What you should never do is reference the reviewer’s condition, visit, or any personal detail—no matter how vague it seems. Likewise, avoid blaming the patient, even if you feel their account is inaccurate or incomplete. Comments like, “You missed several appointments” or “You didn’t follow the treatment plan,” are not only unprofessional—they may constitute a HIPAA violation.

Also, don’t get pulled into an online back-and-forth. Responding more than once can escalate tensions, increase the risk of disclosing sensitive information, and reflect poorly on your practice. One thoughtful, respectful response is enough.

Finally, remember that your response is not just for the reviewer—it’s for everyone else reading it. Potential patients will form impressions about your professionalism, judgment, and values based on how you handle criticism. Always be polite, measured, and HIPAA-compliant. A negative review can be frustrating—but turning it into a HIPAA violation is far worse. Stay calm, stay professional, and when in doubt, don’t respond publicly at all.

Tags HIPAA

Health Law Highlights

Online Tracking Technologies and HIPAA Misconceptions

Post author By WadeEmmert
Post date July 28, 2024

Summary of article from IAPP, by John Haskell:

Misconceptions persist about the use of online tracking technologies (OTTs) for marketing under HIPAA compliance. HIPAA mandates that covered entities must obtain explicit authorization from individuals before using or disclosing their personal health information (PHI) for marketing purposes. Simply signing a Business Associate Agreement (BAA) does not ensure compliance, particularly when PHI is involved. The U.S. Department of Health and Human Services (HHS) has clarified that disclosures of PHI to tracking technology vendors without proper authorizations are impermissible. Additionally, business associates are prohibited from using PHI for their own purposes, such as marketing campaigns. Compliance with HIPAA requires obtaining valid authorizations and adhering to specific guidelines, rather than relying solely on BAAs. Understanding these requirements is crucial to avoid regulatory issues.

Tags Data Privacy, HIPAA

Health Law Highlights

P-R-I-V-A-C-Y is Priceless to Me: The 2024 Privacy Rule

Post author By WadeEmmert
Post date July 28, 2024

Summary of article from Holland & Hart, by Leslie Thomson:

The Department of Health and Human Services has issued the 2024 Privacy Rule, amending HIPAA privacy regulations to restrict the use or disclosure of an individual’s Protected Health Information (PHI) related to reproductive healthcare for certain non-healthcare purposes. This rule aims to protect individual privacy and trust in healthcare providers by prohibiting the use of PHI for criminal, civil, or administrative investigations or liabilities concerning lawful reproductive healthcare activities. Covered entities must update workforce training, HIPAA policies, procedures, and business associate agreements by December 23, 2024. Additionally, the Notice of Privacy Practices must be revised by February 16, 2026, to reflect these changes and address proposals related to the Confidentiality of Substance Use Disorder (SUD) Patient Records.

Tags HIPAA, Reproductive Rights

Health Law Highlights

Does HIPAA Apply to Veterinarians?

Post author By WadeEmmert
Post date July 25, 2024

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA does not apply to veterinarians because they do not conduct electronic healthcare transactions for which the Department of Health and Human Services has adopted standards, thus not qualifying as HIPAA covered entities. However, veterinarians are subject to various state-level data privacy and breach notification laws that resemble HIPAA regulations. For instance, California law prohibits the unauthorized disclosure of information concerning animal patients and their owners, with specific exceptions. Additionally, veterinarians handling data of EU citizens must comply with the GDPR. The American Veterinary Medical Association (AVMA) provides guidelines to help veterinarians navigate these diverse data privacy regulations.

Tags HIPAA

Health Law Highlights

OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack

Post author By WadeEmmert
Post date July 14, 2024

Summary of article from King & Spalding, by Elizabeth Kimball Key:

On July 1, 2024, the HHS Office of Civil Rights (OCR) announced that Heritage Valley Health System agreed to pay $950,000 to settle alleged HIPAA violations following a 2017 ransomware attack. The settlement includes a corrective action plan (CAP) to address compliance gaps, marking the third HIPAA enforcement action involving ransomware. The OCR’s investigation revealed several potential HIPAA violations, including inadequate risk analysis, lack of a contingency plan, and insufficient access controls for electronic protected health information (ePHI). As part of the CAP, Heritage Valley will conduct a comprehensive risk analysis, implement a risk management plan, update its policies and procedures, and train its workforce on HIPAA compliance. OCR highlighted a significant increase in ransomware-related breaches, underscoring its enforcement priority.

Tags HIPAA, Ransomware

Health Law Highlights

Texas Retina Associates Cyberattack Affects 312,000 Patients

Post author By WadeEmmert
Post date July 8, 2024

Summary of article from The HIPAA Journal, by Steve Adler:

A cyberattack on Texas Retina Associates, the largest ophthalmology practice in Texas, has compromised the sensitive data of 312,867 patients. The breach, which occurred from October 8, 2023, to March 27, 2024, exposed personal information including names, addresses, Social Security numbers, and medical details. Texas Retina Associates has since secured its systems, enhanced cybersecurity measures, and provided additional training to its staff. Notifications are being issued to affected individuals as a precaution, and a helpline has been established for further assistance. The practice has not mentioned offering complimentary credit monitoring or identity protection services.

Tags Cybersecurity, HIPAA

Health Law Highlights

HIPAA Unique Identifiers Explained

Post author By WadeEmmert
Post date July 2, 2024

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA mandates unique identifiers for employers, health plans, and healthcare providers to enhance transaction efficiency and reduce administrative costs, though no standards for individual identifiers were adopted due to cost and complexity. Employer identifiers use IRS-issued EINs, while health plan identifiers, initially introduced in 2012, were rescinded in 2019 due to implementation challenges. Healthcare providers use National Provider Identifiers (NPIs), established before HIPAA and extended in 2004. It’s crucial to distinguish these HIPAA unique identifiers from PHI identifiers, which must be removed for data de-identification. Entities uncertain about these distinctions should seek HIPAA compliance guidance to avoid violations.

Tags HIPAA

Health Law Highlights

Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

Post author By WadeEmmert
Post date June 27, 2024

Summary of article from Taft Privacy & Data Security Insights, by Scot Ganow:

The Department of Health and Human Services (HHS) has issued final regulations modifying the HIPAA Privacy Rule to protect individuals’ reproductive health information, effective June 25, 2024, with compliance required by December 23, 2024. These changes prohibit HIPAA-regulated entities from disclosing protected health information (PHI) for purposes of investigating or imposing liability for lawful reproductive health care. Additionally, the regulations establish a presumption of lawfulness for reproductive care and mandate obtaining signed attestations for certain disclosures. HIPAA-covered entities and business associates must update their policies, procedures, agreements, and training to align with these new requirements. Notices of privacy practices must also be revised by February 16, 2026.

Tags HIPAA

Health Law Highlights

Texas Judge Upholds Hospitals’ Right to Use Online Tracking Technology

Post author By WadeEmmert
Post date June 25, 2024

Summary of article from The Record, by Suzanne Smalley:

A Texas federal judge ruled that the Biden administration’s policy to limit hospitals’ use of online tracking technology overstepped its authority. The policy, issued by the HHS in 2022, aimed to protect user privacy by warning that third-party data collection could violate HIPAA. Despite the HHS’s recent revision and warnings about the risks of technologies like Meta/Facebook Pixel and Google Analytics, the judge found that the guidance improperly extended HIPAA’s reach to data from public website searches. This decision followed a lawsuit from the American Hospital Association and other plaintiffs. The ruling underscores the complexity and extensive reach of federal regulations in modern life.

Tags Cybersecurity, HIPAA

Health Law Highlights

Feds Announce Final Penalties for Information Blocking. Hospitals and Medical Groups Aren’t Happy

Post author By WadeEmmert
Post date June 25, 2024

Summary of article from Chief Healthcare Executive, by Ron Southwick:

The U.S. Department of Health & Human Services has finalized rules to prevent information blocking, imposing significant financial penalties on hospitals, clinicians, and medical groups that fail to share health information freely. Hospitals could face reductions in federal aid and substantial financial disincentives, while clinicians and medical groups could see reduced reimbursements and other penalties. The American Hospital Association and the Medical Group Management Association have criticized the penalties as excessive and punitive, urging for more collaborative approaches. The rule also affects Accountable Care Organizations by barring violators from participating in the Medicare Shared Savings Program for at least a year. These measures will take effect 30 days after the rule’s publication.

Tags HIPAA, Information Blocking