PogoWasRight.org

How can you safely respond to a negative online review by a patient?

Posted on June 11, 2023 (updated June 24, 2025) by Dissent

This post originally appeared on DataBreaches.net on June 5, but is being republished here to add a commentary under the press release from HHS.
New Jersey psychiatry practice pays $30,000 to settle complaint about impermissible disclosure of protected health information by disclosing this information in online review

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announces a settlement with Manasa Health Center, LLC, a health care provider in New Jersey that provides adult and child psychiatric services. The settlement resolves a complaint received by OCR in April 2020, alleging that Manasa Health Center impermissibly disclosed the protected health information of a patient when the entity posted a response to the patient’s negative online review. Following an OCR investigation, potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule include impermissible disclosures of patient protected health information in response to negative online reviews, and failure to implement policies and procedures with respect to protected health information. Manasa Health Center paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

OCR opened an investigation in response to a complaint by a patient alleging that Manasa Health Center posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition. In addition to the patient who filed the complaint, OCR’s investigation found that Manasa Health Center impermissibly disclosed the protected health information of three other patients in response to their negative online reviews. OCR’s investigation also found that Manasa Health Center failed to implement HIPAA Privacy policies and procedures.

In addition to the monetary settlement, Manasa Health Center will undertake a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps:

  • Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,
  • Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,
  • Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
  • Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.

Source: HHS

Update: Jeff Drummond has always been a great resource on HIPAA law and often comments on decisions and cases on his blog. In response to the Manasa settlement, Jeff wrote:

I’ve previously posted on this subject, and on similar issues with covered entities inadvertently disclosing PHI while trying to defend themselves (some of the links have died from link rot, but you get the idea). You don’t have to sit silently while a patient posts an unfair or false bad review; however, your response cannot include the patient’s PHI (simply confirming that the patient is in fact your patient is PHI). There’s no “he said it first” exception, nor does the fact that the PHI has already been made public mean that the provider can disclose it again.

For example, if a patient states that he had an 8:00am appointment in November but wasn’t seen by the doctor until 2:00pm, you could respond with a statement such as, “While we can neither confirm nor deny whether this individual is a patient, we time stamp all patient sign-ins and the start of all patient-provider encounters. We have reviewed all patient encounters during November and have not found any instance where the length of time between a patient’s sign-in and the start of his/her physician visit was longer than 45 minutes.” That response refutes the patient’s claim without disclosing PHI.

That’s great advice. Readers who are interested in HIPAA should bookmark Jeff’s blog, HIPAA Blog, if you haven’t done so already.
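Jeff’s example rests on a simple procedure: keep timestamps for every sign-in and encounter start, review a whole month, and publish only an aggregate statement (the longest wait across all encounters) that names no individual. The script below is an added example of that procedure, not code from the original post, from Jeff Drummond, or from any practice mentioned here. The sign-in log, the patient identifiers and the 45-minute threshold are constructed for illustration; the response text follows Jeff’s wording. The point of the last function is the check a practitioner would want: the draft is refused when the aggregate claim would be false, and it is verified to contain none of the internal identifiers from the log before it is considered publishable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Encounter:
    """One timestamped visit. patient_id is an internal key and must never
    appear in anything published; it is PHI once tied to a visit."""
    patient_id: str
    sign_in: datetime
    encounter_start: datetime


# Constructed sample log (hypothetical identifiers and times, not real data).
# The December entry reproduces the reviewer's complaint: signed in at 8:00,
# seen at 14:00. It is outside the month under review.
SAMPLE_LOG: List[Encounter] = [
    Encounter("PT-1001", datetime(2023, 11, 2, 8, 0), datetime(2023, 11, 2, 8, 20)),
    Encounter("PT-1002", datetime(2023, 11, 2, 9, 0), datetime(2023, 11, 2, 9, 40)),
    Encounter("PT-1003", datetime(2023, 11, 14, 13, 30), datetime(2023, 11, 14, 13, 45)),
    Encounter("PT-1004", datetime(2023, 12, 1, 8, 0), datetime(2023, 12, 1, 14, 0)),
]


def max_wait_in_month(log: List[Encounter], year: int, month: int) -> Tuple[Optional[timedelta], int]:
    """Longest sign-in-to-encounter gap in the month, and how many encounters
    were reviewed. Returns (None, 0) when there is nothing to review."""
    waits = [
        e.encounter_start - e.sign_in
        for e in log
        if e.sign_in.year == year and e.sign_in.month == month
    ]
    if not waits:
        return None, 0
    return max(waits), len(waits)


def draft_response(log: List[Encounter], year: int, month: int,
                   threshold: timedelta = timedelta(minutes=45)) -> Optional[str]:
    """Build the aggregate statement from Jeff's example. Returns None when the
    month has no encounters or when any wait exceeded the threshold, because the
    statement would then be false and must not be published."""
    longest, reviewed = max_wait_in_month(log, year, month)
    if reviewed == 0 or longest is None or longest > threshold:
        return None
    month_name = datetime(year, month, 1).strftime("%B")
    minutes = int(threshold.total_seconds() // 60)
    return (
        "While we can neither confirm nor deny whether this individual is a patient, "
        "we time stamp all patient sign-ins and the start of all patient-provider "
        f"encounters. We have reviewed all patient encounters during {month_name} and "
        "have not found any instance where the length of time between a patient's "
        f"sign-in and the start of his/her physician visit was longer than {minutes} minutes."
    )


def leaks_identifiers(text: str, log: List[Encounter]) -> bool:
    """Last-line check before posting: True if any internal patient identifier
    from the log appears in the draft. A True result means do not publish."""
    return any(e.patient_id in text for e in log)


def publishable_response(log: List[Encounter], year: int, month: int) -> Optional[str]:
    """Draft the statement and release it only if the identifier check passes."""
    text = draft_response(log, year, month)
    if text is None or leaks_identifiers(text, log):
        return None
    return text


if __name__ == "__main__":
    print(publishable_response(SAMPLE_LOG, 2023, 11))   # aggregate statement, no PHI
    print(publishable_response(SAMPLE_LOG, 2023, 12))   # None: a 6-hour wait exists
```

Two design choices matter here. The function that produces the public text only ever receives the computed maximum and a count; the identifiers never enter the string-building code, so the final `leaks_identifiers` check is a belt-and-braces control rather than the only barrier. And the draft is withheld, not softened, when the data contradicts it: a statement that is true of the aggregate is the only thing the procedure in the post allows you to say.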

Category: Breaches, Healthcare, Laws

©2025 PogoWasRight.org. All rights reserved.