The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Manasa Health Center in Kendall Park, New Jersey entered into a Resolution Agreement and Corrective Action Plan to resolve a HIPAA Privacy Rule violation. The psychiatric practice, owned by Dr. Nidagalle Gowda, inexplicably disclosed four patients’ protected health information (PHI) online, but is getting off easy with a fine of only $30,000.
A patient complained to OCR in 2020 that Manasa, in responding to a negative online review, posted information regarding the patient’s mental health condition. OCR’s investigation found other violations of the Privacy Rule, including the disclosure of three other patients’ PHI in Manasa’s responses to their negative online reviews.
Manasa’s corrective action plan includes reviewing and revising its HIPAA policies and procedures, training its workforce, sending breach notices to all patients whose PHI was improperly disclosed online, and two years of monitoring by OCR. OCR Director Melanie Fontes Rainer stated the obvious: “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed.”
This type of egregious conduct has frustrated OCR for years and has been previously covered here (“Don’t Post Patient Info on Social Media!”). Surely, our readers know better.
Sign up to receive Rivkin Rounds at www.RivkinRounds.com.