An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information
The dental practice responded to reviews on social media by disclosing patient health information in violation of the law; OCR warns others against this practice
Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces a settlement with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO.,” said OCR Director, Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
In November 2017, OCR received a complaint alleging that New Vision Dental impermissibly disclosed PHI, including patient names, treatment, and insurance information, in response to patients’ online reviews of the practice. OCR’s investigation found potential violations of the HIPAA Privacy Rule including, impermissible uses and disclosures of PHI, and failures to provide an adequate Notice of Privacy Practices and implement Privacy policies and procedures.
OCR is committed to ensuring that the privacy and security of peoples’ health information is protected under HIPAA. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.
For general media inquiries, please contact media@hhs.gov.
Content created by Office for Civil Rights (OCR) Content last reviewed
Disclaimer Policy: Links with this icon () mean that you are leaving the HHS website.
The Department of Health and Human Services (HHS) cannot guarantee the accuracy of a non-federal website.
Linking to a non-federal website does not mean that HHS or its employees endorse the sponsors, information, or products presented on the website. HHS links outside of itself to provide you with further information.
You will be bound by the destination website's privacy policy and/or terms of service when you follow the link.
HHS is not responsible for Section 508 compliance (accessibility) on private websites.
For more information on HHS's web notification policies, see Website Disclaimers.