Manasa Health Center Fined $30,000 Over Disclosing Patient Information Online

The Department of Health and Human Services’ Office for Civil Rights agreed to settle the HIPAA violation case that started after a complaint received in April 2020.

By HFT Staff


The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center’s responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information. 

OCR launched an investigation into the Kendall Park, New Jersey-based healthcare provider and discovered the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews and notified the practice about the HIPAA Privacy Rule investigation on November 18, 2020. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with standards, implementation specifications, or other requirements of HIPAA Privacy Rule and Breach Notification Rules – 45 C.F.R. § 164.530(i). 

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures. 

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient. 

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules. 



June 21, 2023


Topic Area: Maintenance and Operations


Recent Posts

17 Million Patient Records Stolen in PIH Health Ransomware Attack

A ransomware attack halted operations across three of PIH’s hospitals.


Holidays are Prime Times for Healthcare Cyberattacks

A study found that 86 percent of organizations that experienced ransomware attacks were targeted on a holiday or weekend.


Hartford Healthcare Forms Partnership to Open Health Equity Clinic

The new clinic will open in January 2025.


UCHealth Reveals Plans for Memorial Hospital North Expansion

Construction on the patient tower is slated for 2026 with a projected opening to patients in 2029.


What Are 'Hospi-tels'?

Hospitals and hotels are partnering to better cater to patients and families.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.