Holland & Hart's Health Law Blog
  • Publications
  • Webinar Recordings
    • 2026 Webinar Recordings
    • 2025 Webinar Recordings
    • 2024 Webinar Recordings
    • 2023 Webinar Recordings
    • 2022 Webinar Recordings
    • 2021 Webinar Recordings
    • 2020 Webinar Recordings
    • 2019 Webinar Recordings
    • 2018 Webinar Recordings
    • 2017 Webinar Recordings
    • 2016 Webinar Recordings
  • Compliance Bootcamps
  • Attorneys
  • Healthcare Law
  • Employers’ Lawyers Blog
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu

Responding to Negative Internet Reviews: Beware HIPAA

November 23, 2016/in HIPAA

By Kim Stanger, Holland & Hart LLP

As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2016-11-23 19:20:442016-11-23 19:20:44Responding to Negative Internet Reviews: Beware HIPAA

Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines

October 26, 2016/in HIPAA

by Kim Stanger, Romaine Marshall, and C. Matt Sorensen, Holland & Hart LLP

St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights Office (“OCR”) that its data security was inadequate.

In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR claimed St. Joseph did not change the default settings on a new server, which allowed members of the public to access via search engines the personal health information of 31,800 patients for a full year. By failing to switch off its servers’ default setting, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational changes that might affect the security of ePHI.

In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but the OCR deemed that to be inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers. Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2016-10-26 21:11:552016-10-26 21:11:55Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines

Office of the National Coordinator for Health Information Technology Issues Formal Guidance for Selecting and Negotiating Contracts with Electronic Health Record Vendors

October 10, 2016/in Health Information

by Teresa Locke, Holland & Hart LLP

On September 26, 2016, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) released a practical and straightforward tool to assist health care providers as they select and negotiate the acquisition of an electronic health record system (EHR). The document’s title accurately encapsulates the content of the 53-page guide: “EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print.” The guide can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf. The new contract guide explains important concepts in EHR contracts and includes example contract language to help providers and health administrators in planning to acquire an EHR system and negotiating contract terms with vendors. Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2016-10-10 15:04:182016-10-10 15:04:18Office of the National Coordinator for Health Information Technology Issues Formal Guidance for Selecting and Negotiating Contracts with Electronic Health Record Vendors

Resources for ACA Notice of Nondiscrimination: Beware October 16 Deadline

October 6, 2016/in ACA, Nondiscrimination, Interpreters and Translators

By Kim Stanger, Holland & Hart LLP

For those healthcare providers who have postponed creating the mandatory Notice and Statements of Nondiscrimination required by Section 1557 of the ACA, HHS has made it relatively easy for you to comply with the October 16 deadline by providing helpful resources: Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2016-10-06 19:15:582016-10-06 19:15:58Resources for ACA Notice of Nondiscrimination: Beware October 16 Deadline

Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA

October 4, 2016/in HIPAA

By Kim Stanger, Holland & Hart LLP

The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,

This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

See Press Release here. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach. Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2016-10-04 22:00:262016-10-04 22:00:26Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA
Page 35 of 49«‹3334353637›»

Idaho Patient Act Timeline


View our Idaho Patient Act Timeline Guide

Holland & Hart

This blog is maintained by the Health Law practice group of Holland & Hart LLP. Visit the Holland & Hart website.

Subscribe to Email Updates

Enter your Email:

Contact

If you have any questions, please contact Kim Stanger.

More COVID-19 Articles


View more COVID-related articles on our Labor & Employment Blog

Categories

Archives

Disclaimer

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Privacy Policy

View our privacy policy.

© Copyright 2026 | Holland & Hart LLP - Enfold WordPress Theme by Kriesi
Scroll to top Scroll to top Scroll to top