Dental Practice Fined for Sharing Patient Data on Social Media

A dental practice in North Carolina has been slapped with a hefty fine after disclosing a patient’s protected health information (PHI) online.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched an investigation into Dr. U. Phillip Igbinadolor, DMD. & Associates, PA (UPI) in 2015 after receiving a complaint from a male patient.

The patient visited UPI’s office in Charlotte for dental treatment twice between October 2013 and March 2014. On or around September 28, 2015, the patient left a negative review of UPI on the dental practice’s Google page, using a pseudonym to mask his identity.

UPI posted a response to the review, dismissing the patient’s claims as “unsubstantiated accusations.” In the response, the dental practice named the patient and disclosed the symptoms he had experienced and the treatment that was recommended but not provided to him.

The response, which included three mentions of the patient’s full name, also featured the condescending and derogatory statement: “From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule.”

Between 2016 and 2019, OCR requested various documents from UPI, including copies of the practice’s policies and procedures on responding to patients’ reviews online and on PHI disclosure and safeguarding.  

The practice variously responded by presenting OCR with irrelevant documents, submitting only some of the requested paperwork or by refusing or ignoring the office’s requests. 

In a statement released Monday, the OCR said: “Dr. U. Phillip Igbinadolor, DMD. & Associates, PA (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.  

“UPI did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.”

OCR imposed a civil monetary penalty of $50,000 upon UPI after finding that the practice had impermissibly disclosed the patient’s PHI and determining the violation to be “willful neglect not corrected.”
