HHS Reaches Settlement With NJ Provider Over Potential HIPAA Privacy Rule Violations

New Jersey-based Manasa Health Center committed a potential HIPAA Privacy Rule violation by disclosing the protected health information of patients when responding to a negative online review.

By Jill McKeon

The HHS Office for Civil Rights (OCR) announced a settlement with Manasa Health Center, a psychiatry provider in New Jersey, over a potential HIPAA Privacy Rule violation. According to an April 2020 complaint to OCR, Manasa Health Center improperly disclosed the protected health information (PHI) of a patient in response to a negative online review.

OCR launched an investigation into the incident and discovered that Manasa had impermissibly disclosed the PHI of four patients by responding to negative reviews the patients had posted on Google Reviews with comments about the patients’ individual diagnoses and mental health conditions.

In addition, the investigation found that Manasa had failed to implement key privacy and breach notification policies as required by HIPAA. As a result of the investigation, Manasa paid $30,000 to OCR and agreed to implement a corrective action plan.

The corrective action plan requires Manasa to develop or revise its policies to comply with the HIPAA Privacy Rule, train workforce members on the organization’s privacy and security policies, and issue breach notices to all individuals whose PHI was disclosed without authorization.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. 

“The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

This case is not the first time that a healthcare organization has faced penalties for responding to negative online reviews by exposing PHI. In December 2022, OCR reached a settlement with California-based New Vision Dental (NVD) after the practice allegedly disclosed PHI in response to negative Yelp reviews. NVD was ordered to pay $23,000 to OCR and implement a corrective action plan.