Writing Google reviews about patients is actually a HIPAA violation

A real one that resulted in a $50,000 fine

A pattern of light blue face masks against a purple background.
Illustration by Alex Castro / The Verge

In the past few years, the phrase “HIPAA violation” has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can’t be asked if they’re vaccinated or get a doctor’s note for an employer.

But asking someone if they’re vaccinated isn’t actually a HIPAA violation. That’s a fine and not-illegal thing for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged on and responded with his own post on the Google page, saying that the patient missed scheduled appointments. “Does he deserve any rating as a patient? Not even one star,” Igbinadolor wrote, according to the notice of proposed determination outlining the violation. (For the curious, the redacted HIPAA-violating Google post is on page 3.)

In the post, he used the patient’s full name and described, in detail, the specific dental problem he was in for: “excruciating pain” from the lower left quadrant, which resulted in a referral for a root canal.

That’s what a HIPAA violation actually looks like. The law says that healthcare providers and insurance companies can’t share identifiable, personal information without a patient’s consent. In this case, the dentist (a healthcare provider) publicly shared a patient’s name, medical condition, and medical history (personal information). As a result, the office was fined $50,000.

This isn’t an uncommon occurrence: a 2016 ProPublica investigation found that doctors regularly include details about patients’ health in response to negative Yelp reviews. And in 2019, another dentist was fined $10,000 for putting the information of multiple patients on Yelp.

The Office for Civil Rights at the Department of Health and Human Services, which enforces HIPAA, asked to see Igbinadolor’s office’s internal policies and procedures around personal health information and social media. As of fall 2020, the office hadn’t provided anything. The office should probably implement one easy policy to keep something like this from happening again: even if a patient is annoying, never post.