Manasa Health Center Fined $30,000 Over Disclosing Patient Information Online

The Department of Health and Human Services’ Office for Civil Rights agreed to settle the HIPAA violation case that started after a complaint received in April 2020.

By HFT Staff


The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center’s responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information. 

OCR launched an investigation into the Kendall Park, New Jersey-based healthcare provider and discovered the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews and notified the practice about the HIPAA Privacy Rule investigation on November 18, 2020. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with standards, implementation specifications, or other requirements of HIPAA Privacy Rule and Breach Notification Rules – 45 C.F.R. § 164.530(i). 

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures. 

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient. 

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules. 



June 21, 2023


Topic Area: Maintenance and Operations


Recent Posts

Texas Law Limits Backup Power Mandates for Senior Care Facilities

As Texas relaxes generator mandates, healthcare facility managers now face tough decisions about emergency power investments and resident safety.


Cyber Crossfire: Why Healthcare Is Becoming a Battleground in Global Conflicts

As geopolitical tensions escalate, hospitals and critical suppliers are increasingly targeted in cyberattacks.


UPMC Presbyterian Receives $65 Million Gift for New Bed Tower

The tower is projected to open for patient care in early 2027.


Premier Health Partners Falls Victim to Cyber Incident

The incident occurred in July 2023.


Backup Power's Expanding Role in Emergency Preparedness for Healthcare

Manufacturers discuss design strategies, code shifts and lessons learned from real-world disasters.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.