Oral Surgeon Faces Legal Action Over Response to Online Review

Case Study

Marc Leffler, DDS, Esq.
January 23, 2024

Reading time: 6 minutes

Patient privacy is a crucial aspect of oral and maxillofacial surgery, especially in the present digital landscape. In this case study, an OMS is sued after unintentionally disclosing protected health information (PHI) about a patient in response to an online review.

Key Concepts

  • Responding to online reviews
  • Protected health information (PHI)
  • Mitigating risk in online conduct

Background Facts

Dr. C had been in oral surgery practice, in an affluent community, for nearly 10 years. He had completed a formal residency training program and had regularly taken courses focusing on the full spectrum of facial cosmetics, particularly involving the use of injectable dermal fillers in the perioral areas. The State in which Dr. C practiced permitted oral surgeons, and in fact all dentists, to employ dermal fillers, so, combining that background with his significant training and experience over years, he felt comfortable providing this service to his patients.

R had been Dr. C’s patient for more than 4 years, seeing him exclusively for the injection of dermal fillers in and around her lips to smooth out the lines and wrinkles that she found esthetically unpleasing. She liked the fact that Dr. C performed this treatment so as to make very subtle changes in her appearance because she “didn’t want the whole world knowing” that her facial look was unnatural in any way.

Following R’s most recent visit for filler placement, Dr. C’s office sent her an email which linked to a popular online rating site with which the office had just begun a relationship. R gave Dr. C the top assessment category, and very carefully worded her narrative entry to read, “Dr. C is the best; he does great work and his staff is so friendly.” When Dr. C read the review, he was very appreciative of her kind words, and he responded in the public forum, “So happy we could make you even more beautiful with our magic injections”. R became incensed when she read Dr. C’s response, benign as he might have intended, because she saw her privacy as having been infringed upon by letting everyone who would read it know about her “little secret.” The next morning, R called Dr. C to tell him how upset she was about his posting. She pointed out that she had been very careful to be vague in her own post, to help his online presence while protecting what she had not wanted exposed to the public. Dr. C was repeatedly apologetic, but he was unable to calm his patient down, as she threatened him with various types of legal action. When their conversation ended, he immediately contacted the online site, requesting that his response be taken down, but the site had a number of criteria to be met, each of which took time, before the post could be removed. Dr. C contacted R to explain what he had done, but she became even more upset when he told her it would take some time to remove his post.

R reached out to an attorney friend of hers, wanting to sue Dr. C for malpractice. But the attorney explained to R that Dr. C had done nothing improper from a dental standpoint, and that she suffered no damage as a direct result of his care. When R asked whether Dr. C had done anything wrong, her attorney said that he might have violated her privacy rights under a federal law known as HIPAA, which protects a patient’s personal health information – including that she had been treated and what type of treatment she had received – except if she, as the patient, authorizes such disclosure.

In the days that followed, R filed a formal complaint with the appropriate government agency, as shown to her by her attorney. In a time period which R found excessively long, the agency representative contacted her, and obtained her verbal statement, copies of the online posts, and her authorization to speak with Dr. C about the full set of circumstances.


When Dr. C received a government request for his records regarding R and for an in-person meeting, he contacted an attorney to guide him through the process. At that meeting, under the advice of counsel, he explained that he had not intended to do anything but express his appreciation to R for her positive rating and comments, and that he had not realized that he was in violation of any law in doing so.

It was not long before Dr. C’s attorney received notice that a significant fine was being levied upon Dr. C, due to his having breached R’s private personal health information without her authority to do so. The attorney later explained to Dr. C that his intent was not at issue, but the mere disclosure of that information, without authorization or as part of an exception to the rule, constituted a violation for which he could be validly fined.

Dr. C paid the fine, and then learned that the State Dental Board had been provided with the records and findings, but it opted against taking any further action.


In these days of every restaurant, every hotel, and every concert you eat at, stay at, and attend asking for online reviews of your experiences, it is nether unusual nor surprising for oral surgery offices to do the same. But beware of HIPAA constraints before responding, no matter how terrible or how glowing that review might be. Not only can an investigation and penalty ensue following an unauthorized disclosure based upon responding to a negative online review, but the same result might come to pass even when responding to positive ratings given online.

Oral and maxillofacial surgeons are not traditional vendors, but instead health professionals who are vested with the obligation of protecting their patients’ privacy, not only ethically but statutorily as well. As such, oral surgeons must not divulge any information about their patients, absent explicit written authority from the patient or a rule exception, which usually – but not exclusively – involves the sharing of health information among multiple providers who are treating the patient and who have a need to know.

So, it cannot be emphasized enough that, before releasing anything about any patient, the oral surgeon must be in possession of a HIPAA-compliant document authorizing the release; in situations where an oral surgeon might believe that sharing medical/dental information with another provider is warranted, the safest approach is a consultation with an attorney familiar with this subject matter. That extra step might be the difference between compliance and a large fine. And even when sharing information appropriately, HIPAA requires that the methods for doing so include reasonable protections against the dissemination of that information to any person or entity other than specifically intended.

It should also be noted that, had the situation involved here included negligent treatment which injured the patient, leading to a malpractice lawsuit, the entire set of online events, and potentially the government actions in response, might be a source of intra-lawsuit litigation as to whether the issue could be explored in the usual discovery process and whether a jury might be able to be made aware of the events. That is not to say that it is a given that this issue would become a (distracting) part of a trial, but it is a potential unhelpful wrench that can be eliminated with due consideration in advance. Online responses to online stimuli might feel justified at the moment, but silence is often the better approach to take.

Additional Risk Tips content

Risk Tips

Oral and maxillofacial surgeons often face unhappy patients. In this case study, a patient who receives dermal fillers later files a Board complaint.

Risk Tips

In oral surgery, documentation is an essential element of practice. In this case study, the lack of detail in an OMS’s chart entry impacts the outcome of a malpractice case against her.

Risk Tips

Oral and maxillofacial surgeons must strictly adhere to state guidelines about records retention. In this case study, an OMS practicing in two neighboring states neglects to maintain records for the required duration in the state in which he is sued, affecting the legal outcome.

This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.

MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and/or may differ among companies.

© MedPro Group Inc. All rights reserved.