THE OKLAHOMA BAR JOURNAL 10 | MARCH 2026 Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff. schemes. In fact, the DOJ has an entire unit, staffed with 80 experienced white-collar prosecutors, focused exclusively on prosecuting health care fraud, including AKS violations.3 And if the regulators don’t detect the conduct, you can bet the False Claims Act bar will; Congress explicitly provided that AKS violations may form the basis of a False Claims Act lawsuit,4 including qui tam lawsuits brought by private plaintiffs. HEALTH CARE PROVIDERS CANNOT POST PICTURES FROM WORK OR RESPOND TO NEGATIVE ONLINE POSTS ABOUT THEM No one hates social media more than a hospital’s privacy officer. Why, you ask? Consider a few common scenarios: A group of new lab techs gathers around a table for a group photo, not noticing the lab order that is plainly visible in the resulting social media post, “First Day!” A labor and delivery nurse posts a picture of a brandnew family, “Look at Mom and Dad, so proud!” A physical therapist posts a photo of a happy but exhausted patient after a successful session, “Progress!” In each of the situations, the people posting the photos are happy and clearly proud of the work they are doing. Many employers would literally pay to get that type of positive, organic social media interaction. Enter the privacy officer, whose job it is to ruin the fun. What the privacy officer knows (and what our well-intentioned, if misguided, influencers will soon find out) is that disclosing “protected health information” (PHI) may violate the privacy rule5 that HHS implemented in connection with the Health Insurance Portability and Accountability Act (HIPAA), as amended. PHI is defined broadly to include most types of “individually identifiable health information,”6 almost certainly including the lab order and patients posted on social media. The privacy rule generally requires health care providers to obtain a written “authorization” prior to disclosing PHI.7 Verbal consent, especially in the context of social media posts, is typically not enough.8 The privacy officer knows, from much experience, that written authorizations are usually not obtained prior to making a spontaneous social media post. So the privacy officer will likely be forced to analyze the situation as a potential PHI breach, a laborious analysis dictated by HHS regulations,9 with the threat of HHS taking enforcement action lurking in the background. The privacy officer wonders, for perhaps the thousandth time, why they invented social media. It’s going to be a long day. The hospital’s chief marketing officer is also having a long day. One of the system’s employed physicians emailed this morning, demanding “DECISIVE ACTION” to address “THE INSIDIOUS MISINFORMATION ONE OF OUR PATIENTS POSTED ONLINE” (emphasis in original). The misinformation the physician is referencing is a Google review that accuses the physician of “malpractice that gave me a heart attack” (1 star). But, the physician points out, the patient’s heart attack “HAD ABSOLUTELY NOTHING TO DO WITH [the physician’s] QUALITY OF CARE AND EVERYTHING TO DO WITH THE PATIENT’S LOVE FOR FAST FOOD AND CHEESE CURDS” (emphasis in original). The physician would like the chief marketing officer to “GO ON THE OFFENSIVE” and post a detailed rebuttal explaining how the patient’s choices, and not the clinical decision-making of the physician, are to blame for the patient’s ailments. While marketing officers in other industries can and do rebut false reviews, our chief marketing officer is constrained by the same privacy rules that apply to the above social media posts. Disclosing the patient’s dietary choices and lifestyle, even to rebut a misleading public review, would likely involve a disclosure of PHI in violation of the privacy rule. HEALTH CARE PROVIDERS CANNOT PROVIDE SERVICES AT A DISCOUNT OR FOR FREE Helping people in need by either providing services, supplies or medications for free or at a discount sounds like a good thing, right? If a patient is having problems paying the full cost of a service or medication, providers often want to help by agreeing to waive their cost-sharing amounts under their health coverage as an accommodation to the patient. However, doing so can raise legal issues. From the payor’s perspective, there are two potential issues. First, payors typically contract with providers to pay, in part, based on the provider’s usual charges. The OIG has taken the position that routinely waiving copayments misrepresents the provider’s actual charges. Second, payors require copays and deductibles as a mechanism to curtail overutilization of services and reduce costs. Waiving cost-sharing is counterproductive to these goals.10 In the 1994 Special Fraud Alert: Routine Waivers of Copayments or Deductibles Under Medicare Part B,11 the OIG warned against the
RkJQdWJsaXNoZXIy OTk3MQ==