
The HIPAA Question We are All Asking.

Posted by Nancy Rausman - 11 August, 2016


Image by Stuart Miles courtesy of freedigitalphotos.net

Part 1

Here’s a scenario: A practice gets a scathing online review by an unhappy patient. The doctor writes a polite response explaining her side of the story and offering an apology for the misunderstanding. The patient sues the doctor for violating his confidentiality.  It’s what nightmares are made of.

But does this patient have a case? What does HIPAA dictate about responding to online reviews? This new reality creates quite a bit of uncertainty about whether and how you can respond to negative reviews without violating HIPAA, and about what exactly implies consent. So, we are going to (try to) clarify things a bit by taking a deeper look at the issues at hand.

First things first. You shouldn’t avoid responding to reviews because you are wary of HIPAA. The question is not whether to respond but how to respond, and truthfully, the answer isn’t cut and dried. There are (at least) two sides that should be considered, and each practice will have to choose for itself how strict it will be.

Implied consent?

THE pivotal question we face is whether a patient posting a review of your practice, especially if it includes details about a visit, constitutes implied consent and whether this will suffice in a court of law.  

On one side, according to HIPAA expert Dr. Joe DeLoach, as long as no protected health information (PHI) is revealed, a patient could be expressing implied consent by initiating a post about services received. Therefore, if you reply without including any patient or personal medical information, you could be in the clear. He warns practices to steer clear of answering medical questions or specific complaints that address personal information: stick to generalities and address specifics over the phone. He also recommends that practices include a statement in the office policy that the practice does communicate with patients through websites and social media but never releases PHI.

On the other side, there is literature that states that while a patient may refuse to agree with your privacy policy, that does not remove your obligations under HIPAA to fully protect that patient’s privacy without express authorization from the patient, and that protection extends even to acknowledging that the person is a patient.

Another issue is that a complaint specifically referring to a product such as glasses or contacts may not technically admit to being a patient (anyone can come in with a prescription and purchase eyewear).

As you can see, there is no definitive answer when it comes to consent. In the unlikely event that a patient takes you to court, that is where it would ultimately be decided.

In Part 2 in this series on the HIPAA question, I will provide some advice on safe ways you can respond to reviews that will both maintain your integrity (and your image) and steer clear of potential HIPAA violations.

However you look at the issue, the more reviews you have, the more positive reviews you will have to drown out those complainers, so the goal is to get more reviews. Need some help with your review strategy? We’re experts in that arena. Contact Daniel today at or phone (412) 532-6542.

Topics: Online Reviews, Reviews, Google Reviews, Yelp, HIPAA
