HIPAA Considerations for Medical Practice Review Responses

April 27, 2015 | Allegra Erwin

More and more, patients are sharing their healthcare experiences on online review platforms such as Google and Yelp. These reviews shape your business’s reputation and have the power to prompt or dissuade new visitors. While you can’t control the content of reviews, you can influence how people perceive your business by responding with respect and sensitivity.

Reaching out to patients who have reviewed your service will humanize your business and demonstrate that their feedback matters. If their review is positive, you can thank them for their comments. If it’s negative, you can apologize and address the issues head-on. Your response is an opportunity for collaboration and transparency.

But before you begin responding to patient reviews, it’s important to understand how to do so in accordance with the privacy laws of HIPAA. When a patient posts a review that describes their experience with your business, they may state details about their medical history. This is their prerogative. However, doing so does not legally forfeit their right to privacy, and as a medical provider, it’s your duty to maintain it.

You cannot discuss any details about their medical needs or visit, or even acknowledge that they are, indeed, a patient. This makes responding tricky, but not impossible. Follow the guidelines below to write effective, HIPAA-compliant responses.

1. Explain your consideration of HIPAA.

Help your audience understand that your generalized response is out of respect for the privacy of your patients. For example: “Under HIPAA, I am unable to discuss the specifics of this user’s review.”

2. Cite company policies.

Since you are unable to discuss specifics, cite general company policies that correspond to the issue at hand. This helps communicate the values of your business without violating HIPAA.

3. Be courteous and professional.

This is a best practice as a business owner. It’s difficult and unnecessary to win an argument with a frustrated patient, so keep your responses helpful and diplomatic.

4. Say thank you.

Show your patients and visitors that you appreciate their feedback, whether it’s good or bad, by thanking your reviewers. This demonstrates that you respect their opinion and are open to constructive criticism.

Still not sure how to handle review responses in a HIPAA-compliant way?

The best thing you can do is speak to your attorney and/or other HIPAA experts. Don’t have access to a HIPAA expert? Find one now! Don’t like dealing with lawyers? Believe me, you’ll like it less when one is presenting you with a HIPAA violation.

If you’d like to learn more about this topic and potential violations, check out the articles below. Along with each article, you’ll find a quote that gets to the heart of this matter:

1. Are physicians prohibited from responding to online patient reviews?

“Acknowledgement of a patient’s relationship with the provider might risk violating patient privacy protected by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws. It is important to note that HIPAA does not explicitly prohibit physicians from responding to online reviews; physicians are free to respond and contribute to an online review forum, but they must maintain the privacy of the patient’s protected health information (PHI), even if the patient has already revealed personal information. While a patient is free to share any information about their experience in an online forum, physicians are prohibited from disclosing any patient-specific information.”

2. NJ Mental Health Provider’s Response to Negative Online Reviews Costs Practice $30,000 in OCR Penalty

“The OCR claimed that the provider included the complaining patient’s diagnosis and treatment of their mental health condition in the online response. The investigation that followed the complaint also revealed, according to the settlement materials, (i) responses by the provider to three other patients including protected health information and (ii) that the practice’s written policies and procedures were not HIPAA compliant.”

3. Handling Patient Reviews in a HIPAA Compliant Manner

“Never publicly discuss patient specifics. A patient can post anything they want about their visit with you, but it is a major HIPAA violation for you to say anything about them in a response.”

4. Disclosing Patient Information in Responses to Online Reviews: Recent OCR Enforcement Action Is a Cautionary Tale

“…when posting online content, healthcare providers must be mindful of one consideration unique to the healthcare sector: the federal Health Insurance Portability and Accountability Act (HIPAA). Enforced by OCR, HIPAA affords patients privacy rights and protections in their ‘protected health information’ (PHI). To this end, HIPAA prohibits ‘covered entities’ from disclosing an individual’s PHI, unless the disclosure is required or permitted by HIPAA or the individual has authorized the disclosure.”
