February 21, 2023

HIPAA Compliance: Risks Of Posting On Social Media

There are various methods of promoting your practice online. From a website to a social media page, an online presence can help drive patients to your business. Online review platforms, too, can be a way to raise awareness about your practice and gain new clients. When a current or former patient posts a review of their experience at your office, this can be a valuable source of feedback for you, your staff, and the public. Positive reviews can provide satisfaction to staff and may help to bring in new clientele. Reviews that offer constructive criticism can assist you with identifying areas of potential improvement and bettering your business. Unfortunately, some reviews, whether honest or sinister, can negatively impact your practice – one person with a seemingly bad experience can drive away both existing and potential patients. Whether your office is the subject of praise or criticism, you may want to respond to online reviews and comments about your practice. When responding in any public forum, healthcare providers should consider the potential risk of inadvertently disclosing a patient's protected health information (PHI) and becoming the target of a complaint or enforcement action under the Health Insurance Portability and Accountability Act (HIPAA).

Such enforcement actions are not without financial and reputational consequences. For example, the Office for Civil Rights (OCR), part of the US Department of Health & Human Services and the agency responsible for HIPAA compliance matters, recently entered into a settlement agreement with a dental practice stemming from alleged impermissible disclosures of PHI in connection with the practice’s response to online reviews. The dental practice agreed to pay a $23,000 civil penalty and to implement corrective actions over two years. In a press release about the case, OCR emphasized the following:

This latest enforcement action demonstrates the importance of following the law even when using social media. Healthcare providers cannot disclose the PHI of their patients when responding to negative online reviews. This is a clear NO.

To help avoid the risk of a HIPAA-related civil penalty, Stericycle recommends keeping the following tips in mind whenever posting online about your practice:

Express Consent is Always Required For a Disclosure

You might think that when a patient publicly mentions that they visited your practice for medical care, they have impliedly permitted you to disclose their PHI. Keep in mind, however, that any disclosure by a healthcare provider of PHI, even an acknowledgment that a particular individual is a patient, requires express, written authorization from the patient. Even if you receive authorization, the patient can always withdraw their consent in the future, which could pose an additional risk if an online disclosure was previously made.

To Help Avoid Inadvertent Disclosure, Keep Responses General

If you think you need to respond to a review or post, your response should be general and should never address the reviewer on an individual level. For example, you might follow up to a post by encouraging anyone who has visited your office to contact you directly with feedback about the experience. Remember, never use a patient’s name in an online post without first getting their express consent.

When in Doubt, Don’t Respond

Abstaining from a response is the best way to help ensure that you do not accidentally violate the HIPAA Privacy Rule.

Establish HIPAA Policies and Train Your Staff About How to Comply

It is imperative for healthcare organizations subject to HIPAA to create and implement policies and procedures to help them comply. When there are proper safeguards and trained staff, you can reduce the risk of an impermissible disclosure of PHI and the reputational and financial costs that can come with it. Stericycle can help healthcare facilities that use our Steri-Safe® HIPAA compliance program by providing access to resources such as training and customizable templates for HIPAA policies and forms. Contact us to learn more about our Steri-Safe® HIPAA Training and Compliance Solutions.
