
Current and potential patients are taking to the internet to share opinions and make decisions about healthcare providers. Good reviews can convert prospective healthcare consumers into patients, while bad reviews, particularly if poorly handled, can damage a provider’s reputation. Because reviews are inevitable, providers should develop a strategy to curate a strong professional reputation online to attract new patients and maintain existing patients. A critical part of this strategy is developing a plan for responding to both positive and negative reviews—and doing so without violating patient confidentiality.
Responding to patient reviews is more complicated than responding to a regular consumer’s review. For example, if a restaurant patron leaves a scathing review, the restaurant can respond by citing the patron’s own boorish behavior and poor tipping. On the other hand, should the patron leave a glowing review, the restaurant can thank the reviewer by name with added context related to their experience, meal, and/or interactions with employees. However, a healthcare provider that responds to a review risks violating the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).
HIPAA protects the privacy and security of health information that identifies an individual, which is referred to as Protected Health Information (“PHI”). HIPAA prohibits covered healthcare providers from sharing any PHI about a person unless an exception applies or the patient signs an authorization. PHI is broadly defined. The term includes not just medical records but also information that simply confirms that a person is or ever was a patient or has requested health care services.
HIPAA applies to patients even in a non-medical context. The fact that an individual leaves an online review, good or bad, does not waive the individual’s rights to privacy or the provider’s obligations to keep PHI confidential. This can be frustrating for healthcare providers, as it creates a situation where those providers cannot defend themselves against damaging patient reviews, and even misinformation, without violating HIPAA.
Disclosing PHI in response to an online review can have serious consequences. If a provider discovers that its employee has wrongly disclosed PHI (such as by posting PHI as part of a response to an online review), the provider must determine whether the incident constitutes a breach under HIPAA and, if so, notify the patient in writing as well as the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), which enforces HIPAA. Patients can also file complaints with OCR when they feel their privacy rights have been violated. Consider the following examples of healthcare providers incurring monetary penalties for violating HIPAA in this way:
Even if OCR does not impose monetary penalties on the healthcare provider, an OCR investigation into the issue can still cost the provider time and money. In addition, an OCR investigation could uncover unrelated HIPAA violations and expose the provider to further scrutiny.
Even a well-meaning response to a positive review is technically a HIPAA violation if the response confirms or implies the reviewer’s status as a patient. Crafting a response to a patient review that acknowledges the sentiments expressed while neither confirming nor denying the reviewer’s status as a current or former patient can be a challenge. Not responding to patient reviews, however, also risks creating the perception that the healthcare provider is not interested in rectifying concerns and complaints expressed by reviewers online.
Can a healthcare provider respond to online patient reviews without violating HIPAA? Yes. Responses should be drafted to generically describe the provider’s processes without confirming or denying that the reviewer is or has been a patient and without otherwise including PHI. There are a number of ways to capitalize on patient reviews while minimizing risk of violating HIPAA in the process. For example, a healthcare provider can work with legal counsel or its privacy officer to develop a procedure for responding to patient reviews as well as pre-approved responses. Another method that avoids additional time and cost of human intervention is to use an AI tool that does not have access to PHI and is trained to respond to patient reviews in a HIPAA-compliant manner, thus removing the human element to decrease the risk of violating HIPAA. Any AI vendor should be assessed to make sure that the vendor is monitoring the quality of responses and is willing to stand behind its compliance with HIPAA.