“How can we respond to our online reviews without violating patient privacy?”
It’s one of the most common questions we get from health and medical professionals. Last year, ProPublica asked Deven McGraw, the chief privacy officer for the Office for Civil Rights within the U.S. Department of Health and Human Services, for her thoughts.
“If the complaint is about poor patient care, they can come back and say, ‘I provide all of my patients with good patient care’ and ‘I’ve been reviewed in other contexts and have good reviews,’ ” McGraw said. But they can’t “take those accusations on individually by the patient.”
With this information coming from the top of the agency responsible for enforcing HIPAA, we wanted to build a resource that expands on that guidance for health and medical providers to reference when responding to reviews. We turned to Dr. Danika Brinda of Planet HIPAA, an expert on patient privacy and frequent consultant on the matter, for advice. Check out Dr. Brinda’s guest blog post below to find out what she believes are the best ways for health and medical professionals to respond to online reviews.
By: Danika Brinda
Online reviews are an important part of a healthcare organization’s identity: 84% of consumers turn to review sites to find a doctor. Many organizations want to engage and respond to reviewers, and every organization has an obligation to protect patient privacy under the Health Insurance Portability and Accountability ACT of 1996 (HIPAA), as well as state privacy laws. Even the most savvy organizations may have questions about how to respond to reviews and maintain patient privacy.
Even though HIPAA comes from a pre-online-review world, the concepts and practices of HIPAA apply today more than ever. In short: Healthcare organizations and providers are not allowed to use or disclose patient information without explicit prior authorization from the patient. Non-compliance with these patient privacy laws can — and has — led to corrective action plans and millions of dollars in fines.
But don’t panic! Medical professionals can engage on Yelp without violating patient privacy. They do it every day! Take a look at our guide. It’s got everything you need to know to connect with your patients on Yelp while protecting their privacy.
Common Myths About Online Reviews, Patient Privacy, And HIPAA
Myth 1: A patient’s review is an authorization for the provider or practice to disclose information regarding that patient.
FALSE. If the patient chooses to post a positive or negative review about a healthcare organization or provider, they haven’t provided the right or authorization to release any patient-specific information in response.
Best Practice: Healthcare organizations and providers should make sure they are not writing comments that would confirm that the patient actually received any healthcare services, or any specific comments regarding the patient’s healthcare services.
Myth 2: If the patient posts private information about a provider or a healthcare organization online, then the healthcare organization or provider has the right to respond to the individual who posted the review in the same format.
FALSE. When a patient provides detailed and specific information about an experience with a provider or healthcare organization, they still have not provided authorization to the provider or healthcare organization to respond back with specific patient information and details.
Best Practice: Just like with Myth 1, comments should not confirm that the patient actually received any healthcare services with the organization or practice. Information gained through the course of a patient’s care should never be shared on a public site without proper patient authorization.
Myth 3: Since the patient posted a review on Yelp, a provider or healthcare organization can publish that information to a testimonial page they manage, such as a website or other social media.
FALSE. A healthcare organization is not allowed to use protected health information without prior authorization from a patient, even when a patient elects to post it on an online platform like Yelp. A Yelp review that a patient has posted is not considered an authorization for a healthcare organization to use that information for testimonial or other healthcare operations purposes. In 2016, a physical therapy office was fined $25,000 and entered into a three-year corrective action plan for posting patient testimonials on its website without first getting authorization from the patient.
Best Practice: Get written consent (authorization) from patients before you share or embed their reviews.
Responding To Reviews And Maintaining Patient Privacy
On Yelp there are two ways to respond to reviews. The first is a direct message. The second is a public comment. Direct messages go to the reviewer’s inbox directly and public comments get posted live to the provider’s Yelp page. Either way, when responding to reviews it is important to have good practices established to make sure your organization and your patient’s privacy are protected. In both scenarios, the goal should be to take the conversation offline and to a private channel.
Public Response:
The best practice in a public response is to never release any patient information or confirm that a patient was seen by the organization.
Example 1:

Compliant? NO
While the provider didn’t provide specific details about the office visit, they did confirm that the patient was seen at the facility and that they are looking forward to future visits. This confirmation would be a violation of HIPAA.
Corrected Response:
“It is our policy to provide the best care to patients. Thank you.”
This is a specific comment that doesn’t provide any specific patient information or confirm that the reviewer was a patient. Instead, it focuses on the policy of the organization and provides a polite thank you.
Example 2:

Compliant? YES
This is a good response. It states that the healthcare facility aims to provide the best care possible. The responder does not confirm that the reviewer was an actual patient. It is vague, and specific to the policy of the organization. In no way does this violate HIPAA or state laws.
Besides responding to Yelp reviews as public comments, a healthcare organization or provider can respond using Yelp’s Direct Message. You can learn more about how to respond via direct message here. Here are a few case scenarios on how to respond using Yelp’s Direct Messages:
Direct Messages:
The best way to use the direct message feature on Yelp is to send a quick thank you to the reviewer, or as the first step in moving the conversation offline. Direct messages should have minimal information and request that the individual contact you directly if follow-up is necessary. Healthcare organizations and providers should never provide medical treatment or include specific patient treatment details using this format.
Review 1:

Direct Message:

Compliant? YES
If you want to make sure you are responding to positive and negative comments received, send a direct message to the patient thanking them for the review. Remember, you want to be vague in your response and not include any patient information. Even though you’re using a non-public way of communicating only with the individual who posted the review, you don’t want to provide too much information in an electronic format. You could always leave a handwritten thank-you note in their chart to deliver the next time they visit your office.
Review 2:

Direct Message:

Compliant? PROBABLY NOT
It is best to err on the side of caution and not assume the identity of the reviewer. You don’t want to provide too much information when communicating with the patient. Focus on the organization’s policy and work to move the conversation offline.
Corrected Response:
“We are sorry about your experience at our organization. We are committed to providing the best patient care experience. Please feel free to contact us at [contact person/information].”
Remember: Keep it brief, keep it general, and move the conversation offline.
Yelp is a powerful tool for healthcare organizations and providers. It allows patients or potential patients to evaluate healthcare organizations and providers prior to getting services. That means that patients can take an active role in searching for healthcare organizations and providers with the services and quality they’re looking for. It is easy to maintain patient privacy and successfully have patients, healthcare organizations, and providers use Yelp.
About the Author:
Danika E. Brinda, PhD, RHIA, CHPS, HCISPP is the Owner of Planet HIPAA and TriPoint Healthcare Solutions. Dr. Brinda is an expert in healthcare privacy and security with over 13 years of experience. Her specialties include HIPAA compliance program establishment, risk analysis/assessment, risk mitigation, privacy and security policy creation, privacy and security education, business associate HIPAA compliance program establishment, and evaluating best practices in privacy and security. As a nationally-recognized speaker on healthcare privacy and security topics, Dr. Brinda has worked closely with both covered entities and business associates regarding HIPAA compliance ranging from sole provider officers to large integrated healthcare systems. Dr. Brinda is also an Associate Professor in the Health Informatics and Information Management Department at The College of St. Scholastica in Duluth, MN. Her focus on HIPAA is to make it work for your organization and for your patients. Everyone can be HIPAA compliant!
Resources:
Department of Health and Human Services. (2013, June 13). Shasta Regional Medical Center settles HIPAA privacy case for $275,000. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/SRMC/index.html
Department of Health and Human Services. (2016, February 16). Physical therapy provider settles violations that it impermissibly disclosed patient information. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/complete-pt/index.html
Department of Health and Human Services. (n.d.). Top five issues in investigated cases closed with corrective action by calendar year. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/top-five-issues-investigated-cases-closed-corrective-action-calendar-year/index.html
The information above is provided for educational and informational purposes only. It is not intended to be a substitute for professional advice and may not be suitable for your circumstances. Unless stated otherwise, references to third-party links, services, or products do not constitute endorsement by Yelp.