HIPAA and Online Reviews: What Your Practice Needs to Know

A digital presence is essential for maintaining a thriving business, and healthcare practices are no exception. Patients seeking a healthcare provider use search engines, your website, and online review sites to learn about you and your practice. Ninety-three percent of patients consider online reviews when choosing a new provider. Reviews help patients gauge your communication skills, quality of care, and previous patients' satisfaction. What are the best practices for responding to these reviews? Or should you not respond at all?

HIPAA Rules for Online Reviews

While the consensus for most businesses is to publicly respond to online reviews, healthcare professionals are limited in what they can communicate in a public forum due to HIPAA.

HIPAA does not prohibit healthcare professionals from responding to online reviews, but it does govern the content of the response. A response cannot include any of the patient's protected health information (PHI), even if the patient has already revealed that information in their own review: a patient disclosing their own details is not an authorization for the practice to disclose them.

PHI is individually identifiable health information, held or transmitted by a covered entity, that relates to a patient's past, present, or future:

  • Physical or mental health condition,
  • Health care provided, or
  • Payment for health care.

The HIPAA Privacy Rule's de-identification standard, published by the US Department of Health and Human Services (HHS), lists 18 identifiers (names, dates other than year, phone and fax numbers, email addresses, Social Security numbers, medical record and account numbers, full-face photographs, and similar) that, combined with health information, make it PHI. None of them may appear in a public response.

Recent HIPAA Violations Regarding Online Reviews

The HHS Office for Civil Rights (OCR) has enforced several cases in recent years in which a practice disclosed PHI while responding to an online review.

In 2019, Elite Dental Associates agreed to pay $10,000 after disclosing a patient's name, details of their health condition, treatment plan, insurance, and cost information in response to a negative online review.

In 2021, a dental practice in North Carolina disclosed a patient’s PHI in response to a negative online review. The practice did not respond to OCR’s data request or the administrative subpoena and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.

In 2022, New Vision Dental in California disclosed PHI in a response to an online review. The settlement included payment of $23,000 and adherence to a two-year Corrective Action Plan monitored by OCR.

Monitoring Online Reviews

A third of patients have posted an online review of their healthcare provider in the last year, so make sure your practice is monitoring reviews on third-party websites. The most common places to find patient reviews are:

  1. Google/search engine
  2. Your practice’s website
  3. Facebook
  4. Yelp
  5. WebMD
  6. Healthgrades
  7. RateMDs

By keeping an eye on your reviews, you can gauge the kind of feedback your practice garners. Even with negative reviews, patient retention and a healthy online reputation are possible: sixty-four percent of patients said they would return to a practice that addressed a negative review.

The Do’s and Don’ts of Responding

While healthcare practitioners know that online reviews are inevitable, most don’t have a plan in place for how to respond in a HIPAA-compliant way.

What to do:

  • Have established policies and procedures to ensure HIPAA compliance in responses to online reviews and social media.
  • Limit who has access to respond to online reviews.
  • Report negative reviews to the Privacy/Security Officer or Office Manager.
  • Check the rules of your malpractice insurance carrier; some forbid responses to any reviews.
    • If able to reply:
      • use a generic template response for consistency and ask to take the conversation offline.
        • Example template for negative reviews: We appreciate your feedback and are committed to providing the best patient care. Due to federal regulations, complaints cannot be addressed online. If you have had a negative experience with our practice, please contact us at [phone number]/[email]. We would love the opportunity to discuss and resolve your issue.
        • Example template for positive reviews: Thank you for leaving us a positive review and sharing your feedback with us and the community.  We are pleased to hear you had a positive experience!

What not to do:

  • Don’t acknowledge that the reviewer is a patient at your office or disclose any information about them. Even if the reviewer discloses personal information as it relates to their experience with your practice, you do not have permission to disclose, or even acknowledge, any patient information in the response.
  • Don’t respond immediately. Follow your online review process for how to respond appropriately to remain HIPAA-compliant.
  • Don’t forget to ask for reviews. Soliciting online reviews for your practice while patients are in the office can help garner positive reviews and build your online reputation. It also opens an in-person conversation for feedback before a potentially negative review is written.
  • Don’t ignore criticism. You can look at a review from a patient’s perspective to determine if your office can do anything differently.
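One way to enforce the do's and don'ts above in practice is a pre-publication screen: a reply may only be posted if it is one of the approved templates, and anything else is blocked and flagged for the Privacy Officer. The Python below is an added example written for this article, not code from the original page or from any review-management vendor. The two templates are the ones quoted above; the practice contact details and the draft reply are constructed sample data; and the regular expressions cover only the HIPAA Safe Harbor identifiers that have a recognisable shape (dates, phone numbers, email addresses, Social Security numbers, URLs, IP addresses, account or record numbers). Names, conditions and treatments have no pattern a regex can catch, which is exactly why the template check, not the pattern pass, is the real control.

```python
import re
from typing import List

# Approved public replies. These are the two templates quoted in the article;
# only the contact placeholder in the negative-review template may vary.
NEGATIVE_TEMPLATE = (
    "We appreciate your feedback and are committed to providing the best patient care. "
    "Due to federal regulations, complaints cannot be addressed online. If you have had "
    "a negative experience with our practice, please contact us at {contact}. "
    "We would love the opportunity to discuss and resolve your issue."
)
POSITIVE_TEMPLATE = (
    "Thank you for leaving us a positive review and sharing your feedback with us and "
    "the community. We are pleased to hear you had a positive experience!"
)

# Constructed sample data: a hypothetical practice's contact details, not a real office.
PRACTICE_CONTACTS = ["(555) 555-0123", "office@example.com"]

# Safe Harbor identifiers that have a recognisable shape. Names, diagnoses,
# treatments and geographic details do not, so these patterns are only a
# second line of defence behind the template check in findings_for().
IDENTIFIER_PATTERNS = {
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b",
        re.I,
    ),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    # Requires at least one digit after the keyword so "claim that ..." is not flagged.
    "account_or_record_number": re.compile(
        r"\b(?:mrn|acct|account|member|claim|policy)\s*#?\s*:?\s*(?=[A-Za-z-]*\d)[A-Za-z0-9-]{4,}\b",
        re.I,
    ),
}

# Wording that confirms the reviewer is a patient or discusses their care.
ACKNOWLEDGEMENT_PHRASES = [
    "your appointment", "your visit", "your treatment", "your diagnosis",
    "your insurance", "your balance", "your records", "your chart",
    "your procedure", "your prescription", "you were seen", "when you came in",
]


def approved_replies(practice_contacts: List[str]) -> set:
    """The only strings allowed to be posted publicly."""
    contact = " or ".join(practice_contacts)
    return {POSITIVE_TEMPLATE, NEGATIVE_TEMPLATE.format(contact=contact)}


def findings_for(reply: str, practice_contacts: List[str]) -> List[str]:
    """Return the reasons a draft must not be posted; an empty list means it is clear."""
    findings = []
    if reply.strip() not in approved_replies(practice_contacts):
        findings.append("off_template: reply is not an approved template")

    # The practice's own contact details are the one permitted "identifier",
    # so remove them before scanning for anything that looks like PHI.
    scrubbed = reply
    for contact in practice_contacts:
        scrubbed = scrubbed.replace(contact, " ")

    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(scrubbed):
            findings.append(f"{kind}: {match.group(0)}")

    lowered = scrubbed.lower()
    for phrase in ACKNOWLEDGEMENT_PHRASES:
        if phrase in lowered:
            findings.append(f"acknowledges_patient: {phrase!r}")
    return findings


def is_postable(reply: str, practice_contacts: List[str]) -> bool:
    return not findings_for(reply, practice_contacts)


if __name__ == "__main__":
    # Constructed draft of the sort the article warns against: it confirms the
    # reviewer is a patient and names a treatment, a date, an insurance claim and a phone.
    draft = (
        "We are sorry your root canal on 3/14/2023 did not go as expected; your insurance "
        "denied claim #A12345. Call us at 555-555-0199."
    )
    for finding in findings_for(draft, PRACTICE_CONTACTS):
        print("BLOCK:", finding)
    print("OK" if is_postable(POSITIVE_TEMPLATE, PRACTICE_CONTACTS) else "BLOCKED")
```

Wire `is_postable` in front of whatever posts the reply (the review platform's API client, or the person holding the login) so that only an exact template can go out, and route every non-empty findings list to the Privacy Officer rather than back to the drafter. Note what the pattern pass does not do: it cannot recognise "your crown" or "Mrs. Smith" as PHI, so a practice that relaxes the template check and relies on the regexes alone has no real control.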

While HIPAA regulations make replying to online reviews more challenging, don't let that stop you from responding at all. By creating and following your office's online review response plan, you can make sure your office stays compliant when engaging with your online audience.