No one likes a bad review. It is much more common for an unsatisfied customer to post a negative review than it is for a happy customer to post a positive review. Most business advice sites recommend responding to both good and bad reviews because it helps resolve issues and actually wins back customers. However, unlike businesses in other industries, such as foodservice, healthcare entities must consider HIPAA, a tricky and sometimes complicated topic, when replying to an online review.
Responses to both good and bad reviews or social media posts carry the same risk of a breach or potential complaint to the OCR. Recently, a response to a negative review that resulted in a breach cost a dental practice $50,000 in the form of an OCR penalty. Posting an angry response to a negative review can not only cost you a lot in penalties, but it can also cost you a lot of business. Even though it is the patient who posts information about their visit or health condition, if your practice’s reply acknowledges that they are a patient and/or provides more information about them or their condition, it is a breach of their PHI. Also, since it is hard to verify someone’s identity on most websites, consider that the post might be from an imposter.
Posts about patients made by employees from personal social media accounts are also HIPAA violations. Sometimes these posts are made accidentally: when employees take a birthday picture together, a patient could be in the background, or an employee may post about a patient who is a friend or family member or who has come to feel like a friend or family member. Intentional posts are rare but have happened. Posts made from a practice-owned social media account can only be made if the patient has signed a proper HIPAA Authorization.
Reducing the likelihood of a mistake takes a few easy steps and some reminders from time to time. Here are a few ideas to avoid an OCR investigation and penalty, breach, and/or an ethical issue:
- Avoid the urge to reply right away to a negative review.
- Reduce or restrict the ability to reply to reviews under your practice’s profile to 2-3 people. Consider having your privacy officer read the reply before it is posted.
- Use a consistent, positive template response, even for good reviews. Remember the goal is to avoid disclosing more information about the patient/poster.
An example of a template to consider using for a positive review: “We appreciate your feedback! We are committed to providing the best patient care. Thank you.”
Do not ask the patient/poster for anything, such as to “spread the word” about your practice, or send them a direct message. If you’d like, you can add your phone number and/or email at the end: “You may contact us at [phone number/email].”
An example of a template to consider for a negative review: “We appreciate your feedback and are committed to providing the best patient care. Due to federal regulations, complaints cannot be addressed on social media. If you have had a bad experience with our practice, please contact us at [phone number/email]. We would love the opportunity to discuss and resolve your issue.”
Be sure your employees are aware of this process and know who the point of contact is for these issues. If the patient contacts you with their issue, be willing to have them fill out a patient complaint form and work to resolve the issue with them.
TMC clients not only have immediate access to forms and guidance in our Client Portal but also have a personal consultant, as well as easy access to expert support by contacting Client Services.