A healthcare organization’s online presence is an important component of its reputation. Occasionally, dissatisfied patients will post negative reviews about healthcare services on social media and customer review platforms such as Yelp or Google.

Healthcare organizations and providers may attempt to mitigate the effects of these negative reviews by responding to a patient’s review. In doing so, providers must take precautions to safeguard patient privacy and protected health information (PHI).

A recent HIPAA settlement involving a healthcare provider and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), underscores the importance of proceeding cautiously in responding to online reviews.

Potential Consequences of Responding to Negative Online Reviews

In June, HHS-OCR announced a settlement with a New Jersey healthcare provider of psychiatric services who disclosed PHI when responding to negative patient reviews online.

OCR conducted an investigation and found that the provider violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by impermissibly disclosing four patients’ PHI, including specific information about the patients’ diagnoses and treatment of their mental health conditions. OCR also found that the provider failed to implement appropriate policies and procedures with respect to PHI.

As part of the settlement, the provider agreed to pay $30,000 to OCR and to implement a corrective action plan (CAP) to resolve potential violations.

In response to continuing OCR complaints about similar violations, OCR Director Melanie Fontes Rainer stated, “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

Tips for Responding to Negative Online Reviews

Set policy. Healthcare organizations and providers must be mindful of legal and ethical obligations when considering how to respond to negative reviews on social media and the internet.  Healthcare organizations should develop specific policies addressing the disclosure of PHI on the internet and social media that are compliant with HIPAA and other state and federal privacy laws. Once guidelines are established, providers should regularly review and train staff on policies and best practices.

Stay informed. Providers should stay up to date on ethical guidance on these issues. For example, the American Medical Association has published guidance on this topic, as well as ethical opinions: E-2.3.2 Professionalism in the Use of Social Media and D-478.980 Anonymous Cyberspace Evaluations of Physicians.

Other Dos and Don’ts of responding to negative online reviews are shared below:

Dos

  • Instead of responding online, consider reaching out to the patient individually to address their concerns.
  • If you choose to respond, limit the response to a discussion of the provider’s relevant policies and procedures.
  • Consult legal counsel if you have concerns about how to appropriately respond while complying with HIPAA and state privacy laws.

Don’ts:

  • Do not respond immediately. If you choose to respond, take the time to form a compliant and professional response.
  • Do not disclose any information about the patient, including the fact that the person is a patient.
  • Do not be discouraged. Approach reviews as insight into how to improve in the future.

If you have questions about your HIPAA compliance, contact Liz Heddleston, Jamie Wood or any member of the WRVB Health Law team.

This article was authored with the assistance of Summer Associate Nicole Chaney. Nicole is pursuing her JD at the Wake Forest School of Law.