On-Line Reviews Can Equate to a HIPAA Trap

By: Kelli Carpenter Fleming, Burr & Forman, LLP

With almost every facet of our lives being conducted online these days, more and more consumers are turning to online reviews and comments to make business decisions. In addition, more and more businesses, including healthcare providers, are building up their online presence to achieve better search results and bolster marketing efforts.

However, unlike other industries, healthcare providers must be careful when addressing and responding to online reviews, as they could run afoul of state and federal healthcare privacy laws. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects patient health information, including whether or not someone was a patient of a particular healthcare practice or received services from a specific healthcare provider. Thus, if a healthcare provider responds to an online review in a manner that confirms that the reviewer (or someone else) was a patient or includes details about the services rendered, that response could run afoul of HIPAA. In fact, a North Carolina dental practice was recently fined $50,000 for disclosing a patient’s health information in response to a negative online review and failing to cooperate with the government investigation into the matter. 

While providers may naturally want to defend themselves against a negative review, their hands are a bit tied due to HIPAA prohibitions. The safest approach when dealing with online reviews is to not respond at all, as it is sometimes difficult to craft an appropriate response without running afoul of HIPAA. If a provider feels the need to respond, the provider should only provide a general response that in no way confirms whether or not someone was a patient. For example, “Please feel free to call our office at XXX-XXX-XXXX to address any concerns.” Alternatively, instead of responding, providers should approach the reviewer directly via telephone to address the complaint. In addition, practices may also encourage positive reviews online by providing information to patients on posting such reviews in an effort to over-shadow any negative reviews.

Regardless, healthcare providers should never post anything online that could identify someone as a patient of the provider without the patient’s express, written authorization. Doing so could result in a HIPAA violation.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s healthcare group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.