As online ratings ramp up, physicians can get miffed when patients post bad patient reviews. After all, these play a role in their online reputation, and it’s tempting to want to respond. But unlike other businesses, doctors are prohibited by federal law from disclosing their patients’ identity in any way. Post the wrong thing and you risk causing more harm than good.
HIPAA makes it ethically difficult for physicians to respond to online reviews, even those that are specious or untrue. Under the HIPAA regulations, doctors, nurses, and “covered entities” cannot disclose personal health information without the patient’s written authorization. That includes the patient’s name, age, address, phone number, diagnosis, treatment, payment or anything else that could be construed as PHI.
At the same time, patients have the right to talk about their medical experiences in any way that they wish to online.
In a recent article in The Washington Post, ProPublica’s Charles Ornstein wrote that their investigative news team identified more than 3,500 one-star reviews on Yelp where patients mention HIPAA or privacy. Many of those that elicited responses sparked disputes over patient privacy.
The problem isn’t limited to lashing back against poor reviews. In February, Los Angeles-based CompletePT Pool & Land Physical Therapy agreed to pay $25,000 to settle HIPAA violations for posting patient testimonials, complete with names and photos, on its website without first getting permission.
To help providers navigate this potential minefield, HHS’ Office for Civil Rights is updating its guidance on application of HIPAA to social media, a spokeswoman said. No timeline for its release was given.
What can and can't be done now
In the meantime, what should doctors do when patients post negative reviews online? Rebecca Herrold, a privacy consultant in Des Moines, Iowa, says the best thing is to not respond. “When people see something posted about them online, especially if they perceive it to be untrue or hurtful to their business or to them personally, they need to put a brake on it before they react,” she tells Healthcare Dive.
Even if the comment is positive, it’s best not to respond because doing so risks disclosing the patient’s name, she says. Here are five tips for staying HIPAA-compliant in the age of social media:
1. Keep a cool and level head.
Providers need to realize that no matter what anybody says about them, even if it’s patently untrue, they cannot divulge anything online that’s related to the patient’s treatment or operation because that could reveal the name of the patient.
“A lot of doctors and nurses mistakenly believe that as long as they don’t use the written name of a patient or other types of protected health information, that it’s okay to post photos,” Herrold says. “But that’s not true, because PHI items include images that can be associated with the patient.”
If a physician posts a photo in response to online comments, associating the image with the person who made the comments links the photo to the patient, she adds.
2. Establish social media use policies and procedures.
These need to be documented and communicated to all staff within the practice, and then followed consistently, says Herrold. “Make sure that everyone understands if something is online, they cannot respond to it or post photos or videos or anything like that.”
3. Give notice to patients.
Include the social media policy in your notice of privacy practices, and let patients know you won’t communicate with them about their treatment or diagnosis through any social media venues.
Physicians should let patients know how they will communicate with them — e.g., by phone, in person or some other secure way — but that they won’t provide responses to questions about care or other concerns online, Herrold says.
4. Don’t get set up.
With the ease of social media, it’s tempting to vent about misdiagnoses or treatments gone wrong. Dissatisfied patients may also want to steer other potential clients away from a particular doctor.
But Herrold says physicians should also beware of “baiting posts” that are intended to get a response that could lead to legal action. “There’s a lot of bad information that’s posted by others in an attempt to try to financially benefit” from tripping up a doctor on HIPAA rules, she says.
5. Have a good privacy lawyer.
When damaging statements are posted online, physicians should have someone they can talk to who can respond in an appropriate way on their behalf.
Herrold advises doctors to never take matters into their own hands. “Let the lawyer who knows the laws and the impact of actions be the one to make the decision for how to proceed with anything that could be hurting [the physician’s] business,” she says.
After all, she adds, a $200 investment in an hour of advice is a lot cheaper than a lawsuit over potential HIPAA violations that occurred online.