As a healthcare provider, you want to ensure your brand has a positive image. After all, most people look up a physician or practitioner's name on the Internet before making their first appointment. And if your practice has a negative image, it could deter those prospective patients from visiting your practice. However, you should think twice before responding to negative reviews about your practice, as this could be a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
HIPAA consists of several rules, including the Security Rule, Privacy Rule, and Beach Notification Rule, each of which has its own specific purpose. One of the stipulations in the Privacy Rule is that covered entities can not use or otherwise disclose a patient's personal health information without first obtaining the patient's consent.
So, how does this pertain to responding to negative reviews? Well, if a covered entity responds to a negative review, and that review contains personally identifiable information, it could be a violation of the HIPAA Privacy Rule. This doesn't necessarily mean that all cases of responding to negative reviews are a violation of HIPAA. Rather, it depends on the content within the review itself, and whether or not that content is classified as Protected Health Information (PHI).
Back in 2013, Shasta Regional Medical Center agreed to pay $275,000 as part of a settlement over allegations that it violated HIPAA for disclosing a patient's PHI to the media in response to a negative article. The Medical Center had been portrayed negatively in the article, and it wanted to provide clarity by publishing the patient's PHI. But Shasta Regional Medical Center did not first obtain the patient's consent before disclosing their PHI, resulting in a violation of the HIPAA Privacy Rule.
So, what should you do if you discover a negative review about your healthcare practice? One option is to contact the reviewer directly to see if you can rectify his or her problem. In many cases, responding to the user directly is enough to turn a negative review into a positive review.
Another option is to focus your efforts on attracting positive reviews. If your healthcare practice has a significant number of positive reviews, it will likely drown out the few negative reviews.
Above all else, though, make sure you that you do not post any personal health information when responding to reviews, good or bad. Even if your intentions are good, responding to reviews with PHI included is a violation of the HIPAA Privacy Rule, which could land you in hot water with the Office for Civil Rights (OCR).