Do.Not.Respond.To.Reviews.
If you are a covered entity and responding to comments or reviews on social media you are 1. probably taking advice from marketers and reputation managers, and 2. definitely violating HIPAA. This mistake is easy to avoid – don’t follow advice like this without talking to your lawyer, or another legal HIPAA expert.
The HIPAA Privacy Rule requires that covered entities NOT disclose any protected health information about patients in their care without a prior written HIPAA authorization. It doesn’t matter that “the patient spoke first”. There is no exception in HIPAA for covered entities disclosing information that was first self-disclosed. There is no such thing as “implied consent”. Period. Remember, protected health information can be as simple as a person’s name. It does not have to include medical or diagnosis details.
There are marketing companies who specialize in healthcare that do not actually know HIPAA law, and they encourage the use of patient reviews to help expand a business. When a bad review appears, marketing advisors have strategies on how to respond to manage the negative images. When you respond to a review though, if the patient used their name or any other identifier, you have made an unauthorized disclosure.
We have seen some of this advice, given in webinars and on blogs, that claims health care providers can get around the HIPAA authorization requirement as follows:
Bad HIPAA Advice
From a marketing consultant/advisor:
Add language to patient registration form that says,
- If patient posts to social media,
- They waive their HIPAA Privacy Rights, and
- The health care provider will respond (defend) using patient information.
WRONG – adding general language to a patient registration form is not a valid HIPAA authorization. A HIPAA authorization must contain specific elements and statements to be valid. Anything that does not contain all the specifics elements and statements will not hold up.
You Own and are Responsible for Your Facebook Page
We have written about the unique qualities of a covered entity’s Facebook page before. Unlike reviews on Yelp, on Facebook, any reviews, recommendations or comments on your page are your responsibility, no matter who wrote them. You are expected, by Facebook, and by the Office for Civil Rights (OCR), the agency that enforces HIPAA, to follow the law and control the content yourself. Patients don’t need to follow HIPAA, nor do their friends and family, or anyone else (who is not a covered entity or HIPAA business associate). If it’s posted, you own it.
On a site like Yelp however, you do not own the page or the content. Reviews that contain PHI may be published on Yelp, and as long as you do NOT respond, you have not violated HIPAA.
Yelp Provides HIPAA Guidance
It is interesting that Yelp actually has published guidance about whether and how health care providers may respond to reviews. We agree with Yelp’s advice.
They illustrate what NOT to do with an example of a patient posting a comment as follows:
I came in to XXXXXXXX for their hydration services post weigh-in for a fitness competition. Loved the atmosphere and the Dr. and Nurses were great! I feel so much better now after getting fluids, b12 and electrolytes.
And the health care provider’s response on Yelp was:
Hi XXXXXXX. I am so glad you came in yesterday and that is was a great experience for you. Whenever you’re in town we are here for you!
Yelp commented:
While the provider didn’t provide specific details about the office visit, they did confirm that the patient was seen at the facility and that they are looking forward to future visits. This confirmation would be a violation of HIPAA. (italics added for emphasis)
Yelp advises instead to either provide NO response, or only say “It is our policy to provide the best care to patients.”
Good advice.
Testimonials are Easy to Make HIPAA Compliant
Another option is to use testimonials from patients instead. A testimonial is not a spontaneous comment or review. Instead, if a patient wants to give you a positive comment, you can obtain a valid written HIPAA authorization from them in advance, with the right elements and statements, so that the patient fully understands their HIPAA rights. They should write the testimonial themselves, just as they would a review, and you can post it on your website and/or your Facebook page.
Follow the Law with The HIPAA E-Tool®
Wishful thinking won’t save you from a HIPAA investigation and fines. If you want to use social media to market your healthcare services, make sure you get the best advice – HIPAA is a specialized area of the law, and the regulators will not accept a defense that a consultant told you it’s okay. You are responsible, whether you know the rule or not.
At The HIPAA E-Tool® all the rules are incorporated into policies to comply with the Privacy, Security and Breach Notification Rules. Forms and procedures are provided to support the policies and answer your questions. And help is a phone call away if you’re not sure.
Photo by Joshua Hoehne on Unsplash