How to Respond to Online Reviews and Remain HIPAA Compliant
March 21, 2018
By Maddie Langston, IDOC Practice Marketing Consultant
I’m often asked for guidance on how to respond to negative reviews written by patients of optometric practices on Google, Facebook and Yelp. Most O.D. owners and staff are surprised when I tell them that a reviewer publicly announcing that they were indeed a patient at the practice does not grant the practice authorization to respond in kind. To remain HIPAA compliant, the public-facing response should not identify the reviewer as a patient of the practice and should not address specific details of their experience as a patient at the practice.
I’m not sure how many patients understand this quirk, so if you’ve already broken the rule by simply saying something like “thanks, Maddie, for visiting us the other day and for your kind words!” in a response to a review, don’t panic. As I stated earlier, most people with whom I work on drafting a response to a review have no idea that HIPAA places constraints on how they address patients online, particularly when the patient seems to have no problem telling the world they were at the practice as a patient and relating specific details from the experience, which often include details about their health.
So, how should the practice respond to an online review and remain compliant with HIPAA? I’m going to present a hypothetical review and we’ll look at a non-compliant response versus an acceptable response.
Google Listing review:
I was frustrated because I had to wait a long time AND their glasses were super expensive. Don’t recommend.
Non-compliant response:
Hi, Reviewer – thanks for the feedback. Unfortunately, you arrived 30 minutes prior to your appointment time and we were unable to accommodate you early. We were also careful to show you a collection of eyewear which is completely covered by your vision plan – so we honestly don’t understand why you felt our glasses were too expensive. Please feel free to contact us with any additional questions or concerns. Sincerely – O.D. and Team
Compliant response:
Hi, Reviewer. At IDOC Vision Care, we strive to minimize patient wait times and adhere to seeing patients at their scheduled appointment times. We are also proud to offer a beautiful collection of eyewear in a wide variety of price ranges to suit most budgets and accommodate many vision plans which offset out of pocket expenses for patients. Thank you for your feedback. Yours in Good Health, O.D. and Team
While the non-compliant response feels much more satisfying to write because clearly the patient was in the wrong, the practice cannot address the reviewer specifically or list details of the experience, because doing so violates HIPAA. The compliant response speaks only to general policies of the practice, so it does not violate HIPAA in any way. Not once in the compliant response did the practice mention any specific detail of the patient’s experience, or even admit that the reviewer was ever a patient at the practice. It may feel frustrating or even disingenuous to write an online response in this way, but it’s ultimately much more professional and HIPAA compliant.
Dr. Danika Brinda of Planet HIPAA has written an excellent resource that provides more examples of reviews, along with compliant and non-compliant public responses on Yelp: https://www.yelpblog.com/2016/12/experts-guide-patient-privacy-online-reviews. You may want to forward the article to all practice staff who may be called upon to respond to online reviews so that everyone understands how to write a compliant response. Key points include the following:
1. Healthcare providers should not write comments that would confirm the patient received any healthcare services, or any specific comments regarding the patient’s healthcare services.
2. A healthcare organization is not allowed to use protected health information without prior authorization from a patient, even when a patient elects to post it on an online platform like Yelp. A Yelp review that a patient has posted is not considered an authorization for a healthcare organization to use that information for testimonial or other healthcare operations purposes.
Online reviews can serve as a powerful tool in your marketing plan, and your practice should develop a strategy to acquire good reviews from happy patients. Still, some care and caution should be used when responding to reviews in a public forum to ensure you remain HIPAA compliant.
Maddie Langston brings extensive experience in marketing and sales administration and has developed strategies to drive sales for various industries. Most recently, Maddie developed marketing programs for a national network of independently owned auto repair service centers. She earned a Bachelor of Arts degree in English from Liberty University. Maddie and her husband Jim have a teenage son and two beagles. She enjoys reading, watching documentaries and hiking in her spare time. For questions or comments about this article, please contact firstname.lastname@example.org.