HIPAA Guidelines To Remember While Responding To Patient Reviews

The challenges of online reputation management are different for a medical practice when compared with other small and medium businesses. The simple reason being that patients wouldn’t want their healthcare provider to talk about them or their medical needs publicly. HIPAA guidelines exist to protect patients’ privacy and you as a healthcare provider should know how to stay compliant.

Let’s imagine a relatively simple situation. A patient with a food allergy is rushed to your medical practice. They have swollen lips, hives and aren’t able to communicate other symptoms. The patient is in distress. You, the healthcare provider, manage to get the situation under control quickly. Working with your staff, you give the patient the attention they need and the danger passes. Your patient is very grateful and praises your practice.  

If you post about your patient online and mistakenly violate HIPAA guidelines, you could end up paying a huge fine or even face imprisonment. So, before you rush to post about success stories online, learn everything you can about HIPAA guidelines. 

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The act restricts medical professionals in how they can interact or communicate with their patients online. HIPAA guidelines are in place to protect patients’ privacy. Violating HIPAA guidelines while responding to patient reviews is easier than you might think. With a simple mistake (think human error, everyone has bad days, doctors included) you could end up breaking HIPAA compliance rules. Worry not, there are ways to avoid HIPAA violations. Following a few basic guidelines can help you follow HIPAA compliance rules while responding to feedback.

Even though HIPAA came into the picture before the review-world came into existence, the concepts of HIPAA still apply. Patient reviews are a vital part of a healthcare organization’s identity. It’s every doctor’s responsibility to protect the patient’s privacy.

Even the most knowledgeable organizations can struggle with how to respond to patient reviews while maintaining patient confidentiality. Below are guidelines to help you stay connected with your patients on review sites like Google and Facebook while preserving their privacy.

HIPAA Guidelines

1. Keep the patient’s privacy intact.

HIPAA guidelines for patient confidentiality may look complex. But, they all percolate down to one essential point – not sharing your patient’s personal information. This means not even specifying that the reviewer visited you since that is a personal detail. For example, rather than saying “So glad you enjoyed your visit, come back again soon!” an ideal HIPAA compliant response would be:

“Thank you for your feedback! We strive to provide the best services to all our patients.

This response does not provide any specific information about the patient or the visit. It shows appreciation and also emphasizes the organization’s policy. It’s also important to respond to reviews without referring to the reviewers as patients.

Here is a great example of a HIPAA compliant response to a patient review:

hipaa guidelines

There’s absolutely no mention of the patient’s medical information in the response.  Notice how there’s no specific mention of the patient’s medical issue or appointment either, making it the perfect response.  

2. Avoid disclosing the patient’s medical issue.

Instead of inadvertently declaring protected information like a medical diagnosis, avoid the issue entirely. What if the patient refers to the symptoms in their review? If you think that then it is alright for the healthcare provider to mention details — well, you are wrong. Even if the patient reveals their diagnosis, the doctor is in violation of HIPAA guidelines if their reply repeats the information. The easiest hack is to avoid. 

3. Take critical issues offline.

If something feels urgent (hey doctors, we know it’s actually a matter of life and death in your profession) and there is no way to respond without asking for more information — take it offline. You wouldn’t want to brush aside their fears with a generic reply or violate HIPAA guidelines either by asking questions that reveal personal details either. The best route to take it to message the patient personally or ask them to get in touch with you via phone or email. In your response, you can mention your contact details and even invite them to visit your medical facility. 

If the urgency also involves the patient’s unhappiness with care received, a private communication channel might help you get to the bottom of it easily. Getting more insight into why a patient is unhappy will help you to resolve the issue faster. If you address the concern by personally getting in touch with the patient, you may even persuade them to remove or edit the negative post. Now, this is a win-win. 

4. Avoid sharing confidential information via personal messages.  

Address the patient’s negative reviews and concerns through direct contact channels like personal messaging and avoid unwanted disclosures, breach of data or breach of patient privacy.

HIPAA’sSecurity Rule mandates that all electronically protected health information (ePHI) is free from any of the HIPAA violations mentioned earlier. However, social media messaging services do violate HIPAA’s standard for compliance. Patient data or health documents should never be distributed using these messaging services.   

What is PHI (Protected Health Information)?

The HIPAA Privacy Practice applies to “protected health information” (PHI). The definition of PHI is “independently identifiable health information”. Data, including demographic information, that relates to the patient’s physical or medical condition in the past, present or future is “Independently identifiable health information”.  

PHI can be held or transferred by a covered entity or its business associate, in any form, whether electronic, paper or oral. Independently identifiable health information also covers several basic identifiers (e.g., name, address, birth date, and social security number). There are over 18 identifiers that make health information PHI, including email addresses, health plan beneficiary numbers, biometric identifiers, among others. Make sure to keep yourself updated on what comprises PHI, just to be sure to follow HIPAA compliance rules.

5. Don’t share your patient’s pictures on social media.

A picture is worth a thousand words. Do you really want to write a thousand words about your patients on social media? Thanks to smartphones, photos seem to be the easiest way to communicate. If I had a dollar for every time I heard “Show and don’t tell” in writing school, I’d be able to pay off my students loans in one payment. While this is great advice for everybody else, it doesn’t apply to doctors and healthcare providers. 

If you love your patient’s positive review and want to share their pictures as a part of your response, think twice. According to HIPAA guidelines, posting a patient’s pictures on social media websites like Facebook is a violation. 

While it may seem inoffensive or harmless, especially if the patient’s name is left out, someone may still recognize them (thanks to all the facial recognition software used on these social media) and that becomes an infringement of the patient’s privacy. So, even if you’re celebrating something as significant as a patient’s recovery from an illness or horrible injury, sharing their photos is a major violation of HIPAA’s book. Again, the best route to take is to avoid posting photos altogether.

6. Create a response strategy for your reviews.

Work with your team and create a policy on how you can respond to different types of reviews while complying with HIPAA guidelines. Study different scenarios to identify various types of patient reviews. After careful study, create standard response templates for each scenario.

For instance, for all negative responses, you may say something like: “We deeply regret the inconvenience. Kindly get in touch with us at [Contact Number] or [Contact Email ID] so that we can address your concern.”

For all positive patient feedback, you might say that “It is our goal to provide the best care to patients. We appreciate your feedback.”

This works well for review sites like Facebook and Google. However, in the case of Twitter, you may have to abbreviate your response to stay within the character limits.

Worried About Breaking HIPAA Guidelines? BirdEye Is A Practical Solution

As a healthcare provider committed to serving as many patients as possible, you should continually work towards increasing your positive reviews. Patients that have a  bad experience are most likely to write reviews to vent. You are also more likely to have to respond to negative reviews and provide clarifications. Consistently requesting all your patients to leave a review can balance the proportion of positive and negative reviews. This will also ensure that your medical practice has a solid online reputation. 

Constantly generating new reviews is not an easy task without the right tools in place. With BirdEye’s HIPAA-compliant software, you can send review requests to your customers soon after their office visit. With tools like “drip campaigns,” you can automate the review generation process across a variety of review sites. Let BirdEye do all the heavy lifting when it comes to your medical practice’s online reputation management. You do what you do best — saving lives.


Share this article