Due to HIPAA (Health Insurance Portability and Accountability Act of 1996), medical professionals are restricted in how they can interact or communicate with their patients online. Violating HIPAA while responding to patient reviews is easier than you might think — but it can be avoided. Following a few basic guidelines can help you stay HIPAA compliant while responding to feedback.
Even though HIPAA predates online review sites, its rules apply fully to how you respond on them. Patient reviews are a vital part of a healthcare organization's public identity, and every provider wants to respond, but every provider is also responsible for protecting patient privacy. Even the most knowledgeable organizations can struggle with how to respond to patient reviews while maintaining patient confidentiality.
Below are guidelines to help you stay connected with your patients on review sites like Google and Facebook while preserving their privacy.
1. Keep the patient’s privacy intact
HIPAA's rules on patient confidentiality may look complex, but they all boil down to one essential point: do not share your patient's personal information.
This means not even confirming that the reviewer visited you, since the fact that someone was your patient is itself a personal detail. For example, rather than saying "So glad you enjoyed your visit, come back again soon!" a HIPAA-compliant response would be:
“Thank you for your feedback! We strive to provide the best services to all our patients.”
This response does not provide any specific information about the patient or the visit. It also shows appreciation and emphasizes the organization’s policy. It’s also important to respond to reviews without referring to the reviewers as patients.
[Image not reproduced: example of a HIPAA-compliant response to a patient review.] There is no mention of the patient's medical information in the response, and no reference to the patient's specific medical issue or appointment.
2. Avoid disclosing the patient’s medical issue
Rather than risk inadvertently confirming protected information such as a diagnosis, avoid the subject entirely. A patient disclosing their own diagnosis in a review does not authorize you to discuss it: if your reply mentions or confirms the diagnosis, you are the one in violation of HIPAA.
3. Take critical issues offline
Message the patient personally or ask them to get in touch with you via phone or email. In the response itself, you can mention your contact details and even invite them to visit your medical facility.
If you address the concern by getting in touch with the patient directly, you may also persuade them to remove or edit the negative post.
4. Don’t share your patient’s pictures on social media
If you love a patient's positive review and want to share their picture as part of your response, think twice. Posting a patient's photo on a social media site like Facebook without the patient's written authorization is a HIPAA violation. It may seem harmless, and the patient's name may not be mentioned, but a photo is an identifier: if someone can recognize the patient, you have disclosed that they received care from you. Even if you are celebrating something as significant as a patient's recovery from an illness or injury, sharing their photo without authorization is a major violation in HIPAA's book.
5. Don't send confidential information over social media messaging
Move negative reviews and complaints off the public thread and into a direct channel, but be careful which channel. A private message avoids a public disclosure, yet it is not a secure channel for PHI.
HIPAA's Security Rule requires covered entities to safeguard the confidentiality, integrity and availability of ePHI (electronic protected health information). Consumer social media messaging services (Facebook Messenger, Twitter direct messages and the like) do not provide those safeguards and the platforms do not sign business associate agreements, so they should never be used to send patient data or health documents. Use the message only to arrange a phone call or to direct the patient to a secure patient portal or other channel your organization has approved for PHI.
What is PHI (Protected Health Information)?
The HIPAA Privacy Rule applies to "protected health information" (PHI). PHI is "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form: electronic, paper or oral. Individually identifiable health information is information, including demographic information, that relates to an individual's past, present or future physical or mental health condition, the provision of health care to the individual, or payment for that care, and that identifies the individual or could reasonably be used to identify them. The identifiers include the obvious ones (name, address, birth date, Social Security number) but also things like photographs, phone numbers, email addresses and account numbers. Note that the simple fact that an individual received care from a particular provider is itself PHI, which is why a reply that confirms a reviewer was your patient is already a disclosure.
6. Create a response strategy for your reviews
Work with your team to form a written policy on how to respond to different types of reviews while complying with HIPAA. Study past reviews to identify the recurring types, then create standard response templates for each type so that no individual reply has to be improvised under pressure.
For instance, for negative reviews you might say: "We deeply regret the inconvenience. Kindly get in touch with us at [Contact Number] or [Contact Email ID] so that we can address your concern."
For positive reviews you might say: "It is our goal to provide the best care to patients. We appreciate your feedback."
Neither template confirms that the reviewer is a patient or refers to any visit or condition. These work well on review sites like Facebook and Google; on Twitter you may have to shorten the response to fit the character limit, but the same rule applies.
A practical solution
Continually work toward increasing your positive reviews. Patients who have a bad experience are more likely to write a review than those who had a good one, so you are also more likely to find yourself responding to negative reviews and providing clarifications. Asking every patient to leave a review helps balance the proportion of positive and negative reviews.
Constantly generating new reviews is not easy without the right tools in place. With BirdEye's HIPAA-compliant software, you can send review requests to patients soon after their office visit. With tools like "drip campaigns," you can generate a steady stream of authentic reviews, distributed across a variety of review sites.