Question

Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

"Hey Todd, I was hoping you could provide our practice with a little clarity in what seems like a murky area. The company we’ve engaged to help with our Internet marketing efforts has advised us to reply to every Google review, especially the negative ones. I recall a dental practice getting fined by Health and Human Services not too long ago because of the way they replied to such a review. What’s the appropriate way to respond to a negative online review, according to HIPAA?"

Thank you for your question! Responding to negative reviews can be difficult to do, especially when they’re unfair. Marketing experts tell us that this activity is vitally important for managing your practice’s reputation online, but how can you respond in a way that makes your patients feel valued, adequately addresses the reason for the review and, most importantly, so your dental practice doesn’t break the law? There have been fines of up to $50,000 given to dentists in the past few years for responding to reviews inappropriately, so this is an area of concern. Let’s see what the HIPAA law has to say about responding to online reviews.

Is It PHI?

Our first step is always to ask if the information we are dealing with is considered protected health information. This is the primary point of concern when it comes to responding to online reviews. PHI includes any data about a healthcare treatment or payment that could be linked to a particular person. The simple fact that an individual is a patient at your practice is protected health information. So, even acknowledging that you saw them at the practice for treatment is a disclosure of PHI. This means that when you are responding to reviews, you cannot write anything about the patient’s treatment, payment, or even confirm they are a patient.

Three Exceptions

Remember, our basic rule is that you cannot disclose PHI without patient authorization unless there is a specific permitted disclosure rule that applies. The reason we can’t disclose any PHI in response to the review is because you don’t have the patient’s authorization and none of the permitted disclosure exceptions in the law apply(treatment, payment, healthcare operations).

The HIPAA Law

It may seem like you can reply with specific details since the patient is the one who “outed” themselves and made the initial disclosure by writing their review.  While I think this makes logical sense, this is an instance where HIPAA may be a bit behind the times. HIPAA requires you to have a patient's authorization before disclosing PHI and it has six very specific requirements for what makes a patient authorization valid. We have a form validation tool in Bite-Size HIPAA® to help you make sure your authorizations are valid. Stated clearly, a patient leaving an online review does not authorize a provider to post their PHI on the Internet. Any of it. Even if it was already disclosed in the initial review posted by the patient.

With this in mind, how do you keep both the marketing gurus and privacy officials happy?

We identify several specific best practices for responding to online reviews in Bite-Size HIPAA®, but in an effort to keep this video brief, a good golden rule for online responses is to direct patients to contact the practice directly and confidentially to address concerns or complaints. Don’t use social media to resolve issues with patients. Use secure and private methods of communication, like email or phone calls.

Instead of responding defensively focus on telling your brand story, emphasize your policies, procedures, standards, commitment to patient care, and education. Close with an invitation to connect using a more secure method of communication to address their experience which, by the way, publicly acknowledges your practice’s commitment to confidentiality.

Summary

Let me finish with a specific example. If somebody posts a review stating that your front office staff is rude, you could respond by saying,

“We are committed to ensuring every patient is treated with the utmost respect and care. Our staff receives quarterly training on customer service and we hold each other to the highest standards of patient care. Because we’re committed to maintaining the privacy of our patients, we have a policy that prohibits us from discussing patient matters on public forums. We love talking to our patients using secure methods. Please call our office any time.”

Have a HIPAA Question

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.