Skip to main content

GUEST POST: Is Responding to Healthcare Reviews a HIPAA Violation?

Like any other business, health care providers must navigate the challenges presented by their online reputation in the form of healthcare reviews.  Reviews on sites like HealthGrades, RateMDs, Vitals, and Yelp can greatly impact a provider’s bottom line, especially for smaller providers, as ninety percent (90%) of consumers use online reviews to evaluate providers.

For providers not receiving, encouraging, or promoting patient reviews, the question is, why not?  Unlike other professions, medical providers are highly regarded, and their reviews are generally favorable, making them a valuable marketing tool.  At the same time, however, it is important to remember that, like all other aspects of their work, health care providers’ conduct on review sites is regulated and subject to applicable ethics rules.

As the joint Guidelines for Online Medical Professionalism issued by the American College of Physicians (ACP) and the Federation of State Medical Boards (FSMB) explains,

Maintaining trust in the profession and patient-physician relationships requires that physicians consistently apply ethical principles for preserving the relationship, confidentiality, privacy, and respect for persons to online settings and communications.

Assessing Negative Healthcare Reviews

healthcare reviews

So what should a provider do when they are faced with a negative review?  Read it and count to ten.  Review sites provide valuable information to consumers based on the concept of the wisdom of the crowd.  These sites are also providing valuable information on your practice if you take the time to listen.

A Journal of Medical Practice Management report found that 96% of negative reviews of doctors have nothing to do with the quality of care.  The report’s author explained, that the “nearly unanimous consensus is that in terms of impact on patient satisfaction, the waiting room trumps the exam room.” Suppose you have already lost a patient before you even say “hello,” that is something you need to know and address.

Not all negative reviews have value or are even legitimate.  While not all reviews provide identifiable information on the reviewer or even the dates of service, if you can demonstrate that the review’s author was never a patient or abusive or offensive, you can flag the review. The review site may elect to remove the review at its discretion.  Under federal law, review sites are not liable for the content of the reviews or failing to remove them, so you are relying on their discretion and goodwill.

If the review is not removed, keep in mind that under the crowd’s wisdom, one negative review in a sea of positive reviews may say more about the reviewer than a provider’s practice.

How Not to Respond to Healthcare Reviews

If a provider believes that a negative review requires a response, it is worth highlighting off-limits responses.  The first is to attempt to “put the genie back in the bottle” and add non-disparagement or other contractual restrictions on providing reviews to the litany of papers that new patients sign.

Attempts to suppress reviews are counterproductive since they limit the number of reviews and make a provider more vulnerable to a negative review.   As Jeffrey Segal, founder of Medical Justice who once sought to block such reviews, explains:

For doctors who get bent out of shape to get rid of negative reviews.  If they only have three reviews and two are negative, the denominator is the problem. … If you can figure out a way to cultivate reviews from hundreds of patients rather than a few patients, the problem is solved.

The Consumer Review Fairness Act of 2016 and some state laws make it a deceptive trade practice to restrict the ability of a consumer to make a review of the provider.  More importantly, the Department of Health and Human Service’s Office of Civil Rights, which enforces compliance with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), has held that such provisions are void.

In one case (Private Practice Ceases Conditioning of Compliance with the Privacy Rule), HHS intervened where a provider restricted patients from “directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance” under HIPAA since “a covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence.”

An opposite response, flooding review sites with fake reviews (also known as Astroturfing), is equally problematic.  Not only could it lead to a review site banning such a provider, but it is a deceptive trade practice that has led to enforcement actions with six-figure settlements and could lead to disciplinary proceedings under state ethics rules.

If the review is demonstrably false, not an opinion, and causing significant damage to the provider, they could sue for defamation, but this is really only a viable option in extreme cases or where reviewing party is a competitor.  Aside from the cost of such litigation and risks of exposure through an anti-SLAPP motion in which the reviewer claims the lawsuit improperly seeks to punish the legitimate exercise of their First Amendment rights, litigation risks giving broader exposure to the offending post (also known as “the Streisand Effect”) and/or retaliatory action by the review site.  As Santa Clara University Law School Professor Eric Goldman has pointed out, “Doctors rarely win in court, and even worse, some doctors ultimately must pay the attorneys’ fees of their patients as well as their own.”

healthcare response

When and How to Respond

If the review permits direct communication with the reviewer, a provider may reply something to the effect of “thank you for raising your concerns. We will reach out to you directly to discuss this further.”  If direct communication is not permitted, the provider could provide a similar response but invite the reviewer to contact the provider directly.

Before a provider responds to a negative review on the review site other than to say, “Thank you, we are committed to providing quality care and appreciate the feedback.” for a positive review. They must determine whether other reviews or online commentators provide sufficient rebuttal.  Happy patients speaking in the provider’s response may be enough.

Should a provider deem it necessary to respond, it must be mindful of the requirements of HIPAA.  The fact that a patient has submitted a review and/or provided some HIPAA-protected information in the process does not constitute a waiver.  Any provider response must not reveal any HIPAA-protected information or even acknowledge that the reviewer was a patient.

It is best to speak only in general terms.  For example, should a review complaining about a surgical procedure in which a patient experienced complication, the response could state that “we are committed to providing quality medical care to our patients, in doing so it is our policy to fully explain the risks associated with the procedure and potential complications and to have a patient acknowledge this disclosure. We appreciate your feedback and your concerns and would be happy to talk with you further about them.”  HIPAA does not allow for anything more than that.

The Healthcare Review Trophy

Finally, if a patient writes a glowing review of a provider who wishes to share it on their website or elsewhere, HIPAA requires that the provider obtain the patient’s consent before doing so.  Once obtained, the provider is free to be five-star braggadocious.

DISCLAIMER: The information contained in this blog post is provided for informational purposes only and should not be construed as legal advice on any subject matter. You should not act or refrain from acting based on any content included in this site without seeking legal or other professional advice.

Guest Writer Bio:

healthcare reviews Bennet Kelley is the founder of the Internet Law Center in Santa Monica, California.  He has had leadership roles with the California Lawyers Association’s Internet & Privacy Law and Technology, Internet and Privacy Committees and was named one of the Most Influential Lawyers in Digital Media and E-Commerce by the Los Angeles Business Journal.