As consumers increasingly turn to online reviews before making a purchase, more and more businesses are building up their online presence to influence decision-making and bolster marketing efforts. But leveraging online reviews in this way can create significant problems for healthcare providers, who are subject to state and federal healthcare privacy laws. 

Unlike other industries, healthcare providers must be careful about what their online marketing efforts look like in the context of addressing and responding to online reviews. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects patient health information. Under HIPAA, simply disclosing whether someone was or was not a patient of a particular healthcare provider or facility can be prohibited. 

Thus, if a healthcare provider responds to an online review in a manner that confirms the reviewer (or someone else) was a patient or includes details about the services rendered, that response could run afoul of HIPAA. 

In December 2022, the Office for Civil Rights (OCR), the federal agency overseeing HIPAA compliance, announced a settlement with a dental practice over a HIPAA violation after the dental practice disclosed protected health information in response to an online review. OCR received a complaint alleging that the dental practice “habitually disclosed” patient names, treatment and insurance information on the online forum Yelp in response to posts that might not have originally mentioned the patient’s name or insurance information. 

After an investigation, OCR determined that the dental practice had compromised protected health information in violation of HIPAA. The practice was fined $23,000 and entered into a Corrective Action Plan with OCR. A similar OCR settlement occurred in 2019 when another dental practice was required to pay $10,000.

Healthcare providers may naturally want to defend themselves and the care they provided when someone criticizes them in a negative online review. However, their hands are somewhat tied by HIPAA's prohibitions. No provision in HIPAA allows a healthcare provider to disclose patient information in response to a negative public posting on a website or via social media.

Some might assume that because the patient has offered certain information in a public forum, then the provider could in turn respond with similar information to rebut the negative comments, but that is not the case. One might also assume that because the patient has made their health condition an issue in an online posting, the patient has either waived the right to the protections afforded under HIPAA or has impliedly authorized such responsive disclosure by the provider. However, that is also not the case, as no such waiver or implied authorization exists under HIPAA.

Therefore, if a patient posts information online about his or her health condition or treatment by a healthcare provider, it does not authorize the provider to disclose any information about the patient or the services rendered. Instead, the safest approach when dealing with online reviews is to not respond at all, as it is sometimes difficult to craft an appropriate response without running afoul of HIPAA. 

If a provider feels the need to respond, which is understandable, the provider should give only a general response that in no way confirms whether someone was a patient. For example: “Please feel free to call our office at XXX-XXX-XXXX to address any concerns.” Alternatively, instead of responding online, providers may contact the reviewer directly by telephone to address the basis for the complaint. Providers may also encourage positive online reviews by giving patients information directly on how to post such reviews, in an effort to offset any negative reviews that are already online.

Regardless, healthcare providers should never post anything online that could identify someone as a patient of the provider without the patient’s express, written authorization. While providers naturally will want to defend themselves against negative online posts, doing so could result in a HIPAA violation. Healthcare providers should review their current policies related to the use and disclosure of protected health information and specifically confirm that they address the use and disclosure of patient information online, including prohibiting the use of patient information in responding to reviews.

Kelli Fleming is a partner at Burr & Forman LLP practicing exclusively in the firm’s healthcare group. Kelli may be reached at (205) 458-5429 or [email protected].

Angie Smith is a partner at Burr & Forman LLP practicing exclusively in the firm’s healthcare group. Angie may be reached at (205) 458-5209 or [email protected].

The opinions expressed in McKnight’s Long-Term Care News guest submissions are the author’s and are not necessarily those of McKnight’s Long-Term Care News or its editors.