
Online reviews and HIPAA: What you need to know about responding to patient reviews

by Jennifer Bridges  @JenBridgesRD


This post has been modified to reflect new information since its original publication.

HIPAA adds extra complications for healthcare providers facing negative online reviews. The common wisdom for most businesses is to respond to all negative feedback publicly. However, HIPAA levies large fines and penalties against providers who reveal personal health information without patient consent.

It’s no wonder then that most healthcare providers are gun-shy when it comes to responding to online reviews. Fewer than one in five have a process for dealing with bad reviews, even though more than 80% of providers are concerned about the damage reviews can cause.

That said, there are HIPAA-compliant ways of dealing with patient reviews, and you should definitely incorporate review responding into your practice routine.

Why responding to online reviews is so important

Especially given that healthcare can be a life-and-death matter, prospective patients pay a lot of attention to a provider’s online reviews. In fact, 94% of people use online reviews to evaluate physicians, and 75% say that review sites have influenced their choice of provider. As such, negative reviews on sites like Vitals.com, Healthgrades.com, RateMDs.com, Google, and Yelp can be especially damaging—destroying your online reputation and turning away prospective patients.

“Reviews are a trust issue—and should be viewed with a grain of salt; market research shows that some people leave fake reviews or inaccurate reviews—but they still are valuable as the majority will leave authentic info on how they were treated, the experience in the office, and the doctor … They also tell other physicians which specialists they would trust referring their patients to.” Karla Jo Helms, founder and chief Evangelist of JoTo PR Disruptors


The good news is that most patients tend to write positive reviews. But when negative reviews do pop up, you can often turn them into good reviews by responding promptly in a caring, professional, and HIPAA-compliant manner.

These online interactions show potential customers how much you care about your patients’ satisfaction, which can significantly boost your online reputation. Moreover, responding thoughtfully to a negative review can cause two-fifths of viewers to overlook it.

“In running a doctor review site, we can see the power of monitoring and managing reputation. For instance, a significant number of provider responses to negative reviews results in a removal or star improvement. Additionally, thoughtful responses can largely mitigate the negative effects to future readers.”—Ted Chan, CEO of CareDash.com

But you shouldn’t just respond to bad reviews; you should also respond to good reviews. In fact, 70% of people believe it’s important for healthcare providers to respond to all reviews online. Doing so not only demonstrates that you listen to your patients, but it also shows that you truly value them and are grateful for their feedback.

“Online reviews and directory listings may not seem that important but they play a crucial role in maintaining a steady flow of patients choosing you over somebody else and ultimately that’s what keeps the lights on.” Garrett Smith, founder and CEO of InboundMD

What you can (and can’t) include in your response

Some providers, like the one in the review below, mistakenly believe that the HIPAA guidelines prevent them from responding when someone attacks their reputation in a negative review:

Source: www.consumeraffairs.com

This is not entirely accurate. You are free to respond, but you must do so in a way that keeps patients’ protected health information, or PHI, private. PHI goes beyond a person’s health records and the fact that they were a patient of yours. It includes anything that someone can use to identify a patient, including the individual’s:

  • Name
  • Email address
  • Phone number
  • Birthdate
  • Appointment dates/times
  • Test results
  • Diagnoses

But what if a patient has already revealed his or her personal health information in his or her online review? Doesn’t this authorize a provider to acknowledge that the person is a patient? After all, this individual has already admitted this in the review. The answer is “no.” Per HIPAA regulations, regardless of what a patient says in his or her review, you are NOT authorized to release any private health information in your response.

According to Deven McGraw, the deputy director of health information privacy at the Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA regulations, health providers replying to an online review can talk in general terms about how they treat patients. But they must have a patient’s permission before discussing any individual cases. Just because a patient has rated you doesn’t mean you get to rate them in return.

McGraw explains, “If the complaint is about poor patient care, they can come back and say, ‘I provide all of my patients with good patient care’ and ‘I’ve been reviewed in other contexts and have good reviews.’” However, they can’t directly address individual patient concerns.


One dental marketing firm suggests using these best practices when replying to online reviews:

  • Don’t acknowledge whether the reviewer has ever been a patient.
  • Focus on general office policies.
  • Use generic language whenever possible.

Examples of good and bad responses

You can see how to employ these best practices in the responses to this negative review:

Review: “I had to sit in the waiting room for over an hour before seeing the doctor. But what made it worse was that person at the front desk was rude and dismissive when I asked how much longer it would be. When I finally went in, the doctor only spent 10 minutes with me and didn’t seem to listen to my complaints.”

  • Non-HIPAA-compliant response: “We’re sorry your appointment experience was unsatisfactory. Please let us know how we can make it right.”
  • HIPAA-compliant response: “Our policy is to schedule plenty of time between patients in order to avoid long waits. We strive to deliver the best care possible to all our patients, but we occasionally fall behind schedule because of emergencies. We value your feedback and want to thank you for taking the time to share it. You can contact our Office Manager Debbie at (email address) if you have any further comments or suggestions.”

The first response violates HIPAA by acknowledging that the reviewer is a patient. The second response, in contrast, uses generic wording and only addresses the office’s policies. It avoids confirming that the reviewer was ever a patient and moves the conversation offline, where you can address it directly.

If you are responding to a positive review, the rules are the same, as shown below:

Source: birdeye.com

For more information

Don’t let patient reviews intimidate you. Although HIPAA regulations certainly make the process of replying to online reviews more challenging, it is not an impossible task. In fact, replying to reviews is often a quick and effective way to influence the public’s perception of you, especially when you combine this tactic with other reputation management techniques.

To learn more about managing your online reputation and responding to online reviews, see the following articles: