Report Warns Providers Of HIPAA Violations When Responding To Negative Online Reviews

ProPublica, a public interest investigative newsroom, recently identified more than 3,500 one-star medical reviews on Yelp in which patients complained about privacy issues. ProPublica determined that "in dozens of instances, responses to complaints about medical care turned into disputes over patient privacy." For example, ProPublica noted consumers giving providers negative reviews on Yelp and providers responding with details about the "patients' diagnoses, treatments and idiosyncrasies."

As more and more patients use online review platforms to select their providers, many providers are paying close attention to reviews. However, providers need to balance their business concerns with their Health Insurance Portability and Accountability Act (HIPAA) compliance obligations when responding to negative reviews. "Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating [HIPAA]," ProPublica reported.

Legal issues that providers should be aware of when responding to online criticism include:

1. Is the entity subject to HIPAA? Individuals, organizations, and agencies that meet the definition of a covered entity are subject to HIPAA. This includes health care providers, such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, health plans, and health care clearinghouses, but only if they transmit information in an electronic form in connection with certain standard transactions, such as electronic claims submission, benefit eligibility inquiries, referral authorization requests, and other transactions. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract requiring the business associate to comply with certain HIPAA requirements.
2. What is considered protected health information? The HIPAA Privacy Rule applies to "protected health information" (PHI), which is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to: the individual's past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The fact that a particular individual received health care services from a health care provider may be considered PHI, so providers should keep this in mind when evaluating online reviews.
3. Does disclosure by the patient of their own PHI constitute a waiver of the privacy right? No. A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. A patient disclosing their health information does not constitute the necessary authorization needed for the provider to disclose the information.
4. What are some practical solutions? A provider may legally respond to reviews in a number of ways:
   1. Increase positive reviews instead of responding to negative ones—Often patients with a negative experience are more likely to write a review online. Inviting all patients to provide a review may increase the ratio of positive reviews to negative reviews.
   2. Respond with a general treatment philosophy—The provider must be careful to not reveal information that could identify the individual. The provider should respond only with general information about the provider's normal practice and commitment to patient care, while not revealing the identity of the patient or acknowledging that the person was a patient.
   3. Treat the conflict offline—A provider could respond to the review by inviting the individual to call their office to discuss the review. Again, the provider should be careful to not acknowledge the person was a patient.

The U.S. Department of Health and Human Services Office of Civil Rights enforces HIPAA and may impose significant fines for each violation. Providers also need to be mindful of state privacy laws that often apply to a broader category of health information and have additional restrictions on permissible uses and disclosures of PHI without a patient authorization.

Originally, this post was an alert sent to the American Health Lawyers Association's (AHLA) Health and Information Technology Practice Group Members. It appears here with permission. For more information, visit AHLA's website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.