Handling Patient Reviews in a HIPAA Compliant Manner
When choosing a new doctor many prospective patients look to previous patient reviews to determine if they should schedule an appointment with that practice, or go another direction. Additionally, providing testimonials on your practice’s website can be a key differentiator. Although reviews and testimonials can be great marketing tools for a doctor’s practice, it is important to keep HIPAA’s Privacy Rule in mind before you post anything.
HIPAA’s Privacy Rule
The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards in which protected health information (PHI) can be handled. PHI is any health information that is individually identifiable, meaning health information that can be linked to a specific patient.
Under HIPAA, health information includes demographics, financial information, and information on a patient’s condition or treatment. Individually identifiable information includes anything that can identify a patient such as name, date of birth, date of treatment, location, and Social Security number, to name a few.
Responding to Patient Reviews While Maintaining HIPAA Compliance
When responding to patient reviews, whether positive or negative, doctors must tread lightly. It can be difficult to navigate what you can and cannot say when responding to patients in a public forum. Doctors must keep in mind the “individually identifiable health information” rule and should keep their responses vague. Something as mundane as saying “thanks for coming in” or “it was great to see you” are considered HIPAA violations as they confirm that that person is a patient. However, a simple “thank you” is permitted as you are not confirming that you saw the patient. Even when a patient provides details about their treatment, doctor’s are prohibited to acknowledge the information.
To clarify what responses are appropriate, the following are ways in which you can respond:
Acknowledging a patient review without confirming that the person is a patient
Noncompliant: Thank you for coming in!
Compliant: Thank you!
Providing information on your practice’s standards of service or policies
Noncompliant: I’m sorry to hear that you had a long wait.
Compliant: Patient wait time, on average, is… however, there are occasional delays in our schedule.
Asking the patient to contact you so that you may discuss their concerns in private
Noncompliant: Please call us to address your concerns.
Compliant: Please give our office a call.
To ensure that your responses are HIPAA compliant, practices should consider creating a set of standard responses that address common concerns. This allows you to answer questions quickly and in a HIPAA compliant manner. Many doctors choose not to respond to reviews out of fear of breaking the law, however responding to reviews shows patients that your practice cares about patient experience.
Patient Testimonials and HIPAA Compliance
Patient testimonials can provide credibility for a doctor’s practice. HIPAA law allows testimonials under certain conditions. You may post a patient testimonial, that directly identifies a patient, with written permission from that patient. It is also permitted to provide a patient testimonial that has been de-identified without patient consent; to be considered de-identified, the testimonial cannot include any information that may link it to a specific patient.
Consumers increasingly look to the internet before making decisions, even when that decision is what doctor they should choose. When handled correctly, responding to patient reviews and patient testimonials are easy marketing tools doctor’s practices can implement to catch a prospective patient’s attention.
Do you Need Help with your HIPAA Compliance?
Compliancy Group simplifies your compliance allowing you to confidently focus on your business. Our cloud-based compliance software, the Guard™, can be accessed from any device connected to the internet. In addition, the Guardstores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!
HIPAA and State Privacy Compliance
Satisfy state and federal HIPAA laws with streamlined software.