Yelp and HIPAA Compliance
Prospective patients seeking “a good doctor to visit” often begin their search by consulting online review sites. The number of these sites has proliferated in recent years. Popular sites include Healthgrades, Vitals, RateMDs, WebMD, Zocdoc, Google My Business, Facebook, and Yelp. When a patient decides to treat with a doctor because the doctor received favorable online reviews, the patient himself or herself may choose to leave his or her own review. Many patients may take advantage of the review sites to post reviews about healthcare professionals that are misleading or even flat-out false. Healthcare providers might understandably wish to counter what a particular patient wrote with factual detail to “refute” a review. However, the HIPAA Privacy Rule places constraints upon what information a doctor can reveal when responding to a patient review. This article focuses on Yelp and HIPAA Compliance when using Yelp.
Yelp and HIPAA: The HIPAA Privacy Rule
Under HIPAA, covered entities – healthcare providers, health plans, and healthcare clearinghouses – that transmit information in connection with HIPAA-covered transactions (HIPAA-covered transactions are transactions that involve the transmission of information between two parties to carry out financial or administrative activities related to health care), must maintain the privacy and security of patient protected health information (PHI). PHI is health data that is created, received, stored, or transmitted by covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.
PHI is any health information that is individually identifiable, meaning health information that can be linked to a specific patient. Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. Individually identifiable information includes anything that can identify a patient such as name, date of birth, date of treatment, location, and Social Security number.
A covered entity may not disclose PHI on social media unless a patient has authorized a patient to do so in writing. Such disclosure violates the HIPAA Privacy Rule.
Yelp and HIPAA Compliance: What May Covered Entities Post?
Covered entities may post information on Yelp, such as health tips, details of events, new medical research and discoveries, and staff biographies, without violating the HIPAA Privacy Rule. This information does not contain PHI.
Likewise, in response to specific patient reviews, covered entities may, on Yelp, make generic statements about their practices, as long as such statements do not contain PHI. Permissible generic statements include: “Thank you for your feedback,” “We strive to provide quality service to all patients,” and the like. These statements do not contain or confirm details of either specific patients or their visits.
A covered entity also may, in response to an online review expressing a concern or criticism, message the patient personally (offline), by asking the patient to contact the covered entity via phone or email. This covered entity response is not a public disclosure, and does not discuss specific PHI. As such, there is no HIPAA Privacy Rule violation.
Yelp and HIPAA Compliance: What CAN’T Covered Entities Do?
As a general matter, the HIPAA Privacy Rule prohibits covered entities from disclosing protected health information on social media and social media channels. Since Yelp is a social media tool, covered entities may not disclose protected health information on Yelp, unless a patient has first given the covered entity written authorization to do so. The prohibition of covered entity use of PHI on social media sweeps broadly. Covered entities may not, either on their own initiative, or in response to a patient review – positive or critical – include any text, images, or videos about or relating to specific patients that identifies those patients.
The following scenarios demonstrate how a covered entity response can result in patient identification:
- In response to a patient review in which the patient describes details of an office visit, the covered entity says “thanks for coming in,” or “it was great to see you.” Since the patient has stated he or she treated with the covered entity, the covered entity, by saying “Thanks for coming in,” or “It was great to see you,” has, in effect, confirmed the fact that a specific patient treated with the covered entity. This confirmation by the covered entity violates the HIPAA Privacy Rule; the covered entity has disclosed PHI without patient authorization.
- In response to a patient review complaining of a long wait time, the covered entity replies to the patient on Yelp by stating, “I’m sorry to hear that you had a long wait.” This reply confirms that the patient visited the office – in other words, it is PHI, which confirms a treatment detail. As such, the reply violates the HIPAA Privacy Rule. Likewise, when a patient review indicates the patient had specific concerns, a covered entity Yelp reply stating, “Please call us to address your concerns,” is acknowledging the fact that a specific patient had specific health concerns. Such concerns are PHI – and may not be disclosed by the covered entity without prior written authorization allowing a covered entity to disclose them.
In addition, covered entities, on Yelp, may not describe prognoses, diagnosis, symptoms, or courses of treatment, even if a patient who has identified himself or herself by name has asked that the covered entity do so. Such description discloses PHI, and is not permitted under the Privacy Rule.