Report Warns Providers of HIPAA Violations When Responding to Negative Online Reviews

25 July 2016 Health Care Law Today Blog
Authors: Jacqueline N. Acosta

ProPublica, a public interest investigative newsroom, recently identified more than 3,500 one-star medical reviews on Yelp in which patients complained about privacy issues. ProPublica determined that “in dozens of instances, responses to complaints about medical care turned into disputes over patient privacy.” For example, ProPublica noted consumers giving providers negative reviews on Yelp and providers responding with details about the “patients’ diagnoses, treatments and idiosyncrasies.”

As more and more patients use online review platforms to select their providers, many providers are paying close attention to reviews. However, providers need to balance their business concerns with their Health Insurance Portability and Accountability Act (HIPAA) compliance obligations when responding to negative reviews. “Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating [HIPAA],” ProPublica reported.

Legal issues that providers should be aware of when responding to online criticism include:

  1. Is the entity subject to HIPAA? Individuals, organizations, and agencies that meet the definition of a covered entity are subject to HIPAA. Covered entities include health care providers (such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), health plans, and health care clearinghouses, but only if they transmit information in an electronic form in connection with certain standard transactions, such as electronic claims submission, benefit eligibility inquiries, referral authorization requests, and other transactions. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract requiring the business associate to comply with certain HIPAA requirements.
  2. What is considered protected health information? The HIPAA Privacy Rule applies to “protected health information” (PHI), which is all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The fact that a particular individual received health care services from a health care provider may be considered PHI, so providers should keep this in mind when evaluating online reviews.
  3. Does disclosure by the patient of their own PHI constitute a waiver of the privacy right? No. A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. A patient disclosing their health information does not constitute the necessary authorization needed for the provider to disclose the information.
  4. What are some practical solutions? A provider may legally respond to reviews in a number of ways:
    1. Increase positive reviews instead of responding to negative ones—Often patients with a negative experience are more likely to write a review online. Inviting all patients to provide a review may increase the ratio of positive reviews to negative reviews.
    2. Respond with a general treatment philosophy—The provider must be careful to not reveal information that could identify the individual. The provider should respond only with general information about the provider’s normal practice and commitment to patient care, while not revealing the identity of the patient or acknowledging that the person was a patient.
    3. Treat the conflict offline—A provider could respond to the review by inviting the individual to call their office to discuss the review. Again, the provider should be careful to not acknowledge the person was a patient.

The U.S. Department of Health and Human Services Office of Civil Rights enforces HIPAA and may impose significant fines for each violation. Providers also need to be mindful of state privacy laws that often apply to a broader category of health information and have additional restrictions on permissible uses and disclosures of PHI without a patient authorization.

Originally, this post was an alert sent to the American Health Lawyers Association’s (AHLA) Health and Information Technology Practice Group Members. It appears here with permission. For more information, visit AHLA’s website.

