The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) recently entered into a settlement agreement with a private dental practice following a violation of the HIPAA Privacy Rule. The settlement stems from a report that the dental practice received a patient complaint on its Yelp page and publicly responded with some of the patient’s personal health information (PHI). OCR’s investigation went on to find that public disclosure of PHI had actually affected multiple patients of the practice. The dental practice will now pay a $10,000 fine and must comply with a corrective action plan, which includes developing policies and procedures to ensure that interactions with patients on social media are compliant with the HIPAA Privacy Rule.
This settlement agreement is a good reminder of the importance of developing policies and procedures for interacting with patients on social media and ensuring that staff are properly trained on them, so as to avoid unauthorized disclosures of PHI and to protect an organization’s reputation.
Online Reviews, Social Media, and HIPAA
As social media continues to become more prominent in our society, online reviews can have a tremendous effect on consumer habits; healthcare organizations and providers are no exception. Patients are making choices about where they are going to seek their healthcare based on reviews, so it is crucial that providers and organizations are responsive to the experiences and needs of reviewers. Even more important than online engagement is the need for organizations to maintain compliance with the HIPAA Privacy Rule. Developing specific policies and procedures for responding to these reviews can be a helpful tool as organizations strive to provide the best care and experiences for their patients.
Here are five helpful tips for healthcare organizations looking to develop policies and procedures for responding to reviews in a HIPAA-compliant manner.
1. Never acknowledge that the reviewer was a patient.
Although the reviewer may identify themselves as a patient, it may be a HIPAA violation for the organization or provider to acknowledge that the reviewer was actually a patient. Never repeat the reviewer’s name in your response, and never respond with information that would reveal why they were seeking care or discuss financial information. Remember that it is not a valid excuse to say that you never used the patient’s name: there are 18 identifiers protected by HIPAA, including dates of service and geographic data. Further, you could be in violation even when using only indirect identifiers if, when combined with other information, they allow the identity of the individual to be pieced together.
2. Develop a template for responses.
When sites allow for a response, it is important to engage to show people that the organization is responsive and cares about feedback. Using templates in the response can help to ensure HIPAA compliance.
3. Take conversations private, but not to private messages.
Giving people an opportunity to talk about their feelings and experiences is important, but organizations should not engage in these conversations online. Private messages may seem private, but they are still subject to HIPAA and cannot contain PHI. It is best to engage in these conversations over the phone or in person. Email may also be an option for communication if proper authorization has been received.
4. Don’t share pictures of patients on social media.
Don’t share pictures of patients even if you think they are de-identified. People may recognize a photo based on someone’s birthmarks, moles or general familiarity with their form. With proper consent it may be appropriate to share pictures, but it is best to avoid sharing photos altogether if you can.
5. Always be courteous.
Regardless of whether the review is positive or negative, it is important to thank the reviewer for taking the time to give their feedback. Being courteous, even to negative reviews, will show potential patients that you value feedback and are striving to improve the organization.
Examples of Responses that are HIPAA-Compliant
Here are some potential templates for responses to both positive and negative reviews.
HIPAA-Compliant Responses to a Positive Review
- Thank you for your review. We strive to provide high quality care.
- Thank you for taking time out of your day to share those kind words. Our goal is to provide high quality care, so your feedback is appreciated.
HIPAA-Compliant Responses to a Negative Review
- Our goal is to provide high quality care, so your feedback is appreciated. Please call us at [phone number] or email us at [email address] so we can learn more.
- We deeply regret the inconvenience. Please call us at [phone number] or email us at [email address] so we can learn more.