Anyone managing a healthcare organization’s online reputation knows that responding to patient reviews is a must. But in this industry, not just anything goes: review responses have to be HIPAA-compliant.
Under the HIPAA Privacy Rule, the onus is on doctors, providers and practices to protect their patients’ privacy, and that obligation does not stop when they respond on public forums.
In brief, HIPAA applies to protected health information (PHI), defined as “individually identifiable health information.” It encompasses most data that relates to a patient’s past, present or future physical or mental health condition, the care they received, or payment for that care. PHI also covers basic identifiers, including name, address, birth date and Social Security number, and it even covers the mere acknowledgement that a person received care.
That’s a lot of PHI to consider when you’re replying to public reviews of your organization. We asked resident expert Hannah Borchik, customer success manager at Binary Fountain, for some tips on HIPAA-compliant responses to online patient reviews.
Make a Response Plan
The first step is to collaborate with your marketing and patient experience teams to form policies around your replies that follow HIPAA guidelines. Track your online reputation to identify the different types of patient reviews and test your policies and responses to all scenarios. Then create response templates that your colleagues can customize for individual reviews.
“It’s very important for businesses to have a scaled review response strategy,” Borchik said. “Every single person potentially responding to reviews needs to operate under the same guidelines as everyone else. Make sure you collaborate with each other and that the business has one voice.”
Borchik says strategy comes first, and brand managers shouldn’t freely respond to reviews as they come in. She recommends creating a list of 20 compliant responses to positive comments and 20 compliant responses to negative comments.
“Having that in front of you brings together the organization’s strategy,” she said, “and makes you sound.”
Protect Patient Information at All Costs
The most important part of any HIPAA-compliant response to a review, Borchik said, is to keep the patient’s privacy intact. Here are general guidelines for avoiding the disclosure of PHI:
- Do not acknowledge a reviewer as a patient; do not even confirm or deny that they visited you. That means don’t address them by name, don’t tell them to feel better, and most importantly, don’t talk about their specific health concern.
- Even if a patient reveals their diagnosis in the review, a healthcare provider that repeats the diagnosis in its reply is violating HIPAA. The patient may disclose their own information; the provider may not.
- Don’t respond defensively, even if you’re trying to be helpful. Explaining which services the reviewer received or which policy applied to their case confirms that they were a patient and what care they got, which is itself a disclosure of PHI.
Many of these obstacles have simple alternatives. For example, if a review complains that the doctor was rude about the reviewer’s diabetes treatment, do not respond that the doctor is sorry for being rude about their diabetes. Respond instead that your organization is very sorry about their experience.
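The rules above can be turned into a pre-publication check that a reputation team runs on every draft reply before it is posted. The following Python script is an added example, not code from the original article or from Binary Fountain; the review, reviewer name, replies, phrase list and condition vocabulary are all constructed for illustration, and a real deployment would load a clinical terminology rather than the hand-written set shown here. It flags a draft that names the reviewer, uses wording that acknowledges a visit, mentions a condition or treatment (even one the reviewer disclosed first), or echoes staff names and dates from the review.

```python
import re

# Constructed sample data (not from the original article).
SAMPLE_REVIEW = ("Dr. Patel was rude about my diabetes treatment and rushed my "
                 "appointment on March 3rd.")
SAMPLE_REVIEWER = "Maria"
BAD_REPLY = ("Hi Maria, we're sorry Dr. Patel was rude about your diabetes "
             "treatment on March 3rd. Feel better soon!")
GOOD_REPLY = ("Thank you for sharing your feedback. We are very sorry about "
              "your experience and would like to learn more. Please contact our "
              "patient relations team at 555-0100 or feedback@example.org.")

# Assumed phrase list: wording that confirms the reviewer received care.
ACKNOWLEDGEMENT_PATTERNS = [
    r"\byour (?:\w+ )?(visit|appointment|treatment|diagnosis|surgery|procedure|condition|care|results?)\b",
    r"\bfeel better\b",
    r"\bspeedy recovery\b",
    r"\b(during|at|after) your (visit|stay|appointment)\b",
    r"\bthank you for (choosing|visiting|trusting)\b",
]

# Assumed condition/treatment vocabulary. A real deployment would load a
# clinical terminology (ICD or SNOMED term lists) instead of this toy set.
CONDITION_TERMS = {
    "diabetes", "cancer", "chemotherapy", "pregnancy", "pregnant", "depression",
    "anxiety", "hiv", "surgery", "mri", "biopsy", "fracture", "asthma",
}

# Heuristic date matcher: "March 3rd", "Mar. 3", "3/14", "3/14/2024".
DATE_RE = re.compile(
    r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2}(?:st|nd|rd|th)?\b"
    r"|\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b",
    re.IGNORECASE,
)
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")
# Title abbreviations whose trailing period does not end a sentence.
TITLE_RE = re.compile(r"\b(?:dr|mr|mrs|ms|prof)\.$", re.IGNORECASE)


def proper_nouns(text):
    """Capitalised words that do not start a sentence: a cheap proxy for the
    names of staff, people and places mentioned in the review."""
    nouns = set()
    for m in WORD_RE.finditer(text):
        word = m.group()
        before = text[:m.start()].rstrip()
        sentence_start = before == "" or (before[-1] in ".!?" and not TITLE_RE.search(before))
        if word[0].isupper() and not sentence_start:
            nouns.add(word)
    return nouns


def check_reply(review, reply, reviewer_name=None):
    """Return a list of findings for a draft reply; an empty list means it passes."""
    findings = []
    reply_lower = reply.lower()
    reply_words = {w.lower() for w in WORD_RE.findall(reply)}

    # 1. Addressing the reviewer by name confirms they are a patient.
    if reviewer_name and reviewer_name.lower() in reply_words:
        findings.append(f"addresses reviewer by name: {reviewer_name!r}")

    # 2. Stock phrases that acknowledge a visit or wish the reviewer well.
    for pat in ACKNOWLEDGEMENT_PATTERNS:
        m = re.search(pat, reply_lower)
        if m:
            findings.append(f"acknowledges care received: {m.group()!r}")

    # 3. Any condition or treatment term, even one the reviewer disclosed first.
    for term in sorted(CONDITION_TERMS & reply_words):
        findings.append(f"mentions condition/treatment: {term!r}")

    # 4. Specifics copied from the review (staff names, dates) tie the reply
    #    to one particular encounter.
    for noun in sorted(proper_nouns(review)):
        if noun.lower() in reply_words:
            findings.append(f"echoes specific from review: {noun!r}")
    for m in DATE_RE.finditer(reply):
        findings.append(f"contains a date: {m.group()!r}")

    return findings


def is_compliant(review, reply, reviewer_name=None):
    return not check_reply(review, reply, reviewer_name)


if __name__ == "__main__":
    for label, reply in (("bad", BAD_REPLY), ("good", GOOD_REPLY)):
        print(label, check_reply(SAMPLE_REVIEW, reply, SAMPLE_REVIEWER) or "OK")
```

The check is a guardrail, not a substitute for review: it catches the common slips (a name, a diagnosis, a date, "feel better") but a human still has to read every reply, because a response can confirm that someone is a patient without using any of these words.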
“Be as broad in your response as possible,” Borchik said. “Instead of, ‘We’re glad you had a great experience in the office,’ say, ‘We’re glad you had a great experience.’
“Being too canned is also a no-no,” she continued. “Using the same response every time can hurt your SEO and doesn’t make patients feel very heard. It makes it sound like a robot is responding to reviews, not a human.”
[Image: an example of a review response that violates HIPAA]
[Image: an example of a review response that is HIPAA compliant]
And being careful doesn’t mean being cold, Borchik reminds us: “Make sure it is direct, warm and open, but does not acknowledge the illness they’re talking about.”
Take it Offline
In your responses, especially to negative reviews, invite reviewers to address their concerns through a private channel, such as a phone call or email. That way, the details of their care never have to appear on the public page.
But wait, there’s more. HIPAA’s Security Rule covers ePHI (electronic protected health information) and requires administrative, physical and technical safeguards for it wherever it is stored or transmitted. Consumer social media messaging services do not meet that standard, so they should never be used to exchange patient data or documents, even in a one-to-one conversation with the reviewer.
“Take the conversation fully offline, meaning no private messages and no direct messaging – there’s always a chance that it’s a HIPAA violation,” Borchik said. “If you share any part of that medical information without their consent, even if you’re responding directly to them, that’s a HIPAA violation. So instead, say, ‘Here’s our email or phone number.’
“If you really want to have full service recovery, it’s about calling that patient or having them get in touch, in order to fix that issue or to make organizational changes.”
Interested in learning more? Here are some other materials that may help:
- How VITAS Healthcare Responds to 100% of Reviews
- Customer Review Campaigns: What You Need to Know
- Why All Reviews Matter: The Importance of Review Volume
About the Author
Content Marketing Specialist