How to Handle PHI from Online Reviews | Binary Fountain

August 24, 2017

How to handle PHI from online reviews and surveys

By: John McFeely

There’s no question that online patient reviews are growing more important to healthcare organizations and their providers. Why? Because the digitally empowered healthcare consumer now sets the rules: 72 percent of patients use online reviews when choosing a provider, and more than 80 percent say they trust an online review as much as a recommendation from a friend.

The sheer number of online comments and reviews on general sites like Facebook and Google, as well as healthcare-specific sites like Healthgrades and RateMDs, makes it much more likely that protected health information (PHI) will show up online.

It is vital that a healthcare organization establish a process for handling situations where a patient posts an online review or comment about a physician or facility and reveals their own PHI in the process. It is not illegal for a patient to disclose their own PHI, but physicians and practices must be careful about how they respond: a reply that confirms the person was a patient, or adds detail about their care, is itself a disclosure by the organization.

The Health Insurance Portability and Accountability Act (HIPAA) imposes stiff financial penalties for privacy breaches and exposures of PHI. The legal tangle that can result is reason enough to be proactive on privacy.

What is Protected Health Information?

Protected health information, or PHI, generally refers to individually identifiable information held by a covered entity in connection with care or payment: medical history, laboratory results, diagnoses and treatments, insurance and billing information, and the identifiers (names, addresses, dates, record numbers and the like) that tie that data to a specific person.

How is PHI Used?

Protected health information lets medical facilities obtain a patient’s medical history and make care and treatment decisions. How that information may be used and shared is what the HIPAA Privacy Rule governs. In general, it requires covered entities to use, store and disclose PHI only as permitted and only to those with a legitimate need. If there is no treatment, payment or operations need for someone to see that patient information, it must be protected.

Rules and Regulations of Protected Health Information

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is the primary law governing PHI. The HITECH Act (Health Information Technology for Economic and Clinical Health Act) of 2009 strengthened it by raising penalties, extending HIPAA’s requirements to business associates, adding breach notification obligations, and tightening the boundaries on how PHI can be used and disclosed.

For example, organizations cannot sell PHI without the patient’s written authorization, except in limited cases such as public health activities, research, treatment, payment for services rendered, or the merger or acquisition of a HIPAA-covered entity.

Some of what HIPAA does:

  • Gives patients the right to examine and obtain a copy of their own health records.
  • Sets boundaries on the use and release of medical records.
  • Creates appropriate safeguards to protect the privacy of health information.
  • Allows patients to know how their information is being used and distributed.
  • Establishes civil and criminal penalties for healthcare providers who violate patient privacy rights.

Online Reviews and PHI

Now that you know about PHI, you can see why it’s so important to protect patient information. Unfortunately, that has become harder with the prevalence of online reviews of medical facilities and the need for transparency with patient experience surveys.

Establishing Procedures for Monitoring Reviews with PHI

The ‘early warning system’ for dealing with PHI is your reputation management policy and the tools you use to maintain it. Make sure you are monitoring online mentions of your facilities and providers for potential trouble: watch for names, addresses, dates of service, phone numbers, account or record numbers, diagnoses, procedures and other identifiers that signal exposed PHI.

When it comes to managing reviews on your facility’s provider pages, Binary Fountain recommends publishing all comments from patient experience surveys, whatever the sentiment. After all, comparable comments are already public on third-party rating sites, and this transparency can give patients confidence in the healthcare provider.

Comments should be screened for PHI (along with profanity and libelous statements), and the identifying content removed before anything is published, consistent with the HIPAA Privacy Rule. This is a best-practice approach that reflects current industry standards.
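As an added example (not Binary Fountain’s tooling), the screening step described above could look like this in Python. It runs a constructed batch of survey comments through regexes for the identifier classes that most often appear in free text (email addresses, SSNs, record or account numbers, phone numbers, dates of service, street addresses), replaces each hit with a placeholder, and flags clinical terms from a hypothetical watch list for human review rather than auto-publishing. The patterns, the watch list, the placeholder format and the sample comments are all assumptions made for this example; a production screen would pair regexes like these with a provider roster or named-entity recognition and keep a human reviewer in the loop.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical screening rules for this example. Each entry is one class of
# HIPAA identifier that commonly appears in free-text reviews. The regexes are
# deliberately simple: a pre-filter for a human reviewer, not a complete PHI
# detector. Order matters: record numbers are matched before phone numbers so
# a 10-digit MRN is not mislabelled as a phone.
IDENTIFIER_PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    # "MRN 00482913", "account # A4471-9": keyword, then a token that contains a digit
    ("record_number", re.compile(
        r"\b(?:MRN|medical record|account|acct|member id|policy)\s*(?:#|no\.?|number)?\s*[:#]?\s*"
        r"(?=[A-Za-z0-9-]*\d)[A-Za-z0-9-]{4,}\b", re.I)),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
    # Dates of service (m/d/y or "March 3rd, 2017"); a bare year is not a HIPAA identifier
    ("date", re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:January|February|March|April|May|June|July|August|September|October"
        r"|November|December|Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sept?|Oct|Nov|Dec)\.?\s+"
        r"\d{1,2}(?:st|nd|rd|th)?(?:,?\s+\d{4})?)\b", re.I)),
    ("address", re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Boulevard|Dr|Drive|Ln|Lane|Ct|Court|Way)\b")),
]

# Hypothetical watch list. Clinical terms are not redacted automatically (a
# patient may legitimately praise their surgeon), but they route the comment
# to a human reviewer before it is published.
DEFAULT_CLINICAL_TERMS = ("biopsy", "chemotherapy", "hiv", "hysterectomy", "overdose", "psychiatric")


@dataclass
class Finding:
    category: str
    text: str    # matched text, kept for the reviewer's record (never published)
    action: str  # "redact" (removed before publishing) or "review" (hold for a human)


@dataclass
class ScreeningResult:
    original: str
    redacted: str
    findings: list[Finding] = field(default_factory=list)

    @property
    def decision(self) -> str:
        """publish as-is, publish the redacted text, or hold for a human reviewer."""
        if any(f.action == "review" for f in self.findings):
            return "hold"
        if any(f.action == "redact" for f in self.findings):
            return "publish-redacted"
        return "publish"


def screen_comment(text: str, clinical_terms=DEFAULT_CLINICAL_TERMS) -> ScreeningResult:
    """Redact direct identifiers and flag clinical content in one survey comment."""
    findings: list[Finding] = []
    redacted = text
    for category, pattern in IDENTIFIER_PATTERNS:
        def _redact(match: re.Match, category: str = category) -> str:
            findings.append(Finding(category, match.group(0), "redact"))
            return f"[{category.upper()} REMOVED]"
        redacted = pattern.sub(_redact, redacted)
    if clinical_terms:
        watch = re.compile(r"\b(?:" + "|".join(map(re.escape, clinical_terms)) + r")\b", re.I)
        for match in watch.finditer(text):
            findings.append(Finding("clinical_term", match.group(0), "review"))
    return ScreeningResult(text, redacted, findings)


def screen_batch(comments: list[str]) -> list[ScreeningResult]:
    return [screen_comment(c) for c in comments]


# Constructed sample comments for the example (no real patients; 555-01xx numbers are fictional).
SAMPLE_COMMENTS = [
    "Dr. Patel was wonderful. The front desk staff were friendly and I was seen on time.",
    "I waited two hours on 3/14/2017 for my biopsy results and nobody called. Reach me at "
    "(703) 555-0142, MRN 00482913, if anyone actually reads these.",
    "Billing mailed my statement to 4120 Oak Ridge Road instead of my new address and then "
    "emailed jane.doe@example.com twice about the same balance.",
]

if __name__ == "__main__":
    for result in screen_batch(SAMPLE_COMMENTS):
        print(f"decision: {result.decision}")
        for f in result.findings:
            print(f"  {f.action:<6} {f.category:<14} {f.text!r}")
        print(f"  publish text: {result.redacted}\n")
```

The split between "redact" and "review" is the design point: quasi-identifiers such as phone numbers and record numbers are safe to strip mechanically, while clinical content needs judgment, so the screen holds those comments instead of guessing. Keep the `Finding` records in the moderation audit trail, not in anything that is published.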

When monitoring third-party online rating and review sites, your response tools should include templates that keep replies consistent and compliant, while leaving room to personalize each one so that it reads as genuine rather than canned or robotic. Analyze patient feedback from as many online sources as possible to ensure maximum coverage: social media, review sites, advocacy forums, blogs and others.

Responding to PHI Leaks

In situations where there is potential PHI exposure, it’s essential to adopt and follow a written response procedure that immediately directs Legal, Patient Advocacy and Customer Care staff as appropriate to the individual case.

In coordination with them, your response should come within a couple days – hours, if possible. The longer PHI sits exposed to public view, the more troublesome it is.

Often, a patient will disclose some of their own health information alongside a complaint about the physician. The physician’s instinct is to defend themselves online, but this is almost never the correct course of action.

Instead, apologize that the patient is unhappy and take the conversation offline rather than risking an online back-and-forth that could worsen the situation. Remind the patient that removing PHI is in their best interest – not just yours.

Also, when PHI is disclosed in a complaint or negative review, a provider who argues with it, or leaves it unanswered, appears neglectful and uncaring to the public. Here too, take the conversation offline and help the patient reach a patient relations staffer.

Are you prepared?

It’s vital to have in place a reputation management program that actively seeks comments, and that actively engages with consumers. So, when’s the best time to prepare your response to comments, complaints or reviews that potentially expose PHI? Now, before the next comment is posted!

Binary Fountain can help you monitor online reviews for potential protected health information leaks. Request a demo today!

About the Author

John McFeely
Sales Director