How NOT to Respond to a Bad Online Review About You
HIPAA has been around long enough that we all should know by now that protected health information (PHI) must not be shared with unauthorized individuals unless the Privacy Rule permits disclosure, the patient authorizes disclosure, minimum necessary, etc. It is difficult to keep that perspective, however, when reading a negative online review – about yourself.
A provider did not seem to keep that perspective when they responded to a negative review on Google. In 2015, Dr. U. Phillip Igbinadolor, D.M.D. & Associates responded to a 2013 Google review and impermissibly disclosed the patient’s name, symptoms, and recommended a treatment by a different provider. The dentist mentioned the patient three times by name and made derogatory statements about the patient’s intelligence: “From the foregoing, it’s obvious that [patient’s name] level of intelligence is in question, and he should continue with his manual work and not expose himself to ridicule.” The patient filed a complaint with the Department of Health and Human Services – Office for Civil Rights (OCR) soon after the dentist’s response was published.
Between 2016 and 2019, the dentist did not cooperate with OCR’s investigation. The dentist did provide OCR a copy of the Notice of Privacy Practices but did not provide policies and procedures or documentation that HIPAA training was provided. In 2016, OCR requested the dentist remove his response to the patient; as of the date of this writing, the dentist’s response remains online.
After three years of refusing to cooperate with OCR and resolve the matter by informal means, the OCR imposed a $50,000 civil monetary penalty for “willful neglect not corrected” for one instance of PHI impermissibly disclosed.
The practical lessons here are as follows:
- Have a social media policy and HIPAA privacy policies and procedures. Document that you have trained your staff annually on them. See MB Health Law – Social Media Tips
- Determine whether and how you will – or will not – respond to all online reviews. It is important to be consistent in responding to all reviews, not just the positive reviews or only the negative reviews.
It is okay to not respond to online reviews! There are many practices, clinics, hospitals, etc. who do not respond online to reviews. If you choose to respond to online reviews, though, we recommend posting oblique statements. Be sure to not discuss the procedure, person, or any details that do identify or can be used to identify the patient. Examples of oblique statements are:
- “Thoughtful reviews are a joy to read. Thank you.”
- “We take feedback seriously. Thank you.”
- “It is our policy to provide the best care to patients. Thank you.” (Note: this does not say “our patients” – because that would confirm the person is a patient)
- “We aim to deliver the highest quality patient care. We love to hear about positive experiences. Thank you for sharing this feedback!” (Note: again, this does not say anything about the person being your patient; they could be a patient for any practice, not yours.)
If you recognize the person posting, you may also consider contacting the patient directly to find out what they perceive the issue to be and determine whether you can remedy it; this depends on the patient and the situation. If you do not recognize the person posting, again, an oblique statement that does not mention PHI (name of person, treatment, etc.) is appropriate. For example: “Thank you for sharing your experience. Please contact our office to discuss your concern.”
Does your practice have a Notice of Privacy Practices? If not, your profession’s national organization or association may have one you can easily download. If you have a social media presence and do not have a Social Media Policy, please consider implementing one. Make sure it addresses patient privacy and HIPAA as well as the consequences for violation of the policy by staff.
For further information contact us.