You’re going about your day going from patient to patient when one of them says something seemingly innocuous online. “You were much better than your reviews said you’d be!” It’s a backhanded compliment out of nowhere, but suddenly your day is ruined. You check up on your reviews, and sure enough, some people have left some unflattering remarks about your medical practice. Not just that, but you know for a fact that these remarks aren’t just unfair, but maybe they’re even untrue. You shoot off a quick response to try and correct the situation and go about your day.

Unfortunately, you may have just violated HIPAA without knowing it, even if you were careful in your response. Even if you don’t say anything very specific about a patient visit, you could still have violated HIPAA. There is a very careful art when it comes to how to respond to negative patient reviews online. This is in part because anything you say about any visit is automatically tied back to the person who made the review. This allows information to be determined about your patient and your relationship with them, which can put you in violation.

So, what should you do about this? Just let patients say anything and everything without responding? Well, not quite. There is a very careful and measured approach you can learn to craft HIPAA-compliant responses for social media and online reviews.

HIPAA Compliance and Online Reviews

This is territory that we all need to be aware of these days. A vast majority of consumers trust online reviews as much as personal recommendations, and most people today use reviews to find doctors. This means that a huge portion of your patients will have had their opinions shaped by what other people have said about you on the internet before they even come in. This also means that we need to be 100% certain that as we respond to these reviews, we are on the level and compliant with the law.

The number one way that you can start off on the right foot when it comes to online reviews and HIPAA compliance is 100% de-identification. When you respond to a review, you cannot outright or by implication confirm any information about a patient, even if they disclosed it themselves.

De-identification requires that you not accidentally or on purpose confirm any of the following information:

Confirming any of these small points of information will land you in hot water (and may have already landed you in hot water). When you’re responding to someone online and acknowledging that you, in fact, treated them, you have already confirmed that a patient treated by you has at least the username and IP address associated with the post, if not also their name, photos of them, and much, much more that they may have included in their post. Remember that this all counts as a breach of HIPAA, even if they were the one to disclose it.

How Should You Respond Then?

A good way to get a handle on what to do is to see a bad example and look for how we can fix it. Let’s take the following review and see how two different responses do and do not work inside of a HIPAA-compliant framework.

Example Review:

“The wait for my appointment was entirely too long, taking well over an hour. I asked the person at the desk how long it would be, but they didn’t even respond to my question, instead dealing with paperwork for other clients. The doctor was inattentive when I finally got in and said that I should lose weight to treat my chronic sleep apnea, which I have been working on, but I was looking for help between now and then, which they didn’t even attempt to provide.
– Tom Smith

In this review, the (fake) patient disclosed that they had been treated at the clinic, their name, that they have sleep apnea, that they were diagnosed as overweight, and that they aren’t being given other treatments to help with the sleep apnea right now. So, what would be a bad response here?

Non-HIPAA-compliant response:

“We’re very sorry that we were unable to make your appointment a good one. Please contact us to let us know how to make it right.”

From an interpersonal perspective, an apology seems like the right thing to do, but you’ve just inadvertently told everyone who looks at that review that the patient is, in fact, being treated by your office and that anything else they said about their health might be true. As a medical professional, you simply cannot do this, as hard as that may be to accept. Now let’s see one that works.

HIPAA-compliant response:

“As a matter of policy, we endeavor to schedule enough time to see each patient promptly and avoid wait times so that we can respect our patients’ time and health. Every day, we do our best to deliver the highest standard of care to our patients. Occasionally, emergencies and other factors can cause the wait time for our patients to fall short of that ideal. Thank you for taking the time to give feedback, as it helps us do better. Please contact our head office directly at (email address) to discuss any further comments or suggestions.”

This completely avoids any confirmation of whether the patient was in the office or not, thus staying HIPAA-compliant. It also gives the patient an avenue for further recourse that actually lets you help them, rather than letting them sit online spreading more bad reviews about you and your business. It may at first seem unnatural to stay vague, particularly when facing particular negative claims, but all reviews need to be treated this way to stay on the right side of HIPAA.

Tips for a HIPAA-Compliant Responses to Reviews

Here are a few tips for giving a good HIPAA response for online reviewers:

Keep It Anonymous

We’ve already covered this, but it needs to be said again – confirm nothing about your patient. This will keep you out of hot water.

Criticize Cautiously

Any time that you put out criticism in the online space, there is a possibility for blowback or misinterpretation. Take a big breath and sleep on it before you respond to any criticism leveled at you, and after you write something, take another big step back before you send it. When emotions run high, judgment gets impaired.

Stake Your Claim

Remember to register on My Google Business, Yelp, and other platforms as the proprietor of your medical establishment. This will help you get notified when things do happen online that need your attention.

Follow Up Offline

Encouraging people to contact you or your office directly will help you not only to deflate the incoming stream of negative reviews you have to deal with, but it will also help you direct the conversation back to improving patient care, which is what we all really want anyway.

Focus on Positive

If there’s something positive (and anonymous) that you can say about your business practices, do so. You have space, and you can always use it to say things about how you run the office that doesn’t say anything about the patient.

Use Templates

An amazing tool to avoid running afoul of these easy mistakes is to make a template ahead of time for general use. If you’ve created one that’s applicable, it will save you a lot of time and guesswork about what you should and shouldn’t do. It doesn’t have to be entirely unique — it just has to say what’s true, not ID the patient, and direct the patient to contact you.

DON’T Contact Without consent

If you call someone who made a negative review, it could be construed as harassment. Let the patient reach out to you and suggest a way to do so. That way, there can be no mistake about your intentions.

DON’T Alter Content

Once you’ve posted something, it’s out there. Chances are that if someone had a strong reaction, they’ve screenshotted it, so they have a copy even if you change your wording later. Take the time to get it right the first time and then consider the matter done.

DON’T Dirty Delete

When you get a negative review, your first instinct might be to make it go away. This is only going to infuriate the original poster and potentially get you into even hotter water.

Getting Help with Your Online Reviews

These are the kinds of issues that can make or break your practice and which significantly distract from the business of actually running it. If you find that you’re spending time dealing with these kinds of reviews, it is probably time to get help. A third-party consultancy that is trained in HIPAA and in responding to reviews like these can be a huge time saver and prevent you from accidentally taking on unnecessary liability.

Eminent SEO has special training in assisting medical and healthcare clients with compliance, along with a range of digital marketing services. We will be happy to help set the record straight for you and make sure that you can spend your time practicing medicine rather than defending your reputation. Contact us today, and see what we can do to lighten your load.

Jenny Weatherall

CEO, Business Consultant, Researcher and Marketing Strategist

Jenny Weatherall is the co-owner and CEO of Eminent SEO, a design and marketing agency founded in 2009. She has worked in the industry since 2005, when she fell in love with digital marketing… and her now husband and partner, Chris. Together they have 6 children and 3 granddaughters.

Jenny has a passion for learning and sharing what she learns. She has researched, written and published hundreds of articles on a wide variety of topics, including: SEO, design, marketing, ethics, business management, sustainability, inclusion, behavioral health, wellness and work-life balance.

More Posts - Website

Follow Me: