This story was originally published on the Texas Medical Liability Trust’s website.
A dental practice in Dallas was recently fined $10,000 by the Office of Civil Rights (OCR) after publishing protected health information (PHI) in response to a patient review on Yelp, a social media platform.
In a complaint filed with the OCR, a patient reported that Elite Dental Associates posted their name, details of their treatment plan, insurance, and cost information in a comment on the Yelp review page.
While investigating the complaint, the OCR discovered that the practice had responded to several patient reviews on Yelp and revealed patient information in the process.
“Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews,” said OCR Director Roger Severino.
The OCR also found that Elite Dental Associates did not have policies or procedures addressing the release of PHI on social media or public platforms. The practice also failed to create a sufficient Notice of Privacy Practices.
Along with the $10,000 fine, the practice implemented a corrective action plan with the following requirements.
- Develop, maintain, and revise federally approved PHI policies and standards and distribute to all employees;
- Train employees on PHI policies and procedures;
- Revise policies and procedures annually;
- Revise authorization forms and the Notice of Privacy Practices to comply with the HIPAA Privacy Rule;
- Identify Elite employees who must be contacted in the event of a HIPAA violation or questions; and
- Apply sanctions to those who fail to comply with policies.
Risk management considerations
Yelp is one of the most popular physician review sites used by patients. A survey found 61% of patient respondents read online reviews before choosing a physician, and 20% used online reviews to evaluate their current physician.
As more people go online to research products and services, online reputation management has become increasingly relevant for physicians. Online reputation management often involves addressing reviews on sites like Yelp.
Because of the HIPAA Privacy Rule, physicians cannot respond to online reviews in any way that reveals PHI. Even if a patient discloses their own personal information in a review, physicians cannot respond with the same level of disclosure.
What you CAN do:
- Speak in person with the patient who wrote the review. Listening to the patient will allow you to thoroughly understand their feedback and propose productive solutions. Sometimes, patients will remove negative reviews after a face-to-face conversation, and may even post a positive review to show the practice is listening.
- If you choose to respond to the complaint, reply with something general that moves the discussion offline. “At our medical practice, we strive to provide the highest levels of patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. If you are a patient and have questions or concerns, please contact us directly at [phone number].”
- One bad review will not destroy your reputation. People who browse online reviews typically do not consider one bad review as representative of the practice.
What you CAN'T do:
- Respond impulsively. Wait and respond in a measured, productive way.
- Disclose any information about the patient. Even acknowledging that the reviewer is a patient is a violation of HIPAA.
- Ignore criticism. Instead, take criticism as an opportunity to improve your practice or your policies from the patient’s point of view.
- Avoid online reviews. Most online reviews are positive and provide positive information.
If you use a reputation management company
Many physician practices use outside vendors to manage their social media presence and help respond to online reviews. There are hundreds of companies offering these services; however, physicians are urged to be cautious when choosing a reputation management company.
Make sure the company has experience in health care and understands the constraints that are placed on physicians in responding to online reviews. We’ve had several incidents reported to TMLT in which a social media company told the practice how to respond to a review, and the suggested response was a violation of HIPAA.
Other companies may offer to post reviews on behalf of physicians. But where do these reviews come from? It is unethical and dishonest to post reviews on these sites that are not from actual patients. Physicians are held to a different standard than other businesses and posting fake patient reviews is problematic.
Of course, it is acceptable to ask patients to review you. Contact patients (through their preferred, HIPAA-approved method) after their visit and encourage them to let you know how you’re doing. The next time you receive a thank you note or email from a patient or family member, encourage that person to post their comments on your website, on your LinkedIn profile, or on physician rating sites.
TMA Can Help
The Texas Medical Association’s Education Center features several continuing medical education courses to help you improve your online presence, including:
Also check out “Searching for a Better Online Reputation” from the April 2019 edition of TMA’s Texas Medicine magazine.
Reprinted with permission from Texas Medical Liability Trust.