Another Dentist in Hot Water for a HIPAA Violation Due to Responding to an Online Review
By Gracie Hogue, BM
On December 14, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a dental practice in California over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The practice used social media inappropriately responding to a negative online review that disclosed Protected Health Information. The dental practice paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
Here are options to avoid crossing the line of HIPAA violations when addressing a negative review online:
1. If the author of the negative review can be determined, you may contact that person offline to address the stated concerns. Keep documentation of the communications between your practice and the negative reviewer in the said patient's file. If the negative comment from the patient is valid and corrective action has taken place in the practice, privately thank the patient for letting you know about the issue. You can let them know that their concerns have helped the practice to improve. This could even improve the patient's view of the practice, and the practice's relationship with the patient may not have to be soured in the long run.
2. If the practice does feel the absolute need to respond to the social media post, never confirm or deny that the reviewer is a patient of the practice (even if it is a good review!). Even if their online identity is ambiguous or hidden, do not confirm or discuss the dental or medical treatment that was provided or alluded to in the review. When responding to reviews via social media, limiting the response to being a generic or standardized response is key, such as one of these options:
“According to state and privacy laws, we are precluded from commenting on patient treatment. However, we are always available to discuss concerns with our patients. Patients are welcome to contact us directly.”
“In order to protect our patients’ privacy, all patient concerns and complaints are resolved directly by [name of practice] and not through social media.”
“At [name of practice], we strive for the highest levels of patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. We encourage those with questions or concerns to contact us directly at our office.”
In alignment with this, have your Patient Privacy Practices posted on the practice's website and in the practice's building in a place where it can be seen by patients, such as the lobby or front desk area.
Are you worried about paying hefty HIPAA fines? Schedule your HIPAA risk assessment and training to start the new year out right! Contact us at (931) 232-7738.