How to Handle Bad Online Reviews

by Dr. Jeff Brown

Not responding to negative posts may give other readers the impression the review is legitimate, so your instinct is to fight false claims being made against your business. While the HIPAA does not specifically address handling online reviews, it is possible to extrapolate what is and isn't permitted.

Patient self-disclosure

Patients can disclose their own information as much as they want, but healthcare providers should not actively aid the patient in the disclosure. In the case of a review, the patient is the one who initiates the public disclosure of protected health information (PHI); therefore, you are not at fault of anything... yet.

Avoid acknowledgement of patient status

At the root of online reviews is the reasonable assumption that the person leaving the review is a patient of the provider for which the review is intended. Since healthcare providers are precluded from identifying patients in any way, the mere act of acknowledging the reviewer is a patient would be a HIPAA violation. This doesn't mean you can't respond, you just can't aid in the patient's self disclosure.

Here is an example of a possible reply to a bad review. Notice the absence of patient status being acknowledged.

Our privacy policy prevents us from responding directly to this post; therefore, we are unable to legally refute this person’s opinion. For people interested in our office, please make an informed decision by seeking information from a variety of sources.

Clinical information disclosure

The typical review, good or bad, will usually contain some form of clinical information. Confirming clinical information is far more precarious than patient status acknowledgement. Avoid posting anything related to the symptoms or treatment of an individual online.

Even when a patient posts a raving review of your masterful skills, never add to the disclosure already made by the patient.

If you have a happy patient wanting to tell everyone about their great experience, it's best to guide them to authorizing the use of their post as a testimonial by getting a signature.

Of course, you may still reply with a "Thank you!" After all, the HIPAA doesn't exist to take away human decency; quite the opposite in fact.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.

See More HIPAA Topics