Everything You’re Being Told About Getting Patient Reviews is Wrong

Navigating The Patient Reviews HIPAA Minefield


Every single day, without fail, I see marketing companies practically screaming at healthcare practitioners, evangelically advocating for the collection and publication of patient reviews.


They shout the usual benefits such as attracting new patients and enhancing the overall reputation of a healthcare practice. They champion the local SEO value of patient reviews and it’s easy as a healthcare practitioner to read this and think “yep, that’s what we need to be doing”.


Don’t get me wrong, if you’re selling sneakers or pet products online then it’s great to take a fast and furious laissez-faire approach to collecting, publishing and responding to reviews.


But…there’s always a ‘but’, right?


When it comes to all types of healthcare providers, this tsunami-like push for patient reviews creates a tricky situation with HIPAA. One that needs to be navigated with care, precision and a compliance mindset.


For many healthcare providers including Psychiatrists, Doctors, Dentists, Therapists and Psychologists this means an immediate stop-check.


Over the past few months I’ve been seeing more and more healthcare practitioners following a herd mentality when it comes to publishing and responding to patient reviews.


Patient Reviews are a minefield of HIPAA violations


The act of responding to or discussing patient reviews can inadvertently lead to the disclosure of Protected Health Information (PHI) and a violation of HIPAA privacy rules. Absolute care must be taken to navigate these interactions.


Examples of HIPAA considerations when it comes to patient reviews


Example One: Reviews on Third Party Platforms such as Yelp


A patient leaves a review on a platform such as Yelp. They talk about the therapy they’ve received and their condition. The Covered Entity healthcare provider did not solicit the review, and the reviewer left the comment of their own volition.


HIPAA Consideration: If the healthcare provider responds to this review they risk confirming that the reviewer was indeed a patient, and publicly confirming the reviewer’s treatment.




Just because a patient breaches their own privacy does not relieve the Covered Entity of its legal obligations. If a patient voluntarily shares their own private health information publicly, such as in a review, the Covered Entity remains bound by HIPAA.


The Covered Entity is still required to protect the patient’s privacy and cannot disclose PHI without proper authorization, regardless of the patient’s actions.


Example Two: Healthcare provider decides to publish reviews on its own website


A healthcare provider decides to publish Patient Reviews on its own website. These reviews include the patient’s name. The healthcare provider did not obtain express written permission from the patient, and even if it had, it did not include a HIPAA disclaimer about the patient waiving their right to privacy.


In this instance the provider has confirmed publicly that the reviewer is a patient of their practice, and has de facto confirmed that it agrees with and reinforces the contents of the review.


By publishing the review on their website they are, in legal terms ‘using the modern day equivalent of a megaphone’ to broadcast the patient’s identifiable health information, even by simply confirming that the reviewer is a patient.


The Covered Entity has breached HIPAA’s Privacy Rule for each and every review published. There could be a reasonable argument for a Tier 2 fine to apply to each and every patient review violation, i.e. a violation that the Covered Entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of the HIPAA Rules).


The HIPAA Tier fines are:


  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation


Example Three: Healthcare provider replies to a negative review on a third party platform in detail


A patient leaves a negative review. It happens, especially for mental health related practices, and it can kill the reputation of a provider. The first reaction is to go into defense mode. You’ve been told so many times that getting reviews is essential, but now you’ve received a negative review and you’re witnessing first-hand the double-edged sword of online reviews.


The natural inclination for many providers is to defend their practice. In their eagerness to rectify the situation, a provider might respond in detail to the negative review. This response could inadvertently disclose personal health information or acknowledge the patient’s specific treatment, leading to a HIPAA violation. Even the most well-intentioned replies often cross the line into disclosing protected health information.


Recent HIPAA fines underscore the risks healthcare practitioners face when replying to negative online reviews. For instance, the psychiatric practice Manasa Health Center LLC was fined $30,000 for responding to a patient’s online review “in a manner that disclosed the patient’s mental health diagnosis and treatment details”, violating HIPAA regulations.


Similarly, a notable case involved New Vision Dental, which was fined $23,000 by the OCR for “responding to Yelp reviews in a way that disclosed patients’ protected health information, including names and detailed treatment information.”


In another case, a dental office was fined $10,000 for revealing a patient’s PHI, including their full name and insurance information, in a response to a Yelp review.


Example Four: Healthcare provider uses a reputable third party platform to actively collect reviews on its behalf


In this instance the Covered Entity shares the names and email addresses of patients with the review collecting platform so that the platform can contact the patients and encourage feedback and reviews. The third party provider then publishes these reviews and the Covered Entity can respond directly on the review platform.


Firstly, the review provider must have signed a Business Associate Agreement with the Covered Entity for the handling and use of ePHI. If the Covered Entity does not have a BAA in place this is a potential HIPAA violation.


Secondly, has the patient given their express permission to the Covered Entity for the review platform to contact them regarding their medical treatment? Likely not. And if they have, did the Covered Entity actually explain in clear and unambiguous language what that meant for their privacy?


It’s essential to consider the nature of the consent obtained from patients.


For a healthcare provider to share names and email addresses with a third-party review platform, explicit patient consent is necessary, not only for the sharing of contact details but also for the purpose behind it.


This consent must be informed, meaning patients must fully understand that their information will be used for collecting feedback and the implications it has for their privacy.


HIPAA Compliant Online Patient Reviews


When reviews are published, care must be taken to ensure that no ePHI is disclosed in the process. This includes the content of the reviews themselves and any responses by the covered entity.


Responding to reviews on such platforms must be done with caution to avoid revealing any PHI, even if the patient has disclosed their own health information in their review.


The review collection process must ensure reviews are collected and shared in a way that respects patient privacy and complies with all applicable regulations.


It also means that any public-facing responses or interactions with the reviews must be managed to prevent the inadvertent disclosure of PHI.


While using a third-party platform to collect patient reviews can be beneficial for gathering feedback, it throws up several HIPAA compliance challenges.


Covered Entities must ensure they have proper BAAs in place, obtain explicit and informed patient consent, and carefully manage how they interact with these reviews to maintain compliance with HIPAA regulations.


Finally, as if it even needs to be said… don’t fake your reviews. The FTC isn’t fond of it!


Worried About Your Healthcare Website’s HIPAA Compliance?


HIPAA Digital is a premier provider of HIPAA-compliant website, hosting and marketing solutions, trusted by healthcare providers and businesses across the United States to protect their health information from breaches, threats and vulnerabilities.


We manage everything at a reasonable monthly rate, giving you the peace of mind to focus on your patients.
