Online patient reviews can pose HIPAA minefield

Healthcare organizations continue to build up their web presence in the push toward consumerism—taking a cue from other industries so patients can easily search for and find their services online.

But unlike retail, hospitality and food, healthcare companies run the risk of violating federal privacy laws when responding to patient reviews online.

Seventy-two percent of adults say they read online reviews when choosing a new healthcare facility or physician, according to a report from Reputation, an online reputation management company.

And patients are supplying that information.

Hospitals received 50% more reviews last year compared to 2020, per the report. Physicians received 58% more reviews.

Patients do their research before selecting a doctor, and most of that research involves online reviews, said Lauren DeRitis, a marketing coordinator at Philadelphia-based Rothman Orthopaedic Institute.

“They’re looking at the reviews of what other people say,” she said. “We have to take it seriously.”

DeRitis manages online reviews and profiles for the group’s offices and physicians on sites like Google, Healthgrades and RateMDs. On Google alone she’s managing nearly 500 profiles, including business profiles for every physician and every location a physician practices at, to help them show up when a potential new patient searches for doctors in their area.

Online business profiles have become a focus for Google’s health arm.

Google recently rolled out new features to its business profiles for healthcare facilities and physicians, so patients can see appointment availability and information on what insurance physicians accept and what languages are spoken at their practices. Profiles corral information from various sources and a provider can claim their profile to update those details.

Online profiles and reviews can be a boon for smaller practices looking to rank higher in results from Google and other search engines, so that new patients can find them more easily.

But healthcare providers must make sure they don’t run afoul of the Health Insurance Portability and Accountability Act when publicly responding to patient reviews online.

HIPAA is a particular point of concern when responding to negative reviews, where providers might want to defend themselves against patient complaints about a physician, wait time or bills.

A dental practice in North Carolina was recently slapped with a $50,000 fine by the Health and Human Services Department agency that enforces HIPAA after disclosing a patient’s medical data online when responding to a negative review on the practice’s Google profile, in which the patient used a pseudonym. The practice disclosed the patient’s real name and details of their medical visit.

HIPAA breaches can be “extremely detrimental to a practice,” said Anders Gilberg, senior vice president of government affairs at the Medical Group Management Association.

Providers could receive costly fines, and it can harm their reputations, he said.

“I don’t think everybody realizes the scope and ramifications if you do this incorrectly,” he said.

The safest thing to do is not respond to negative reviews at all, said Brad Rostolsky, a partner in law firm Reed Smith’s life sciences health industry group who focuses on privacy and security.

It’s natural to see criticism and want to defend a person or business’ professional reputation.

“But it’s going to be really tricky to do that when you’ve got an overarching HIPAA confidentiality restriction on what you can say,” he said.

Patients can share their own medical data online, posting in-depth details about their health history and what physician they saw, but healthcare providers are bound by HIPAA and can’t disclose medical data publicly.

Even acknowledging publicly that a commenter is a patient or referencing their reason for a medical visit could be a HIPAA breach.

If there’s a complaint a provider wants to address, it’s best to see if the organization can figure out who the commenter is and reach out to them directly, not on the review site.

Physicians and other staffers who might be criticized publicly should not respond to comments online in anger. If someone has a strong desire to respond to a comment on a review site, it’s important to have someone focused on compliance and privacy review the response before posting.

Rather than commenting on negative reviews, providers might be better served by encouraging patients who had positive experiences to write reviews, Rostolsky said.

Some providers hang signs at their offices with where to leave reviews or have front-desk staff suggest patients leave a review after check-out.

Gilberg suggested organizations incorporate guidance on how to respond to reviews into their social media policies. Ideally, they will appoint a designated staffer to check review websites and respond to comments with response templates OK’d by a lawyer, so they can post without potentially violating HIPAA.

It’s critical to move conversations about a patient’s experience to a private discussion through email or a phone call, and not continue it publicly.

DeRitis said she responds to every negative review posted about a Rothman office or physician. Other staff members are tasked with responding to the positive reviews.

Rothman uses a software platform to aggregate online reviews across the internet, so it’s easy to stay up to date on what’s being posted. Only about 2-3% of reviews associated with Rothman are negative, according to DeRitis.

It’s helpful to respond to negative reviews both to address a patient’s complaint, as well as to show others reading reviews that the group is responsive and listens to patient concerns.

DeRitis also sends monthly reports to physicians and Rothman’s leadership that elaborate on which markets are receiving reviews and what that feedback is.

DeRitis keeps the responses to online reviews general—such as saying she’s disappointed to hear about the experience—and includes an email address where she encourages commenters to reach out to her directly. If she’s unsure whether something’s OK to include, she’ll also consult with the group’s compliance team. If it’s a clinical complaint posted on a physician’s individual profile, she’ll loop them in, too.

Only a small subset of patients actually reach out to her directly. For those who do, she’ll figure out what the next steps are. That could mean apologizing to a patient who had a long wait time—and following up with an office manager or particular physician if that becomes a trend—or getting a patient in touch with the billing team to address a billing issue.

“We take it offline, so that we can get into the detail of it,” DeRitis said.
