The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that prohibits the disclosure of protected health information (PHI) without patient consent. PHI is defined as “health information that can be used to identify an individual” and includes data related to a patient’s medical or physical condition and to their identity. HIPAA extends to online review management, and since responding to reviews is essential to a healthcare organization’s online reputation, healthcare marketers must follow HIPAA guidelines when crafting review responses. Below are best practices to consider when handling online reviews, along with some examples of HIPAA-compliant responses.
Best practices for HIPAA-compliant review responses
Avoid a HIPAA violation by following these quick tips:
- Have an internal plan. Collaborate internally to develop review response policies, including identifying who will be responding to reviews and creating templates that can be customized for positive and negative reviews.
- Protect PHI in your response. Remove all details about a patient’s diagnosis, treatment, condition, and visit, and do not confirm or deny that the reviewer is a patient.
- Respond broadly. Stick to general responses like, “Thank you for your feedback” or “Thank you for taking the time to leave us a review.”
- Take the conversation offline. Give the reviewer the opportunity to further discuss their comments by providing them with a phone number or email address for your office or patient experience team. This also helps prevent further online conversations that could violate HIPAA.
Keeping these tips in mind, below are some real examples of review responses that either violate or follow HIPAA guidelines.