How Many Stars? A Guide for Healthcare Providers in Responding to Negative Online Reviews

‘Tis the season for holiday shopping—including scrolling through online product reviews. Just like reviews for that perfect new grill or an inflatable T-rex costume, online reviews are readily available for healthcare providers, often condensing a provider’s public reputation to a simplistic five-star rating system. At best, online reviews can help healthcare consumers identify and validate their choices for healthcare providers. At worst, a few unfiltered comments by disgruntled patients can disproportionately damage a healthcare organization’s reputation. When faced with a negative online review that is disparaging, inaccurate, and inflammatory (or worse), what can a healthcare organization do?

While healthcare organizations are generally not prohibited from responding to online reviews, the practical and legal risks of such responses can often make things worse, not better. For example, responses to online reviews must fit within narrow guardrails to avoid potentially costly violations of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws.

For example, the Department of Health and Human Services’ Office for Civil Rights (OCR) recently imposed a hefty penalty of $30,000 and a corrective action plan on a provider for disclosing Protected Health Information (PHI) in response to negative online reviews in violation of the HIPAA Privacy Rule. (See: “HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative …”) In an investigation, OCR had found that the provider impermissibly disclosed four patients’ PHI, including information about the patients’ diagnoses and treatment of their mental health conditions. OCR also found that the provider failed to implement adequate policies and procedures to protect patient privacy.

In a separate settlement, OCR imposed a $23,000 fine on a dental clinic for improperly using social media in disclosing PHI in response to reviews. (See: “HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information”) In response to that action, OCR Director Melanie Fontes Rainer stated:

This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO. OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.

Thus, both small and large healthcare organizations could face significant penalties for inappropriate responses. Beyond the constraints of HIPAA and state privacy laws, healthcare organizations must consider other potential negative consequences of responding to negative online reviews.

The Risks of Responding to Online Reviews

  • HIPAA and State Privacy Law Violations: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule imposes strict regulations on the disclosure of patient information. Responding to a review with specific patient details, even inadvertently, can constitute a HIPAA violation. Even acknowledging that the writer of a review was served by the healthcare organization likely violates the HIPAA Privacy Rule. This applies even if a patient has revealed personal information about themselves or their care in the review itself. Many states have privacy laws that could also be implicated.
  • Escalation: Engaging in online disputes with patients may escalate the situation and potentially garner more attention for a negative review. Responding emotionally or defensively can harm the provider’s professional reputation and exacerbate the impact of a negative review. Even a polite response from a healthcare provider to a negative review can backfire, leading to a public response from the writer, additional negative reviews, or even licensure board complaints.

General Recommendations for Responding to Online Reviews

Despite the potential risks in responding to online reviews, healthcare providers are not required to sit by passively and may be judicious in responding to reviews. In some situations, timely and appropriate responses could demonstrate a commitment to patient satisfaction and can mitigate the impact of negative reviews. Below are a few recommendations for a healthcare organization that chooses to respond to negative reviews:

  • Protect Patient Privacy

Never disclose patient-specific information in a public forum. If the review references a particular incident, healthcare organizations may wish to offer a general, neutral response about the policies of the organization without addressing any details about the specific patient experience described in the review. A response should never acknowledge or otherwise reveal that the writer was a patient and should include no other type of information specific to the writer.

  • Consider Taking the Conversation Offline

In response to an online review from a patient who is publicly identified in the review, consider reaching out to the writer directly to ask them to explain their concerns and offer to troubleshoot any issues.

  • Maintain Professionalism

Always respond in a professional and courteous manner. Avoid emotional or defensive language.

  • Set Clear Policy

Healthcare organizations should set clear policies for the appropriate use of social media and any responses to online reviews that are compliant with HIPAA and other applicable privacy laws. For some organizations, it could be helpful to develop a template response for negative reviews that expresses neutral gratitude for feedback and a general commitment to improving patient experience, while respecting patient privacy. Any staff with access to social media or other online accounts with the ability to respond to reviews should be trained in specific policies and best practices, and policies should be periodically reviewed and updated.

  • Seek Legal Advice

Consult with legal counsel if there are questions about how to comply with privacy laws and before responding to particularly sensitive, untruthful, or inflammatory reviews. In some situations, legal counsel may advise further action to address untruthful or defamatory statements that are likely to damage the organization’s reputation if unaddressed.


Online reviews are a reality that healthcare providers cannot afford to ignore. While the desire to address negative reviews is understandable, the risks associated with responding inappropriately necessitate a cautious and strategic approach.

Sands Anderson is dedicated to supporting healthcare providers in addressing the legal challenges of the modern digital landscape. If you have specific concerns or require legal guidance regarding online reviews, please do not hesitate to reach out to Nathan Mortier or our healthcare team.