Some healthcare providers have violated patient privacy and HIPAA Rules when responding to negative comments on Yelp and similar review sites, according to a recent ProPublica report.
For the report, ProPublica was provided with access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated approximately 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “Privacy” or “HIPAA”.
ProPublica researchers discovered “dozens” of instances where healthcare providers had breached HIPAA Rules when responding to comments. In some cases, the responses to the negative comments involved the disclosure of patients’ protected health information (PHI).
ProPublica cited one example of a Californian chiropractor who replied to a negative comment from a patient and included details of the procedures he had performed and information about her medical condition. Another example involved a dentist who responded to a comment about an alleged unnecessary tooth extraction. The dentist wrote “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” and explained that “This tooth is no different.”
Disclosing any details of medical procedures performed or personal information about patients in website comments is a violation of patient privacy and a violation of the Health Insurance Portability and Accountability Act. Even when no PHI is disclosed in the comments, healthcare providers have breached HIPAA Rules simply by confirming that the commenter is one of their patients.
Even when a patient posts a comment about a physician or other healthcare provider, they have not given their permission for any information about them to be disclosed. That includes their status as a patient of a particular healthcare provider.
While hotel and restaurant owners can respond to negative Yelp comments and can provide their points of view, healthcare professionals must exercise restraint and not enter into comment discussions with patients. This does not mean that healthcare providers do not have the right to reply, only that any responses to negative comments should not refer to individuals.
ProPublica contacted Deven McGraw, Deputy Director for Health Information Privacy at the Office for Civil Rights, who explained that any responses to negative comments should be general in nature and that providers should never “take those accusations on individually by the patient.”
The Office for Civil Rights (OCR) and state attorneys general can issue heavy fines for HIPAA violations and breaches of patient privacy. In 2013, Shasta Regional Medical Center agreed to pay the OCR $275,000 after the impermissible disclosure of a patient’s protected health information to the media. Healthcare providers that disclose PHI when responding to comments on review sites may find they too will have to pay a substantial financial penalty for breaching HIPAA Rules and violating patient privacy.