Online Reviews and HIPAA Compliance
Online reviews are critical for success in our modern business world. Many of us turn to online reviews when searching for a new health provider, but HIPAA compliance issues complicate how providers can use online reviews.
Savvy health care marketers want to use online reviews to attract new patients. But how can they do so while also protecting sensitive data and complying with HIPAA?
Online Reviews and Medical Marketing
Online reviews are extremely popular and are often consulted by patients looking for new providers. Google, Yelp, and Facebook are just a few of the most common review websites that people visit. Skilled digital marketers in every industry recognize the power of a positive review and want to incorporate online reviews and testimonials into their marketing strategies. How many times have you been contacted and asked to leave a review after visiting a restaurant, supermarket, or retail store?
However, when it comes to the health care industry, it’s not as simple as sending off an automated email or survey. Health care marketers need to keep HIPAA compliance in mind when crafting their review campaigns.
The HIPAA Compliance Issues Involved In Asking For Online Reviews
A traditional email campaign to request a review is quite simple. The sender creates a message that says something like “Thanks for visiting Dr. Smith’s office today. We hope you had a positive experience and we would appreciate your feedback. Please click here to leave a review on Google.” You may not realize it, but this simple ask is more complicated than it seems from a HIPAA compliance perspective. Why? Because even the most seemingly mundane details constitute electronic protected health information (ePHI).
ePHI is defined as “individually identifiable health information” relating to:
- An individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
A patient’s name and even their email address are considered individually identifiable information, while asking for a review of their appointment clearly relates to the “…provision of health care to the individual.”
Most messages that ask for an online review include ePHI and must be protected. If this information isn’t adequately secured, the message will be sent in violation of HIPAA. These violations can result in significant penalties for your organization.
How Can You Ask For Patient Reviews And Maintain HIPAA Compliance?
Is it possible for healthcare marketers to solicit patient reviews via email? Keeping the message content as generic as possible may help you avoid a violation. However, when it comes to HIPAA and patient security, we always recommend stepping up your game.
Sending normal emails or text messages is risky, but a HIPAA-compliant email solution allows you to circumvent this problem. Services like LuxSci’s Secure Marketing and Secure High Volume Email are designed with HIPAA compliance in mind. They have the appropriate protections (including message encryption) in place to keep ePHI secure.
Using these services allows you to ask patients for online reviews, all in a HIPAA-compliant manner. Not only will this help your company get more positive online reviews, but LuxSci’s solutions allow you to automate the whole process. You can set up the systems to automatically email patients after they have an appointment, making it simple for your company to boost its online reputation.
How To Respond To Online Reviews While Maintaining HIPAA Compliance
Most marketers know that it is a good practice to respond to patient reviews, whether they are positive or negative. However, public correspondence regarding patient appointments can be a nightmare when it comes to HIPAA compliance.
Even acknowledging that a patient had an appointment with your organization can be a HIPAA violation, because it combines details of their health care with individually identifiable information in a public forum.
This means that even if a patient publicly writes about their medical conditions or treatments, you can’t acknowledge them. This means messages like “Thanks so much! We’re glad Dr. Smith was able to stitch you up.” or “We’re sorry to hear you had a bad experience refilling your anti-depressant prescription. How can we fix the situation?” are off-limits.
It’s counter to how most marketers would like to reply, but for compliance reasons you cannot acknowledge their visit or the specifics. A HIPAA-compliant message could be something like* “We really appreciate your review.” It may seem impersonal, but the law is the law, and you face huge fines if you disobey it.
(*Please note that this is not intended as legal advice. You should consult a lawyer if you have questions about online reviews and compliance.)
Responding To Online Reviews In A HIPAA-Compliant Manner
There are many situations where you may want to give a more sincere reply than the example above, especially if a patient had a negative experience. If the review is not anonymous, we recommend having a staff member reach out privately.
It’s best to see these as opportunities to listen to your patients and try to rectify the situation. By taking the right approach, you can turn a negative review into a positive experience.
However, you can’t have a detailed discussion about the online review on the website while still maintaining your HIPAA compliance. This means that you need a way to reach out to your patients without violating the regulations. LuxSci’s Secure Email is perfect for these kinds of situations, because it is designed from the ground up to be HIPAA-compliant. You can email your patients to discuss the situation without worrying about exposing their ePHI and violating the law.
Contact LuxSci now to find out how you can use our services to reach out to your patients and collect reviews that drive new business.