HIPAA Still Applies to Patients’ Online Reviews of Providers

February 15, 2019 | Behavioral Health | Electronic Health Records | HIPAA | Litigation

In an era of online dialogue, healthcare providers still need to remain alert regarding their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As tempting as it may be to respond to patients’ criticisms and praise online, healthcare providers, as “covered entities” under HIPAA, should think twice before clicking “post.”

It’s becoming more common to see patient reviews of physicians or other healthcare providers on websites such as Yelp, Facebook, Healthgrades, and WebMD. One 2018 survey found that three-quarters of patients use online reviews as the first step in finding a new physician, and that 94% of the survey participants used online reviews to evaluate physicians. A patient may discuss his or her experiences on a personal Facebook page or even post on the provider’s professional page. When a patient has a negative experience, such posts may be defamatory in nature; on the positive side, consumer reviews can be used by physicians to improve their practice.

Covered entities and their business associates are required to comply with HIPAA, which prohibits disclosure of protected health information (PHI) unless the patient consents or the disclosure is permitted by the statute. PHI may exist in any form or medium and includes information collected by a healthcare provider that relates to the physical or mental health condition of an individual, care provided to an individual, or payment for the provision of care to the individual, if the information identifies, or can be used to identify, the individual.

HIPAA protection is not waived when a patient discloses his or her own information online. In such an event, a covered entity remains bound by HIPAA’s privacy protections. Responding to a patient’s website post discloses PHI merely by revealing that the person is a patient in that covered entity’s practice. In addition, disclosing PHI to the media, online or verbally, is not a permitted disclosure under HIPAA, as previously discussed here. Such a breach under HIPAA can lead to further consequences such as employment sanctions or termination, professional sanctions, and even a fine by the U.S. Department of Health and Human Services.

If a healthcare provider wishes to have a post removed from a web page, the provider can reach out to the website itself to request that the post be taken down. However, if the post does not violate the site’s Terms of Use, this request is unlikely to succeed. Legal counsel may be helpful in communicating with the website owner and in evaluating other possible legal claims, particularly if the comments in the patient’s posting may be considered defamatory.
