Reviews

The Guide to Crafting HIPAA-Compliant Review Responses

February 07, 2019

See customer feedback from over 100 review sites in one place

Request a demo

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects a patient’s health information, and it also extends to responses to patient reviews online. This means that healthcare marketers need to write HIPAA-compliant responses to reviews.

Specifically, you need to be able to reply to a review without referring to any specifics about medical care or the patient’s identity—which could be construed as “patient data”.

This tightrope act might sound daunting, but it’s actually easier than you think. We’ll use this guide to provide some best practice tips when handling future reviews, but we’ll also show off some real-world examples to give you a better idea of how to craft HIPAA-compliant responses.

The Cost of Non-Compliant Responses to Patient Reviews

The best way to tell if a review response is HIPAA-compliant is to see if it goes into detail about the patient’s treatment or mentions specifics about their visit. Responders who bring up these details are potentially violating HIPAA guidelines.

The penalties for breaking HIPAA rules fall into four tiers, with each level of severity carrying increasing amounts of financial obligations:

  1. If you didn’t know you violated HIPAA guidelines and “by exercising reasonable diligence would not have known” that you violated the rules then the penalty can range between $100 – $50,000 per violation.
  2. Violating the rules “due to reasonable cause” and not because of to willful neglect will cost you $1,000 – $50,000 per violation.
  3. Breaking the rules because of willful neglect and correcting the mistake in the appropriate amount of time amounts to $10,000 – $50,000 per violation.
  4. Violating HIPAA guidelines because of willful neglect and not correcting it in time nets the highest penalty at a flat $50,000 per violation.

The maximum total amount penalized to the offending group is $1.5 million per year.

4 Tips for a HIPAA-Compliant Response

The penalties above not only hurt a healthcare group financially, but it also has the potential to negatively impact its reputation. So how you do you avoid these pitfalls and effectively respond to reviews?

  • Have a plan in place, aka, keep a cool head. The most important thing when responding is that it shouldn’t be impulsive. Always strive to maintain a calm tone and have a professional writing “voice” when responding.
  • Say “Thank You.” Part of that “voice” involves showing your appreciation for the feedback whether it’s positive or negative. Saying “Thank You” shows that you take every piece of feedback seriously in order to further improve the patient experience.
  • Provide a general response. Avoid those huge HIPAA fines by sticking to general phrases like “We take your feedback seriously” or “We strive to always improve our patient experience.” In any case, make sure that you avoid referencing any specifics about the patient’s visit or their treatment. Even if the reviewer mentioned specifics about their treatment or visit, don’t acknowledge it. Instead…
  • Take the conversation offline. The best way to help patients with issues or additional comments is by directing them to a specific number or department where they can freely discuss specific issues. It also relieves you of any potential breaches of HIPAA guidelines in further online conversations.

So how do these tips work in a real-world scenario? We’re glad you asked.

Examples of HIPAA-Compliant Responses

As a precautionary measure, Saran Zamora, the marketing coordinator at Nicklaus Children’s Hospital, and her team utilize pre-drafted responses.

“We have carefully drafted responses that we post whenever the site allows for a response,” she says. “These responses never ask for any personal health information but rather are crafted to let the reviewer knows we are aware of the comment and we encourage him or her to contact us directly. The response provides a phone number. The idea being not to address the comment directly online, but to provide the reviewer an avenue to directly communicate with us.”

Zamora’s approach allows her team to respond to every review in a professional manner that doesn’t bring up specifics. Furthermore, the response also encourages reviewers to go offline if they want to bring up additional details about their experience.

We also recently talked about the importance of a healthcare listing on Yelp, and that’s where we can see more examples of patient review responses in action. Specifically, Dr. Danika E. Brinda of Planet HIPAA wrote a Yelp blog post that provided the examples below, which fall into two separate categories.

Responding to a Public Review

Take a look at the response to this patient review. Spoiler alert: it meets HIPAA guidelines.

HIPAA compliant review responses

Image courtesy of Yelp

Here’s why: it’s a general response that doesn’t go into any details. It doesn’t explicitly say that the reviewer was a patient at the hospital, and if they were, the response doesn’t provide any details about their visit or treatment. Instead, the response is a simple “thank you” for the review while also touting the hospital’s mission of providing excellent patient care.

Responding to Direct Messages

Unlike reviews, responding through direct messages on sites like Yelp are kept private between you and the patient. However, it’s still important to remember HIPAA guidelines in your response.

HIPAA compliant review responses

HIPAA compliant review responses

Images courtesy of Yelp

As always, remember to keep responses as general as possible. The response above doesn’t include specific information about the patient or their visit. What’s even more important is that the responder encouraged the patient to make additional comments offline.

This ensures that future communication about the patient experience and other specific items is strictly between the reviewer and the provider. Furthermore, any digital footprint of the review and subsequent responses, whether they are public or private, is free of any HIPAA violations.

related posts

How to Claim Your Business on Citysearch
How To Claim Your Business On Urbanspoon
How to Claim Your Business on Insider Pages

Try ReviewTrackers for two weeks, no credit card required.

See all your reviews in one dashboard. Respond to customer faster. Generate 3 times more reviews with email and SMS campaigns.
Start my free trial