Online Reputation Management News | Widewail Blog

How to Maintain HIPAA Compliance When Responding to Patient Reviews

Written by Content Marketing Specialist | August 22, 2022

Review response is essential to any business’s reputation management strategy. For healthcare providers, HIPAA privacy requirements demand more attention to detail in review responses, but it’s not as challenging as it may seem. 

Reviewers often publicly share personal information in their reviews, such as their names or details of their visits. As a care provider, it may feel natural and more engaging to acknowledge these facts in your responses. This is where it gets tricky. 

Any reference to or acknowledgment of a patient’s personal health information is a potential violation of HIPAA guidelines, which can cost a HIPAA-covered entity anywhere from $100 to $50,000 per violation in civil penalties, with the amount depending on the level of culpability. After reading that, you may be thinking, why take the risk of responding at all? 

The answer is simple. 77% of patients use online reviews as the first step in finding a doctor. Your online reputation is a critical factor in earning the trust of prospective patients and your responses give a first look into the service they will receive if they choose a certain physician or clinic. Further, responding gives you the opportunity to connect with your existing patients, maintain their trust, and show them you care. 

So, how do you make your patients feel heard while remaining HIPAA compliant? In this article, we’ll explain how the team behind Widewail Engage handles responses for our healthcare clients, following HIPAA privacy requirements. We'll also provide some real-world examples to demonstrate what a HIPAA-compliant response looks like. 

4 Tips for writing HIPAA-compliant review responses:

  • Don’t use the reviewer’s name
  • Keep replies vague
  • Promote your practice’s values and policies
  • Attempt to take the conversation offline

Our expert response team takes care to personalize and tailor responses to each reviewer’s individual experience. However, in following HIPAA guidelines, our approach looks a little different. The main rules we adhere to for HIPAA-covered practices are as follows:

Don’t use the reviewer’s name 

While it may seem impersonal to avoid addressing the reviewer directly, using a name in your reply confirms that a named individual is a patient of your practice. That confirmation is itself a disclosure of protected health information, so the name should be left out even when the reviewer has already posted it.

Keep replies vague 

Refrain from using words like “patient,” “you,” or “your.” This type of phrasing inherently acknowledges the reviewer’s personal experience with your office. It also puts you at risk of confirming/denying a fact about their visit, which violates HIPAA privacy guidelines.   

Promote your practice’s values and policies

Instead of addressing the specifics of a review in your response, use it as an opportunity to promote your practice’s goals. Focus on what you expect for your patients generally, and share it as it pertains to their feedback.

For example, if a reviewer complains about a longer wait time than expected, don't apologize for their wait: "sorry you had to wait" confirms that they were seen at your office, which risks violating HIPAA guidelines. Instead, reiterate that your practice “strives to provide the shortest wait times possible, and will work to improve in the future.” With this, you indirectly address their feedback and bring the focus back to your office. 

Take it offline 

Inevitably, your practice will receive some negative feedback, and it’s only natural to want to address it in your response. However, the most appropriate and HIPAA-compliant way to react is to offer the reviewer a way to reach you directly, whether that be via phone or email. Independent of HIPAA, this is a general best practice. Suggesting an offline connection allows patients to share their experiences in a private setting while demonstrating that you value their feedback. It also protects you from oversharing and violating any privacy guidelines. 
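The four tips above are mechanical enough to check before a reply is published. The following is an added example, not part of this article and not Widewail's own tooling: a small pre-publish lint for draft responses that flags the reviewer's name, the acknowledging words the tips tell you to avoid, and a negative-review reply that offers no phone number or e-mail address to take the conversation offline. The word list, the phone and e-mail patterns, the sample drafts and the contact details in them are all constructed for the example.

```python
import re
from typing import List

# Constructed word list for this example: terms that acknowledge a treatment
# relationship with the reviewer. Extend it to fit your practice's style guide.
ACKNOWLEDGING_TERMS = (
    "patient", "you", "your", "yours", "visit", "appointment", "treatment",
)

# A phone number in common US formats, or an e-mail address: the signal that the
# reply offers an offline channel. Both patterns are assumptions for this example.
CONTACT_RE = re.compile(
    r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"   # (802) 555-0199, 802-555-0199, 802.555.0199
    r"|[\w.+-]+@[\w-]+(?:\.[\w-]+)+"             # office@example.com
)


def lint_response(reviewer_name: str, draft: str, negative: bool = False) -> List[str]:
    """Return a list of findings for a draft reply; an empty list means it passed.

    reviewer_name: the display name shown on the review (may include initials).
    draft:         the reply text you intend to publish.
    negative:      True when the review is negative, which adds the offline-contact check.
    """
    findings: List[str] = []

    # Tip 1: don't use the reviewer's name. Every token of the display name is
    # checked, case-insensitively; single-letter initials are skipped because a
    # lone "K" almost never appears in prose. A common-word name such as "Will"
    # produces false positives, which is the safe direction for this check.
    for token in re.findall(r"[A-Za-z][A-Za-z'-]*", reviewer_name):
        if len(token) < 2:
            continue
        if re.search(rf"\b{re.escape(token)}\b", draft, re.IGNORECASE):
            findings.append(f"uses the reviewer's name: {token!r}")

    # Tip 2: keep it vague. Second-person wording and visit-specific nouns
    # acknowledge that this person was seen at your office.
    for term in ACKNOWLEDGING_TERMS:
        if re.search(rf"\b{term}\b", draft, re.IGNORECASE):
            findings.append(f"acknowledges the reviewer's experience: {term!r}")

    # Tip 4: a negative review must be steered to a private channel.
    if negative and not CONTACT_RE.search(draft):
        findings.append("negative review but no phone number or e-mail offered")

    return findings


if __name__ == "__main__":
    # Constructed drafts. The first breaks three of the four tips at once.
    bad = "Hi Sarah, thank you for your visit. We are sorry the wait was long."
    good = (
        "We appreciate the feedback. Our team strives to provide the shortest "
        "wait times possible and is always working to improve. Please call our "
        "office at (802) 555-0199 or e-mail office@example.com so we can "
        "discuss any concerns directly."
    )
    for label, draft in (("bad", bad), ("good", good)):
        for finding in lint_response("Sarah K.", draft, negative=True) or ["ok"]:
            print(f"{label}: {finding}")
```

Tip 3 (promoting the practice's values) is not something a pattern check can verify, so the lint only catches what the reply must not say; a human still decides what it should say. Treat every finding as a reason to rewrite rather than as a rule to argue with, since the cost of a false positive is one extra edit and the cost of a false negative is a public PHI disclosure.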

HIPAA-Compliant Positive Review Response Example

Now that you know more about how to avoid those expensive HIPAA fines in your review responses, let’s see a couple of real-world examples: 

This response meets HIPAA standards perfectly. It doesn’t address the reviewer by name, nor does it confirm/deny that the reviewer was ever a patient at this practice. Rather, the response offers gratitude to the reviewer, while promoting the doctor’s goals and values. 

HIPAA-Compliant Negative Review Response Example

Negative reviews for HIPAA-bound entities often contain very sensitive and personal information, which is why it’s important to take the conversation offline as soon as possible. This response directs the reviewer to reach out to discuss their concerns, rather than addressing or acknowledging them online, ensuring HIPAA compliance. It also promotes the practice’s goals in general, which helps make the reviewer feel heard. 

All in all, when writing HIPAA-compliant responses, it’s important to remember why you are responding in the first place. You want your responses to portray your practice in a positive light online, promote trust, and demonstrate gratitude for your patients. With a review response service like Widewail Engage, you can be confident that your responses will adhere to HIPAA guidelines while keeping your practice competitive in online reputation and search engine rankings.