Some healthcare organizations have violated patient privacy and HIPAA Rules when responding to negative critiques on Yelp and other review sites, according to a recent ProPublica report.
For the report, ProPublica was given access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated around 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “privacy” or “HIPAA”.
ProPublica researchers found “dozens” of instances where healthcare providers had violated HIPAA Rules when responding to comments. In some cases, the responses to the negative comments included the disclosure of patients’ protected health information (PHI).
ProPublica cited one example of a Californian chiropractor who replied to a negative comment from a patient and included details of the procedures he had carried out and information about her medical condition. Another example involved a dentist who replied to a comment about an alleged unnecessary tooth extraction. The dentist wrote, “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” and added that “This tooth is no different.”
Disclosing any details of medical procedures performed, or any personal information about patients, in website comments is a breach of patient privacy and a violation of the Health Insurance Portability and Accountability Act. Even when no PHI is disclosed, healthcare providers have breached HIPAA Rules simply by confirming that the commenter is one of their patients.
Even when a patient publishes a comment about a physician or other healthcare provider, they have not given permission for any information about them to be disclosed. That includes their status as a patient of a particular healthcare organization.
While hotels and restaurant owners can reply to negative Yelp comments and can provide their points of view, healthcare workers must exercise restraint and not enter into comment discussions with patients. This does not mean that healthcare providers do not have the right to reply, only that any responses to negative comments should not refer to individual people.
ProPublica contacted Deven McGraw, Deputy Director for Health Information Privacy at the Office for Civil Rights, who said that any responses to negative comments should be general in nature and that healthcare organizations should never “take those accusations on individually by the patient.”
The Office for Civil Rights (OCR) and state attorneys general can issue substantial fines for HIPAA violations and breaches of patient privacy. In 2013, Shasta Regional Medical Center agreed to pay the OCR $275,000 after the impermissible disclosure of a patient’s protected health information to the media. Healthcare providers that disclose PHI when replying to comments on review sites may find that they, too, face a large financial penalty for breaching HIPAA Rules and violating patient privacy.