Responding to Negative Yelp Comments Breached HIPAA

by | Sep 26, 2017

Some healthcare organizations have violated patient privacy and HIPAA Rules when responding to negative critiques on Yelp and other review sites, according to a recent ProPublica report.

For the report, ProPublica was given access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated around 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “privacy” or “HIPAA”.

ProPublica researchers found “dozens” of instances where healthcare providers had violated HIPAA Rules when responding to comments. In some cases, the responses to the negative comments included the disclosure of patients’ protected health information (PHI).

ProPublica referred to one example of a Californian chiropractor who replied to a negative comment from a patient and included details of the procedures he had carried out and information about her medical condition. Another example involved a dentist who replied to a comment about an allegedly unnecessary tooth extraction. The dentist wrote, “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” and added that “This tooth is no different.”

Disclosing any details of medical procedures performed, or any personal information about a patient, in a public reply is a breach of patient privacy and a violation of the Health Insurance Portability and Accountability Act. Even when no clinical details are disclosed, healthcare providers have breached HIPAA Rules simply by confirming that the commenter is one of their patients, because a person’s status as a patient of a particular provider is itself protected health information.

Even when a patient publishes a comment about a physician or other healthcare provider, they have not given their authorization for any information about them to be disclosed by the provider. That includes their status as a patient of a particular healthcare organization.

While hotel and restaurant owners can reply to negative Yelp comments and give their side of the story, healthcare workers must exercise restraint and not enter into comment discussions with patients. This does not mean that healthcare providers have no right to reply, only that any response to a negative comment should not refer to, or confirm anything about, the individual who wrote it.

ProPublica contacted Deven McGraw, Deputy Director for Health Information Privacy at the Office for Civil Rights, who said that any responses to negative comments should be general in nature and that healthcare organizations should never “take those accusations on individually by the patient.”

The Office for Civil Rights (OCR) and state attorneys general can impose substantial financial penalties for HIPAA violations and breaches of patient privacy. In 2013, Shasta Regional Medical Center agreed to pay OCR $275,000 to settle potential violations arising from the impermissible disclosure of a patient’s protected health information to the media. Healthcare providers that disclose PHI when replying to comments on review sites may find that they, too, face a large financial penalty for breaching HIPAA Rules and violating patient privacy.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick is compliance, particularly in relation to HIPAA (the Health Insurance Portability and Accountability Act). He has authored numerous articles on the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
