Volume 17, Number 8 • August 2017
Report on Patient Privacy
As medical review sites proliferate and cumulatively rack up millions of views per day, physicians and health care systems need to understand what they can—and often more importantly, can’t—say online in response to a negative review.
Consumers who frequent online review sites for other industries are accustomed to seeing responses to reviews, especially to negative reviews. But “hands are tied for the provider,” says health care law attorney Robert Coffield, who practices with Flaherty Sensabaugh Bonasso PLLC in Charleston, W.Va. “The [HIPAA] rules don’t allow them to actively participate in the discussion,” Coffield tells RPP.
Health care providers—or their representatives—can engage people online who post negative reviews, but they need to be extremely cautious when doing so, other medical privacy experts also say.
“When patients are looking at reviews, they want to see a response back,” but health care practitioners must be mindful of HIPAA privacy rules at all times, says Andrew Rainey, executive vice president of strategy and corporate development for Binary Fountain, which provides patient feedback management solutions designed specifically for health care.
Rainey tells RPP that he recommends responding briefly online, but then shifting the conversation out of the public space to a secure platform as quickly as possible.
“It obviously makes sense to respond to negative reviews,” says Rainey. “But that’s not to say it makes sense to respond to all of them. You get a feel for what type warrant a response. I understand frustration on the physicians’ side, but consumerism is very real.”
When HIPAA was enacted and the regulations were written, social media didn’t exist, Coffield says. Therefore, stakeholders are attempting to apply it in a way that wasn’t envisioned at the time, he says, adding, “I think a lot of people have struggled with it.”
Over the past seven or eight years, Coffield says, physician and hospital clients evolved on their thinking about implementing a social media policy. Initially, he says, most organizations avoided all social media, due to HIPAA regulations. But as social media has matured, “it starts to get to the point where we have to let [employees] on social media to do their job.”
“My sense and my recommendation is, you want to work towards a pro-social media policy that educates and informs employees what they can and can’t do on social media” to comply with HIPAA, Coffield says. “You almost can’t sit back and not respond” to negative feedback, since failing to respond looks far worse than a HIPAA compliant response. “You need to have a well thought-out policy to respond.”
Medical Rating Sites Abound
Reviews come in a variety of formats on a growing number of websites, and can range from simple star ratings to anonymous essays. Different sites handle comments and reviews in varying ways:
- Facebook offers an option for businesses to add a space for reviews to their pages, but clients also can leave public comments on a business or personal timeline. Either way, the physician or health care entity in question can post a response or open a dialogue. Most people on Facebook post under their own names.
- Twitter doesn’t offer a reviews option—instead, users can post and share comments, called tweets, that “tag,” or identify, a subject such as a physician or hospital. The physician or hospital in question can respond by replying to the comment. Twitter is not primarily a review site, and it does not gather reviews in one place. Some people use pseudonyms on Twitter.
- Yelp, which is better known as a site to find restaurant and hotel ratings, also has a plethora of reviews for doctors, hospitals and other health care facilities. Entities can post responses to reviews, and many do so. Yelp users can post under their own names, but most do not.
- Zocdoc combines reviews and appointment scheduling, offering users the ability to search physicians and other health care providers by specialty and insurance accepted, and then schedule an appointment via the app or website. Reviews can include first names, and Zocdoc notes when a reviewer is a “verified patient.”
- RateMDs, a site specifically for doctor reviews and ratings, allows anonymous written reviews and provides health care practitioners with the opportunity to write a response to those reviews. The site has more than two million ratings.
- Healthgrades, which has high web traffic, has come in for plenty of criticism from health care practitioners because it allows anonymous reviews without verification that the reviewer is a patient. The site does allow providers to respond to negative reviews, but physicians have cited HIPAA concerns as part of what they say is an inability to properly refute unfair reviews.
Some sites, such as WebMD, allow users the chance to provide a star rating for a health care practitioner or facility, but don’t give the opportunity for comments from the reviewers or responses from the practitioners.
Offer To Speak with Unhappy Patients
Physicians and other health care entities cannot respond directly to specific patient complaints in negative reviews, Coffield says.
“You can either be silent, or if it’s your patient, you can follow up directly with the patient,” he says, adding that it’s best to bring the patient into the office to deal with the complaint directly, person-to-person. “You can’t respond [like that] online,” or even by phone, he emphasizes, even though he acknowledges that “it’s difficult for physicians to do, especially older physicians where they’re used to compliant patients.”
Replying directly online, even without addressing specific complaints, has to be done extremely carefully in order to comply with HIPAA regulations, Coffield says. He adds that a HIPAA-compliant response might read something like: “This website is not the proper forum for these types of discussions. If you have an issue with this particular provider, contact the facility.”
He adds, “You should respond in almost a webmaster-type fashion, and then immediately call the person [if the person can be identified] and say, ‘I just saw your post, and I’d like you to come in and talk about it.’”
There shouldn’t be anything problematic about responding to a negative review by saying, “Please give me a call at this number,” Coffield says. But getting into detailed discussions—even through Facebook and Twitter’s private messaging systems—is “pushing the envelope.”
“A lot of providers think if they don’t say who the patient is or don’t divulge many details that they’re not violating HIPAA—they’re keeping confidential information confidential,” Coffield says. However, protected health information under HIPAA includes information that could give someone the ability to identify a patient, and social media posts that include even scant detail could do that, he says.
Anonymous reviews pose even more significant problems, Coffield says. “Engaging validates the patient on the other side, and with some of these people you can’t win—the more you engage, the more you anger them. But at the same time, failure to respond at all might anger them, even if the response is, I’m not going to respond.” In those cases, provider organizations should attempt to take the discussion offline, but also should be prepared to stop engaging entirely, he says.
Develop a Response Policy for Reviews
Binary Fountain works with clients to manage their social media presence. When it comes to review sites, Rainey says, most feedback tends to be positive or neutral, but it appears more realistic for the provider to have a few less-than-stellar reviews in the mix: “You want to have a mix of positive and negative reviews.”
Deciding to respond online to negative reviews, even in a minimal, HIPAA-compliant fashion, requires a case-by-case analysis, says Rainey. For example, if a provider only has two reviews, and one is negative, then “maybe” it would be worth a response to balance out the negativity, he says, although “obviously not with any level of detail” that speaks specifically to outcomes or to anything identifiable about the case.
On Facebook, where names are clearly visible and usually real, Rainey suggests replying to negative comments using language like this: “I’m sorry to hear about your negative experience. We strive to ensure that these negative experiences don’t happen to anyone.” Then the reply should urge the person to call or email the office, in an effort to “take the conversation offline.”
For example, Binary Fountain client Providence Health & Services, based in Renton, Wash., responded to a negative Facebook post from a man who said he was disappointed in his care: “This is certainly not the feedback we like hearing from our patients, Dave. We strive to provide each and every one of our patients with the highest level of compassionate care possible. Thank you for taking the time to share about your experience, as it is what helps us to improve our overall quality of service.”
Other hospitals take a similar approach. For example, Sentara Regional Medical Center in Williamsburg, Va., responded to a negative review by saying: “We always strive to give the best patient care and are very sorry to see this happened to you and your wife. Please send your contact information to 1800Sentara@Sentara. com so we can route you to the appropriate patient advocate and learn more.”
On Yelp, the approach is again similar, even if the reviews are anonymous. Northwestern Memorial Hospital in Chicago responded to a recent negative review by saying: “Thank you for your honest feedback and we are sorry to hear about the troubles that you’ve experienced. If you haven’t already spoken with our Patient Relations Department, please fill out the following online form and our team will be in touch to help. Thank you.”
Twitter requires shorter replies—it’s limited to 140 characters—but the format still allows for the standard “please get in touch” approach recommended by experts. For example, an anonymous Twitter user tweeted at Providence Health & Services recently, saying “@ Prov_Health thanks for costing me thousands of dollars. Worthless criminals should [be] ashamed.” Providence replied, “Is there something we can help you with? Please dm [direct message] us and we are happy to look into your concern.”
Doctors Advised to Remain Mum
It’s important to train physicians not to respond directly and impulsively to negative reviews, Rainey says.
“We see physicians who do take this very personally,” he says, adding that “we do not recommend the physician respond back—oftentimes that’s going to involve ‘shooting from the hip.’” Responding to negative online reviews or comments in an emotional manner can result in major HIPAA problems, he adds.
“Inherently, it is incredibly challenging for the average patient to provide an accurate review of the quality of care they received,” Rainey says. “And it’s not just the quality of the procedure—it’s the parking, the quality of the front desk staff,” and other factors, some of which are not under the provider’s control.
Instead of the physician responding directly to negative comments, an established marketing team— assuming one is in place—can be trained and tasked with formulating responses, he says. The message from that marketing team to physicians should be: “Please do not go and create your own account and respond to this.”
Appropriate, measured responses can sometimes even persuade a reviewer to change the review, Rainey says. In one case, he says, a reviewer posted a negative review of a large hospital system’s emergency department on Yelp, but revised the star rating upward after the emergency room director reached out personally.
Contact Coffield at RCoffield@FlahertyLegal.com and Rainey via Binary Fountain spokesperson Michiko Morales at firstname.lastname@example.org.✧
Copyright © 2017, Health Care Compliance Association (HCCA). This article, published in Report on Patient Privacy, appears here with permission from the HCCA. Call HCCA at 888-580-8373 with reprint requests or email us at email@example.com.
About the Author