As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Providers receiving negative reviews have several options for responding.

1. Ignore it. In most cases, negative reviews have few relevant readers, little impact, and simply do not merit a response. Any response you make may simply pour fuel on the fire and prompt further posts from the complainant. On the other hand, an occasional negative review may actually lend credibility to the reviewing site and any positive reviews posted on the site. To that end…

2. Grow your positive reviews. Positive reviews tend to offset and may push negative reviews down the page. The more positive reviews you can obtain, the less impact negative reviews will have. Act so as to merit positive reviews and encourage your patients to post positive reviews.

3. Respond generically without acknowledging that the individual was a patient or disclosing any information that may be linked to the patient. For example, you may respond simply by stating that you provide appropriate care, describing your general policies, or directing readers to positive reviews without referencing an individual case. You may explain that HIPAA prevents you from disclosing information in response, but invite the complainant to contact you offline. In all cases, be polite, professional, sensitive to the patient’s position, and careful that your response does not cross the HIPAA line. Readers are likely to respect and sympathize with a provider who responds in a professional, respectful manner that demonstrates a commitment to appropriate patient care and improvement.

4. Contact the patient to resolve the problem. Often, a person posting an online review is frustrated and wants to be heard. If you timely address the concern, you may convince the patient to remove the negative post and turn them into an avid supporter. Even if you cannot resolve the differences, the patient may be willing to give you a HIPAA-compliant authorization that would allow you to respond out of a sense of fairness. Even if he does not, you capture the moral high ground if the patient refuses to give you a chance to respond.

5. Contact the website that hosts the reviews and ask them to remove the negative review. Many websites will remove false or defamatory content, although you may be limited in your ability to prove your position given HIPAA limitations on your disclosures. Be aware that reporting the negative review does not guarantee that it will be removed, because the content, typically, must first violate the website’s policies or community standards.

6. Warn the patient against defamation. Patients may be liable for publishing libelous statements. An appropriate cease and desist letter may get the patient’s attention and prompt the patient to remove the post. Carefully consider the situation before sending such a letter; it may fuel that patient’s anger and trigger additional online criticisms. As a practical matter, defamation claims are usually not worth pursuing in court due to the cost and difficulty in establishing damages.

7. Learn from the negative reviews. Although annoying or painful, negative reviews do give you a chance to identify weaknesses and improve your processes or personnel. Do not discount the importance of such reviews. You should review your conduct to determine if changes are needed and, if so, make them. As appropriate, you may report back to the complaining patient and, hopefully, resolve the concerns. At the very least, you may be able to avoid such concerns in the future.