It is no secret that the Health Insurance Portability and Accountability Act (HIPAA) is a trap for the unwary. A recent study by the non-profit ProPublica has uncovered that the online review site Yelp (as well as other rating sites) are making it easier for covered entities to be ensnared. With the cooperation of Yelp and the use of analytical tools developed by NYU, ProPublica analyzed over 1.7 million Yelp reviews and identified over 3,500 one-star reviews in which patients mention privacy or HIPAA. ProPublica found that in dozens of instances, responses to patient complaints about care spiraled into disputes over patient privacy.

In one example, a chiropractor in California replied to a mother’s claim that he misdiagnosed her daughter with scoliosis, stating in his reply to her one star review that “You brought your daughter in for the exam in early March 2014…The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.” HIPAA applies to covered entities, business associates and healthcare clearinghouses, and protects information that those entities maintain that is related to an individual’s past, present or future health condition provided that there is a reasonable basis to believe the information can be used to identify the individual. Since Yelp reviews display the reviewer’s first name and the initial of their last name, it is reasonable to believe that the information in the chiropractor’s reply, which includes a discussion of a potential medical condition, could be used to identify the mother and in turn the daughter. (For purposes of HIPAA, it is irrelevant that the mother’s initial review already identified herself and her daughter.) A violation is even more likely when the response pertains to the reviewer and not a family member.

One reviewer complained to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) which warned the practitioner about posting personal information. Deven McGraw, OCR’s deputy director of health information privacy, told ProPublica that health professionals can speak generally about the way they treat patients (such as “I provide all my patients with good patient care”) but that they cannot “take those accusations on individually by the patient.”

While some providers have sued patients over their reviews, such suits have been largely unsuccessful. It is becoming clear that those subject to HIPAA must come to grips with the flourishing use of sites like Yelp, and the asymmetric dialogue created by HIPAA’s protections. As these sites proliferate, covered entities would be wise to create written policies governing their workforce’s interaction with such sites.