This post, Watch out for these HIPAA violations in online reviews, first appeared on

When most physicians think of the Health Insurance Portability and Accountability Act (HIPAA), their immediate thought is a data breach. But they should also be keenly aware that they can violate the federal law simply by replying to a negative online review.

Most physicians are familiar with Yelp. Besides being the leading crowd-sourced rating site for restaurants, hotels and just about anything consumers want to buy, Yelp is host to healthcare reviews.   

Some patients complain about repeated lengthy wait times to see their doctor. Others criticize their doctor for what they consider to be unnecessary and expensive diagnostic tests, or they complain about the doctor’s poor bedside manner.

Doctors often defend themselves and their practice if they receive a negative review, replying to a comment or bad rating, or carrying on a dialogue with the patient reviewer. But this interaction can potentially expose personal medical information, resulting in a HIPAA violation.

For example, a patient with painful scoliosis complains about the long wait to see a neurosurgeon for spinal surgery, and gives the doctor a one-star rating. Even if the patient discloses his diagnosis, the surgeon is in violation of HIPAA if he responds by advising the patient to get an MRI before scheduling an appointment.

Proper etiquette for responding to negative reviews

Stake your claim

For review sites like Yelp, doctors should start by searching the site to find out if anyone has reviewed them on an unclaimed page. They can claim it as their profile page and take control of it, or create a new page.

Use caution with criticism

Physicians should think about interacting with an unhappy reviewer on Yelp in the same way they would speak to an unhappy patient in the office. Physicians need to be especially careful when defending themselves against a negative review, and should even avoid identifying the reviewer as a patient. Keep replies short and simple. The physician should thank the reviewer for taking the time to share his or her concern and invite him or her to have a phone conversation to discuss the matter.

Periodically monitor reviews and ratings

Make sure your practice has a clear policy regarding responses to patient complaints as part of its HIPAA policies and procedures for employees. Have front office staff notify the physician of a negative review so that he or she can respond to the patient directly.

Talk it out

As a best practice during a follow-up phone call, physicians should listen to the complaint and let the patient know how they plan to resolve it, or discuss reasons for prescribing a treatment. Patients are more likely to update negative reviews if they know they’ve been heard. 
