
4 Tips to Protect Patient Privacy When Responding to Online Feedback

“Get a life.”

That’s how one dentist ended his scathing public response to a bad online review recently. And that’s after revealing details about his patient’s protected health information (PHI), a clear violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA).


As a consequence of the violation (combined with the dentist’s refusal to cooperate with the resulting investigation), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $50,000 penalty.

Penalties for privacy violations don’t just happen in the U.S. According to the UN, 71% of countries have legislation in place to govern how personal data is used in healthcare practices. In most countries, disregarding your patients’ data privacy rights can result in serious legal and financial ramifications.

Stories like Dr. “Get a Life” are the reason many dental practitioners are hesitant to engage with patients on social media or respond to online reviews.

Don’t let cautionary tales deter you from building your online reputation.

Your federal and/or local legislation is in place to protect your patients, not to prevent you or your staff from engaging with people online. With the right guidelines and processes in place, you should feel confident in your ability to interact with patients online while maintaining their right to privacy. Here are four tips to help you find this balance:

Train and equip everyone on your staff.

Properly trained employees understand what violates a patient’s privacy, and as a result, they are more cautious about what they post, and when.

In the U.S., healthcare staff should thoroughly understand what constitutes protected health information (PHI) under HIPAA and how it can be used or disclosed (hint: only when the HIPAA Privacy Rule permits or requires it, or with the authorized individual’s signature). The HIPAA Journal goes into more detail about PHI.

Don’t forget about your state or local laws, as well. Here in Texas, home of Bullseye Media’s headquarters, healthcare practitioners must follow HIPAA and the Texas Medical Records Privacy Act (TMRPA).

Set your staff up for success; provide them with everything they need to protect PHI while representing your practice. This includes a thorough training program, along with clear social media guidelines and policies that everyone understands and agrees to follow.

Prepare thoughtful, empathetic responses ahead of time.

Of course, you don’t want your posts, comments, and review responses to sound like “canned” statements copied and pasted from a template. Behind every post and review is a real person who deserves their own response. However, privacy laws limit just how “personal” a response can be when it comes to PHI.

We recommend that you draft 20 or more potential responses to online feedback, and have your lawyer or HIPAA-compliance consultant review and approve them from a legal perspective. Once approved, you or your staff can select the appropriate responses to reply to individual comments and reviews. Using a variety of responses helps show that a real person is behind the comments (this is not the time or place for bots).

Respond (ideally, within a week).

Patients expect practitioners to respond to their comments and reviews in a timely manner—especially ones that are negative. Read their feedback and select the most relevant pre-approved response, or, if one doesn’t fit the circumstance, work with your lawyer or consultant to craft an option that does.

Remember, due to PHI rules, you cannot acknowledge or repeat any identifying information about a patient. You cannot recognize that a person is a patient or confirm that they visited your office (even if they clearly state this information in their review).

Bonus tips for drafting public responses to negative feedback:

As you work with your lawyers and experts, consider the following examples:

Sidebar: these responses have not been approved by lawyers or compliance experts. We are digital marketing experts who wish to “stay in our lane,” so please consult your legal experts before posting these responses. Objection! Sustained! Motion to continue! Don’t hold us in contempt! (Have we proved our point that legal jargon is not our forte?)

Take it offline.

We spend a lot of time singing the praises of online marketing, but we also know when to employ time-tested, “old school” tactics. For example, a handwritten thank you note is a nice touch for a patient who leaves a positive review or gives you a referral.

To address negative feedback, an old-fashioned phone call is often the right next step. When you call the patient directly, let them know you’re checking in, and ask them how their experience was during their last visit. Patients are usually happy to respond with feedback. Approach any negativity with calm, humble energy, and see if you can come to a mutual solution. Perhaps they need a redo, or more information. Maybe they aren’t a great fit for your office, and you can help refer them to a different provider.

A respectful conversation will likely make an impression. The patient might even end up modifying or updating their negative comment or review, which would demonstrate your commitment to ensuring that each patient has a satisfactory experience.

We hope these tips have been helpful. If you have any other questions about how to engage with your patients online, please reach out to us. Your friendly Bullseye Media reps are just a phone call, text, or email away.
