There’s more to HIPAA than data breaches

Posted: Aug 03, 2017

When most people hear about HIPAA violations, usually the first thing that comes to their mind is ‘data breach’ – hardly surprising considering how frequently large-scale data breaches occur within the healthcare sector.

But while healthcare data breaches have become an unfortunate fact of life, there are a number of lesser-known HIPAA violations that can also affect covered entities, both inside and outside the practice walls. Unlike the typical breach, many of these lesser-known violations occur inadvertently, without any malicious intent.

For example, it is not uncommon for patients to publish reviews and opinions about a particular physician or practice on social media or a review site, such as Yelp. These reviews could be positive or negative, and could even be false, and as such it is understandable that the physician or practice in question may try to defend themselves.

However, in doing so, the physician or practice may be making matters a whole lot worse for themselves, as a public exchange of this nature could be considered a violation of HIPAA. This is where things can become a bit blurred: while patients are free to disclose details of their own diagnosis and condition in public, it is not acceptable for a physician or practice to follow suit. Even a simple acknowledgement of a review or comment could be seen as a violation, because it confirms that a treatment relationship exists between the two parties, and the fact that someone is a patient is itself protected health information.

So how should HIPAA covered entities go about protecting their reputation online, without violating HIPAA?

For consumer review sites in particular, covered entities should search the internet to see if any reviews have been left on an unclaimed business page. The option then is to either claim the page and take control of it, or create a dedicated new page, which can be monitored and managed in a safe and secure way.

Physicians need to pay particular attention to how they defend themselves against negative reviews, and must completely avoid identifying the reviewer as a patient. Ideally, the goal should be to take the conversation offline, to a private one-to-one channel. With this in mind, replies should be short and to the point: thank the reviewer for taking the time to share the concern and invite them to discuss the issue in more detail over the phone, without confirming or denying that they were ever seen at the practice. When following up over the phone or in person, physicians should verify who they are speaking with before discussing any health information, then listen to the patient's complaint and provide a clear explanation of how they plan to resolve it.

To avoid future complications, admin staff should regularly monitor online mentions and notify individual physicians of any instances that they should respond to directly. Practice managers should ensure that the HIPAA policies and procedures for employees include details of how to respond to patient complaints online, so that what starts as a nuisance does not turn into a nightmare.