Posted By Madilyn Moeller, Friday, May 26, 2023
Medical spa patient reviews can be tricky. Your first instinct is to respond immediately to let patients know you heard them. However, this might not be the best idea. The wrong response to a review can get you into hot water with the Department of Health and Human Services Office for Civil Rights (OCR). Why? Because the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires you to protect the privacy and confidentiality of patient information. Even when a patient writes a review, you cannot confirm that the patient in question is someone you treat.
Medical aesthetic practices can use the tips below to ensure they respond to reviews appropriately and prevent HIPAA fines for publicly sharing patient information.
Including protected health information (PHI) in response to a patient review is inappropriate. Additionally, information that can be reasonably tied back to a specific patient cannot be posted publicly. In one memorable case, a hospital employee posted negative comments on social media after treating the suspect in the fatal shooting of a police officer.
Even though she did not use the suspect’s name, the case's notoriety meant anyone could determine who the patient was. Because her comments included PHI, the result was a HIPAA fine and professional discipline.
Protected health information includes:
Patients can’t violate HIPAA by posting their information online, but you can by replying to it. Even when patients post their PHI, health care providers must be careful with what they say. For example, if a reviewer posts a message saying they had a pleasant experience and your response is, “Thank you for coming in! We’re happy you had a positive experience,” this response is a HIPAA violation, since you confirmed that they are a patient. The only permitted response, in this case, is “Thank you!”
When a patient review indicates the patient had specific concerns, a reply stating, “Please call us to address your concerns,” acknowledges that one patient had specific health concerns. Such concerns are PHI and may not be disclosed by a health care provider without prior written authorization.
Responding to patient reviews properly boils down to one thing: Less is more. There are really only two appropriate responses to online reviews.
Respond to a positive review with a simple, “Thank you.” Respond to a negative review with, “Please call our office.” Any other response is considered a HIPAA violation that can lead to costly fines.
In two recent cases, dental practices were investigated and fined because they responded to patient reviews in a way that improperly disclosed PHI.
In late 2022, a dental practice impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The practice did not respond to the OCR’s data request or object to an administrative subpoena and waived its rights to a hearing. The OCR imposed a $50,000 HIPAA fine.
In a statement accompanying the announcement, OCR Director Lisa J. Pino underscored the agency’s commitment to enforcing privacy and security standards for patients’ PHI.
“OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed,” said Pino.
In a 2019 incident, another dental office faced an investigation into a review response. The practice was fined $10,000 for disclosing one of its patients' PHI while responding to a review on Yelp. The review response revealed the patient’s full name, insurance information, treatment plan and cost information.
Roger Severino, director of the OCR at the time, stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
Compliancy Group’s simplified software and Customer Success Team remove the complexities and stress of HIPAA, helping medical spa professionals easily achieve HIPAA compliance. It gives practices confidence in their compliance plan, increasing patient loyalty and the profitability of their practice while reducing risk. As an AmSpa Vendor Affiliate, medical spa professionals can be confident in their compliance program.
Compliancy Group’s software automates HIPAA compliance for medical spas. Achieving compliance can be done quickly through just a few self-paced virtual meetings. New customers will save 15% on Compliancy Group’s software, which includes live coaching to guide you through your compliance requirements, risk assessment that makes the required HIPAA risk assessment a breeze, policies and procedures that fully satisfy HIPAA regulations and protect your business, and intuitive and automated HIPAA training that awards the HIPAA Seal of Compliance upon completion.