By Compliancy Group

Medical spa patient reviews can be tricky. Your first instinct is to respond immediately to let patients know you heard them. However, this might not be the best idea. The wrong response to a review can get you into hot water with the Department of Health and Human Services Office for Civil Rights (OCR). Why? Because the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires you to protect the privacy and confidentiality of patient information. Even when a patient writes a review, you cannot confirm that the patient in question is someone you treat.

Medical aesthetic practices can use the tips below to ensure they respond to reviews appropriately and prevent HIPAA fines for publicly sharing patient information.

1. Never respond to a review with a patient’s personal information.
2. Don’t confirm a reviewer is your patient.
3. Don’t acknowledge patient concerns publicly.
4. Less is more.

Find out more about how to open a successful and profitable medical spa practice.

Never Respond to a Review With a Patient’s Personal Information

Including protected health information (PHI) in response to a patient review is inappropriate. Additionally, information that can be reasonably tied back to a specific patient cannot be posted publicly. In one memorable case, a hospital employee posted negative comments on social media after treating the suspect in the fatal shooting of a police officer.

Even though she did not use the suspect’s name, the case's notoriety meant anyone could determine who the patient was. Because her comments included PHI, the result was a HIPAA fine and professional discipline.

Protected health information includes:

1. Name;
2. Address (including subdivisions smaller than state, such as street address, city, county or zip code);
3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, and the exact ages of individuals older than 89;
4. Telephone number;
5. Fax number;
6. Email address;
7. Social Security Number;
8. Medical record number;
9. Health plan beneficiary number;
10. Account number;
11. Certificate/license number;
12. Vehicle identifiers, serial numbers or license plate numbers;
13. Device identifiers or serial numbers;
14. Web URLs;
15. IP address;
16. Biometric identifiers, such as fingerprints or voiceprints;
17. Full-face photos; and
18. Any other unique identifying numbers, characteristics or codes.

Don’t Confirm a Reviewer Is Your Patient

Patients can’t violate HIPAA by posting their information online, but you can by replying to it. Even when patients post their PHI, health care providers must be careful with what they say. For example, if a reviewer posts a message saying they had a pleasant experience and your response is, “Thank you for coming in! We’re happy you had a positive experience,” this response is a HIPAA violation, since you confirmed that they are a patient. The only permitted response, in this case, is “Thank you!”

Don’t Acknowledge Patient Concerns Publicly

When a patient review indicates the patient had specific concerns, a reply stating, “Please call us to address your concerns,” acknowledges that one patient had specific health concerns. Such concerns are PHI and may not be disclosed by a health care provider without prior written authorization.

Less Is More

Responding to patient reviews properly boils down to one thing: Less is more. There are really only two appropriate responses to online reviews.

Respond to a positive review with a simple, “Thank you.” Respond to a negative review with, “Please call our office.” Any other response is considered a HIPAA violation that can lead to costly fines.

Review Responses That Led to HIPAA Fines

In two recent cases, dental practices were investigated and fined because they responded to patient reviews in a way that improperly disclosed PHI.

In late 2022, a dental practice impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The practice did not respond to the OCR’s data request or object to an administrative subpoena and waived its rights to a hearing. The OCR imposed a $50,000 HIPAA fine.

In a statement accompanying the announcement, OCR Director Lisa J. Pino underscored the agency’s commitment to enforcing privacy and security standards for patients’ PHI.

“OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed,” said Pino.

In a 2019 incident, another dental office faced an investigation into a review response. The practice was fined $10,000 for disclosing one of its patients' PHI while responding to a review on Yelp. The review response revealed the patient’s full name, insurance information, treatment plan and cost information.

Roger Severino, director of the OCR at the time, stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

Read these blogs to know more about the medical spa laws you need to understand to open and run a legally compliant medical spa practice:

• Who Can Own a Medical Spa?
• Paying Commissions in a Med Spa
• Is It Legal to Practice as a Medical Aesthetician?
• The Business, Legal and Financial Aspects of MSOs
• Corporate Practice of Medicine: Living or Dead
• Physician Supervision: Keeping the Medical in Medical Spas
• Who Can Do What in a Medical Spa?
• How to Use Telemedicine for the Good Faith Exam
• Good Faith Exams: The Medical Spa Widowmaker

Contributed by Compliancy Group

Compliancy Group’s simplified software and Customer Success Team remove the complexities and stress of HIPAA, helping medical spa professionals easily achieve HIPAA compliance. It gives practices confidence in their compliance plan, increasing patient loyalty and the profitability of their practice while reducing risk. As an AmSpa Vendor Affiliate, medical spa professionals can be confident in their compliance program.

Compliancy Group’s software automates HIPAA compliance for medical spas. Achieving compliance can be done quickly through just a few self-paced virtual meetings. New customers will save 15% on Compliancy Group’s software, which includes live coaching to guide you through your compliance requirements, risk assessment that makes the required HIPAA risk assessment a breeze, policies and procedures that fully satisfy HIPAA regulations and protect your business, and intuitive and automated HIPAA training that awards the HIPAA Seal of Compliance upon completion.