Beware of HIPAA Violations When Responding to Yelp Reviews

Online reviews of patients’ experiences with healthcare providers can be an invaluable way to gain feedback from patients. Some healthcare providers even encourage patients to write reviews of their experiences, while others are wary as poor reviews can be bad for business.

Concern about the latter has led some healthcare providers to respond to comments about the poor treatment of patients, and by doing so they have violated one of the fundamental aspects of the Health Insurance Portability and Accountability Act (HIPAA): they disclosed the protected health information of patients.

ProPublica recently conducted an investigation into privacy breaches on Yelp. Its report revealed the extent to which HIPAA is being violated by healthcare providers, and the difficulties they face when responding to negative comments alleging misdiagnoses of medical problems or procedures that patients believe were performed unnecessarily.

For the study, ProPublica was given unprecedented access to Yelp reviews and sifted through millions of comments on healthcare providers’ services. ProPublica researchers looked at the lowest possible ratings on the website – one-star reviews – and ran a search for the terms “HIPAA” and “Privacy.”

The researchers isolated 3,500 reviews and discovered a number of the negative reviews started as complaints about the services received by patients, but had turned into disputes about patient privacy. In a number of cases, the comments were reported to the Department of Health and Human Services’ Office for Civil Rights due to alleged violations of HIPAA Rules on patient privacy.

One of the examples provided involved a privacy violation by a Californian chiropractor who had responded to a comment from a patient’s mother about the misdiagnosis of a medical condition. The chiropractor replied to the comment saying “You brought your daughter in for the exam in early March 2014,” and then proceeded to explain that “The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.”

Another example involved a Californian dentist who had been criticized for what was perceived to be an unnecessary extraction. The dentist responded to the patient’s comment saying “I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked.” The dentist went on to write, “you can live in a world of denial and simply believe what you want to hear from your other dentist.”

Under the circumstances, the chiropractor may have been correct to investigate further and send the child for an x-ray, and the dentist was certain that an extraction was called for. However, each made the fundamental mistake of responding directly to the patient, and by doing so, divulged protected health information.

Patients do not give up their right to privacy by posting a comment on a website. Even when patients write about bad experiences it does not mean healthcare providers can address those patients’ claims publicly. Before any PHI can be disclosed, which includes details of medical services provided, a healthcare provider must have been authorized to do so by the patient. Authorization needs to be obtained in advance and in writing.

By responding directly to a patient, a healthcare provider confirms that the person is a patient and runs the risk of disclosing their medical history or other PHI.

The vast majority of negative comments on the site relate to waiting times, treatment by office staff, or billing issues. Aaron Schur, Yelp’s senior director of litigation, explains that “Doctors who respond, and many don’t, tend to invite patients to discuss the matter offline or merely apologize.”

Deven McGraw, the deputy director of health information privacy at the Office for Civil Rights explained that healthcare providers can respond to negative comments, but they must do so in general terms and must never respond directly to a patient.

While the OCR has not issued fines for privacy violations such as this in the past, active investigations into privacy violations on websites are being conducted and serious violations could result in regulatory fines. They could also result in litigation from patients who feel their privacy has been violated.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news