Healthcare Professionals Committing HIPAA Violations on Yelp

A recent ProPublica report has revealed that many healthcare professionals are committing HIPAA violations on Yelp and other review sites when responding to bad feedback from patients.

A response to a negative comment may be viewed as a good way of mitigating some of the damage caused, but this can all too easily backfire. When physicians or other healthcare professionals see a bad review, they have to exercise much greater caution than a restauranteur for example. Responding to feedback on review sites has considerable potential to result in a HIPAA violation, and that can have expensive consequences for healthcare providers.

The report shows that all too often, healthcare professionals are committing HIPAA violations on Yelp and are violating the privacy of the patients in their responses to negative feedback. If patients – or any other individuals – report a HIPAA violation to the Department of Health and Human Services’ Office for Civil Rights, the matter will be investigated. If the OCR determines that patient privacy has been violated, the healthcare provider could be hit with a substantial fine.

How Are Healthcare Professionals Committing HIPAA Violations on Yelp?

If a patient submits a negative comment on Yelp or any other review website, the natural response is to respond to the criticism and provide an explanation. However, that explanation cannot involve the disclosure of any protected health information, which includes details of the treatment provided to patients. Under HIPAA Rules, physicians and other healthcare providers are also not permitted to acknowledge that a particular person is actually a patient. Even if the patient has already stated that they received treatment.

If a patient submits a comment saying they visited a particular healthcare professional and was made to wait an extraordinarily long time to receive treatment, the physician could not, for instance, reply and say the waiting times for x-rays can be long during busy times. Doing so would reveal the patient had an x-ray, and that information must remain private.

One of the examples cited by ProPublica came from a dentist who had been blamed for unnecessarily extracting a molar from a patient. The dentist respondent to the negative comment saying, “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” He followed up by saying, “This tooth is no different.”

While this may seem like a perfectly acceptable response if criticized face to face, putting this in writing on a website that can be viewed by members of the public is a serious violation of patient privacy.

Healthcare professionals must think very carefully about replying to any feedback online, whether the comment is positive or negative.  If a reply is warranted, it must be kept very general and not refer to the patient in question.

Deven McGraw, deputy director of health information privacy at the Department of Health and Human Services’ Office for Civil Rights suggests responding to comments by saying “I’ve been reviewed in other contexts and have good reviews,” or that “I provide all of my patients with good patient care.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of