Don’t Post That

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

Social media and healthcare can be a productive combination, but not when patient information is involved. The power and reach of social media are nothing new, nor is the concern about the ready ability to spread misinformation. While that confluence of issues remains true, it also remains true that use of social media in healthcare must be done carefully to avoid creating privacy issues under HIPAA. The Office for Civil Rights offered a reminder about the need for caution with a settlement announcement on June 5, 2023.

Newest Patient Review Settlement

As indicated, OCR announced a HIPAA settlement on June 5, 2023 with a psychiatric practice over responses to negative reviews. As described in the press release (but interestingly not in the Resolution Agreement), a complaint was submitted to OCR in April 2022 that Manasa Health Center (MHC) allegedly disclosed patient information when responding to a negative review online. The complaint prompted an investigation by OCR. The investigation found a valid concern that MHC impermissibly disclosed patient information and failed to implement appropriate policies and procedures to protect patient information.

The press release and Resolution Agreement were both quite sparse when it came to any details. The brief summary above is about all that was revealed by OCR. The Resolution Agreement does give a bit more between-the-lines insight into the issues that were found. The clues are in the identification of the issues found by OCR following its investigation.

The first clue/finding was that MHC responded to four different negative reviews. The finding also clearly states that OCR found impermissible disclosures of patient information, a statement that does not pull any punches. While the Resolution Agreement contains the standard language that MHC did not admit to any liability in entering into the resolution, it does seem that OCR is staking out a pretty strong position.

The other big problem identified by the finding is that MHC responded to four different reviews, which shows a pattern of conduct. Responding to even one review would be problematic, but the multiple responses firmly suggest a lack of respect for the regulatory obligations.

The second clue/finding was the broad statement of a failure to have policies and procedures implementing what seems to be many of the requirements of the HIPAA Privacy Rule and Breach Notification Rule. The finding does not go into specific detail, but the language gives the impression that MHC did not have all or any of the expected policies and procedures that would help guide workforce members for appropriately interacting with patient information as well as respecting privacy.

Turning to one final point about the resolution, the financial penalty imposed seems to yet again reflect what the impacted organization can pay. Despite the brief though strong findings, MHC only had to pay $30,000. The amount feels a little bit out of line with the finding of multiple impermissible disclosures, especially given prior statements and settlements from OCR in prior years over the same type of conduct.

What to do with Bad Reviews?

No one likes to be the subject of a bad review, especially in a public forum. However, as has been explained before, healthcare organizations must be very careful in approaching negative reviews online. As this and prior settlements make clear, disclosing patient information to respond is not allowed. In all likelihood, any form of public response is going to be problematic and create a cascade of headaches for the organization.

Instead of responding publicly, the organization can use the review as an opportunity for reaching out to the individual. If an individual is moved enough to post negatively online, then a direct discussion may help tease out the problem or concern underlying the review. In a best case scenario, the proactive outreach could result in a change of the review or at least enable a dialogue with the patient that can improve interactions going forward.

Another option would be posting a generalized response about the organization’s approach to patient care and suggesting that anyone can reach out to the organization directly. A generalized response should not explicitly or implicitly acknowledge that the reviewer is a patient; it should only provide general insight into how the organization operates.

Another alternative is to engage in proactive efforts to suggest that all patients can submit a review if desired. The proactive efforts would be aimed at generating positive reviews that may better reflect the actual nature of services provided. Engagement with patients in this manner may also generate other positive benefits by starting an unexpected dialogue or other discussion.

An additional benefit of engaging with patients to post reviews is the recognition of the impact that social media and the internet more broadly now have. So many people turn to review sites in daily life to make choices about what businesses to visit or services to access. While healthcare does operate differently to a degree, the evolving means of how services are found must be acknowledged. Word of mouth or referrals will not suffice anymore. Generating a larger number of reviews can help address those issues.

What Now?

The next steps are to evaluate decisions and make some changes that reflect new opportunities. That at least covers the engagement side of things. From the HIPAA perspective, every organization should review its HIPAA policies and procedures (or finally adopt them if they are missing or insufficient). Once policies are there, then education must follow. If individuals are unaware of the policies, how can compliance occur? All of this demonstrates that respecting privacy is an ongoing effort that never ends.

This article was originally published on The Pulse blog and is republished here with permission.