Your guide to HIPAA-compliant patient testimonials and reviews

Just under half (46%) of the patients surveyed in Tebra’s 4th annual Patient Perspectives report state choosing their healthcare provider based on online reviews.

Positive online patient testimonials signal trust and a solid reputation. Trust is a significant part of being a reputable healthcare provider, and it intersects with Health Insurance Portability and Accountability Act (HIPAA) compliance. 

HIPAA has regulated patient privacy and information since 1996 — and the rise of online health portals and social media has made handling HIPAA compliance a more complex task. Its regulations were primarily designed to safeguard patients' sensitive medical information, especially when healthcare providers engage with health insurance companies. 

When healthcare providers bill insurance for their services, HIPAA compliance becomes a critical consideration. It's binding on healthcare entities that handle health insurance and maintain electronic health records.

To generate more online healthcare reviews to promote your practice, it’s vital that your existing patient testimonials stay HIPAA compliant — with processes in place to handle new patient reviews.

Below, we explore how to manage received patient testimonials and adhere to HIPAA rules. But first, what is the HIPAA privacy rule?

Learn how to create a seamless patient experience that increases loyalty and reduces churn, while providing personalized care that drives practice growth in Tebra’s free guide to optimizing your practice.

The HIPAA privacy rule dictates how protected health information (PHI) can be collected, stored, and used. 

PHI is any health information that is individually identifiable — such as name, date of birth, and social security number. It also includes data such as vehicle identifiers, serial numbers, and biometric identifiers like fingerprints or voice prints.

The ideal patient testimonial is timely, positive, and doesn't share sensitive information — though if a patient shares their own information, that is up to their own discretion. For example: "I'm a patient at [Practice Name], and I'm consistently impressed by the outstanding care I receive. The team here makes me feel comfortable, answers all my questions, and genuinely cares about my well-being."

When you receive patient reviews, it’s important to acknowledge receipt by responding promptly, while staying in compliance with HIPAA. Thanking the patient for their feedback, maintain patient anonymity, and encourage private, offline follow ups if needed: “Thank you for your review and your trust in our team. For privacy and HIPAA compliance, we are unable to discuss medical details publicly, but we're here to assist you privately with any concerns.”

Remember, if your clinic is seeking more patient reviews, it’s important to be cautious about how you solicit them. For instance, incentivizing reviews might not be ethical. Marcus Fernandez, attorney and co-owner at KFB Law, explains: “Offering incentives in exchange for testimonials may be viewed as coercive and compromise the integrity of the disclosure.”

Ensure that anyone in your organization who manages, solicits, or responds to online reviews thoroughly understands HIPAA compliance. Regular training sessions can ensure that your team is up-to-date with the latest guidelines and best practices.

There are significant financial penalties and legal repercussions for not adhering to HIPAA.

The path of enforcement lies through the Health and Human Services (HHS) Office of Civil Rights (OCR). The penalties work on a 4-tier sliding scale; the worse the violation, the higher the penalty. 

As of the time of writing, the most recent financial penalties according to the Federal Register include: 

The monetary aspect isn’t the only issue. Legal consequences might also involve criminal charges, especially in cases where a practice or team member intentionally disclosed or misused PHI for personal gain or harm.

Beyond HIPAA, consider state privacy statutes. Patient testimonials and word-of-mouth recommendations are essential for healthcare providers’ reputations. A single HIPAA violation, especially if public, can taint your reputation for years.

Patients entrust healthcare providers with some of their most personal and sensitive information. A breach, whether accidental or negligent, signals to patients that their privacy is not a priority. The wider problem is that this perception might cause patients — if they stay with your practice — to hesitate in sharing vital health details in the future, which can compromise the quality of care they receive.

Ensuring patient testimonials align with HIPAA guidelines guarantees that your practice protects patient privacy while leveraging the benefits of positive feedback.

It's important to clarify that patients can share their own information if they choose; it’s healthcare providers and practices who must ensure they do not violate HIPAA by sharing patient PHI without consent.

While patients cannot violate HIPAA, you can empower them to protect their PHI with suggestions on what to include in their reviews and testimonials. For instance, reviews might center around the patient's experience at the practice, rather than around their specific medical details. This approach not only ensures that feedback is genuine but also makes it more relatable to other potential patients, while reminding patients that their details will be public.

For your organization, compliant testimonials showcase your commitment to upholding both quality care and patient privacy, which boosts your professional credibility.

Patient testimonials can appear in a number of places — from your personal website to social media channels to third-party review sites and online directories. That’s why a proactive approach to continuously monitoring patient testimonials is vital.

In some instances, taking no action, including refraining from acknowledgment, may be the most appropriate course. When a patient's communication potentially discloses PHI, it's important to exercise restraint and assess whether any response is necessary.

Let’s explore at some potential situations you might face as a healthcare provider — and how to handle them:

Devi leaves a negative review for her healthcare provider about waiting times and mentions she had to wait, even though she has severe asthma.

Public response example: "Due to unforeseen circumstances, sometimes wait times can be longer than we’d like; for this we apologize. We value your feedback and take it seriously. Please feel free to contact our office directly so we can discuss your concerns further."

Private message example: "We appreciate your feedback and are here to address your concerns. We also want to remind you that sharing personal health information online can be risky.”

A patient, Emily, shares a detailed review on a platform like Yelp, discussing her recent surgery and the complications she faced.

Public response example: "Thank you for your feedback. We're here to support you and address any concerns you may have."

Private message example: "Thank you for sharing your experience. We value your privacy and encourage our patients to be cautious about sharing specific medical details online. If you wish, you may revise the more detailed parts of your review to protect your privacy."

A patient, Han, tags the clinic in a Facebook post, expressing gratitude for their service but shares a picture which has other patients in the background.

Public response example: "Hi, thank you so much for your kind words! We’re always thrilled to hear positive things about our clinic."

Private message example: "We’re truly grateful for your feedback and for sharing your experience. We noticed the photo you posted has other patients in the background. To respect their privacy, would you mind editing or replacing the image? We deeply appreciate your understanding."

A patient, Alex, from a group therapy session, mentions the names of other attendees and the topics discussed in their review.

Public response example: "Thank you for sharing your thoughts. Group therapy sessions are a valuable part of our offerings, and we're glad you found it beneficial."

Private message example: "We're grateful for your positive feedback on our group therapy sessions. To ensure the confidentiality of all attendees, we kindly ask you to edit your review to omit the names and specific discussions. We appreciate your understanding in maintaining the privacy of all members.”

The importance of HIPAA compliance in managing patient testimonials is a crucial factor in today's digital age where online reviews significantly influence healthcare decisions. The frequency of online reviews means that it's essential that these testimonials are not only positive but also HIPAA-compliant.

Protecting patient privacy and maintaining trust are paramount. By adhering to HIPAA rules, your organization can continue to foster trust, uphold patient privacy, and build a positive reputation while leveraging online patient reviews to promote your practice. 

HIPAA compliance requirements include the following:

Yes, healthcare providers can use patient testimonials in marketing materials, but they must ensure:

75% of people look online to find a doctor. Patients take a critical look at web presence, online business profiles, and reviews when they decide to pick a health provider. Learn where your practice should be online in the 2023 Patient Perspectives report.