For better or worse, social media is changing the way dentists do business. When social media is used correctly and in compliance with HIPAA regulations, it’s a powerful tool that can improve patient quality of care and help grow the practice. But how medical professionals and staff interact with patients online is like walking a razor's edge.
Many patients want, and some expect, to be able to communicate with medical professionals via social media tools, which is why it’s vitally important to understand the nuances of social media and HIPAA compliance risks. This includes everything from Instagram, Facebook, and TikTok to review sites such as Yelp, Reddit, and Google. Learning how to successfully navigate the digital world as a medical professional will help you avoid damaging your practice’s reputation with HIPAA violations. This way you can have a positive experience online that supports your practice.
Understanding HIPAA compliance risks online
Both dentists and dental staff should be trained in proper HIPAA compliance when it comes to responding to comments and reviews online. If you would like a thorough rundown about HIPAA, review these HIPAA dental questions. The largest risk factor for most dentists is sharing Protected Health Information (PHI) about patients, whether intentionally or unintentionally. PHI is any information related to a patient’s past, present, or future condition, as well as payment information. Examples include the patient’s name (John), condition (John’s root canal), account status (John has not paid for his root canal), any identifiable or personal information (John came to his appointment after working at the factory), and acknowledgement that the person making the comment is, in fact, your patient (“We’re sorry for causing any discomfort during your root canal last week.”).
Unfortunately, the internet is flooded with PHI disclosed by providers of all sizes. For example, it's not uncommon for medical professionals to share online patient reviews on the practice's website, but without a signed dental HIPAA form, using a patient review for promotional purposes is a direct violation. You need review response guidelines not only for your negative reviews but for your positive reviews as well. It’s important to err on the side of caution in both scenarios.
Do not be this practice
California dental practice New Vision Dental was recently hit with a $23,000 HIPAA compliance fine for how it responded to negative reviews on Yelp. The doctor repeatedly disclosed PHI in his replies, including patient names, details from their visits, and insurance information. The Office of Civil Rights (OCR) found that the practice had also failed to provide adequate information in its Notice of Privacy Practices. The OCR presented New Vision Dental with a corrective action plan and the $23,000 fine. The practice was required to remove all old posts and inform any past patients whose information had been shared.
Unfortunately, cases like this might encourage unethical behavior by individuals purposefully trying to catch a dental practice in a HIPAA violation. The best defense against landing your practice in a similar situation is to review the guidance on HIPAA compliance risk analysis. This can help you understand which areas of your practice are most vulnerable to HIPAA compliance violations.
Do not disclose PHI or details about a patient's visit
Some health-care providers may think, "It must be OK if everyone is doing it." However, many are unaware of HIPAA Privacy Rule standards that apply to patient reviews and posts on social media. In a world where everyone shares everything, medical professionals need to practice the utmost discretion when interacting with people online.
We can unpack this further. It's a HIPAA violation to respond to a patient's online review using language that supports or confirms that they’re a patient. This can seem strange when the patient has publicly offered the PHI themselves. However, it's still a violation to respond in a manner that confirms their statement, which is how New Vision Dental ended up with its HIPAA compliance violation.
Do not use emotionally charged or negative language
In another HIPAA violation, a dental practice in North Carolina was fined $50,000 for responding to a negative Yelp review. Not only did they disclose PHI, but they also insulted the patient’s intelligence, telling him to “continue with his manual work and not expose himself to ridicule.” Under no circumstances should a practice respond with demeaning or derogatory language.
People can be harsh online. It’s natural to want to defend your practice, your work, and your employees, but it may require a fair amount of restraint before you do so. So, before you get defensive, step away. Kindness and professionalism must supersede your feelings.
When you’re ready to respond, address the issue in a general way and offer to discuss the matter further in a private setting, such as over the phone or in person. You don’t want to ignore negative reviews entirely; responding to them can be an opportunity to improve the patient’s experience and demonstrate to potential patients that your practice is responsive and cares about patient satisfaction.
If you suspect that your practice is being targeted with spam or fake reviews, report them to the respective platform to have them removed.
Do not assume anything
Even if your patients are regulars or close family or friends, it is still vital that you get the proper HIPAA consent forms in place before sharing any reviews or photos. Do not assume patients will agree until you have their consent in writing, or use this dental office photo release form.
Do not assume that past comments won’t become an issue later on. New Vision Dental not only had to delete past posts that violated HIPAA but also had to contact every patient who was affected. Those are notices you do not want to send out.
If you and your practice are currently making efforts to stay HIPAA compliant, don’t ignore your past performance online. If you’re worried you may have violated guidelines in the past, either you or a trusted team member should perform an audit of any responses made on behalf of your practice online to ensure that they’re HIPAA compliant.
Do not let HIPAA scare you offline
There is an enormous opportunity for you to grow your practice and build patient relationships online, so don’t let HIPAA deter you from sharing your practice online. Once you understand how to respond to negative (and positive) reviews, invest time learning how to get more Google reviews. Something as simple as campaign printables can be a powerful tool for converting Google searchers into new patients.
Protect your practice and patients
There is such a lack of understanding in health care that some software companies actually sell administrative and marketing services that directly conflict with HIPAA. It’s not uncommon for a health-care company to use a software system that responds to the facility's online reviews with statements confirming the reviewer as a patient. This is a perfect example of the lack of knowledge regarding HIPAA policies.
If you want to leverage online reviews, social media marketing, and your online reputation to grow and improve your quality of care, find an expert to help you avoid HIPAA compliance risks. My Social Practice specializes in the tools you need to be active on social media, get more online reviews, and share your practice, all while staying HIPAA compliant.
Proactively seeking online reviews lets the positive ones really shine. Check out our dental practice guide to online reviews. This can teach you where to focus your efforts to get more reviews, how to get positive reviews from current patients, and how reviews can help you grow your practice.