Welcome to Healthcare Marketing Rx, where our goal is to help your healthcare marketing get healthy and stay that way. This video is focused on how to make sure that you are getting HIPAA compliant patient reviews.
By reviews management system, we mean that you are actively trying to get more reviews from your patients. You’re asking on a regular basis and you’re tracking it somehow. Maybe you’re using a third-party automated tool, but one way or another, you are trying to get more reviews. You’re not just getting an occasional review from a really happy patient who decides to leave one on their own. And you’re doing all of this in a HIPAA compliant way.
We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about getting HIPAA compliant online reviews for our clients based only on our experience. Please do not construe this as legal advice.
Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.
The first way is that you can do it yourself. You assemble the tools you need. As long as you’re asking patients on a more or less regular basis to leave you a review, and you’re sending them to Google or getting the reviews on your website, well, you’ve got yourself a good patient reviews management system.
From a HIPAA point of view, it’s pretty simple to get HIPAA compliant patient reviews because you’re doing it all in-house. Whichever staff members in your practice are the ones that you’ve tasked to ask patients for reviews, they have to be trained on your HIPAA policies and procedures. They need to sign your required forms and take your required training, just like anybody else.
You also need to get permission from each patient if you’re going to email them or text them to ask for a review. That, by the way, is independent of whether you do it yourself or not. And lastly, you should do anything else that your healthcare attorney advises you to do.
Third party cloud-based systems that get patient reviews automate a lot of the steps you’ll do if you’re doing it yourself. And man, are there a lot of companies!
There are standalone third-party systems like those shown below. There are also some practice management systems that integrate asking for reviews. And you need to pick one that gets HIPAA compliant patient reviews.
So why do these review management systems need to get HIPAA compliant online reviews? Most automated systems ask patients for reviews by sending them SMS texts or emails. You (that little building on the left in the graphic below) have to give the tool that patient’s cell phone number or email address. Both count as protected health information (PHI).
And then the tool (the cloud-like icon in the middle) takes that and asks those patients to go to Google, Facebook, Healthgrades, Vitals, and whichever other review sites you choose. They might also send that patient to your website to leave a review. And then some other systems will take a review published on those sites and also publish it on your website, and all of that has got to be HIPAA compliant.
Even if there’s no other information about the patient included, nothing clinical, no health history, nothing at all, an email address and a cell phone number count as PHI. If you give that to the third-party cloud-based system, they have a responsibility to protect that PHI from loss or theft, to send emails or texts in a HIPAA compliant way, and to make sure that only authorized people inside that company can see it. There are usually a lot of people who work in a company who have no need to see that information, but they might have access anyway.
Generally speaking, two things have to be true:
BAA stands for business associate agreement. BAAs are required by HIPAA. They’re very dense legal documents. They can be a few pages, they can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:
With a BAA in place, the Office of Civil Rights (OCR) is much happier. OCR is the federal agency that will investigate a breach or conduct an audit. There are usually state agencies as well.
The other broad category of things that you want to see is that they talk the talk. They use appropriate wording on their website or their materials like:
You don’t have to see all of these terms. But you want to see terms that at least sound like these. Inside each term are more specific descriptions of how they do each one, not to great levels of detail, but they give you some assurances that they’ve thought this through and that they’re doing these things.
If you’re already using a cloud-based system, how do you find out whether they get HIPAA compliant online reviews?
Start with the easy way. Go to their website and go to the page on their site that describes their reviews management service. Look for the words HIPAA compliant patient reviews, HIPAA compliant online reviews, HIPAA protected health information.
These are links to other pages on their website. Click on them and search. Look for those words again, HIPAA compliant patient reviews, HIPAA compliant online reviews, PHI, etc. My favorites when it comes to HIPAA compliance are the tools that say plainly whether they are HIPAA compliant or not.
There are some out there that will be very plain about it. They’ll say they are not HIPAA compliant. In fact, some will even say that if you use protected health information with their service, you are violating their terms. I like that because they make it easy for you to figure out if you’re using a HIPAA compliant tool or not.
If their website doesn’t answer that question for you, call them up. Get their tech support on the phone and ask them: do you get HIPAA compliant online reviews? Do you have a business associate agreement? Would you sign ours? If you have one, send it to us. Send us any other information you’ve got that describes how you are HIPAA compliant.
If you’re using a marketing agency that is providing you with review management services, ask them; they should know. And if they don’t, they really do need to find out. This is not something you want to play with.
In our opinion you should switch to one that is HIPAA compliant. To find good alternatives,
Once you find one or two and you start evaluating them, part of your evaluation should be with your health care attorney. Have them review the business associate agreement if they give you one.
Most companies have their own BAA they want you to sign. They’re standardized. They won’t negotiate their terms. That doesn’t really bother us because it makes sense that a company with hundreds, maybe thousands of customers will want to have one BAA with one set of terms and conditions. It’s just more practical for them to manage it that way, rather than having different sets of terms and conditions for every different customer to manage.
The most honest answer we can give you is we are just not sure. We have asked, I’ve lost count of how many healthcare attorneys we’ve asked this very question. And the reason we’re not sure is because we get a variety of answers from the different health care attorneys that we ask.
The most conservative of those attorneys say no way, under no circumstances. Simply by responding to a review, you are disclosing that there is a provider (or covered entity) and patient relationship.
The less conservative ones say yes, but you have to be careful not to reveal any protected health information. Ultimately, talk to your healthcare attorney to see what he or she says. Here’s an example of a response that is acceptable to them. Let’s say that you got a one-star review from a patient on Google. They would say it’s okay to reply with something like the following:
“We’d like to understand your review better. Please contact us at [phone number] or [email address] so that we may understand your comments better.”
To these healthcare attorneys, you haven’t disclosed PHI.
Another example we see sometimes is when a patient leaves a negative review, but they’ve never been your patient. The less conservative healthcare attorneys say it’s okay to reply with something like the following:
“We’ve reviewed our records and do not show you being a patient in our practice. However, we would like to understand your comments better. Please contact us at [phone number] or [email address].”
Thank you for listening to this video.
One point to make is that we also have a companion video about reputation management and reviews, and that one goes into best practices on how to do it well – how to ask for reviews, how to publish them on Google and other sites, how to learn insights from them so that you can improve your practice, and a bunch of other topics. If you put that video together with this video, we feel that you can get a really good start on bringing effective patient review management into your practice.
At MarketVisory Group we offer patient reviews management as part of our done for you marketing packages and as a standalone service. If you have questions about patient reviews management or about us, please contact us using MarketVisory Group’s contact page.