    MGMA Staff Members

    Managing your online reputation is a priority for many medical group practices — an Aug. 14, 2018, MGMA Stat poll found that more than two-thirds of practice leaders say their organizations manage online reputation (e.g., review sites and social media).

    Sometimes it’s just a matter of keeping track of the positive things your patients say about their care experience, and sometimes it’s a bit more complicated.

    A practice manager recently reached out to MGMA after a third-party consultant expressed concern about online reviews of practitioners, recommending that the practice update patient-practice agreements so that when a patient posts anything to social media, he or she waives HIPAA rights to privacy “and the review will be defended using the patient’s information about the appointment or treatment.”

    As the practice manager noted, the consultant recommended adding language to the effect of, “I understand that by posting any comments on any public forum (e.g., Facebook, Twitter, Google, Yelp) that I am waiving my rights to patient privacy guidelines under HIPAA and authorize the practice to respond accordingly.”

    If you’re reading that and thinking to yourself, “no, no, no, absolutely not,” you’re wise to be alarmed.

    First and foremost, using a patient’s health information against him or her in a back-and-forth battle of comments on an online review site will likely compound whatever damage was done to the practice’s reputation by the initial posting — and it certainly won’t appease the upset patient.

    In a recent article, Kenneth T. Hertz, FACMPE, states that the best thing to do regarding a bad review is “respond in a professional, non-defensive way,” thank the poster and offer to speak to him or her personally to work on resolving any issues. Bad reviews are learning opportunities.

    So, can you really get a patient to sign away his or her HIPAA privacy rights because he or she posts an online review? No. The following advice comes from the MGMA Government Affairs team:

    As a technical matter, you can’t really “waive” your HIPAA right to privacy; the correct terminology is for a patient to provide consent or authorization to a covered entity to disclose protected health information (PHI). It may seem like a technicality, but as we know regarding federal regulations of healthcare, terminology is important (for example, within HIPAA, “consent” and “authorization” have different applications with different standards; see FAQ #264).

    In this instance, “waive” is the key term. There are instances in which legal privileges may be waived by agreeing to voluntary disclosure (such as if you forward an email containing your attorney’s legal advice to the opposing party), but such a policy has no relevance in HIPAA as currently written.

    Covered entities must obtain patient authorization to disclose PHI except in certain situations — for example, when it’s for treatment, healthcare operations or payment purposes, and may only involve disclosure of the “minimum necessary” to accomplish the task.

    The requirements for a valid authorization of disclosure are laid out in 45 CFR 164.508, including that the authorization cannot contain conditions (e.g., the authorization cannot say that obtaining treatment is conditioned upon agreeing to the authorization). Further, the authorization cannot be “slipped into” a notice or other document the patient is required to sign (FAQ #342) and must contain specific information on the PHI that would be used in the disclosure, the name of the person authorized to make the disclosure and the name of the person to whom the disclosure would be made.
