In my last post, we discussed how the Federal Trade Commission impacts rules and regulations related to capturing reviews for posting online. To recap, the guiding principle is not to pay for reviews. No money, no gift cards, no discounts on future goods or services. If you do offer such perks, you must disclose that in the review. Otherwise, both the patient and you may incur liability.
Onward to the next federal constraint.
HIPAA and online reviews is an entire topic unto itself. Here, I’m going to focus solely on working with vendors to help you capture online reviews. I’m not getting into responding to posts, positive or negative, in a HIPAA-compliant way. We can tackle that subject at a later date.
If you work with a vendor to capture reviews for posting online, HIPAA likely applies.
This means the vendor should be a formal HIPAA Business Associate and securely store and transmit Protected Health Information (PHI). Random HIPAA audits are here. Don’t take shortcuts.
What is considered Protected Health Information? Many things. It includes the patient’s name, their email address, OR their mobile number. Notice I used the word “OR” and not “AND.”
With few exceptions (defined by statute), any time you disclose such Protected Health Information to a third party, such as a vendor, either that party must be a HIPAA Business Associate or you need a formal HIPAA-compliant authorization from each patient.
A valid HIPAA authorization must meet certain requirements (Please don’t kill the messenger)
To bring this home, when working with vendors to help you gather and post online reviews, if Protected Health Information is transmitted:
We’ll tackle one more constraint imposed by federal agencies and statutes in Part 3.
Disclosure: Jeff Segal, MD, JD, is a member of MCSMN, founder of Medical Justice Systems, and CEO of eMerit.