
The Doctor's Guide to HIPAA Compliant Marketing


A key part of any marketing plan is staying up to date on the reviews and comments being left for your practice online, but don't forget to consider HIPAA when discussing those reviews and using them to highlight the work your team does.

Reviews and testimonials are core elements of a medical practice’s marketing. Whether good or bad, they shape your professional reputation like nothing else can. This can be a point of frustration for doctors, because you have no control over what others say. Furthermore, when you try to promote positive reviews and respond to negative ones, you run into HIPAA’s privacy rule.


What is protected health information?

Despite common belief, HIPAA does not entirely forbid answering reviews, sharing testimonials, or discussing case studies. It does, however, impose some very strict and specific restrictions. Here, we explain what you can and can’t say, and how to create a simple, HIPAA-safe review-response strategy. HIPAA’s privacy rule protects any and all “individually identifiable health information.” You will not violate the rule unless your statement meets both criteria: it must be individually identifiable, and it must be health information.

For example, a review response is individually identifiable, but it is allowed if you omit health information. On the other hand, if you are giving a lecture and mention the outcome of a specific case, that may include health information, but it is allowable if the case is de-identified. Below we examine both aspects of the rule in greater detail.

Health information

Essentially, anything relating to a person’s mental or physical condition or care is considered health information. According to the HIPAA privacy rule summary, this includes:

  • Demographics — Age, gender, ethnicity, and similar information
  • Conditions — Diagnosis, prognosis, symptoms, medical history
  • Treatment — Test results, prescriptions, medical appointments, care providers
  • Financial — Past or future payments relating to medical treatment

Individually identifiable

According to the U.S. Department of Health and Human Services (HHS), HIPAA’s privacy rule does not protect de-identified information. There are two ways to meet the de-identification standard. The first is an expert determination by a qualified individual. The second is to remove all of the identifiers outlined in the HIPAA regulations.

There are nearly two dozen items on the list of identifiers. They include:

  • Basic information — Name, contact details, URLs, health records, full face photos, IP addresses, vehicle registration information
  • Dates — All elements, except year, of any date relating to the individual
  • Location — Geographical information referring to an area smaller than a state, full zip codes or partial (first three digits) zip codes that represent fewer than 20,000 people
  • Identifying numbers — Social security numbers, account numbers, and similar
  • Other — In addition to the lengthy list of specific personal identifiers, you need to consider if there is a reasonable basis to believe the information may be used to identify the individual. This stipulation is especially relevant to review responses. Even if you omit all personal information, people reading your response will realize you are referring to the reviewer.

Myths and misunderstandings about HIPAA privacy compliance

Doctors often react to HIPAA’s privacy rule in one of two ways. Some find the complexity intimidating and decide that any review response or similar interaction is too risky. Others believe they have nothing to worry about because their internal policies and ethical standards will cover anything HIPAA might forbid. In most cases, neither view is quite accurate.

You can respond to reviews, including testimonials on your website, and utilize patient data safely without violating HIPAA. However, it is important that you clearly understand the requirements, because some details of the rule are unexpected.

The most common points of confusion include:

  • The individual’s status as a patient is health information. For example, if a reviewer says the wait time in your office was an hour, and you respond that the person only waited five minutes, then you have violated HIPAA, even though you didn’t mention any medical details.
  • Health information is protected, even if the individual already released it. For instance, a patient might describe the medical condition in great detail in the review. However, it is a violation of HIPAA for you to repeat any of those details in your response.
  • You can release protected information if you have written authorization from the individual to do so. If you want to include signed testimonials or full photos on your website, you simply need to get the correct authorization. However, verbal consent is not sufficient.

Crafting compliant review responses

You also need to be mindful of HIPAA when answering positive reviews. Doctors tend to tread lightly when dealing with a disgruntled patient, but it is easy to respond to good reviews more casually, and even a simple statement like “it was great to see you” is a violation. Considering the long list of things you aren’t allowed to mention, you might be wondering what you can say.

  • Thank reviewers for their feedback. You can acknowledge the review, without acknowledging that the person is a patient. Furthermore, a “thank you” is good practice, even when answering bad reviews. Other people who read the interaction will want to know that you care about patient satisfaction and that you take feedback seriously.
  • Give information about your practice. You can’t directly respond to details of the review, but you are free to discuss your policies, standard of service, and other details about your practice.
  • Invite the person to contact you directly. You will have more freedom to resolve the issue if a person is willing to call your office, rather than discussing it in a public forum. Additionally, it will show potential patients that you tried to correct the problem.

Here are a few examples of noncompliant review responses, with compliant alternatives:

  • Noncompliant: It’s always a pleasure to see you (acknowledges that the person is a patient). Compliant: Thank you for the kind words!
  • Noncompliant: You need to give the medicine time to work (mentions the person’s treatment). Compliant: Our goal is to help every patient live pain-free.
  • Noncompliant: I’m so sorry you had to wait; our schedule was delayed by a serious emergency that day (confirms that the person is a patient). Compliant: Our average patient wait time is 11 minutes, though occasionally our schedule is delayed by emergencies.
  • Noncompliant: Please give us a call to reschedule (confirms that the person is a patient). Compliant: Please give us a call!

Putting it all together

The simplest and safest solution is to avoid reviews entirely. Just don’t encourage them, don’t respond to them, and don’t put them on your website. That is exactly the strategy some doctors take. Unfortunately, that is also a potentially deadly marketing mistake.

In truth, patient reviews can be the best — or worst — advertisement a medical practice can get. Rather than avoiding them, put a compliant strategy in place:

  1. Invest the time (yours or a trusted employee’s) to thoroughly understand the HIPAA privacy rule, and use that knowledge to create a few standard “template” responses, as well as consent forms. Have a lawyer or HIPAA expert review them if you are unsure.
  2. Monitor review sites closely, and post pre-made responses promptly.
  3. Use reminders, in-office forms, or third-party software to encourage patients to leave reviews.
  4. Include authorized or de-identified testimonials on your practice website.

HIPAA is nothing to fear, but it is something to take very seriously. With a good strategy you can answer every review quickly, easily, and without wondering if you crossed a HIPAA line.


About the Author:

Naren Arulrajah is President and CEO of Ekwa Marketing, a complete internet marketing company that focuses on SEO, social media, marketing education and the online reputations of doctors. With a team of 180+ full-time marketers, www.ekwa.com helps doctors who know where they want to go, get there by dominating their market and growing their business significantly year after year. If you have questions about marketing your practice online, call 855-598-3320 to speak one-on-one with Naren.
