With apologies to The Beatles, it was 20 years ago today (okay, Sunday) that President Clinton signed Public Law 104-191, better known as the Health Insurance Portability and Accountability Act, or HIPAA. Although the law addressed a multitude of issues, it’s safe to say that the most relevant requirements for most providers is spelled out in Sec. 262, which states that anyone:
who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards–
- A) to ensure the integrity and confidentiality of the information;
- B) to protect against any reasonably anticipated–
- (i) threats or hazards to the security or integrity of the information; and
- (ii) unauthorized uses or disclosures of the information
Legalese aside, it’s pretty straightforward — divulging protected health information (PHI) without the patient’s consent is verboten — yet it seems to be a point that some providers still continue to miss, especially when it comes to responding to negative reviews.
As noted in previous posts, there are any number of ways to respond to a negative review, but discussing a patient’s care in a rebuttal? Everybody knows that’s a HIPAA violation, right?
If a May 27 article in The Washington Post is any indication, the unfortunate answer is “apparently not.”
The article cites research conducted by ProPublica, in which the non-profit news organization searched Yelp’s database of reviews for one-star reviews from patients that mentioned HIPAA or privacy. In “dozens of instances,” the reviews included responses from providers that clearly discussed the specifics of the patient’s care, potentially identifying them and violating the law.
From a California dentist who scolded a patient who accused him of misdiagnosing her:
I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. … You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision.
From a Washington state dentist about a patient who blamed him for the loss of a molar:
Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root. This tooth is no different.
From an employee of a Phoenix plastic surgeon responding to a parent who complained that the doctor “seemed flustered with my crying child” during the repair of a scar on his chin:
This patient presented in an agitated and uncontrollable state. Despite our best efforts, this patient was screaming, crying, inconsolable, and a danger to both himself and to our staff.
In some cases, it’s likely that the above providers (or their employees) assumed that because patients discussed the specifics of their cases — “outing themselves,” as it were — that they were therefore allowed to do the same. Like it or not, that simply isn’t the case.
Worse yet, the problem is unlikely to go away anytime soon. In the month after the Post article ran, it received a whopping 750 comments and, in aggregate, they tell a tale of confusion and frustration from both patients and providers:
I think that when someone files a YELP review they are voluntarily disclosing their protected patient information and HIPPA [sic] should no longer apply. “Licenses should be temporarily suspended” is totally ridiculous. Why should doctors be unable to respond to online lies and misrepresentation?
A doctor who retaliates against a patient for giving him or her a bad review by revealing private information should be avoided at all costs, for that type of behavior is not only a violation of HIPAA but also of the Hippocratic Oath.
I worked as an ER doc for 20 years… I would NEVER respond to a patient comment though do think that in posting a comment, the patient has waived their right to privacy.
As a physician, the whole “the patients (or as a pediatrician, their parents) can rate you but you can’t respond” thing has never seemed fair. If it seems fair to you, please explain how.
The answer to that last comment — and to the 749 other ones in the thread — is that the issue isn’t about what’s fair or unfair. It’s about complying with the law and avoiding the risk of violating the statute. It’s okay for providers to speak generally about the way they treat patients but the regulations are clear: healthcare providers must get consent before discussing individual cases, identifying people as patients, or divulging protected information.
As Deven McGraw, deputy director of health information privacy for the Office for Civil Rights, which enforces HIPAA, told the Post,
If the complaint is about poor patient care, they can come back and say, ‘I provide all of my patients with good patient care’ and ‘I’ve been reviewed in other contexts and have good reviews.’ [But they can’t] take those accusations on individually by the patient.
