It can be tempting for a business to push back on a negative review on social media. However, health care providers cannot disclose patients’ protected health information (PHI) in response to negative reviews posted on social media.

In June 2016, a patient filed a complaint with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) alleging that their dental service provider had responded to the patient’s social media review on Yelp by disclosing the patient’s last name and details of their health condition. The OCR investigation found the dental office had disclosed PHI of multiple patients in response to patient reviews posted on the provider’s Yelp page. Furthermore, the provider did not have a policy and procedure in place to prevent such disclosures, and did not have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.

Ultimately, the dental practice agreed to pay $10,000 to OCR and to adopt a corrective action plan, including two years of OCR monitoring for compliance with the HIPAA rules, to resolve these social media disclosures of patients’ PHI. OCR noted that the settlement amount was “substantially reduced” because of the dental practice’s size, its financial circumstances, and its cooperation with the investigation.

Social media complaints, when handled well, offer health care providers a chance to build their brand and differentiate their business from competitors. Negative reviews also offer insight for providers on how they can improve service delivery. However, in responding to negative reviews, health care providers must comply with HIPAA, and applicable state medical confidentiality laws, to prevent unauthorized disclosure of patients’ PHI.

Providers should consult with an attorney to develop strategies for preventing the unauthorized disclosure of patients’ PHI when responding to negative reviews on social media. Such strategies could include: a written policy and procedure regarding disclosures of PHI, so that social media interactions protect patients’ PHI; training for employees, together with discipline for the impermissible use or disclosure of PHI; consistent messaging in response to patient reviews; and tracking of social media interactions.