How to Respond to Negative Online Reviews by Patients
What should you do if a patient leaves a negative online review of your practice? Here are tips for creating a response that is thoughtful, protective of your interests, and most importantly, legally compliant.

In today’s consumer-driven economy, businesses have come to learn the power of online review sites. While positive online reviews can draw new customers, the opposite also holds true: negative reviews can compel consumers to stay away. According to one 2018 survey, 94 percent of respondents said an online review had convinced them to avoid a business.
It’s not just restaurants, hotels, and retailers that may be on the receiving end of a negative online review. Physicians and other healthcare providers may also find themselves the subject of a critical review on Yelp, Google, Healthgrades, Vitals, RateMDs, or another rating site. In some cases, the reviewers focus on the provider’s quality of care. In other cases, business practices such as the quality of customer service by the administrative staff or the provider’s billing procedures trigger the review.
When faced with a negative online review, it’s natural to want to respond quickly to mitigate any damaging publicity – particularly when you believe the review is false, inaccurate, or inflammatory. Sometimes, a swift response may indeed be appropriate. But don’t let your indignation cloud your judgment—it’s imperative to stay calm and develop a response that complies with your legal and ethical duties.
HIPAA and Responding to Online Patient Reviews
The federal Health Insurance Portability and Accountability Act (HIPAA) generally prohibits healthcare providers from using or disclosing a patient’s protected health information (PHI) without the patient’s authorization.[1] For HIPAA purposes, PHI refers to any individually identifiable health-related information that a provider maintains as part of the patient’s medical record.[2] PHI includes not only the patient’s medical information, but also demographic and other identifiers attached to that medical information. Under HIPAA, all PHI is shielded from unauthorized use or disclosure.
When a patient posts a review, he or she is publicly disclosing his or her status as a patient. Here’s the rub: although patients are free to reveal what would otherwise be protected information about themselves in an online review, they do not waive HIPAA’s protections. That means that under HIPAA, you may not counter a negative online review that contains a patient’s self-disclosed information with additional information about that patient.
As the Office for Civil Rights within the U.S. Department of Health and Human Services explained in a 2013 HIPAA enforcement action regarding a complaint about a plastic surgery practice’s disclosure of PHI on Yelp: “A covered entity may not confirm or deny that a particular person was, in fact, a patient, or disclose any other individually identifiable health information (IIHI) including but not limited to demographic information such as name or address.” Covered entities that do reveal protected health information in response to a review can face stiff penalties.
To take an example, consider a review in which a patient complains:
“I had to wait two and a half hours in the lobby before my visit with my doctor, and the receptionist was rude to me when I asked her to explain my bill.”
In response, the provider posts:
“Your visit on April 1 was delayed because you were more than 30 minutes late for your scheduled appointment. The front office staff did not intend to be rude to you and was only trying to explain that you were behind in paying your bill from prior visits.”
Such a response would violate HIPAA’s non-disclosure restrictions. When combined with the patient’s original review, the response effectively identifies the patient using information about her from the provider’s records about the patient.
Although HIPAA constrains what you can include in response to a negative online review from or about a patient, it does not outright prohibit you from responding. A provider may still respond to a review without acknowledging that the reviewer was a patient or disclosing any information about the patient, such as:
“Thank you for your feedback. Our medical practice strives to deliver a positive experience for our patients. To protect our patients’ privacy, we prefer to resolve any patient complaints offline. We encourage you to contact our office to discuss how we may address your concerns.”
This response not only complies with HIPAA but also offers a positive, conciliatory tone while showing respect for the reviewer’s privacy and seeking to understand the reviewer’s negative experience better.
Alternative Approaches to Negative Online Reviews
Although developing HIPAA-compliant direct responses to negative online reviews is an important marketing and public relations strategy, not every review warrants a response. Some reviews may be so incomprehensible, outlandish, or offensive that they lack credibility and will have little adverse impact. In those cases, responding directly to the review could backfire, generating additional negative comments from the reviewer.
Still, it may be appropriate to take some action even in those situations. One alternative is to contact the review site and request that the site take down the review. The standard for removal of a review may differ from site to site. Yelp, for example, may remove reviews that:
- reveal that the reviewer has an apparent conflict of interest (e.g., the reviewer is from the business or a competitor)
- don’t focus on the reviewer’s own experience (e.g., the review relays the experience of someone else)
- include “inappropriate material,” such as hate speech, lewd commentary, threatening language, or private information about employees or patrons.
In other instances, you may benefit from contacting the patient. Many negative online reviews stem from the reviewer’s sense of feeling unheard, so reaching out and offering a willingness to listen to the patient’s complaint may alleviate the underlying problem. After addressing the patient’s concerns, it’s possible that the patient will delete the review or supplement it with additional information about the resolution to the issue.
If the patient stands by the contents of the review, you may be able to convince him or her to sign a HIPAA authorization to allow you to respond on the review site with more specificity about the issue in question.
Can You Sue for Defamation?
Some online reviews may cross the line from being merely negative to constituting a defamatory statement about a provider. In Illinois, as in many other states, defamation is a type of civil offense where the following elements are present:
- the defendant made a false statement about the plaintiff;
- the statement was published to a third party and is not protected by a legal privilege;
- the defendant was at fault by at least acting negligently;
- the plaintiff suffered damages as a result.[3]
If these requirements are met, consider engaging legal counsel to determine whether initiating a lawsuit would be appropriate.
As noted in a 2018 article by USA Today, some physicians and other providers have resorted to litigation to challenge negative online reviews and prevailed. For example, in Desert Palm Surgical Group, P.L.C. v. Petta,[4] a 2015 case from Arizona, a cosmetic surgery and dental practice sued a former patient for defamation and false light invasion of privacy after the patient alleged on various consumer review websites that the providers were not board-certified and were incompetent, unethical, and unprofessional.
After a jury trial, the court entered a judgment in favor of the providers for more than $12 million. On appeal, the court vacated the judgment because the damages award was so high that it “shock[ed] the conscience of th[e] court,” but it upheld the jury’s determination that the patient’s statements conveyed a defamatory meaning or painted the providers in a false light.
Despite such precedents, there are practical reasons to avoid litigating what potentially could be a strong (if not costly) case based on defamation and related claims. The above-noted USA Today article is a testament that such litigation may generate unwanted media attention and potentially depict the litigating provider as overly sensitive or “anti-patient.” Moreover, as in the Arizona case, litigation may prompt the patient to file his or her own countersuit based on malpractice or other claims and to submit complaints to the provider’s licensing board and other regulators.
Ultimately, however, a decision whether to commence litigation should be driven by the particular facts and circumstances in a given case, as assessed by legal counsel retained by the provider.
Still Unsure How to Respond? Get Expert Help
At Jackson LLP, our attorneys are experienced in reviewing the legal implications of negative online reviews about healthcare providers and working with providers to develop marketing strategies to respond to such reviews without violating applicable privacy and confidentiality laws.
[1] See 45 C.F.R. § 164.502.
[2] See 45 C.F.R. § 160.103.
[3] See Perfect Choice Exteriors, LLC v. Better Bus. Bureau of Cent. Ill., Inc., 2018 IL App (3d) 150864, at *P22, 99 N.E.3d 541, 547 (Ill. App. 2018).
[4] 236 Ariz. 568, 343 P.3d 438 (Ariz. App. 2015).