- Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals, and RateMDs much as they do restaurants, hotels, and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. The law forbids them from disclosing any patient health information without permission.
- One Washington state dentist turned the tables on a patient who blamed him for the loss of a molar: “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” he wrote. “This tooth is no different.”
In California, a chiropractor pushed back against a mother’s claims that he misdiagnosed her daughter with scoliosis. “You brought your daughter in for the exam in early March 2014,” he wrote. “The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.”
Seems like a tough issue. I'm honestly wary of the idea of allowing reviews of medical practices on places like Yelp. I understand that these sorts of websites can expose poor practices, but I expect that these reviews may ultimately do more harm than good, and there doesn't seem to be any way for physicians to defend themselves from negative reviews without violating HIPAA.
Yelp doesn't disclose your full name. Yelp foreshortens your name to first name, last initial. A doctor responding to a patient cannot therefore violate HIPAA unless that doctor discloses the patient's full name in their response. Defending yourself against a negative review on Yelp isn't that tough - you write a response that says "we're so sorry that you had a negative experience with us. Please contact us directly so that we can remedy the situation with you". If you see one or two of those, you know you have a responsive vendor. If you see a thousand of those, you know you have a shitty office with someone running damage control. My wife had one where she wrote "I'm sorry you had such a bad experience at my office... but are you sure you were ever my patient? Your name doesn't match anything in our records and your location is 180 miles away from us. Please call us if you'd like to give us another chance." Within two days we had "upgraded one star for being nice" and within a week they'd deleted the review.
Are you sure about this? My (admittedly limited) understanding was that sharing even the first names and last initials could be considered a HIPAA violation. Again, though, my understanding is that this may also be a violation of HIPAA. FTA: A doctor responding to a patient cannot therefore violate HIPAA unless that doctor discloses the patient's full name in their response.
you write a response that says "we're so sorry that you had a negative experience with us. Please contact us directly so that we can remedy the situation with you"
Nicholl replied on Yelp, acknowledging that Grijalva’s daughter was a patient (a disclosure that is not allowed under HIPAA)
http://www.geekymarketer.com/5-simple-hipaa-violations/ https://www.mc.vanderbilt.edu/root/vumc.php?site=hipaa&doc=11532 http://hipaa.ucsf.edu/frequently-asked-questions Fact of the matter is, none of this is settled caselaw even though it's been 13 years since HIPAA was approved. So some wag reporter can say "Yelp reviews might violate HIPAA" but the fact of the matter is, Yelp anonymizes your information in the same way most of the HIPAA lawyers are recommending. 'cuz let's be honest: if someone violates your HIPAA privacy on Yelp, you're going to sue that person AND Yelp, and they have deeper pockets. We used to deal with this with the Americans with Disabilities Act. The rules are deliberately vague so that lawsuits would establish caselaw. That caselaw has not been established with HIPAA, but dollars to donuts if Yelp was worried they'd be doing something else.Don’t say the patient’s last name when calling them back into the examination room. Calling a patient by first name and last initial or a numbering system is a smarter – and safer – form of identification.
Whenever possible, the patients first name and last initial should be used instead of the full name.
The use of whiteboards is allowed as long as reasonable safeguards are implemented, as appropriate. Listing only last name and first initial in the department is adequate, whereas full first and last name are permitted for safety reasons in the operating room.
Yes, that's a good point. I think the lack of case law is really the key here. Interesting that this hasn't all been sorted out in case law. It seems people aren't as sue-happy as one might be made to believe.Fact of the matter is, none of this is settled caselaw even though it's been 13 years since HIPAA was approved.
So here's the thing: In order to sue, you need a reason. If suing is super-duper easy and cheap, people will sue over everything. If suing is expensive, people will sue over things that will be profitable. An attorney will take a case on spec but only if they suspect they'll make enough, as their fee, to cover their investment of time. You can absolutely file a HIPAA complaint. However, you will get no money out of it. If HHS decides your rights were violated, HHS will fine the violator. You will see nothing. So if you want personal redress, you have to be able to demonstrate that you, personally, suffered injury. If you are a private figure, your anonymity has a value of zero. If you are a public figure, you likely don't do yelp reviews using your first name and last initial (Amy W.: "They tried to make me go to this rehab but I said, no, no no!"). If you are a private figure who becomes famous because of your yelp review you become a limited-purpose public figure and your anonymity has a value of less than zero. In order for caselaw to advance on this one, a private individual would have to demonstrate that they experienced material harm from a pseudonymous HIPAA disclosure. I'm pretty imaginative, but off the top of my head I'm drawing a blank.
HHS doesn't have to sue. They are judge, jury and executioner. HHS determines your violations outside a court of law. HHS assigns penalties outside a court of law. It's like the FAA or the DOT or the SEC or any other USA TLA: if they decide you owe money, you owe money. It's not a judgement, it's a fine. What you, as a non-governmental entity, can do, is argue the fairness or validity of the law under which you were fined... but the law itself is entirely under their purvey. http://www.washingtonpost.com/wp-dyn/content/article/2011/02/22/AR2011022207094.html That's what this looks like - not a litigious reshaping of the law but a top-down bureaucracy determining how badly you're fucked. Again, in the land of civil fun the law can be shaped... but now we're back in that corner case I lack the imagination to create.
That contradicts a quote in the article. I'm not convinced that giving individual details of a patient's case is helping the medical professional win converts. If I saw a medical professional doing that, I'd be wary of using their services. It would be an indication of how little they cared about your personal information. The author then goes on to describe a review system taken on voluntarily by a hospital to help improve their own services. However, in that, the doctors' competencies were not rated and doctors were not allowed to respond. “If you whitewash comments, if you only put those that are highly positive, the public is very savvy and will consider that to be only advertising,” said Thomas Miller, chief medical officer for the University of Utah Hospitals and Clinics. Unlike Yelp, the University of Utah does not allow comments about a doctor’s medical competency and it does not allow physicians to respond to comments. After I read the article, I was curious about the backdrop for this issue. I didn't find much, but I did find this article by the same author written roughly a year ago for NPR. In it, he writes that medical professionals have tried to sue patients who give bad reviews, but the courts have ruled in the favor of the patients and rating review companies every time so far. The author of both those articles doesn't explain his relationship with the controversy. I'd be interested to hear more about what his potential financial interest in the issue. there doesn't seem to be any way for physicians to defend themselves from negative reviews without violating HIPAA.
“There’s certainly ways to respond to reviews that don’t implicate HIPAA,” Schur said.
In 2012, University of Utah Health Care in Salt Lake City was the first hospital system in the country to post patient reviews and comments online. The system, which had to overcome doctors’ resistance to being rated, found positive comments far outnumbered negative ones.
Periodically doctors, dentists and other providers threaten or even file lawsuits against people who post negative reviews on Yelp or against Yelp itself. Their track record is poor: Courts have ruled in favor of the company and various consumers.
It seems like he's primarily interested as a journalist. His wikipedia page states that he's VP of the Association of Health Care Journalists, but that group seems pretty ethically sound. The author of both those articles doesn't explain his relationship with the controversy. I'd be interested to hear more about what his potential financial interest in the issue.
I feel like it is possible to respond in such a way that doesn't necessarily violate the rules, like for example with the dental one the dentist could have said there are a number of reasons somebody may lose a molar ( maybe list some) and recommend that the patient contact the dental office to have this issue explained to them. The chiropractor seems a bit more tricky but he could say something along the lines of how he is thorough with every patient to make sure nothing gets overlooked.