Recently, a doctor asked our thoughts on whether his standard HIPAA Notices of Privacy Practices could be amended to allow him to disclose protected health information online “to set the record straight.”
His goal was not to debate a patient’s opinion. Rather, he wanted to be able to refute factually inaccurate online statements without having to resort to a defamation lawsuit to achieve that goal.
HIPAA and state privacy laws are rather strict. Unless a particular fact pattern falls into a defined exception, HIPAA and state privacy laws do NOT allow for release of protected health information unless the patient provides explicit permission. Correcting a factually inaccurate online statement does not fall under such an exception. Doctors who cavalierly respond and “set the record straight” by revealing protected health information without such permission are engaging in a high risk activity.
So, back to the original question. Can an agreement be penned which preemptively grants the doctor permission to respond to fictional posts?
Perhaps. But, there are a number of caveats.
First, HIPAA Notice of Privacy Practices is not really an agreement, per se. It is a disclosure of what a practice must do to conform to HIPAA. In contrast, an agreement is a two-sided meeting of the minds. Each side gives. Each side gets. So, if the doctor wants the patient to provide permission to respond online, it probably needs to be separate from the standard HIPAA Notice of Privacy Practices.
Next, an agreement (a contract) must have certain elements to be enforceable. It must contain “consideration.” Each side must get something out of the deal. An agreement which only allows the doctor to respond in public would not, on the surface, provide the patient with any additional benefit. One potential benefit which might sidestep this shortcoming would be for the doctor to waive his right to sue for defamation. If such consideration is embedded into an agreement, the doctor would use the public forum as his full and total remedy for a fictional post. The doctor would be waiving his right to sue. This, arguably, is a tangible benefit to the patient.
There are other details that need attention for an agreement to be enforceable. It cannot be unconscionable. The patient would need to be fully aware of the terms. Burying such a term in tiny print legalese would not pass the sniff test. Drawing attention to the terms in bold print within a separate document would get closer to passing that test.
Next, the agreement must comport with the law. The HIPAA statute allows a patient to withdraw consent previously provided to release protected health information. So, a patient might give consent today, have a procedure done, and then withdraw that consent a week later. If that happens, the doctor would have to honor the patient’s request. He would not be able to respond publicly.
What if the patient withdraws consent after the doctor has already responded publicly to a fictional post? This is a bit trickier. Certainly, the doctor would be foreclosed from responding further. Arguably, the doctor would also be obliged to remove his response, if it were feasible and practical. Of course, it’s hard to put the toothpaste back in the tube. If a response goes up on a site whose written policy is to make such posts permanent, then you have no practical way to remove that response. But, if you have the means to remove the response to the post, you likely will have to – to conform to HIPAA.
Next, what happens if you are not 100% sure the patient posted the review with factual misstatements. You would want to err on the side of caution. A patient’s family member or friend might have penned the post. If so, you would not have the patient’s permission to respond.
Finally, what about the details of a response? HIPAA states that if protected health information is disclosed, the least amount of information should be disclosed to address the stated goal. So, if patient alleges online she developed a post-op infection, and the facts are that the patient had an allergic reaction to adhesive tape, then that pithy nugget is all that could be disclosed. Additional facts, such as the patient having a history of alcohol abuse and a borderline personality disorder, for example, could not be posted.
This analysis is a long-winded way of stating that such an agreement might be challenging to enforce; and, if used, would need to be used cautiously. That said, there should be better ways to set the record straight than having to file a lawsuit. If a doctor wants clarity in whether such a pioneering agreement complies with HIPAA, the best way to achieve that certainty is to ask HHS directly. Remember, pioneers take the arrows.
in my limited 55y of practice, middle-aged women of limited-means are the main complainers. Men go straight to personal injury lawyers if there is a serious malpraxis or just change MDs. The wealthy rarely waste their time complaining.
Maybe a best first step would be to contact the patient and ask whether he was the culprit. And if so, perhaps an accommodation can be reached before any shooting starts. If not, the patient can always choose among retracting the offending post, allowing a public rebuttal, and facing a lawsuit for slander/libel. Seems like an exhaustive differential. Or am I missing yet another option–beyond ignoring it and hoping for the best?
JH
Responding publicly to correct misinformation about a specific patient, even if they initiated the complaint is just about impossible. We have to understand that when it comes to PHI, we are not on a level playing field. When it comes to finding out if a patient actually wrote a libelous post, your options, besides actually calling them are limited. You could hire a technology investigator through an attorney’s office. I’m sure both would charge by the hour. I would surmise a decent investigation disclosing ISP source data could cost you 5-8,000 dollars. Remember that you have to execute a HIPAA business agreement with both before you start.
Your reputation and pride might have been severely hurt, but even after you find out “who” you still have to decide what if anything you will do about it.
Even before HIPAA laws, we were still not safe. But the punishments for our potential transgressions got very much worse.
HIPAA laws are a continuation of Congress’ war against physicians. While some HIPAA statutes make sense, like most politically liberal regulations, they run amok in a sea of assigning blame and Draconian punishments. This provides more cannon fodder for regulators and investigators: Job security.
These could have been prevented, just like the despicable Stark laws. But alas we were too busy fighting among ourselves to get together to fight them.
So, what can you do? First, most patients are used to seeing negative, even hateful reviews on other consumer sites. If we took them all too seriously we wouldn’t buy anything. Second, I myself look to an “effort” on the part of the vendor to make things right. This doesn’t have to be an apology or an admission of fault. It helps if the vendor admits a “problem” but it doesn’t have to go much further. But that’s just me.
I think most web readers are well educated and face many of the same technology-related problems in their own careers. They might not be nearly as judgmental as you think they are. This leaves us some room to improvise carefully written non-specific comments. We already know they can’t be about the specific complaining patient.
Example: “I got a post operative infection after my surgery from dirty instruments at their clinic.” Jon Dough, patient
Posted answer: “As most patients know, it is illegal for doctors to discuss specific patient issues on a public space. But even if were not, our in-house patient privacy rules would forbid that. We do have specific written protocols to prevent infections. Among others, we use: ‘Fundamentals of Infection Prevention and Control: Theory and Practice, by
Debbie Weston.’ Causes of infection usually invite spirited debate at medical meetings. For example most patients don’t realize that loss of blood supply to the site is a chief cause. One of these is use of tobacco by patients.”
Here you’ve implied that this patient smoked without actually saying it. Canny readers used to reading on-line reviews will pick up on that immediately.
It is usually best to keep these replies as short as you can. When you try to over-explain you tend to sound over-reaching and guilty. KISS rules apply.
Michael M. Rosenblatt, DPM
We just learned from MedicalJustice of a fictional negative post on Yelp that became syndicated and was specifically duplicated on yahoo replacing all of the preexistent reviews that were mostly positive.
The fictional post violates Yelp’s terms of service since it was self admittedly penned by a “friend” that supposedly accompanied the unhappy patient. With the help of MedicalJustice, the post was flagged as inappropriate, but Yelp’s review and removal of flagged inappropriate reviews can take several weeks, not days. This poster has a history of several other Yelps, all of which are 1 or 2 stars reviewing other docs and a Starbucks. No mention of any positive experiences in her existence.
Based on this, it’s easy to see the deck is stacked against the physician and business owner. It is tempting to post an interjection, but engaging the fictitious poster is risky and may be misinterpreted by the public.
eMerit is part of our practice, and this is the most effective neutralizer of the negative and fictional posts. eMerit enables you to easily populate the internet with your own patients’ experiences, so if the majority of your patients are happy, the entirety of your internet virtual reputation can be positive. Proactive internet posting of your own patients’ words has a dilutional effect reducing the impact, visibly and relevance of an outlier or fictitious post.
In many cases it’s best to let your own patients’ posts dominate the internet dialogue, rather than relying on agreements to deal with outliers and fictional posts. Patient posting agreements may be less effective, more risky, and possibly objectionable to state and federal authorities.
On this Independence Day, let’s celebrate the First Ammendment and deputize our patients to help the public learn the unbiased truth about your practice. 🙂
Eric
While a doctor’s narcissism might be crushed with one negative, even if false, internet post, it is highly unlikely that his practice will be adversely affected. I have 4 reviews posted of which 3 are patently false but neither do I care nor do most of my patients. As in anything else when a sizeable number of negatives begin to pile up and checks with the state medical board begin to corroborate some of these reviews then the doctor ought to get worried and so should the public. Responding to adverse appraisals on the internet is not only a sign of immaturity but will probably attract the attention of the regulatory authorities.
Physicians’ concerns about fictional posts and negative reviews may not be about narcissism nor immaturity. In our practice, well over 90% of our new patients site internet reviews as one of the main reasons for visiting us. The negative “Yelpers” tend to compose more of a novel than a review, and they tend to post on several, not one, physician rating site. Syndication of posts is an additional challenge.
Newly discovered fictional or negative reviews need to be dealt with if your practice referral base comes from the internet. If there is a flagrant violation of terms, it may be best to wait for the company to review and remove. Otherwise, I do not agree with ignoring the post. We do rely on the expertise of MedicalJustice when it comes to posting any and all responses.
Hope this helps. 🙂
Eric
When a patient posts a negative review of medical care received, have they not waived their HIPAA rights by disclosing to the public their medical history? If so, then the named physician should be able to post a reply including relevant facts regarding pre-existing medical conditions, details of care rendered, and refute the negative comments. In the age of the Internet, at some point this issue will make it through the courts and, ultimately, the Supreme Court will be asked to decide whether our rights have been violated when we cannot defend ourselves on the internet due to HIPAA requirements.
A patient who posts online has not implicitly waived his/her rights under HIPAA.
Doctors can release protected health information if (a) the patient provides consent; or (b) the situation falls under an exception to requiring consent – such as reporting of a patient’s disease for public health reporting – such as rabies; or TB.
I would listen closely to Medical Justice and not release any PHI on public web sites, no matter what the patient published. Even if the Courts intervened and permitted some disclosure, their ruling would likely be very narrow and would not abrogate HIPAA as it is presently constituted.
In the mean time you would open yourself to attacks on two fronts, one from your patient’s attorney, and the other from vengeful Government. You have some things to fear from patients; but you have everything to fear from Government.
If you are concerned about your Media exposure and malpractice issues, it’s time to do something constructive: Sign up with Medical Justice.
Michael M. Rosenblatt, DPM