Recently, a doctor asked our thoughts on whether his standard HIPAA Notices of Privacy Practices could be amended to allow him to disclose protected health information online “to set the record straight.”


His goal was not to debate a patient’s opinion. Rather, he wanted to be able to refute factually inaccurate online statements without having to resort to a defamation lawsuit to achieve that goal.


HIPAA and state privacy laws are rather strict. Unless a particular fact pattern falls into a defined exception, HIPAA and state privacy laws do NOT allow for release of protected health information unless the patient provides explicit permission. Correcting a factually inaccurate online statement does not fall under such an exception. Doctors who cavalierly respond and “set the record straight” by revealing protected health information without such permission are engaging in a high-risk activity.


So, back to the original question. Can an agreement be penned which preemptively grants the doctor permission to respond to fictional posts?


Perhaps. But, there are a number of caveats.


First, a HIPAA Notice of Privacy Practices is not really an agreement, per se. It is a disclosure of what a practice must do to conform to HIPAA. In contrast, an agreement is a two-sided meeting of the minds. Each side gives. Each side gets. So, if the doctor wants the patient to provide permission to respond online, it probably needs to be separate from the standard HIPAA Notice of Privacy Practices.


Next, an agreement (a contract) must have certain elements to be enforceable. It must contain “consideration.” Each side must get something out of the deal. An agreement which only allows the doctor to respond in public would not, on the surface, provide the patient with any additional benefit. One potential benefit which might sidestep this shortcoming would be for the doctor to waive his right to sue for defamation. If such consideration is embedded into an agreement, the doctor would use the public forum as his full and total remedy for a fictional post. The doctor would be waiving his right to sue. This, arguably, is a tangible benefit to the patient.


There are other details that need attention for an agreement to be enforceable. It cannot be unconscionable. The patient would need to be fully aware of the terms. Burying such a term in tiny print legalese would not pass the sniff test. Drawing attention to the terms in bold print within a separate document would get closer to passing that test.


Next, the agreement must comport with the law. The HIPAA statute allows a patient to withdraw consent previously provided to release protected health information. So, a patient might give consent today, have a procedure done, and then withdraw that consent a week later. If that happens, the doctor would have to honor the patient’s request. He would not be able to respond publicly.


What if the patient withdraws consent after the doctor has already responded publicly to a fictional post? This is a bit trickier. Certainly, the doctor would be foreclosed from responding further. Arguably, the doctor would also be obliged to remove his response, if it were feasible and practical. Of course, it’s hard to put the toothpaste back in the tube. If a response goes up on a site whose written policy is to make such posts permanent, then you have no practical way to remove that response. But, if you have the means to remove the response to the post, you likely will have to – to conform to HIPAA.


Next, what happens if you are not 100% sure the patient posted the review with factual misstatements? You would want to err on the side of caution. A patient’s family member or friend might have penned the post. If so, you would not have the patient’s permission to respond.


Finally, what about the details of a response? HIPAA states that if protected health information is disclosed, the least amount of information should be disclosed to address the stated goal. So, if a patient alleges online that she developed a post-op infection, and the facts are that the patient had an allergic reaction to adhesive tape, then that pithy nugget is all that could be disclosed. Additional facts, such as the patient having a history of alcohol abuse and a borderline personality disorder, for example, could not be posted.


This analysis is a long-winded way of stating that such an agreement might be challenging to enforce and, if used, would need to be used cautiously. That said, there should be better ways to set the record straight than having to file a lawsuit. If a doctor wants clarity on whether such a pioneering agreement complies with HIPAA, the best way to achieve that certainty is to ask HHS directly. Remember, pioneers take the arrows.