How to Respond to Patient Reviews in a HIPAA-Compliant Way

Adam Dorfman

More than 77 percent of patients use online reviews as their first step in finding a new doctor, according to recent research from SoftwareAdvice. And according to the Journal of the American Medical Association (JAMA), 59 percent of consumers say physician rating sites are “somewhat” or “very” important.

At Reputation, we recommend responding to at least 20 percent of all positive reviews and 100 percent of all negative reviews. But it gets tricky in healthcare, where a reply that exposes protected health information (PHI) can put a healthcare provider at regulatory and legal risk.

How can you be sure your organization is responding to online reviews in a HIPAA-compliant way?

PHI is More than Medical History

HIPAA's Privacy Rule governs how a covered entity may use and disclose PHI, and its Security Rule requires administrative, physical and technical safeguards for PHI that is stored or transmitted electronically. A public reply to an online review is a disclosure, so it is the Privacy Rule that applies to it.

PHI includes more than a patient's medical history: it is any individually identifiable information that a provider creates or receives in the course of caring for a patient or billing for that care. Name, phone number, email address, birthdate, appointment dates and times, diagnoses and test results all count as PHI when they are tied to a patient's care.

In online reviews, patients often volunteer this information themselves, and they are free to do so. A healthcare organization's response is a different matter: it must comply with the Privacy Rule, and a reply that discloses PHI can bring civil penalties from regulators and, under state law, lawsuits.


How to Respond — and How Not to Respond

Following are some “do’s” and “don’ts” for your team to consider when responding to patient reviews, to ensure HIPAA compliance:


  1. Thank them for their feedback: All feedback is valuable. Patient comments in online reviews and social posts can surface operational problems or help train staff to be friendlier, more helpful and more effective. Show appreciation for any feedback, good or bad.

  2. Keep it anonymous and reference policy: Respond without confirming that the reviewer is or was a patient. Speak to your general policy ("it is our policy that...") rather than to what happened at their visit; even confirming that a visit took place discloses PHI.

  3. Take it offline: Follow up and discuss specifics privately with the reviewer, preferably by phone. In the response itself, invite them to contact you, and provide contact information.

  4. Focus on the positive: Create responses that show your dedication to improving patient experience. Continue the conversation with additional responses, updating the patient on changes you’ve made since receiving their feedback.

  5. Use templates: Work with your legal and compliance team to develop 15-20 approved responses to common patient scenarios. Then load them into your Online Reputation Management (ORM) platform, so anyone responsible for responding to patient comments can pick an approved response from a drop-down menu instead of drafting one.


  6. Screen your stream: If you publish written comments from CAHPS surveys on your website, have each comment reviewed for PHI before it goes live. If you use an ORM platform, use its natural language processing to flag likely PHI, so that flagged comments are held for review rather than published. Automated flagging catches the obvious identifiers (names, dates, diagnoses); it supplements human review, it does not replace it.


  • Don’t delete reviews: Unless a bad review includes profanity or slander, you should leave all reviews up. This builds trust with your audience, and adds credibility to your positive reviews. If all your reviews are positive, consumers become suspicious. In fact, 90 percent of consumers suspect censorship or fake reviews if they don’t see any bad scores.

  • Don’t alter content, but don’t acknowledge or repeat PHI: If a patient’s review includes PHI, you don’t need to delete or edit it. Your response, however, must not repeat that PHI, add any further PHI, or acknowledge that the reviewer is a past or present patient.

  • Don’t email a patient without their consent: In many states, healthcare providers need a patient’s written consent to communicate with them electronically. Unless you are sure of your state’s laws or have consent, use the phone.
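To make the "screen your stream" and "don't repeat PHI" rules mechanical, here is a small Python screener added as an illustration. It is not code from Reputation's platform or any ORM product; the regular expressions, the category names and the sample texts (modelled on the examples in this article, but constructed) are all assumptions for the example. It scans a survey comment or a draft reply for the identifier types the article lists as PHI, holds anything it flags for human review, and additionally lints a draft reply for wording that confirms the reviewer is a patient.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative patterns for the identifiers the article lists as PHI. These are
# assumptions for the example: a production ORM platform's NLP model is far
# broader, and anything this screener flags should be held for human review.
PHI_PATTERNS: dict[str, re.Pattern[str]] = {
    "provider_name": re.compile(r"\b[Dd]r\.?\s+[A-Z][a-z]+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?"
        r"|(?:last|next|this)\s+(?:mon|tues|wednes|thurs|fri|satur|sun)day"
        r"|(?:mon|tues|wednes|thurs|fri|satur|sun)day"
        r"|(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?:y)?"
        r"|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)"
        r"\.?\s+\d{1,2})\b",
        re.IGNORECASE,
    ),
    "time": re.compile(r"\b\d{1,2}(?::\d{2})?\s*(?:am|pm)\b", re.IGNORECASE),
    "clinical_term": re.compile(
        r"\b(?:liver|kidney|cancer|diabetes|biopsy|chemo|mri|surgery|test results"
        r"|diagnos\w*|prescri\w*)\b",
        re.IGNORECASE,
    ),
}

# Phrases in a *response* that confirm the reviewer is a patient, which the
# article says never to do even when no other PHI is repeated.
PATIENT_ACKNOWLEDGEMENT = re.compile(
    r"\b(?:your\s+(?:appointment|visit|diagnosis|test results|records|chart|treatment|procedure)"
    r"|as\s+(?:a|our)\s+patient|your\s+(?:doctor|physician))\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    category: str
    text: str
    start: int
    end: int


def scan_for_phi(text: str) -> list[Finding]:
    """Return non-overlapping spans that look like PHI, in document order."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append(Finding(category, m.group(0), m.start(), m.end()))
    hits.sort(key=lambda f: (f.start, -f.end))  # earliest first, longest wins a tie
    merged: list[Finding] = []
    for f in hits:
        if merged and f.start < merged[-1].end:  # overlaps a span already kept
            continue
        merged.append(f)
    return merged


def redact(text: str) -> str:
    """Replace flagged spans with a marker; works right to left so offsets stay valid."""
    out = text
    for f in reversed(scan_for_phi(text)):
        out = out[: f.start] + f"[{f.category.upper()} REMOVED]" + out[f.end :]
    return out


def publishable(comment: str) -> bool:
    """True if a survey comment can go to the website without a human looking at it."""
    return not scan_for_phi(comment)


def check_response(response: str) -> list[str]:
    """Lint a draft reply: no PHI, and nothing confirming the reviewer is a patient."""
    issues = [f"{f.category}: {f.text!r}" for f in scan_for_phi(response)]
    issues += [
        f"acknowledges patient: {m.group(0)!r}"
        for m in PATIENT_ACKNOWLEDGEMENT.finditer(response)
    ]
    return issues


# Constructed sample texts modelled on the article's examples (not real reviews).
SAMPLE_REVIEW = ("I arrived for my appointment with Dr. Smith on time last Friday at 10 am, "
                 "but spent 15 minutes filling out forms.")
SAMPLE_GOOD_REPLY = ("Thank you for your feedback. It is our policy to ensure all necessary paperwork "
                     "is complete prior to a patient's initial visit. Did you know paperwork can be "
                     "filled out on our patient portal?")
SAMPLE_BAD_REPLY = ("Sorry about the wait at your appointment with Dr. Smith last Friday; "
                    "your test results are now in the portal, call 800-555-0134.")

if __name__ == "__main__":
    for f in scan_for_phi(SAMPLE_REVIEW):
        print(f"review: {f.category:14} {f.text!r}")
    print("publishable:", publishable(SAMPLE_REVIEW))
    print("redacted:", redact(SAMPLE_REVIEW))
    print("good reply issues:", check_response(SAMPLE_GOOD_REPLY))
    print("bad reply issues:", check_response(SAMPLE_BAD_REPLY))
```

Run as a script it prints the findings for the sample review (provider name, relative date, time), holds that comment from publication, and reports no issues for the policy-only reply but six for the reply that names the doctor, the day, the test results and the caller's own number. The design choice worth copying is the failure mode: the screener never auto-publishes on a miss it cannot detect, it only ever decides between "publish" and "hold for review", and `redact` exists so reviewers can preview a cleaned comment rather than editing the patient's words by hand.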

Here are three examples of HIPAA-compliant responses:

Example: Keep it anonymous

Review: I arrived for my appointment with Dr. Smith on time last Friday at 10 am, but spent 15 minutes filling out forms. That made my appointment a lot longer than it should have been.

HIPAA-compliant response: Thank you for your feedback. We try to keep convenience top of mind. However, it is our policy to ensure all necessary paperwork is complete prior to a patient’s initial visit so that their care is appropriately coordinated. Did you know paperwork can be filled out on our patient portal prior to an appointment?

Example: Take it offline

Review: The doctor was rude and abrupt during our visit and I felt she didn’t have time to answer my questions. I left crying.


HIPAA-compliant response: We sincerely apologize for your recent experience. Please call us at [phone number] so we can ensure a better experience next time. Thank you for your comments.

Example: Positive response

Review: I love this place and I don’t love hospitals! When I was there for liver issues they did everything they could do to make me comfortable and the staff was great.

HIPAA-compliant response: Thank you for your kind words!

Some Rules of Thumb

Reputation recommends responding within two to three business days. Automatic alerts within an Online Reputation Management platform help your team stay on top of all reviews and ensure reviewers receive timely responses.

If you’re just starting with ORM in your organization, you may wish to go back and respond to old reviews, particularly any negative ones. Acknowledge any issues and let the reviewers know that their feedback is an essential part of your plan to improve your service.

Want more best practices for crafting review responses?

Read this ebook to learn the trends that are affecting the way healthcare organizations are engaging with consumers online.
