Physical Therapy Provider Pays $25K in HIPAA Fines for Publishing Patient Testimonials

September 7th, 2019

HIPAA and Patient Testimonials

Did you know that a physical therapy provider was once fined $25,000 for HIPAA violations related to patient testimonials? If you are a licensed healthcare professional or operating as a licensed healthcare company, you are likely bound by very specific and strict laws to not divulge any information about your patients/clients. Under the Health Insurance Portability and Accountability Act (HIPAA), if a provider collects and publishes patient testimonials, this would require a specific HIPAA release form. However, there are safe ways to make use of patient testimonials in your healthcare marketing. Let’s consider a few points.

First, Brazzell Marketing Agency is a marketing consultancy and provider, not a compliance consultant. Therefore, if you are a licensed healthcare provider, our authority on this matter would be subordinate to yours. Here we only provide food for thought, and the decision on how to proceed needs to be your own.

Is a $25K HIPAA Fine the Exception?

The case of that poor physical therapist is cautionary, but probably not the norm. Patient testimonials are a common feature of healthcare websites. Most healthcare websites violate HIPAA in other ways, but no inspector ever does anything about it. However, if you have a malevolent competitor who wants to spend time causing problems instead of taking better care of patients, patient testimonials could leave you vulnerable to at least a complaint inspection.

Is It Enough to Post Testimonials with the Names Removed?

In our unauthoritative opinion, this still leaves a practice at risk. Our interpretation of HIPAA is that if the patient’s brother can read that testimonial and figure out that’s his brother, it’s a HIPAA violation. Practices may not reveal enough information for anyone to even guess who the patient is.

How Healthcare Providers Can Safely Use Patient Testimonials

The safest way to take advantage of patient testimonials is to refer to your favorite review website. For instance, you can simply publish “4.7 Stars from 23 Reviews on Google.” Date the statement so it stays true even as your reviews fluctuate in the future. We also feel it’s legal for you to ask patients to give you a review on those websites.

Is It Legal to Publish Patient Reviews from Google, Facebook, etc. on My Website?

A hard-nosed inspector might say “No.” Our unauthoritative opinion is, “Yes, as long as you follow copyright law.” Part A of HIPAA’s definition of health information states: “is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.” Imagine your patient going to Facebook and typing a glowing review. In this instance, the patient created the information and Facebook received it. Facebook now owns this text, not you. Our interpretation of this is that it is not Protected Health Information because the covered entity did not create it, and a patient did not give the information to a covered entity. Would an inspector or judge say you did “receive” the information at the moment you moved it from Facebook to your own website? Maybe. Your call.

However, it is definitely a copyright violation if you quote the text or take screenshots of reviews on third-party websites. Google, Facebook, etc. own those reviews. Not you. When publishing third-party reviews on your website, be sure to only use means authorized by the third-party website.