Kaia Pankhurst

Keeping HIPAA Happy: The Legal Way to Solicit Reviews

Although HIPAA does not specifically mention online reviews, it outlines several rules that impact your legal ability to encourage patients to write reviews.




ONLINE REVIEWS CAN make or break your business. In fact, up to 84 percent of patients say they help them choose a doctor. When patients are happy with your services, it’s a great idea to encourage them to review your practice on Google or Yelp.

But can you actually do that? The Health Insurance Portability and Accountability Act (HIPAA) is very strict on how health care providers use patients’ contact information. In order to stay out of trouble, it’s crucial that you familiarize yourself with HIPAA’s rules and follow them to the letter.

What Does HIPAA Actually Say?

Although HIPAA does not specifically mention online reviews, it outlines several rules that impact your legal ability to encourage patients to write them. Here are the basics of HIPAA’s privacy rule as it relates to your patient’s contact information and how you’re allowed to use it.

The Privacy Rule is meant to protect all “individually identifiable health information” that you might get from your patients. The way you get that information doesn’t matter; whether you hear it verbally, read it in an email, or your patient fills it out in an online form, that information is protected. Individually identifiable health information includes:

  • The patient’s name, address, birthday, or social security number
  • The patient’s past, present, or future mental or physical health conditions
  • Any services or care you’ve provided or are currently providing the patient
  • Any other information one might reasonably believe could be used to identify your patient

You need a patient’s express written permission to use or disclose their information for any marketing efforts. Your intended use or disclosure of the information needs to be clearly defined in plain language to make sure they understand what they’re agreeing to. Your patient must also be able to revoke their consent at any point. Keeping their information in a database is fine, but you will need their permission to add them to mailing lists.

Start with a Survey

One of the best ways to get reviews from the right patients is through patient satisfaction surveys. Through an automated system, you can identify patients that provide high satisfaction scores and ask them to write reviews. It’s a great way to curate a positive digital reputation.


But Is This Method HIPAA Compliant?

Technically, yes, with a major caveat.

You do not need consent to send any communication that falls under care operations, which could include invoices, appointment reminders, and other administrative messages needed to keep the practice running. A patient satisfaction survey helps you identify areas for improvement and, as such, is covered as a care operations message.

With that said, asking for online reviews is not considered care operations. As part of the survey, you will need to ask for consent to contact them in the future. You cannot ask for reviews if you don’t receive consent. If they give you high satisfaction scores on the survey and consent to receive communication from you in the future, you can follow the survey up with a request for a Google or Yelp review.

Make Sure Patients Can Opt Out

It’s not enough for patients to opt in; they must be able to opt out at any time. To stay HIPAA compliant, you need to make sure every piece of communication that requires consent also has a simple and clearly labeled button or checkbox that allows a patient to withdraw their consent.

Save Yourself a Headache

It’s important that every practice owner and manager study HIPAA. It is not simply an issue of following the law; it’s about respecting patients’ privacy and wishes. If you can prove that patient experience is your priority, your practice will grow. Disclaimer: This article is based on an interpretation of HIPAA’s guidelines and should not be considered bona fide legal advice.


Kaia Pankhurst is a Senior Content Strategist at Marketing4ECPs, where she creates and implements content strategies for eyecare practices all over North America. Outside of the office, Kaia is a musician, activist, and professional wrestler. Email her at [email protected]

