Kaia Pankhurst

Keeping HIPAA Happy: The Legal Way to Solicit Reviews

Although HIPAA does not specifically mention online reviews, it outlines several rules that impact your legal ability to encourage patients to write reviews.

ONLINE REVIEWS CAN make or break your business. In fact, up to 84 percent of patients say reviews help them choose a doctor. When patients are happy with your services, it’s a great idea to encourage them to review your practice on Google or Yelp.

But can you actually do that? The Health Insurance Portability and Accountability Act (HIPAA) is very strict on how health care providers use patients’ contact information. In order to stay out of trouble, it’s crucial that you familiarize yourself with HIPAA’s rules and follow them to the letter.

What Does HIPAA Actually Say?

Although HIPAA does not specifically mention online reviews, it outlines several rules that impact your legal ability to encourage patients to write them. Here are the basics of HIPAA’s privacy rule as it relates to your patient’s contact information and how you’re allowed to use it.

The Privacy Rule is meant to protect all “individually identifiable health information” that you might get from your patients. The way you get that information doesn’t matter: whether you hear it verbally, read it in an email, or your patient fills it out in an online form, that information is protected. Individually identifiable health information includes:

  • The patient’s name, address, birthday, or social security number
  • The patient’s past, present, or future mental or physical health conditions
  • Any services or care you’ve provided or are currently providing the patient
  • Any other information one might reasonably believe could be used to identify your patient

You need a patient’s express written permission to use or disclose their information for any marketing efforts. Your intended use or disclosure of the information needs to be clearly defined in plain language to make sure they understand what they’re agreeing to. Your patient must also be able to revoke their consent at any point. Keeping their information in a database is fine, but you will need their permission to add them to mailing lists.

Start with a Survey

One of the best ways to get reviews from the right patients is through patient satisfaction surveys. Through an automated system, you can identify patients who provide high satisfaction scores and ask them to write reviews. It’s a great way to curate a positive digital reputation.

But Is This Method HIPAA Compliant?

Technically, yes, with a major caveat.

You do not need consent to send any communication that falls under care operations, which could include invoices, appointment reminders, and other administrative messages needed to keep the practice running. A patient satisfaction survey helps you identify areas for improvement and, as such, is covered as a care operations message.

With that said, asking for online reviews is not considered care operations. As part of the survey, you will need to ask for consent to contact them in the future. You cannot ask for reviews if you don’t receive consent. If they give you high satisfaction scores on the survey and consent to receive communication from you in the future, you can follow the survey up with a request for a Google or Yelp review.

Make Sure Patients Can Opt Out

It’s not enough for patients to opt in; they must be able to opt out at any time. To stay HIPAA compliant, you need to make sure every piece of communication that requires consent also has a simple and clearly labeled button or checkbox that allows a patient to withdraw their consent.

Save Yourself a Headache

It’s important that every practice owner and manager study HIPAA. It is not simply an issue of following the law; it’s about respecting patients’ privacy and wishes. If you can prove that patient experience is your priority, your practice will grow. Disclaimer: This article is based on an interpretation of HIPAA’s guidelines and should not be considered bona fide legal advice.