In my last post, we discussed how the Federal Trade Commission impacts rules and regulations related to capturing reviews for posting online. To recap, the guiding principle is not to pay for reviews. No money, no gift cards, no discounts on future goods or services. If you do offer such perks, you must disclose that in the review. Otherwise both the patient and you may incur liability.

Onward to the next federal constraint.

Of course.

HIPAA and online reviews is an entire topic unto itself. Here, I’m going to focus solely on working with vendors to help you capture online reviews. I’m not getting into responding to posts, positive or negative, in a HIPAA compliant way. We can tackle that subject at a later date.

If you work with a vendor to capture reviews for posting online, HIPAA likely applies.

This means the vendor should be a formal HIPAA Business Associate and securely store and transmit Protected Health Information (PHI). Random HIPAA audits are here. Don’t take shortcuts.

What is considered Protected Health Information? Many things. It includes the patient’s name, their email address, OR their mobile number. Notice I used the word “OR” and not “AND.”

With few exceptions (defined by statute), any time you disclose such Protected Health Information to a third party, such as a vendor, that party must be a HIPAA Business Associate, or you need a formal HIPAA compliant authorization from each patient.

A valid HIPAA authorization must meet certain requirements (please don’t kill the messenger):

  • Identify the disclosing health care provider
  • Identify the recipient(s)
  • Label the purpose
  • Define an expiration date or event
  • Date
  • (Can be electronic)
  • Must include:
    • failure to sign will not affect treatment or payment for treatment;
    • may revoke the authorization at any time;
    • information may no longer be protected by HIPAA once disclosed.
  • Must be a stand-alone document

To bring this home, when working with vendors to help you gather and post online reviews, if Protected Health Information is transmitted:

  • The vendor must be a HIPAA Business Associate and securely transmit and store PHI
  • If the vendor is not a HIPAA Business Associate, you need a valid HIPAA compliant authorization from each patient to disclose Protected Health Information
  • Even if a vendor IS a HIPAA Business Associate, if they disclose PHI to the public (in this case, as a review), you/they will need a valid HIPAA compliant authorization from the patient to disclose that information

We’ll tackle one more constraint imposed by federal agencies and statutes in Part 3.