Doctor Marketing & HIPAA Compliance – 3 Critical Errors Doctors Must Avoid

What does effective, HIPAA-compliant doctor marketing look like? And why does it matter?

It matters because the effort you’ve pursued in promoting your practice should never become a liability. If your marketing tactics are not HIPAA-compliant, you may be putting your patients’ information, and your practice, at risk. So, if you are negotiating with a marketing vendor, review the points outlined below. They may spare you the agony and expense of a failed audit.

If you are unsure if your current vendor is putting your practice at risk, contact us.

eMerit helps physicians do doctor reputation management right.

Point No. 1 – Filtering patient reviews is a risk. Ask your vendor how (and if) they filter content.

Before discussing HIPAA, we must discuss the Board of Medicine and the Federal Trade Commission (FTC). Both frown on false or deceptive advertising. Arguably, filtered reviews (without proper disclosures) do not tell the full story of a practice. And if the Board of Medicine or the FTC frowns on you, it will take action. They can fine you. They can put your license to practice at risk. If your practice cherry-picks positive reviews and uploads them (or selectively sends patients) to third-party sites, regulatory agencies may see your “cream of the crop” selection as an invitation to a “longer discussion.” Regulatory bodies may be okay with filtering reviews/endorsements – so long as the practice discloses its gathering techniques…


While the example above is honest and does disclose the filtering, its power to inspire trust in new patients is negligible. If you feel compelled to use filtered content, disclosing your methods is one of the few ways to minimize risk. But, we are not sure why you’d use the technique when its marketing benefit is neutered.

In conclusion: Understand the consequences of filtering reviews. Our opinion? Don’t do it.

Point No. 2 – HIPAA audits are here. Marketing is addressed by HIPAA. Be prepared.

Like the IRS, the Office for Civil Rights of the Department of Health and Human Services conducts audits. Random audits. Failure to meet its standards will result in enormous fines. Proactive practices have little to fear.

What does a HIPAA audit look like?

An investigation might be a paper audit or an on-site audit and requires your practice to provide the following…


Any practice can be subject to a random audit. But, if a HIPAA breach occurs, and all these documents have been created upfront, it demonstrates you thought about HIPAA before the problem. It’s an explanation. You’re prepared. If you struggle to create these documents after the fact, it is considered “an excuse.” Penalties will correlate to your state of preparation. Or lack thereof.


How do HIPAA violations happen? What are common examples?

Let’s pretend your patient (Amy) has diabetes. Let’s pretend Amy just posted a glowing review on Google. In her review, Amy, using her full name, thanks you for helping her control her blood sugar. You notice the review and write the following response…

“I’m glad I was able to help, Amy. Please remember to check your blood sugar every night. And keep your insulin refrigerated!”

And there you have it. It does not matter that Amy divulged information about her own healthcare when she wrote her review. By 1) identifying Amy as your patient and 2) acknowledging her diabetes, you have disclosed Amy’s PHI. Thus, you’ve committed a HIPAA violation.

Responding to a NEGATIVE review can be just as dangerous.

Let’s pretend Amy’s sister (Sarah) has a sore throat. You examine Sarah, administer treatment, and send her on her way. A week passes. All seems well. Then you read Sarah’s review…

“The doctor was nice, but his staff was rude! And I had to wait 40 minutes JUST to get examined for a sore throat! He’s an OK doctor, but his practice SUCKS!”

Not wanting your staff’s reputation to be tarnished, you respond as follows.

“I’m sorry you had a bad patient experience with my staff, Sarah. We’ll do our best to improve wait times. If your throat does not feel better soon, please consider visiting us again.”

The bottom line is this: If you insist on responding to patient reviews, DO NOT reveal information about the patient’s treatment. DO NOT identify the author as your patient. A doctor can reveal information about a patient’s treatment online ONLY IF the doctor has the patient’s written authorization to do so.

In conclusion: Get HIPAA-compliant. Conduct an SRA, establish HIPAA Security and Privacy Policies, and provide ongoing HIPAA training. Find a trusted entity to walk you through.

Point No. 3 – Be wary of third parties that “specialize” in doctor marketing. It is your responsibility to verify they are HIPAA-compliant.

If you work with a third-party vendor to capture reviews for posting online, HIPAA applies. The consequences for noncompliance are steep. Practices should be vigilant about third-party business agreements. This means the vendor should be a formal HIPAA Business Associate, with signed documentation acknowledging that status, and the vendor must securely store and transmit Protected Health Information (PHI).

We already know random HIPAA audits are here. Do NOT take shortcuts.

If the vendor is not a HIPAA Business Associate, and you provide PHI to this vendor, you need a valid HIPAA-compliant authorization from each patient before disclosing Protected Health Information to this vendor. Even if a vendor IS a HIPAA Business Associate, they will still need a valid HIPAA-compliant authorization if they disclose PHI to the public – as most patient reviews do, for example. Also, make sure your Business Associate carries cyber liability coverage that responds if the vendor creates a HIPAA problem. Many vendor marketing agreements cap the vendor’s liability at what you paid the vendor. Such a cap will be grossly deficient if and when you need to be bailed out because of your vendor’s breach.

Some practices (those that do not file for insurance reimbursement, for example) may not formally fall under federal HIPAA rules. But, the analysis does not stop there. State privacy laws still apply. And how does the state determine if a privacy breach occurred? Well, they look to see how HIPAA would have treated the incident. So, there’s a backdoor tool for enforcement of HIPAA even when a practice is not technically beholden to HIPAA.

In conclusion: Make sure all third-party vendors sign HIPAA Business Associate Agreements if they will have access to PHI.

Some vendors who focus on doctor marketing are HIPAA-compliant. Many more are not. eMerit serves doctors of all specialties and across all states, diligently posting 99% of the patient reviews a practice collects. We coordinate with our clients to help them control Google page one searches, while also providing a comprehensive suite of reputation marketing services.
