Customer loyalty is the ultimate goal of any business. Every day companies should not only try to provide excellent service, but also try to turn a dissatisfied customer into a happy one.
But how can a healthcare provider calm down an angry patient without violating HIPAA? Public review platforms pose an additional challenge here. Below, Pissed Consumer gives tips on how to respond to reviews and comply with HIPAA at the same time.
Healthcare companies, more than companies in any other area of business, need to build trustworthy, reliable, and loyal relationships with their clients. But they have something very important to consider while communicating with their patients, especially online on public platforms: HIPAA (the Health Insurance Portability and Accountability Act, enacted in 1996).
The Act, through its Privacy Rule, protects individually identifiable health information in any form (paper, spoken, or electronic); its Security Rule adds specific requirements for health information that is created, stored, or transmitted electronically. The institutions that must comply with HIPAA regulations include:
- medical centers, clinics, and hospitals;
- private practices;
- outpatient providers;
- hospices and adult care providers;
- health plans and insurance providers;
- business associates, i.e. vendors that handle protected health information on behalf of any of the above.
Why Is HIPAA Compliance Important for Healthcare Providers?
Or, in other words, what consequences can HIPAA violations have for them? HIPAA violations are infamous for substantial penalties: settlements with the U.S. Department of Health and Human Services (HHS) have reached $5.5 million in a single case, and statutory civil penalties accrue per violation and per year. Such significant HIPAA violation penalties may be particularly threatening to small private practices. Moreover, healthcare institutions can also face sanctions, corrective action plans, or loss of license.
Real HIPAA violation examples, and the fines that followed, speak louder than words:
- In April 2017 CardioNet settled potential noncompliance with the HIPAA Privacy and Security Rules. The company paid $2.5 million in HIPAA violation penalties and had to adopt a corrective action plan.
- A similar issue happened to Memorial Healthcare System (MHS). In February 2017 this medical organization paid HHS $5.5 million to settle potential HIPAA violations. The protected health information (PHI) of 115,143 individuals had been impermissibly accessed by MHS employees and disclosed to affiliated physician office staff.
- Another case, reported by Digital Guardian, involved Lahey Hospital and Medical Center (Lahey). In November 2015 Lahey agreed to pay $850,000 in HIPAA violation penalties and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules, after a laptop holding PHI was stolen from the hospital.
And these HIPAA violation examples are not rare. Nevertheless, businesses operating in the medical field have to keep up with modern technology to succeed in customer service while still meeting HIPAA requirements. That’s why it’s important to be aware of the 5 most common HIPAA violations and to follow Pissed Consumer’s tips on how to respond to online reviews in accordance with HIPAA.
5 Most Common HIPAA Violations
Entities that deal with people’s medical records have to always be on guard. They must not only protect the data from unauthorized disclosure, but also ensure the integrity and availability of patient information upon request. Moreover, medical institutions need to train their staff according to HIPAA requirements.
Despite all these preventive measures, the same kinds of violations keep occurring year after year. Take a look at the 5 most common HIPAA violations.
1. Disclosure or use of protected health information (PHI) without authorization.
Employees can accidentally share an individual’s private information with colleagues or third parties. That is what this Pissed Consumer reviewer complained about: the pharmacists called the dentist the reviewer had previously seen and discussed the reviewer’s prescription with them:
“…I am not happy with Walgreens pharmacy nor the pharmacist there. What makes Walgreens think they have the right to play doctor and report something so trivial as this? I did not give them permission to discuss my meds with any other person and that is, to me, a HIPAA violation. My meds should not be discussed with anyone without my permission...”
Data can also leak if medical workers send PHI over unencrypted channels such as SMS or personal email, where it is exposed to interception, or if they mishandle patient records so that other staff members or patients can see them. This Pissed Consumer poster experienced such an issue when a notice arrived in an envelope that exposed its contents to anyone who handled it:
“The notice was sent in a non standard envelope, with specific account, medical details and collection details visible from outside the envelope and through the envelope window for all to see. This was both an FDCPA violation and a HIPAA violation.”
A Walgreens customer had the same issue at a pharmacy where he/she was shown records of another customer:
“…$30.00 may not be much to them but they are sure losing a lot more now due to a large number of prescription transfers and considering a lawsuit over a HIPAA violation when they showed me the computer screen with someone else's prescription history, name and contact information…”
Last but not least are online posts and comments on social media networks, review platforms, and blogs. A healthcare entity’s customer service representatives can unintentionally breach an individual’s privacy there by confirming or sharing his/her PHI in a public reply.
2. Absence or lack of technical safeguards to protected health information.
This type of HIPAA violation poses one of the biggest dangers to any healthcare entity. The Security Rule requires technical safeguards for electronic PHI: access control, audit controls, integrity controls, person or entity authentication, and transmission security. Unfortunately, company systems quite often turn out to be unable to protect patients’ medical records and can be accessed by cybercriminals. Health information can also go public if employees access data from home computers or other unmanaged, unprotected devices.
3. Inability for patients to access their protected health information.
Medical institutions can fail to provide patients’ records upon request, which can lead to HIPAA complaints. For example, this Quest Diagnostics customer had a situation where his/her records were not released upon request:
“…HIPAA gives patients the right to get copies of all of their medical records. That means nothing can stand between you and your medical records. Quest and doctors that don’t release the records until they see you in office are violating this. Reports shouldn’t be required to be released from the doctor's office.
Some doctors abuse this system and don't release the report even though nothing is abnormal on the report…”
Another person, who wrote this HIPAA-related review about CareNow, shares the same concern:
“…Furthermore, they have no respect for HIPAA; they refuse to release your complete records cover to cover and the records you do get are blacked out, hiding full detailed information…”
Even though this type of HIPAA violation seems minor, it can lead to quite costly settlements.
4. Lost or stolen devices.
Theft or loss of cell phones, tablets, laptops, flash drives, and other devices holding PHI can result in HIPAA violation penalties. Even if the loss itself is accidental, that does not reduce the amount a violating organization has to pay. To prevent this from happening, management and employees must take appropriate security measures. One check worth making: if the device’s storage was encrypted according to HHS guidance, the PHI on it is not considered “unsecured”, and its loss generally does not trigger breach notification; an unencrypted device offers no such protection.
5. Illegal or excessive access to patient’s files by employees.
It is also a quite common type of HIPAA violation when staff members access patient records without authorization, especially if the employees are the patient’s friends or relatives, or if the patient is a celebrity. This consumer who posted a review about Gentiva complained about a HIPAA violation:
“..I was admitted to Kennestone Hospital, Marietta GA recently and subsequently found out via text messages that this individual was intent on finding out information about my personal medical issues by way of imploring Chubby to mischievously ascertain this information, effectively violating HIPAA Privacy Laws…”
Such curiosity can be seriously punished with substantial fines or even imprisonment.
An organization can be penalized not only for an actual breach, but also for leaving patients’ data exposed to a potential threat, for failing to perform a risk analysis, and for lacking a corrective action plan. To avoid noncompliance with HIPAA, an organization should track every update to the Security and Privacy Rules.
6 Tips on How to Respond to Reviews Under HIPAA Guidelines
HIPAA restrictions are no reason to ignore your patients’ complaints. You just need to be more careful than other businesses when communicating with your clients. To succeed in this communication and get the most out of it for your company, keep the following tips in mind.
1. Respond quickly.
This is what your disgruntled customers expect from you first of all. But remember that HIPAA will not forgive impulsiveness, and a hasty reply can be an expensive mistake. Double-check everything you write to your customers publicly. Re-check the tone and the phrases you use when responding to HIPAA-related reviews.
2. Be patient, polite, and helpful.
Bad things happen and patients CAN BE unhappy with your services. So be ready for an angry client to express himself/herself aggressively. But this behavior shouldn’t affect your attitude. Be objective and don’t take it personally.
Think about the answers to the following questions: Why did it happen, and why did the patient feel this way? Is there something you could have done to prevent it? Have you or your colleagues already heard about it? Should you consider a change or improvement?
Remember that your “weapons” are patience and friendliness. Acknowledge the concern and take responsibility for following up on it, without confirming any details of the person’s care in public. That will soothe the person and make him/her open to further interaction. Your main goal is to take the conversation offline and resolve the issue raised in the review directly with the person.
3. Comply with the “confidentiality” rule.
Since you can’t disclose a patient’s information in any way, you need to craft responses that meet HIPAA requirements. You shouldn’t acknowledge that the person who wrote the review is your patient, even if he/she has publicly said so: a patient’s own disclosure does not release you from your obligations. It means that replies like:
“We apologize that you’ve experienced some issues with our company. But we’d love to take the chance to make it right.”
are not a good answer, because you publicly confirm that this person is your patient. Your answers to HIPAA-related reviews on public sites have to be completely impersonal, but not “robotic”. In practice that means preparing several templates while leaving room to address a particular problem, for example when a person is dissatisfied with a company policy or rule and you need to explain it, in general terms, to defuse the conflict. Moreover, every response should be written so as to encourage the customer to discuss the matter offline.
4. Take the dispute offline.
This is the main goal of any online exchange about a medical issue. In an offline conversation you can find out as many details as needed to fix the issue faster without violating HIPAA. Use a channel you control and can verify, such as a phone number or your patient portal, rather than a public comment thread or an unverified social media account. The offline conversation also makes the interaction more personal and makes your customer feel cared for and important.
5. Try to get as many details as possible.
Even if the customer hasn’t provided them. The information you collect is needed to make the right unbiased and empathetic decision. You have to get answers to the basic questions: how, where, and when it happened, who was involved, and what actions were taken to settle the issue. In turn, give your customer as many details as possible about how you are going to resolve his/her problem and when.
6. Follow up.
Reach out to the person a few days later to make sure that the complaint has been addressed and resolved. Keep in mind that you must always provide the best customer service. Thanks to follow-ups and the feedback you collect, you will know for sure whether you have fully met your customers’ needs.
Remember that such close company–customer communication helps not only to turn a disgruntled consumer into a loyal one, but also to identify flaws in your business and prevent them from recurring.
HIPAA poses a real monetary danger to medical businesses that do not meet its requirements. But knowledge, law-abiding behavior, and sound business practices have always been the best tools to avoid legal trouble. Be aware, stay updated, and your medical entity will be far better protected.
1. While every effort has been made to ensure the accuracy of this publication, it is not intended to provide any legal, medical, accounting, investment, or other professional advice, as individual cases may vary and should be discussed with a corresponding expert and/or an attorney.
2. All or some image copyright belongs to the original owner(s). No copyright infringement intended.