Patient testimonials and reviews can help convey trust to potential new patients, and many digital marketing professionals highly recommend displaying testimonials on your website.
BUT HOW DOES HIPAA APPLY TO PATIENT TESTIMONIALS?
In 2012, a physical therapy provider in Los Angeles was found to have impermissibly disclosed numerous individuals' protected health information (PHI) when it posted patient testimonials, including full names and full-face photographic images, to its website without obtaining valid HIPAA-compliant authorizations.
The organization was required to pay a $25,000 fine, adopt and implement a corrective action plan, and report on its compliance efforts for a 1 year period.
If you are going to display patient testimonials on your website (or even on the wall in your waiting room), here are a few things you must do:
Do not include any protected health information in a testimonial.
You must have an agreement and authorization form signed by your patient.
A written copy of your HIPAA policies must be made available to all patients, including a policy that explains: A) the use and disclosure of patient health information on website and social media pages; B) the process for obtaining patient authorization to use their information; and C) the creation and use of a valid authorization form.
I would recommend making your testimonials anonymous by removing any identifiers like the patient's name and full facial photo. De-identifying the testimonial is, in my opinion, the safest way to prevent potential issues that could come up. That said, you should still follow all of the guidelines above even if the testimonials are de-identified.
The bottom line here is to review ALL of your processes as they relate to HIPAA. If you're using our HIPAA Forms service, then you understand the importance of being HIPAA compliant, but it's easy to overlook something like patient testimonials on your website. While your forms may be secure and compliant, there may be other aspects of your website that are not.