
How to Respond to Negative Reviews Without Violating Patient Privacy Laws – January 1, 2025

In This Episode

PeerPOV: The Pulse on Medicine is a weekly podcast series that features expert commentary on the latest healthcare news, landmark research, and more.

Dr. MedLaw returns to advise how physicians can handle negative online reviews without accidentally giving away patients’ health information and potentially facing legal trouble. 

Let us know what you thought of this week’s episode on Twitter: @physicianswkly

Want to share your medical expertise, research, or unique experience in medicine on the PW podcast? Email us at editorial@physweekly.com!

Thanks for listening!

TRANSCRIPT:

Welcome back to PeerPOV: The Pulse on Medicine, a podcast series by Physician’s Weekly showcasing the latest insights from your peers across the medical community.

On this week’s episode, Dr. MedLaw returns to talk about the ethical and legal matters that physicians should bear in mind when handling negative online reviews.

Hi, this is Dr. MedLaw. If you haven’t met me before, I’m a radiologist with a specialty in breast imaging and I’m also a medical malpractice attorney.

We’re at the last part of our little mini-series on social media issues, and the topic now is dealing with negative postings about you. We’ve talked about some general issues about this in the past, but now we’re going to get into the nitty gritty. What do you do when you’re angry? How do you avoid making the situation worse?

Let’s start with the fact that you’re already doing what you should do in your practice. You’re following that smart aphorism that “the solution to pollution is dilution,” and you’re encouraging satisfied patients to leave feedback online.

But now, your office manager, who monitors physician rating sites for you, just told you that there’s a comment about you that says, “You’re the nastiest doctor I ever had, you ignored what I was saying about my back pain and accused me of just being lazy and not wanting to work, and you didn’t care if I lived or died.” And you know who this is. It was a new patient who had not been able to qualify for disability in the past and wanted you to provide them with an accommodation claim for work so they could take unlimited breaks to lie down. When you told them that your evaluation of their condition just did not support that, they stormed out.

They were angry then. Now you are angry because you’re being characterized falsely, and you really want to respond.

Of course, you’re not going to go down a rabbit hole about suing the website or the person who put up the post. You know that the website is immune under the Communications Decency Act for what third parties post. You also know that this post is not actually going to cause you economic damages. It would underpin a defamation claim, and that’s even if you could actually sustain a claim that these are knowingly false statements and not just opinion.

You also know that such lawsuits have backfired on doctors because they publicized the issue. That’s called the Streisand effect because Barbra Streisand made such a big stink about Google having a picture of her house that she drew more attention to the picture of her house. You also know better than to have a lawyer send the poster a demand letter insisting that the post be removed because at best, there’ll immediately be another post describing how you tried to bully them, and the demand letter will go viral. And at worst, there could be a complaint to your state board for harassment and for trying to impede a patient in their right to engage in public speech on healthcare.

That leaves writing your own response, and that’s why we’re talking today, because that’s the point at which doctors can aim at the negative poster and end up shooting themselves in the foot. They’re angry and feel betrayed by a patient they only tried to help, both of which are mindsets in which the likelihood of worsening the situation with an actionable privacy breach is just far too likely.

The classic First Amendment response is that the answer to speech that you don’t like is speech of your own. That’s great when you’re learning about the First Amendment, but the founders were not fiduciaries for patients, and they didn’t have to deal with medical confidentiality laws.

This situation is also the flipside of the usual confidentiality scenario. In most cases of privacy breaches, the patient has said nothing, and the onus is on the doctor who wants to share something about the case to not reveal identifying information. Here, though, the patient has opened the door to their PHI by posting to the world that they’re your patient and about what happened in their care. The doctor’s likely to see that as a general waiver, but it isn’t. The patient is still in complete control of what can be revealed about them.

Start with their name. If the poster signs off as Jane Smith, okay, fine, that’s her choice. But if she uses J. or JS or J. Smith, no further identification can be offered in the doctor’s response. And if the post is anonymous or under a pseudonym, the doctor cannot use the patient’s name, even if the statements in the post make it absolutely clear to the doctor who the patient is.

The real challenge, though, comes as far as refuting the negative comment. Again, posting a quantum of PHI is not a waiver by the poster as to the rest of it. The doctor crafting their response must therefore be careful to go no further than what the poster has said—essentially, to mirror it. But where’s that line, particularly when it may be in the eye of an investigator-beholder if a complaint is made?

The most strict school of thought is that to respond with anything other than a completely generic response—like if there was a complaint about a long wait, you say something like, “Our office strives to see all patients as promptly as scheduled”—that anything more than that completely disengaged statement is a privacy violation because it verifies the PHI that the poster is a patient. But that’s overly strict because the complaint itself makes that revelation.

Then how far can the doctor go in being substantive? For example, what if a patient posts, “I had terrible chest pain, but all Dr. Jones did was listen to my heart for a moment and then blow me off.” Clearly the doctor cannot say, “We also performed an EKG that showed normal sinus rhythm and no ischemic changes.” That’s clearly chock-full of additional information.

But can the doctor respond that in addition to auscultation, an EKG was performed? It precisely mirrors the allegation that nothing else was done—but it does include an additional fact in doing so. The answer is that that option could pass muster or not, depending on the evaluator. The doctor should probably stick to something like, “A full evaluation was performed prior to discharge.”

Then what happens?

The doctor now feels completely unsatisfied and they feel like they have had to absorb an attack unilaterally while being denied the chance to offer an appropriate defense. The chance that the doctor will make the error of saying too much to self-justify gets very, very real. The consequences of what then becomes a retaliatory comment are potentially very significant.

As a cautionary tale, consider the experience of a dental practice. A patient made a complaint on their Google page under a pseudonym, but an employee figured out who they were. The practice then does this complete PHI dump: the name of the patient, their dental condition, treatment, appointment attendance. Then they cap it off with an anecdote about how badly behaved the poster was in the office. So the poster does exactly what you’d expect of an angry person who wants to get the practice in trouble. They make a complaint to the Office for Civil Rights at Health and Human Services, saying this was a HIPAA violation. The practice was slapped with a $50,000 fine.

Of course, this practice obviously went too far, but what you write that seems innocuous and just clinically relevant to you may not make it under the limits that an OCR or state board evaluator applies when a patient who already has a grudge against you gleefully presents it to get you in trouble.

With this sort of uncertainty, it’s not surprising that AI has entered this area, with vendors promoting programs that will be separate from any PHI access and provide acceptable generated answers to online comments. That a technology that’s known to hallucinate, creating unfounded answers and false facts on its own, may not be ideal in this setting, should be considered. In any case, though, the doctor must review what the AI system produced. It cannot be left to work autonomously in the doctor’s name.

While we’re on the topic of answering not personally, I’m going to say something that should go without saying: you cannot job out a response to your staff. Even if you have the best partner, associate, office manager, or best nurse practitioner, and you’re one mind and two bodies, it’s going to go out as your response. They can draft it and show it to you, but you cannot let someone else answer for you.

So, what should you do?

Your first question to yourself is whether the comment is potentially damaging enough for you to pay a lawyer or HIPAA consultant to help you craft a response. Since it’s virtually certain that it’s not going to rise to that level, your next step is to consider, what is the essence of the complaint under vitriolic language? Specifically, is it something for which you can provide a generic answer that doesn’t touch on PHI too?

If the comment is that your restroom is dirty or that your front desk staff discusses patients too loudly and can be overheard in the waiting room, you can easily address those without ever touching on the individual patient, even if it’s a rant against you personally, saying that you only care about racking up billing. You can answer that with a general statement that all treatment plans are clinically based in best practices and that all care is discussed with patients before it’s initiated.

But if the complaint is about specifics of the poster’s own care, you have to consider whether you’ll need details that can impinge on PHI to respond to it in a way that you feel is adequate to nullify it. If so, your next question to yourself is whether dealing with the negative comment is worth the risk that you will step over a confidentiality boundary and provide ammunition to someone who already wants to cause you reputational and business harm.

This is not to say that you won’t prevail. As we noted earlier, a limited PHI statement may pass muster, but even that would be a Pyrrhic victory, if in responding to an online comment you buy yourself a costly and time-consuming interaction with the OCR or state board. A good rule in having this discussion with yourself is to honestly understand that what you can do, you probably won’t like; but what you will like, you probably can’t do.

Your best bet if the comment is not one that can be answered cleanly—and you’re not going to like this, the next part of what I’m saying—take a cue from Queen Elsa, and let it go. Let it be swallowed up in the many positive comments and your overall excellent rating. I know you didn’t like that answer, but it’s probably the way that you want to go so that what was minor never grows beyond that.

Before we close, let’s look at one other issue. Is there ever a role for contacting a patient who posts negatively online? The answer to that is a very caveated “yes.”

If the patient has posted about a legitimate issue—again, even in a very volatile way—then it’s worth your corrective attention. Part of that can be contacting the patient. However, this must clearly be about you accepting the criticism rather than you trying to get the comment taken down. The latter would be viewed as overweening by the party with greater power—you—if the patient then makes a harassment complaint to your state board.

If you do decide to contact the patient who posted, leave the online site and do it privately with them. Do it in writing so there’s proof of what you said, and state that you were unaware of the problem, if that’s the case, that you apologize for any inconvenience they had, and you’ll be taking steps to correct the issue that they raised. Then thank the poster for bringing it to your attention and urge them to contact you directly in the future if there’s an issue.

The implication will be not to post online again, but it will be within the offer of a better alternative, not as an attempt to silence them from criticizing the practice. Do not ask expressly for a takedown. Remember that a future evaluator needs to see this solely as good practice in the face of an error, not a non-apology that’s just a way to pressure the patient.

That’s it for our little mini-series. Thanks for a chance to talk about this important topic.
