HIPAA-Compliant Marketing

Posted on by ASCENT: Administrator Support Community for ENT

Many successful medical practices rely on patient reviews and testimonials as a key part of their marketing efforts. As powerful as these can be in helping your business, they can run afoul of HIPAA privacy rules and regulations; reviewers are not bound to the same restrictions and may reveal information that cannot be published. And if you’re in the habit of promoting positive reviews and responding to negative ones, you might inadvertently cross the line, as well. Despite these potential problems, there are ways you can you leverage reviews for positive business purposes.   

Understanding HIPAA’s Rules Regarding Reviews

hospital bracelet with HIPAA information

Contrary to popular belief, you are allowed to respond to reviews, can share testimonials, discuss case studies, and use patient data without violating HIPAA rules. There are some very specific restrictions, however, requiring a thorough understanding of the rules. Keep in mind that HIPAA’s privacy regulations are designed to protect “individually identifiable health information.”


Protecting a patient’s anonymity is at the core of “individually identifiable” information. HIPAA regulations outline the following identifiers:

  • Basic information: Name, contact details, URLs, health records, full face photos, IP addresses, vehicle registration information.
  • Dates: All elements, except year, of any date relating to the individual  
  • Location: Geographical information referring to an area smaller than a state, full zip codes or partial (first three digits) zip codes that represent fewer than 20,000 people
  • Identifying numbers: Social security numbers, account numbers, and similar
  • Miscellaneous: In addition to the lengthy list of specific personal identifiers, you need to consider if there is a reasonable basis to believe the information may be used to identify the individual. This stipulation is especially relevant to review responses. Even if you omit all personal information, people reading your response will realize you are referring to the reviewer.

Removing all identifiers should help you avoid a HIPAA violation. You can also turn to a qualified individual to provide an expert determination.

Protected health information concerns anything related to an individual’s mental or physical condition or care. Per HIPAA, this includes:

  • Demographic: Age, gender, ethnicity, and similar information
  • Conditions: Diagnosis, prognosis, symptoms, medical history
  • Treatment: Test results, prescriptions, medical appointments, care providers
  • Financial: Past or future payments relating to medical treatment

While these rules seem straightforward, even the most experienced professionals sometimes have trouble understanding exactly what they can and cannot say. Some of the most commonly misunderstood areas involve the fact that the individual’s status as a patient is considered health information; that all health information is protected, even if the patient has released it him/herself; and verbal consent is insufficient when releasing protected information – you must have written authorization.  

Experts recommend crafting HIPAA-compliant patient responses in advance; you are free to thank the reviewer for their feedback without acknowledging that they are a patient, for example. It’s okay to provide information about your organizations policies and standards of service as long as you don’t specifically respond to details of the review. And it’s good practice to invite the person to contact you directly offline.

It may seem that HIPAA is so restrictive reviews and testimonials simply aren’t worth the trouble, but given their power as a marketing tool, it’s worth investing the time to understand HIPAA’s privacy rule and then use the information to your advantage without worrying about creating a violation.