From the frying pan into the fire? When HIPAA and reputation collide
One of the values I find in reading a lot online is that I’ll read something that makes me realize a gap in my own understanding of HIPAA or other issues. In this case, some forum comments and posts made by a doctor raised questions in my mind about whether HIPAA-covered entities fall afoul of HIPAA by responding to negative comments a patient made about them in public forums.
Can doctors defend their reputation in public spaces of the Internet if they are accused of lousy treatment by a named patient, and if so, how much can they say in the process of trying to defend their reputation without violating HIPAA? Or are they violating HIPAA by responding at all when the patient has not given explicit consent for them to discuss their care or case?
Recognizing that I’m wandering in as a spectator to the dispute that inspired this blog entry and have not contacted any of the parties involved, here’s what it looks like from behind the relative calm of my coffee mug:
1. A patient was seemingly unhappy with the results of a surgical procedure. The doctor seems to have made a second attempt, also with less than optimal results. Both parties agree on that. From there, the stories diverge.
2. The patient said he asked for half of what he had paid to be refunded. When the doctor refused, he left critical reviews/complaints about him on consumer sites. He also registered a [name]sucks.com domain.
The doctor responded to a number of the patient’s posts. In one, he indicated that the patient had suffered from a “rare complication.” It is not clear to me who first mentioned “rare complication.”
3. The doctor claims the patient tried to extort him and has harmed his business by his public comments. He has repeated that allegation in a few forums and even started his own threads about the patient’s business on some consumer gripe sites.
Seeing a doctor file a consumer complaint about a patient’s business is disturbing. That there’s no indication he ever dealt with the business where the patient is employed is disturbing. That in some of the posts he not only warns the employer about the patient but characterizes the patient as “unstable” is especially disturbing.
I do not know if the doctor consulted with his attorney about the wisdom of posting about his patient or responding to him online, but certainly I do not view his conduct as prudent. But what would HIPAA say, if anything?
Doctors can generally reveal confidential patient information to defend themselves in actions involving a professional disciplinary board if a patient files a complaint about them. They can also disclose financial information if necessary to obtain payment (e.g., referring an account to collection). But to discuss quality of care in a public forum, even if the patient disclosed the relationship or complained about you? Or to reveal your patient’s occupation and workplace and accuse your patient of attempted extortion? Defamation issues aside, what does HIPAA require of us?
I certainly understand the professional and personal desire to defend or repair one’s reputation, but reading the posts gave me that “yucky” feeling that the conduct was not appropriate. Maybe there is a HIPAA exemption that makes such public statements permissible and I just haven’t found it or recognized it, or maybe there isn’t any such exemption and some think there should be, but I don’t see where HIPAA permits us to say publicly what this doctor said. Certainly, even if the doctor has not violated HIPAA, I have strong reservations about this type of approach and think it probably does more reputational harm than good, but for now, I’m just focused on the HIPAA aspects.
HIPAA lawyers: have I misunderstood the law? If so, please educate me. Thankfully, I’ve never been in this situation, but if I ever am, I’d like to know what HIPAA really permits or bars.