HIPAA FAQs
This page offers answers to commonly asked questions from clinics about HIPAA. If you can’t find your question here, please reach out to hipaa@bu.edu.
Quick links: De-identified Patient Information | Responding to Online Reviews
De-identified Patient Information
De-identified patient information is data from which personally identifiable information (e.g., a person’s name, email address, or social security number) and protected health information (PHI; e.g., medical history, test results, and insurance information) have been removed.
How can I use de-identified patient information?
If the information is truly de-identified under HIPAA, it is not PHI and you do not need an Authorization to use it for classroom and other educational presentations, publications, promotions or other purposes.
How do I know if the information is de-identified?
Ask these questions:
- Does the information include the patient’s name, initials, email address, phone number, social security number, or medical record number?
- Does the information include any dates relating to the patient, such as patient date of birth, date of treatment, dates of appointments?
- Does the information include geographic identifiers, such as the patient’s address, or even the patient’s town or zip code?
- Does an image (photo or video) show the patient’s face?
- If the image does not show the patient’s face, is it possible to identify the patient from what is shown?
- Does the information or image include any of the 18 HIPAA identifiers? See complete list in BU HIPAA Policy 1.4.
- Does the information include any other element that may be used alone or together with other available information to identify the patient?
If you answer yes to any of these questions, you need an Authorization.
Examples of De-identified Patient Images (No Authorization Needed)
- Video showing the patient’s gait, filmed only from the shoulders down
- Photo or video of the patient walking that shows only patient’s back
- Images of body parts that are not identifiable
Examples of De-identified Descriptions (No Authorization Needed)
73-year-old, active woman underwent a routine cardioversion for atrial fibrillation but developed multiple complications, including sepsis and respiratory failure, resulting in weakness.
Patient is a 30-year-old female with a history of right-sided headaches after a motor vehicle accident, which occurred 1 month ago. Since the accident she reports having constant headaches. Her pain is described as a dull ache. The pain is located in the neck and the back of the head, and it sometimes travels to the front of the head and into the eye. She reports daily headaches that can last anywhere from 30 minutes to hours.
Example of an Identifiable Description (Authorization Needed)
Ms. Wilson was born in July of 1953 and has worked for 40 years as a welder. Her COPD was first diagnosed in 2007. In the last quarter of 2017, she had a series of 3 COPD exacerbations. These exacerbations required medical intervention with antibiotic treatment and oral steroids; she was hospitalized at Boston Medical Center briefly during the last event.
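The checklist above is easy to apply by eye to one description, but a clinic that reviews many case write-ups for teaching or publication may want a first-pass screen before a person reads them. The following is an added example, not part of the BU FAQ and not BU tooling. It flags the identifier types from the checklist that have a recognisable shape in free text: dates (including bare years, following this page’s “all dates” definition rather than the looser federal Safe Harbor rule), phone and social security numbers, email addresses, ZIP codes, medical record numbers, ages over 89 (which Safe Harbor treats as an identifier), and honorific-plus-surname names. Names and places have no fixed shape, so the caller supplies lists of those the clinic knows about. The function names (`screen`, `needs_authorization`) and the place list are this example’s own assumptions; the three sample descriptions are the ones above. Run over them, it flags only the identifiable one. A clean result is not proof of de-identification, since the last checklist question (any other element that could identify the patient) still needs human judgement, but any hit is a reliable sign that an Authorization is needed.

```python
import re
from typing import Iterable, List, Tuple

# Identifier types that have a recognisable shape in free text. Names and
# places have none, so screen() also takes caller-supplied lists of those.
_MONTHS = r"(?:January|February|March|April|May|June|July|August|September|October|November|December)"
_PATTERNS = {
    "date": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"                             # 07/14/1953
        rf"|\b{_MONTHS}(?:\s+of)?\s+(?:\d{{1,2}},?\s+)?\d{{4}}\b"  # July of 1953, May 3, 2017
        r"|\b(?:19|20)\d{2}\b",                                    # bare year: the page says "all dates"
        re.IGNORECASE,
    ),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record (?:number|#))\s*#?\s*\d+\b", re.IGNORECASE),
    "name": re.compile(r"\b(?:Mr|Mrs|Ms|Miss|Dr)\.?\s+[A-Z][a-z]+\b"),  # honorific + surname
}
# Ages are only an identifier when over 89 (Safe Harbor aggregates those to "90+").
_AGE = re.compile(r"\b(\d{1,3})[-\s]year[-\s]old\b", re.IGNORECASE)


def screen(text: str,
           known_names: Iterable[str] = (),
           known_places: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (category, matched text) for every identifier found in `text`.

    An empty list means the screen found nothing; it does not prove the text
    is de-identified, because context-dependent identifiers need a human.
    """
    findings: List[Tuple[str, str]] = []
    for category, pattern in _PATTERNS.items():
        findings += [(category, m.group(0)) for m in pattern.finditer(text)]
    findings += [("age_over_89", m.group(0))
                 for m in _AGE.finditer(text) if int(m.group(1)) > 89]
    lowered = text.lower()
    for label, items in (("name", known_names), ("place", known_places)):
        findings += [(label, item) for item in items if item.lower() in lowered]
    return findings


def needs_authorization(text: str, **kwargs) -> bool:
    """True if any checklist question would be answered 'yes' by the screen."""
    return bool(screen(text, **kwargs))


# The three sample descriptions from the FAQ page.
DEIDENTIFIED_1 = ("73-year-old, active woman underwent a routine cardioversion for "
                  "atrial fibrillation but developed multiple complications, including "
                  "sepsis and respiratory failure, resulting in weakness.")
DEIDENTIFIED_2 = ("Patient is a 30-year-old female with a history of right-sided headaches "
                  "after a motor vehicle accident, which occurred 1 month ago. Since the "
                  "accident she reports having constant headaches. She reports daily "
                  "headaches that can last anywhere from 30 minutes to hours.")
IDENTIFIABLE = ("Ms. Wilson was born in July of 1953 and has worked for 40 years as a welder. "
                "Her COPD was first diagnosed in 2007. In the last quarter of 2017, she had a "
                "series of 3 COPD exacerbations. These exacerbations required medical "
                "intervention with antibiotic treatment and oral steroids; she was "
                "hospitalized at Boston Medical Center briefly during the last event.")

# Constructed for this example: a clinic would maintain its own list of
# facilities and places that narrow a patient's location below state level.
KNOWN_PLACES = ["Boston Medical Center"]

if __name__ == "__main__":
    for label, sample in (("de-identified 1", DEIDENTIFIED_1),
                          ("de-identified 2", DEIDENTIFIED_2),
                          ("identifiable", IDENTIFIABLE)):
        hits = screen(sample, known_places=KNOWN_PLACES)
        verdict = "Authorization needed" if hits else "no identifiers found"
        print(f"{label}: {verdict}")
        for category, matched in hits:
            print(f"    {category}: {matched!r}")
```

The date pattern deliberately treats a bare year as a hit because this page’s definition of de-identified PHI removes all dates; a clinic applying only the federal Safe Harbor rule (which permits the year alone) would drop the third alternative.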
Key Definitions
PHI: For this purpose, assume PHI is any information a clinic has about any of its patients. This includes registration and payment data, demographics, the patient medical record, oral information, photos, other images and audio/video records.
De-identified PHI: PHI from which you have removed patient name, dental record number, address, contact information and all dates (DOB, treatment dates, etc.). See complete list at BU HIPAA Policy 1.4.
Patient Authorization: A signed form in which the patient gives authorization for his/her PHI to be used for a purpose other than treatment, payment and health care operations.
Minimum Necessary Rule: Always use the minimum amount of patient information needed.
Responding to Online Reviews
Patients will occasionally leave online reviews (e.g., Google reviews, Yelp, etc.) about their experience at a healthcare facility and/or about their provider. It is tempting to respond to those reviews, whether good or bad. However, responding to a review can be a HIPAA violation and a violation of state privacy laws, so it is best practice to not respond at all. The following are some FAQs about responding to online reviews:
My patient wrote a review about me online. Should I respond?
No. Your response may be an impermissible disclosure of patient information and a violation of HIPAA and state privacy laws.
So, I should just ignore the fact that the patient wrote a review?
Absolutely not. You should reach out to the patient offline to let them know you saw their review. You can do this at their next appointment. If the review was positive, you can tell them how much you appreciated their kind words. If the review was negative, you can hear what they have to say and see whether you can address their concerns. Although negative reviews are never enjoyable to hear, they may be an opportunity for improvement.
The patient’s review is completely made up. Does it matter that the review isn’t even true?
Unfortunately, you cannot respond to the patient’s review to say it is untrue. However, you can reach out to the website that hosts the review and ask them to remove it, since it is false.
The patient identified themself in the review, so they already disclosed their own information. Why can’t I respond?
Even if a patient identifies themselves in a review, it does not give you the ability to respond and acknowledge that they are a patient. There is no exception under HIPAA or state law for responding to a patient’s review without the patient’s authorization.
What is the big deal if I do respond?
The Office for Civil Rights (OCR) has entered into settlement agreements with several healthcare providers over responses to online reviews; these agreements include fines and government monitoring. This issue is on OCR’s radar and is something they are enforcing.
Even if I can’t respond, can someone else from my clinic respond?
We strongly recommend that no one at your clinic respond to online reviews. It is challenging to provide a meaningful response to a review when you can’t acknowledge that the person giving the review is a patient. However, if the clinic feels a response is necessary, an individual at the clinic can be specifically designated to respond to online reviews. That person can only respond to the online review with a generic statement, which says something like, “Our office strives to provide excellent service to all patients, and we do our best to meet this goal. We encourage any patient who would like to discuss their experience to contact us directly,” or “Thank you!”
This was super helpful, but what if I have more questions?
You can always reach out to hipaa@bu.edu with any questions you have about responding to online reviews or any other health privacy matters.