My Physical Therapist Is a Terrible Provider

thumbs down cell phone

How to deal with negative online reviews while complying with HIPAA.

By Paul J. Welk, PT, JD

Reading the statement “My Physical therapist is a terrible provider” on an internet site or social media platform related to an employee of your physical therapy practice presumably stirs a number of emotions.

While a practice owner’s first thought may be to quickly respond to the review, in many cases that may not be the best approach. Any response must give strong consideration to a number of factors. This article will concentrate on issues to consider under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) when responding to negative online reviews of a physical therapy practice.

A primary reason for the HIPAA privacy rule is to define those situations in which a covered entity, such as a physical therapy practice, may use or disclose an individual’s protected health information. In general, a covered entity may not use or disclose protected health information except as the privacy rule permits or requires or as the individual who is the subject of the protected health information authorizes in writing.1 Information protected by the privacy rule includes items such as an individual’s name, address, and birthdate. When an individual posts a negative comment about a physical therapy provider, a specific response to that individual’s comment presumably is not a circumstance under which a covered entity may disclose protected health information. As a result, many providers who made specific responses could be found in violation of HIPAA.

There is a substantial body of information available that illustrates the potential ramifications under HIPAA in responding to a negative patient review. For example, Yelp, an online review forum, provided access to ProPublica, an independent newsroom, to over 1.7 million reviews from its users. In analyzing these public reviews, ProPublica identified many instances in which providers appeared to be violating HIPAA in responding to negative reviews.2 In addition to the concerns identified by ProPublica, there are multiple instances in which covered entities have reached settlements with the United States Department of Health and Human Services Office of Civil Rights (OCR) in connection with the release of protected health information without a valid authorization. By way of specific example, in 2013 the OCR announced a settlement with a regional medical center in a case where OCR investigators found that the medical center released information from an individual’s medical record to multiple media outlets as part of the medical center’s response to an article suggesting that the medical center had inflated diagnoses to obtain excessive reimbursements.3

When determining how to address a negative review in a way that is HIPAA compliant, there are a number of factors to consider. Initially, is it better for the practice simply not to respond? The practice needs to weigh the risks and benefits associated with a response and make a decision based on the particular facts. For example, if a website contains 100 reviews of a practice and one of those has a potentially negative connotation, the practice may elect not to respond, while in a similar circumstance if the sole review is negative the practice may take a different approach. As has been seen in many circumstances outside of the health care context, engaging in a detailed back and forth debate via social media postings or otherwise can often have detrimental effects.

If it is ultimately determined that a response is necessary, the respondent needs to be cognizant of complying with HIPAA. As noted earlier, a practice cannot disclose protected health information in its response under most circumstances. Although it may seem like a small point, even acknowledging that an individual is or was a patient may be a violation under HIPAA. One way to deal with negative reviews is to establish a general response that is not specific to the individual negative review but rather addresses only the practice or provider. By way of example, in certain circumstances the following may be an appropriate response: “Our physical therapy practice seeks to provide all of our patients with high-quality rehabilitation services. Our office is happy to address any questions, comments, or concerns that anyone may have about the physical therapy care provided by us. In order to comply with applicable privacy laws, our office generally cannot respond to reviews on a case-by-case basis even if we do not agree with the contents of the review.”

In cases where the individual providing the negative review can be identified, the practice could consider directly contacting the individual to discuss his or her concerns. Before contacting the individual, it may be helpful to talk with the treating provider in an effort to determine if this particular approach may be helpful under the circumstances.

Of course, the best way to avoid the need to consider how to respond to a negative review is to eliminate the negative review in the first place. While unlikely to resolve the issue completely, utilizing patient satisfaction surveys and allowing individuals to have open lines of communication to raise complaints and concerns directly with the practice should help to minimize individuals’ posting of negative reviews on a public forum.

Although a practice owner’s initial intuition may be to quickly respond to a negative review with a detailed explanation of the practice’s position regarding the issues of concern, careful consideration should be given to this response to assure that the practice does not exacerbate the situation or otherwise violate any of its obligations under HIPAA.


1 Summary of the HIPAA Privacy Rule. Available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed July 27, 2018

2 Stung by Yelp Reviews, Health Providers Spill Patient Secrets. Available at https://www.propublica.org/article/stung-by-yelp-reviews-health-providers-spill-patient-secrets. Accessed July 27, 2018.

3 Her Case Shows Why Healthcare Privacy Laws Exist. Available at http://articles.latimes.com/print/2012/jan/04/business/la-fi-hiltzik-20120104. Accessed July 26, 2018.

*Please note that this article is not intended to, and does not, serve as legal advice to the reader but is for general information purposes only.

Paul Welk

Paul J. Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg, P.C., where he frequently advises physical therapy private practices in the areas of corporate and health care law. Questions and comments can be directed to pwelk@tuckerlaw.com or (412) 594-5536.