
Is Yelp HIPAA compliant?


Yelp is a popular platform for discovering new, trustworthy businesses, and healthcare providers are no exception. When someone is looking for a new doctor, many start with a search on Yelp. Thousands of medical professionals, providers, clinics, and other medical-related businesses use Yelp to market themselves. This leads many to wonder: is Yelp HIPAA compliant?

SEE ALSO: Social Media & HIPAA Compliance: The Ultimate Guide

With 178M unique visitors per month, Yelp is clearly a worthwhile place to list your business. However, you need to understand its HIPAA limitations and the best practices that let you use the platform in a HIPAA compliant manner.


About Yelp

Yelp is a local directory and customer rating website for all types of businesses. Visitors can search and browse by location, business category, or keyword. Yelp is best known for its review network: the website has gathered over 205M reviews in which users leave star ratings and comments. It is estimated that a business's revenue increases by 9% for every additional Yelp star. The platform launched in 2004 and continues to grow year over year.


Why medical professionals use Yelp

Healthcare is actually the reason Yelp was created. “Yelp exists today because its founder, Jeremy Stoppelman, fell ill in 2004 and wanted recommendations for a doctor in San Francisco. He couldn’t find any useful information online, so he built a platform to make it possible for people to share and find reviews of doctors—and every other kind of local business,” Yelp said on its blog.

Yelp business pages give a visitor plenty of information on which to base a decision, and online reviews have a powerful effect on purchase decisions. An estimated 91% of people under 34 “are big believers of online reviews, trusting them as much as personal recommendations.” Yelp encourages people to review doctors on the platform and considers the insight they provide helpful. The company claims that 84% of consumers use review sites to find a new doctor. Each review shares one customer's personal experience, but taken together they reveal much more: trends in wait times, customer service, and the quality of treatment become easy to spot. Even negative reviews can turn into a positive experience. One professional claims that Yelp made him a better doctor.

SEE ALSO: How Doctors Should Deal with Negative Online Reviews


HIPAA fines from Yelp reviews

As helpful as online reviews can be, Yelp reviews pose a serious risk to medical providers, and replies to them have already led to HIPAA fines. One dental office was required to pay $10,000 after it replied to a patient’s review and included the person's name and health condition, violating HIPAA rules that require protected health information (PHI) to be kept private. That is just one example of the millions of dollars in HIPAA fines levied each year.

SEE ALSO: The Complete Guide to HIPAA Violations

Some medical providers using Yelp, especially smaller practices, are unaware of the details of the HIPAA Privacy Rule and do not understand how the consequences of violating it can affect their businesses. In short, HIPAA limits what a doctor can say when responding to a patient review, as we explain below.


The business associate agreement and HIPAA compliance

A business associate is a person or company that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI). If a business associate creates, receives, stores, or in any way uses PHI for a covered entity, a business associate agreement (BAA) must be in place. A BAA is a written contract between the covered entity and the business associate, and HIPAA requires it by law.


Is Yelp HIPAA compliant?

Yelp will not sign a BAA with covered entities. That does not mean healthcare providers cannot use it. It means that covered entities must never transmit PHI through the platform, whether in a business listing, a reply to a review, or a message to a reviewer.

SEE ALSO: Social Media for Healthcare Professionals—What to Watch For

Conclusion: Yelp is not HIPAA compliant because it will not sign a BAA. However, covered entities can still use it, as long as they do not share any PHI.


How to be HIPAA compliant on Yelp

Have no fear. Medical professionals interact with patients on Yelp every day in a HIPAA compliant manner. Educate yourself and your staff on best practices for Yelp and all social media platforms.

These include:

  • Develop an in-depth understanding of what information constitutes PHI
  • Never post any information that could be interpreted as PHI
  • Avoid language that confirms whether the reviewer is a patient or received any services; acknowledging that someone is a patient is itself a disclosure of PHI
  • Make general statements about the practice, without sharing specifics about any individual
  • Use broad terms that address “all patients” rather than an individual
  • Obtain written patient authorization before sharing or quoting any review
  • Do not diagnose or describe any prognosis, symptoms, or course of treatment
  • Use HIPAA compliant email to contact a patient directly instead of responding to his or her review in public


The underlying lesson is simple: do not publicly post ANY patient information. Yelp has put together a guide to help healthcare professionals navigate the space. The guide shares examples of real reviews and shows how to handle them while remaining HIPAA compliant.


Collect more reviews on Yelp

A healthcare organization’s online presence is an important part of its identity. Yelp can be a powerful platform for growing your business, and the number of reviews on your profile makes a big difference to people shopping for a new provider. Note that Yelp discourages soliciting reviews: you should not offer perks, awards, or discounts in exchange for them.

However, you are allowed to ask your patients to leave you a review. One way to do so is to send a simple email to all your patients with Paubox Marketing, our HIPAA compliant email marketing solution. The platform lets you send personalized marketing email that may include protected health information directly to your recipients' inboxes, with no passwords or portals required. Read more about what sets Paubox Marketing apart from non-HIPAA compliant solutions (such as Mailchimp and Constant Contact) here.

