Patient testimonials may seem like an obvious way for any healthcare and wellness practice to promote themselves and build trust, but getting these testimonials published comes with a catch. Under The Health Insurance Portability and Accountability Act of 1996 (or HIPAA), medical and cosmetic providers cannot reveal any identifying details about their patients without their consent.
However, this “consent” can be a little unclear – and if you get it wrong, there can be severe penalties for your practice. So while it is possible to still use patient testimonials to build trust in your practice, you need to make sure that you follow all requirements to avoid HIPAA violations.
First off, it’s important to differentiate what “consent” is from “authorization”. Consent can be anything from verbal to written – and crucially, it’s not legally binding. A valid “authorization” on the other hand is a written document of authorization that precisely indicates what’s going to be done about a patient's information. There are two particular documents that healthcare practices need to use patient testimonials on their website:
A notice of privacy practices is basically a document that tells your patient three things:
This is crucial because anything about the PHI (or patient health information) usually cannot be disclosed. Giving your patient a notice of privacy practices is the primer they need to know what’s going to be done about their data – both for advertising purposes and for any other reason to disclose their PHI.
In contrast to the notice of privacy practices, the patient testimonial advertising form is specifically about how you want to use the patient’s testimony. Specifically, it has to answer:
If this sounds general to you, it is – HIPAA guidelines don’t really specify how you should frame or write this form. As long as it answers the three questions above, you can use whatever language you need to write the form.
Once you’ve managed to have your patient sign and secure those two forms, you should be HIPAA-compliant to use their testimonies on your website. Depending on how you craft your Patient Advertising Testimonial Form, it’s possible to use your patient testimonies in several ways.
Here’s our checklist of things you need to make sure of before publishing any patient testimonial in your content:
This might seem easy to forget, but it’s important to establish that:
A patient must be properly briefed about the content of each form, and any of their concerns and questions should be answered before publishing their testimonial anywhere. To be absolutely safe, always make sure that you have multiple copies of the two documents, and store the originals in a secure place.
While patients may give their authorization to disclose details about them for testimonials, they must know what kind of data you’re going to disclose. Some information like diagnosis, place of treatment, or even the type of treatment may not be information that they want out there.
Remember, HIPAA law expressly protects the patient, not the provider – it’s far easier for the provider to be sued than the patient. Even the smallest bit of information that you’re planning to use for a patient’s testimonial needs to be run through them before they ever make it into your content.
Patients also need to be informed where exactly their testimonials will be displayed. Given that a content strategy often requires that you repurpose, recycle, and publish content across multiple platforms, you need to make it clear to your patient where their testimonies can be displayed.
These areas include:
Aside from compliance, informing the patient about where their testimonials will end up can actually encourage organic sharing. If you’ve provided great service to the patient, they can share their testimonies with their network, bringing your business to a wider audience.
Some patients can be self-conscious about their image, especially with issues like how they sound or how they look. To avoid any possible issues with using their testimonials in this way, you should inform your patient about how their testimonials will be used.
Some patients may prefer to leave a simple review on your website, while others are open to interviews and video testimonials. Not only does this ensure that your patients release a testimonial that they’re comfortable with, but it can also potentially save you the time and effort for creating different types of content.
This is perhaps one of the trickiest parts of testimonials: whether a patient needs to be reimbursed for their review. There isn’t a lot of guidance in the HIPAA ruling about whether practices need to pay patients that give their testimonies for advertising purposes. However, the Federal Trade Commission has some guidance about this:
Generally, you don’t want the promise of payment or reimbursement to motivate your patients to give you a testimonial. Not only does this skew their opinion, but it’s extremely unethical and can incur your business heavy penalties if it’s found out.
Healthcare and wellness practices need to understand that consent and authorization aren’t permanent. A patient has the right to revoke their authorization at any time, and they should be informed of their rights to revoke their permissions before practices publish their testimonials.
While this may sound worrying, patients who have been provided excellent service are usually unlikely to revoke their authorization and consent about disclosing health information in their testimonies. However, it’s still within the best practice to inform your patients that they can exercise this right and brief them on the process of doing so.
Does the kind of practice matter for getting HIPAA-compliant patient testimonials?
The short answer is yes. While it’s easy to think that only medical procedures are covered by HIPAA, cosmetic treatments and other procedures in aesthetic medicine are also fully covered by these regulations. So it doesn’t matter if you’re a hospital or a wellness spa – if you want to use patient testimonials, you need to remain HIPAA compliant.
Generally, hospitals and clinics have more hoops to jump through with getting HIPAA-compliant patient testimonials, especially with the wording of their Patient Testimonial Advertising Form. Given that these institutions usually share information with other hospitals and clinics in the same network, anything about the patient’s PHI mustn’t be disclosed without authorization.
Wellness services like med spas and cosmetic practices may have an easier time crafting the language needed for their Patient Testimonial Advertising Form, but it’s also important to consider that patient testimonials play a bigger role in the growth of their business compared to strictly medical practices. For the best possible cooperation from your patient, you need to make sure that they’re comfortable with their testimonials before you publish them anywhere.
While HIPAA has strict guidelines on what exactly can healthcare and wellness practices reveal about a patient's protected health information, it’s possible to still get testimonials without having to violate any regulations. The social proof offered by patient testimonials is a really powerful tool to build trust in your brand – and to grow your audience reliably.