How to Get HIPAA-Compliant Patient Testimonials for Trust Building

Patient testimonials may seem like an obvious way for any healthcare and wellness practice to promote itself and build trust, but getting these testimonials published comes with a catch. Under the Health Insurance Portability and Accountability Act of 1996 (or HIPAA), medical and cosmetic providers cannot reveal any identifying details about their patients without their consent.

However, this “consent” can be a little unclear – and if you get it wrong, there can be severe penalties for your practice. So while it is possible to still use patient testimonials to build trust in your practice, you need to make sure that you follow all requirements to avoid HIPAA violations.

Patients and HIPAA Compliance: What Can They Say?

First off, it’s important to differentiate “consent” from “authorization”. Consent can be anything from verbal to written – and crucially, it’s not legally binding. A valid “authorization”, on the other hand, is a written document that precisely indicates what’s going to be done with a patient’s information. There are two particular documents that healthcare practices need in order to use patient testimonials on their website:

1) Notice of Privacy Practices

A notice of privacy practices is basically a document that tells your patient three things:

  • How their medical information will be used
  • The details of their point of contact for accessing their medical information
  • Circumstances that justify the use or disclosure of their PHI without authorization

This is crucial because anything about the PHI (or patient health information) usually cannot be disclosed. Giving your patient a notice of privacy practices is the primer they need to know what’s going to be done about their data – both for advertising purposes and for any other reason to disclose their PHI.

2) Patient Testimonial Advertising Form

In contrast to the notice of privacy practices, the patient testimonial advertising form is specifically about how you want to use the patient’s testimony. Specifically, it has to answer:

  • How your patient’s information will be used
  • What exact information will be disclosed
  • Why the patient consents to having their information released

If this sounds general to you, it is – HIPAA guidelines don’t really specify how you should frame or write this form. As long as it answers the three questions above, you can use whatever language you need to write the form.

A Quick Compliance Checklist

Once you’ve managed to have your patient sign and secure those two forms, you should be HIPAA-compliant to use their testimonies on your website. Depending on how you craft your Patient Testimonial Advertising Form, it’s possible to use your patient testimonies in several ways.

Here’s our checklist of things you need to make sure of before publishing any patient testimonial in your content:

1) Has the patient given their written and documented consent?

This might seem easy to forget, but it’s important to establish that:

  • Your patient has a copy of both signed forms (notice of privacy practices and patient testimonial advertising form)
  • Your patient has been informed about the specifics of each document, and this exchange is documented, either in writing or in another record such as an email.

A patient must be properly briefed about the content of each form, and any of their concerns and questions should be answered before publishing their testimonial anywhere. To be absolutely safe, always make sure that you have multiple copies of the two documents, and store the originals in a secure place.

2) Has the patient been made aware of the exact information that will be used?

While patients may give their authorization to disclose details about them for testimonials, they must know what kind of data you’re going to disclose. Some information like diagnosis, place of treatment, or even the type of treatment may not be information that they want out there.

Remember, HIPAA law expressly protects the patient, not the provider – it’s far easier for the provider to be sued than the patient. Even the smallest bit of information that you’re planning to use for a patient’s testimonial needs to be run through them before they ever make it into your content.

3) Has the patient been informed where their testimonials will end up?

Patients also need to be informed where exactly their testimonials will be displayed. Given that a content strategy often requires that you repurpose, recycle, and publish content across multiple platforms, you need to make it clear to your patient where their testimonies can be displayed.

These areas include:

  • A dedicated testimonial section on your website or webpage
  • An excerpt from a blog, long-form article, or case study
  • Any social media channels, either in text, image, or other formats

Aside from compliance, informing the patient about where their testimonials will end up can actually encourage organic sharing. If you’ve provided great service to the patient, they can share their testimonies with their network, bringing your business to a wider audience.

4) Has the patient been told how exactly their testimonials will be used?

Some patients can be self-conscious about their image, especially with issues like how they sound or how they look. To avoid any possible issues with using their testimonials in this way, you should inform your patient about how their testimonials will be used.

Some patients may prefer to leave a simple review on your website, while others are open to interviews and video testimonials. Not only does this ensure that your patients release a testimonial that they’re comfortable with, but it can also potentially save you the time and effort of creating different types of content.

5) Has/will the patient be reimbursed or credited for any profits made?

This is perhaps one of the trickiest parts of testimonials: whether a patient needs to be reimbursed for their review. There isn’t a lot of guidance in the HIPAA ruling about whether practices need to pay patients that give their testimonies for advertising purposes. However, the Federal Trade Commission has some guidance about this:

  • The practice cannot give their patients a reason to expect compensation or other benefits before giving their testimonials/comments
  • The practice may be able to discuss compensation for the patient after they’ve already given their comment/testimonial, but this is not always necessary

Generally, you don’t want the promise of payment or reimbursement to motivate your patients to give you a testimonial. Not only does this skew their opinion, but it’s extremely unethical and can bring heavy penalties on your business if it’s found out.

6) Has the patient been made aware of their other rights like revocation of consent?

Healthcare and wellness practices need to understand that consent and authorization aren’t permanent. A patient has the right to revoke their authorization at any time, and they should be informed of their rights to revoke their permissions before practices publish their testimonials.

While this may sound worrying, patients who have been provided excellent service are usually unlikely to revoke their authorization and consent about disclosing health information in their testimonies. However, it’s still best practice to inform your patients that they can exercise this right and brief them on the process of doing so.

Does The Industry Matter?

Does the kind of practice matter for getting HIPAA-compliant patient testimonials?

The short answer is yes. While it’s easy to think that only medical procedures are covered by HIPAA, cosmetic treatments and other procedures in aesthetic medicine are also fully covered by these regulations. So it doesn’t matter if you’re a hospital or a wellness spa – if you want to use patient testimonials, you need to remain HIPAA compliant.

Generally, hospitals and clinics have more hoops to jump through with getting HIPAA-compliant patient testimonials, especially with the wording of their Patient Testimonial Advertising Form. Given that these institutions usually share information with other hospitals and clinics in the same network, anything about the patient’s PHI mustn’t be disclosed without authorization.

Wellness services like med spas and cosmetic practices may have an easier time crafting the language needed for their Patient Testimonial Advertising Form, but it’s also important to consider that patient testimonials play a bigger role in the growth of their business compared to strictly medical practices. For the best possible cooperation from your patient, you need to make sure that they’re comfortable with their testimonials before you publish them anywhere.

Compliance and Growth With Patient Testimonials

While HIPAA has strict guidelines on what exactly healthcare and wellness practices can reveal about a patient’s protected health information, it’s still possible to get testimonials without violating any regulations. The social proof offered by patient testimonials is a really powerful tool to build trust in your brand – and to grow your audience reliably.