by Donna Vanderpool, MBA JD

Ms. Vanderpool is the Vice President of Risk Management at Professional Risk Management Services in Arlington, Virginia.

Funding: No funding was provided for the preparation of this article.

Disclosures: The author is an employee of PRMS Inc., a risk management consulting company for health care providers.

This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc. (, a manager of medical professional liability insurance programs with services that include risk management consultation, education and on-site risk management audits, and other resources offered to health care providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers may provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other health care professionals so “clinician” is used to indicate all treatment team members.

Innov Clin Neurosci. 2019;16(9–10):44–46


I have been thinking about more ways to market my practice online. In addition to sprucing up my practice website, I may want to use one of the many online referral services. Are there any professional liability risks that I should be aware of?


The variety of available online marketing options can present variable degrees of risk, but there are ways to manage this risk.


Websites can be a great way to market your practice online. In terms of professional liability, however, the more interactive a physician’s website is, the greater the risk.

Potential Risk Areas

Inadvertent establishment of a treatment relationship. If an individual submitted a psychiatric question to you, and you responded, it could be viewed by that individual to be treatment advice, which could inadvertently establish a physician-patient relationship.

Patient testimonials. You should exercise extreme caution when soliciting patients for testimonials, particularly with respect to ethical obligations and legal requirements. Ethically, it could be viewed as putting a patient in a situation where he or she did not feel comfortable saying no. According to the American Medical Association’s Ethics Opinion 9.6.1, “…testimonials of patients as to the physician’s skill or quality of the physician’s professional services tend to be deceptive when they do not reflect the results that patients with conditions comparable to the testimoniant’s condition generally receive.” As pointed out by the American Psychiatric Association’s Ethics Opinions A.4 and A.11, psychiatrists should not ask patients to do activities not related to treatment. Even with patient consent, the concern is that the consent could be influenced by transference and the need by the patient to please the physician. Some states prohibit testimonials in physician advertising. You may want to check your state’s definition of unprofessional conduct or professional misconduct to see whether testimonials are addressed.

The Risk Management Advice

  • Ensure website content is current and accurate.
  • Comply with applicable state law requirements related to physician websites.
  • If you do use patient testimonials, be sure to obtain written authorization from the patient to do so. One practice had to pay $25,000 to stop the federal government’s investigation related to posted patient testimonials. The testimonials, including names, had been posted on the practice’s website without the knowledge of the patients.1
  • If you are a Covered Entity under HIPAA, post your Notice of Privacy Practices on your website.
  • Do not violate intellectual property law when posting materials from other sources.
  • If you link to outside sources, link only to credible websites and post a disclaimer on your website explaining that you are not responsible for information on linked websites.
  • If you are selling products on the website, ensure compliance with applicable laws and ethical standards.
  • Avoid posting anything on your website that could be construed as specific treatment advice.
  • Do not allow individuals to communicate with you via the website to avoid the inadvertent establishment of a treatment relationship. Current patients should communicate via a secure patient portal.
  • If prospective patients can download forms, consider including a statement that doing so does not guarantee a treatment relationship will be established.
  • If you have online appointment scheduling via your website, ensure all information is secure and not available for others to see. One practice learned this lesson the hard way—after having to pay $100,000 to stop the government investigation resulting from a publicly accessible online scheduling calendar containing patient demographic and medical information.2

Online Referral Services

Online referral services, such as ZocDoc and Psychology Today, can be very appealing for online marketing.

Potential Risk Areas

Drug-seekers. Psychiatrists are finding that there are many individuals out there who routinely seek out physicians online in an attempt to gain access to controlled substances, and not to form a true treatment relationship.

Limited-purpose patients. Physicians using these types of online referral services are also finding that there are many patients who have other purposes, outside of forming a treatment relationship in mind, such as filling out disability forms or testifying in litigation.

Use of patient information. Be sure you know exactly what the service is doing with your patients’ information. Years ago, Practice Fusion (at that time a free electronic health records service), unbeknownst to the physicians, sent follow-up emails to patients under the doctors’ names, asking for feedback about the visit. Based on the patient feedback, it was clear they believed only their physician would see the feedback. Instead, the reviews were posted on Practice Fusion’s website. Practice Fusion subsequently entered into a settlement agreement with the Federal Trade Commission.3

Request for testimonials. We’ve heard of online referral services being very persistent in urging physicians to obtain patient testimonials—for the service’s own use.

The Risk Management Advice

  • To dissuade potential drug-seeking individuals, consider adding the following language to your profile: “I check the state prescription monitoring program before I prescribe” (if your state has a prescription monitoring program); “I do not prescribe controlled substances on the first visit;” or “I do not prescribe for pain.”
  • To manage additional patient expectations, include other applicable statements, such as that the first visit is only an evaluation to see if it is appropriate to establish a treatment relationship.
  • A Business Associate Agreement (BAA) pursuant to HIPAA is necessary from the referral service as it will, at a minimum, store patient information. Even if you are not a covered entity under HIPAA, you should obtain the BAA to ensure the service promises to adequately protect the confidentiality of your patients.

Responding to Negative Online Reviews

Unfortunately, in today’s digital world, online reviews are a fact of professional life. Fortunately, the vast majority of physician reviews are positive. But, as a psychiatrist, you have very few options when faced with a negative review.

Potential Risk Areas

Patient confidentiality. Even though your patient has put it on the Internet for the entire world to see, you still must maintain patient confidentiality. By addressing a review, you would be inappropriately confirming the reviewer is a patient.

Contracting with patients to not post negative reviews. One organization has suggested that its members establish a contract with patients under which patients promise to not say anything negative about the physician. In exchange, the physician will give the patient confidentiality rights under HIPAA. The federal agency responsible for enforcing HIPAA learned of this contract and stepped in and clarified that patients cannot be required to agree to a gag order in exchange for confidentiality, to which patients are entitled without any such contract.4

Astro-turfing. A creative physician realized that he could bury the negative reviews by having his staff pretend to be patients and post positive reviews. The state’s Attorney General learned of this and fined the practice $300,000.5

The Risk Management Advice

  • Really think about the patient’s complaint to rule out that it is a valid one. For example, the fact that you and your front office assistant always have professional communications does not mean that a patient’s complaint of rudeness on the part of the front office assistant is, per se, false.
  • If the negative review is from a current patient, you should discuss the concerns privately with that patient.
  • Without confirming the poster is a patient, you can ask the site to remove the post if it is false, the post violates the site’s own policies and terms, or removal is allowed (some sites will give physicians a set number of “takedowns” per year, no questions asked).


Online marketing can be a great way to get the word out regarding your services as a physician, and implementing a few safeguards can help reduce your liability risk. When considering a website design for your practice, the less interactive it is, the better. If patient information is collected on your site, make sure the site is secure and complies with state laws. Avoid posting anything that could be construed as treatment advice. A simple, noninteractive website that provides information about your practice poses very little risk. If you decide to use an online referral service, make sure to get a BAA from the service provider first to ensure patient confidentiality. Consider adding statements to your profile that inform the public of pertinent practice policies, such as those concerning the prescription of controlled substances. And finally, if faced with a negative online review(s), never publicly address the complaint. If the person who posted the negative review is a current patient, address the concerns with the patient in private. Use legitimate complaints as learning opportunities to improve your practice. For false negative reviews, check the site’s policies and terms to learn what, if any, options are available to you for removal of the offending review.


  1. United States Department of Health & Human Services. Physical therapy provider settles violations that it impermissibly disclosed patient information. Available at: Accessed September 12, 2019.
  2. United States Department of Health & Human Services. HHS settles case with Phoenix cardiac surgery for lack of HIPAA safeguards. Available at: Accessed September 12, 2019.
  3. Federal Trade Commission. FTC approves final order in practice fusion privacy case. Available at: Accessed September 12, 2019.
  4. United States Department of Health & Human Services. All case examples. Available at: Accessed September 12, 2019.
  5. New York Attorney General. Attorney General Cuomo secures settlement with plastic surgery franchise that flooded Internet with false positive reviews. Available at: Accessed September 12, 2019.