Healthcare providers must balance maintaining their online reputation with HIPAA compliance requirements. According to How to Respond to Online Patient Reviews Without Violating HIPAA, "Understanding the boundaries HIPAA sets is crucial when responding to online reviews. Even a well-meaning reply can inadvertently violate patient privacy, leading to legal trouble and reputational damage."
Practical response strategies
Template response approach
An article published in the Journal of Oral and Maxillofacial Surgery suggests that "there are appropriate mechanisms to respond to negative online reviews in a HIPAA compliant manner. Providers should be encouraged to keep online responses vague. For example, in responding to a patient's online review describing that the provider did not change his blood pressure medications, although he said he would, a HIPAA compliant response would be: 'Our staff aims to make sure all concerns are properly addressed, and we will make note of this feedback to ensure we are doing all we can to help. Please be in touch if there is anything we can do to assist at this time.' This response can seem impersonal, but it is compliant with the law as it does not reveal or confirm any patient-specific information. The stringent protections of health information restrict the response to generic and non-identifiable terminology, which may not address the patient's concern."
Gayland O. Hethcoat II, in Disclosing Patient Information in Responses to Online Reviews: Recent OCR Enforcement Action Is a Cautionary Tale, recommends that "covered entities may create pre-approved responses for use in replying to negative posts," suggesting this sample response: "We value feedback about the patient experience with our care providers. Out of consideration for our patients' privacy rights, we do not disclose any patient information on public forums. We encourage you to contact our office by phone or email so we can further discuss your experience."
Oromchian, in How to Respond to Online Patient Reviews Without Violating HIPAA, provides additional examples of safe, generic responses that practices can adapt:
- For complaints about wait times: "Thank you for sharing your feedback. Our team strives to provide efficient and timely care, and we're always working to improve our processes."
- For negative experiences: "We're sorry to hear about your experience. Please call us at [phone number] so we can better understand your concerns and work toward a resolution."
- For general feedback: "Thank you for your review. We appreciate your feedback and will take it into consideration."
Developing your response framework
Creating a standardized approach to review responses can help ensure consistency and compliance. Consider developing templates that include:
- Opening acknowledgment: "Thank you for taking the time to share your feedback."
- Empathy statement: "We understand your concerns and take all feedback seriously."
- Quality commitment: "We are committed to providing the highest quality care to all our patients."
- Private discussion invitation: "Please contact our office directly so we can address your concerns personally."
- Professional closing: "We value your feedback and look forward to the opportunity to improve."
The importance of timing and tone
Response timing can impact both the effectiveness and compliance of your reply. Responding too quickly might suggest you're reacting emotionally rather than professionally, while waiting too long could signal that you don't take patient feedback seriously. Oromchian recommends responding "within two to three days of the review being posted" and suggests that "if a timely, detailed response isn't feasible, a brief acknowledgment can suffice."
The tone of your response is equally important. Even when faced with unfair or inaccurate criticism, maintaining a professional, empathetic tone demonstrates your commitment to patient care and reflects positively on your practice's values. As noted in Ethical considerations in responding to negative online reviews, "Responding in a defensive or angry tone could damage your professional image, ultimately causing more harm than good."
As Oromchian explains, "Responding to reviews is about more than protecting patient privacy—it's an opportunity to showcase your professionalism and commitment to patient care."
Real-world case studies
The Manasa Health Center case
In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center responded to a patient's review and disclosed the patient's mental health diagnosis and treatment information. The Manasa Health Center incident reveals vulnerabilities in online patient communication, demonstrating how healthcare providers can violate HIPAA regulations when responding to reviews.
Former OCR Director Melanie Fontes Rainer said in response to the case, "OCR continues to receive complaints about health care providers disclosing their patients' protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed. The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law."
This case resulted in a $25,000 settlement and a corrective action plan.
The U. Phillip Igbinadolor case
The consequences of improper review responses extend beyond the Manasa Health Center case. In March 2024, OCR imposed a $50,000 civil monetary penalty against U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice in North Carolina, for responding inappropriately to a negative Google review.
According to Hethcoat's analysis in "Disclosing Patient Information in Responses to Online Reviews: Recent OCR Enforcement Action Is a Cautionary Tale," the violation occurred when UPI responded to a negative review posted under a pseudonym by revealing "the patient's full name and details about the services he received, claiming that the patient 'never came back for his scheduled appointment.'"
The practice's response went beyond a simple HIPAA violation: it also included personal attacks, stating: "From the foregoing, it's obvious that [Complainant's full name] level of intelligence is in question, and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant's full name]. Get a life."
This case demonstrates how emotional responses to negative reviews can escalate into serious legal and financial consequences. The $50,000 penalty was classified as "willful neglect not corrected" because the practice refused to cooperate with OCR's investigation and declined to submit required documentation.
A pattern of enforcement
This enforcement action is part of a broader pattern. As Hethcoat notes, OCR has taken multiple enforcement actions involving online reviews. In 2019, another dental practice paid $10,000 to settle claims that it disclosed "a patient's PHI, including her last name, details of her treatment plan, insurance, and cost information, in its response to the patient's review on Yelp." During that investigation, OCR discovered the practice had improperly disclosed other patients' PHI in multiple Yelp review responses.
Even earlier, in 2013, OCR issued a warning letter to a plastic surgery practice regarding inappropriate disclosure of a minor patient's information in response to a parent's Yelp review, demonstrating that this issue has been on OCR's radar for over a decade.
Best practices for implementation
Staff training and protocols
Implementing HIPAA compliant review response procedures requires staff training. All team members who might interact with online reviews should understand the legal requirements and have access to approved response templates. Regular training sessions should cover new platforms, updated regulations, and lessons learned from industry violations.
As Hethcoat emphasizes in his analysis, "covered entities should consider developing a policy regarding uses and disclosures of PHI on online platforms. Indeed, in its recent enforcement actions, OCR has emphasized the importance of covered entities having policies specifically addressing PHI and social media."
Monitoring and response systems
Establish systems to monitor reviews across all platforms where your practice appears. This includes Google Reviews, Yelp, Healthgrades, and industry-specific platforms. Automated monitoring tools can help ensure timely responses while maintaining documentation for compliance purposes.
Documentation and compliance tracking
Maintain records of all review responses, including the original review, your response, and any follow-up communications. This documentation can be valuable for compliance audits and can help identify patterns in patient feedback that might indicate systemic issues.
Creating a positive review culture
The best defense against negative reviews is prevention through exceptional patient care. Implement systems to encourage satisfied patients to share positive reviews while addressing concerns before they become public complaints. This might include follow-up surveys, patient feedback systems, and proactive communication about potential issues.
However, as Oromchian notes, when managing your online presence, "A page with only glowing reviews may seem suspicious to potential patients. Instead, respond professionally to negative reviews and focus on generating more positive feedback to balance the overall perception of your practice."
FAQs
Can providers train third-party marketing agencies to handle review responses?
Only if the agency is a HIPAA compliant business associate with a signed agreement and thorough training on PHI protections.
What if a reviewer uses a fake name or pseudonym—can the provider confirm their identity?
No, providers still cannot confirm or deny the person is a patient, even if they suspect or recognize them.
Is it ever appropriate to respond publicly after handling the issue privately?
No, any public follow-up must remain generic and avoid confirming patient identity or any outcome of the private interaction.
Do HIPAA compliant templates need to be approved by legal counsel?
Yes, legal review is highly recommended to ensure that pre-approved responses remain within HIPAA boundaries.
Should practices respond to every review, or only negative ones?
It’s best to respond to both positive and negative reviews in a generic, professional manner to show engagement without risking PHI disclosure.