How Healthcare Providers Respond to Reviews Without Violating HIPAA

Healthcare providers can respond to Google reviews without violating HIPAA by following three rules: never confirm the reviewer is a patient, never reference clinical details, and always direct follow-up conversations to a private channel. Responding in the right way is not only safe, it's strongly recommended. Silent healthcare profiles lose new patients to competitors who learned how to reply inside the rules.

The HIPAA rule most providers get wrong

HIPAA does not prohibit responding to reviews. It prohibits disclosing protected health information in a public forum. The difference matters: a generic reply that thanks the reviewer and invites them to contact the office is fully compliant. A reply that says "we're sorry your root canal was uncomfortable" is not, because it confirms the reviewer was a patient and names a procedure. See how we do this for dental practices.

The Office for Civil Rights at HHS has issued settlements against providers who responded to online reviews by confirming treatment details. The lesson is not "don't respond." It's "respond without ever confirming the clinical specifics."

The HIPAA-safe reply pattern

Review

"Felt rushed through my appointment and the billing was confusing."

Unsafe response

"Hi Sarah, we're sorry your cleaning felt rushed. Your $340 copay was because..."

Safe response

"Thank you for flagging this. Unhurried care and clear billing are standards we take seriously. Please call our office and ask for the practice manager so we can review your concerns directly."

The 5-rule HIPAA response checklist

  1. Never confirm the reviewer is a patient.
  2. Never name a procedure, diagnosis, or outcome.
  3. Thank the reviewer generically and acknowledge the sentiment.
  4. Invite them to contact the office directly for anything specific.
  5. Document your internal response process so every staff member writes replies the same way.

The cost of not replying at all

Some practices avoid the HIPAA question by refusing to respond to reviews entirely. That's the worst of both worlds: you take on all the reputation risk of unanswered complaints while missing the benefit of a well-managed profile. The safer path is a tone guide that makes HIPAA-compliant replies the default, so every team member writes the same way and nothing slips into risky territory.

The safest practices are the ones where every team member who might respond to a review has been shown the rules and a few sample replies. That 15-minute training session is the difference between a compliant profile and a settlement.

Sources: HHS Office for Civil Rights guidance on social media and HIPAA, published HIPAA settlement cases 2013 to 2024.

Stop leaving reviews unanswered.

Same-business-day responses, written in your voice. $200/mo flat. No contracts.


Or call us at (720) 507-8056