Essential do’s and don’ts for responding to online reviews in healthcare—without violating HIPAA.
HIPAA-Compliant Review Responses
By Keith Maynard
Estimated Read Time: 3 Minutes
Why It Matters
Responding to online reviews in healthcare requires a delicate balance between engagement and confidentiality. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts how covered entities may use and disclose protected health information (PHI), and even a well-intentioned reply to a public review can disclose PHI without authorization. Here's how to reply professionally without risking a breach.
Key Guidelines for Safe, Compliant Responses
1. Never disclose protected health information (PHI).
Even if the reviewer shares personal details, do not repeat or acknowledge them in your response. PHI includes any of the following when it can be linked to a person:
- Names (even if the reviewer uses their own)
- Geographic details smaller than a state (e.g., city, ZIP code)
- Dates directly related to the individual (birth dates, admission/discharge dates, dates of service, etc.)
- Contact info (phone numbers, fax numbers, email addresses, URLs, IP addresses)
- Identifiers (medical record numbers, device serial numbers, license plates)
- Photos or biometric data
- Account, insurance, or health plan beneficiary numbers
- Any other unique identifying number, code, or characteristic
2. Avoid acknowledging the individual as a patient
Do not confirm or imply that someone is a patient, even if they publicly say so. A reviewer's own public statement is not an authorization for you to disclose anything; the privacy obligation sits with the provider, not the reviewer. Avoid using their name or responding in a way that suggests familiarity.
3. Keep your language general
Instead of addressing specific issues or visits, speak in broad terms. Use phrases like:
“We take all feedback seriously.”
“We're committed to continuously improving our care.”
4. Do not reference medical issues or treatments
Never confirm, deny, or reference any diagnosis, condition, or treatment—regardless of what the reviewer shares.
5. Stay brief and neutral
Long responses increase the risk of oversharing. Avoid emotional language, detailed explanations, or defensiveness. Be positive and courteous, but concise.
6. Don’t apologize for a bad experience
An apology, even a vague one, can be read as confirmation that the person received care at your facility. Instead, explain your privacy obligations:
“Because of privacy regulations, we’re unable to discuss specifics in a public forum.”
7. Provide an offline path for resolution
If a reviewer shares concerns that warrant a follow-up, direct them to a private channel:
“We’d love to connect with you directly—please call our office at [phone number] to speak with our team.”
8. Express gratitude
Thanking someone for their feedback is a safe and professional way to show you value their input—without confirming their patient status.
HIPAA-Compliant Response Examples
Positive Review
❌ "We’re so glad you enjoyed your appointment last week!"
✅ "We appreciate your feedback and are committed to providing excellent care."
Negative Review
❌ "Sorry to hear about your wait time—we’ll bring it up with our staff."
✅ "Thank you for your feedback. We’re committed to improving the experience for all patients. Please contact our office manager at [phone number] to share more details."
General/Clinical Reference
❌ "We’re so glad your therapy sessions helped last month!"
✅ "We strive to provide compassionate, effective care and welcome feedback from the community."
Final Thoughts
Online reviews are an important opportunity to demonstrate your commitment to care, but in healthcare every word counts. With a clear written policy, a small set of pre-approved response templates, and a HIPAA-first approach, you can engage responsibly while protecting both your patients and your practice.