How to Respond to Reviews in Compliance with HIPAA Guidelines


Online reviews on Google, Yelp, Facebook, and other public review platforms are more critical than ever for dentists. Here’s why: 84% of consumers look to online reviews before choosing providers. Additionally, according to Moz, review signals account for 13% of local ranking factors.

In other words, not only do reviews matter to potential patients, but they are incredibly important for organic and local SEO.

Why respond to reviews?

In addition to obtaining reviews, responding to online reviews is a great way to build trust with potential patients and engage with current patients.

A well-crafted response to a negative review can turn a bad situation into an opportunity, while a thoughtful response to a great review can build loyalty and show you really care.

However, dentists and other healthcare professionals have something extra to consider when responding to online reviews: HIPAA.

The Health Insurance Portability and Accountability Act, or HIPAA, is designed to protect patients’ privacy. So how does HIPAA affect your ability to respond to reviews?

When responding to reviews, do not confirm the reviewer is a patient.

HIPAA concerns

Non-compliance could result in legal action and hefty fines, so how can you engage with patients who leave you a review – without getting in legal hot water?

Rest assured, it CAN be done successfully!

Healthcare professionals can respond to reviews – it just takes a little care to make sure it’s done in a way that respects and protects patients’ privacy.

You may wonder:

If the patient leaves a review on a public site like Yelp or Google, isn’t that an authorization for the practice to acknowledge he or she is actually a patient? After all, the patient basically admits it in his/her own words.

In reality, no matter what the patient states in the review, it’s NOT an authorization for the practice to release any patient information in response.

Best practices: How to respond to reviews in a HIPAA-compliant manner

When responding publicly on Google, Yelp, or other platforms, never confirm if the patient was seen by your practice or release any of the patient’s medical information.

It’s best to focus on office policies and use generic terms that don’t offer any specific patient information.

Here are a few examples showing how to respond in a compliant manner:

Example review: “Dr. Dentist is the BEST! She treats my 5-year-old son so well that he LOVES to visit the dentist. I had a cavity filled during my last visit and the doctor was so gentle; it didn’t hurt at all. Our entire family loves Dr. Dentist and we highly recommend her!”

  • BAD response: “We’re so glad you enjoyed your experience with us and look forward to seeing you again soon!”
  • GOOD HIPAA-compliant response: “We aim to deliver the best care to patients and love to hear positive experiences! Thanks for sharing this feedback!”
  • Why it works: The response doesn’t directly confirm the reviewer is a patient.

Example review: “I had to wait more than an hour to be seen, and the front desk lady was rude and didn’t seem concerned with my long wait at all. When I finally saw the dentist, he only spent a few minutes with me and seemed rushed.”

  • BAD response: “We’re sorry you had a bad experience with our team during your appointment and we’d love the opportunity to make it right.”
  • GOOD HIPAA-compliant response: “When scheduling, it’s our policy to allow plenty of time with the doctor so we can keep our schedule running on time. However, because of emergency situations, it is possible to be behind schedule occasionally. We appreciate your feedback and are committed to providing the best patient care; you’re welcome to send any other comments to our Office Manager Debbie at (email address).”
  • Why it works: The content of the response is generic and focuses on the practice’s policies. It doesn’t confirm the reviewer is a patient. It also provides an opportunity to take the conversation offline.

More tips and best practices

Don’t let HIPAA-related fears prevent you from asking for or responding to reviews! Google itself states that “Replying to reviews is a great way to engage with your customers and get valuable feedback.” Here are a couple of useful tips to keep in mind from the Google My Business Help page:

  • Be nice and don’t get personal. This isn’t just a guideline–it’s also a good idea as a business owner…Keep your responses useful, readable, and courteous.
  • Keep it short and sweet. Users are looking for useful and genuine responses, but they can easily be overwhelmed by a long response.
  • Thank your reviewers. Respond to happy reviewers when you have new or relevant information to share. You don’t need to thank every reviewer publicly since each response reaches lots of customers, not just one.

You can respond to reviews in a HIPAA-compliant manner successfully! If you have questions about local SEO, online reputation, or obtaining reviews, schedule a free, no-obligation call with Angela, our Director of Client Services. She’d be happy to help answer your questions!

This blog post was originally published in 2017 and has been updated.

4 comments on “How to Respond to Reviews in Compliance with HIPAA Guidelines”

  1. Simon Barnett

    Thanks for the article, I used some of the info here on my recent blog – I hope that’s okay!

  2. (Anonymous)

    This is thoughtful and useful content! Thank you so much.

  3. Francis Smith

    A HIPAA breach in your company can attract a hefty fine, costing you thousands of dollars and possible jail time. How much you pay in fines generally depends on the number of people affected by your violation and the type of crime committed.


  4. Donald Smith

    HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. Learn more details from
