The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was enacted in 1996 to protect the privacy of patient health information. That protection covers every form of patient information, including the names and medical details a patient may mention when they submit a review of your practice or medical facility.
To be clear, a patient can say whatever they want about their own medical history. However, a patient disclosing their own information does not release anyone else from their obligations. So, if someone gives details about the medical treatment they received in a Google review, Yelp review, etc., the provider, practice, or facility responding to that review cannot confirm, repeat, or reference any of those details or any other legally protected patient data. Even confirming that the reviewer is or was a patient discloses protected information.
However, you don’t want to go to the other extreme and stop responding to patient reviews. Whether it’s a positive or negative review, responding is an important trust signal for prospective patients.
Thanking patients for good reviews shows that your practice listens and responds to feedback. A constructive response to a negative review can build even more trust because it should demonstrate care, concern, a willingness to address problems, and the ability to stay calm and composed even when confronted with hostile criticism.
Is HIPAA Compliance Mandatory?
Yes. HIPAA compliance is legally required of covered entities (health care providers, health plans, and health care clearinghouses) and their business associates that create, receive, store, or transmit protected health information (PHI), meaning any individually identifiable health information. Compliance is enforced through financial penalties that can be quite costly.
Civil penalties for non-compliance with HIPAA regulations fall into four tiers, based on the level of culpability. The figures below are the base statutory amounts; the Department of Health and Human Services adjusts them for inflation each year, so the current amounts are higher.
- If you exercised "reasonable diligence" yet did not know, and could not reasonably have known, that you had violated HIPAA regulations, the penalty is $100-$50,000 per violation.
- Violations "due to reasonable cause" and not to willful neglect carry a penalty of $1,000-$50,000 per violation.
- Violations due to willful neglect that were corrected within 30 days carry a penalty of $10,000-$50,000 per violation.
- Violations due to willful neglect that were not corrected in a timely fashion carry a penalty of $50,000 per violation.
There is an annual cap on penalties, but it is $1.5 million per calendar year for violations of the same provision, so the exposure is still significant. Willful violations can also lead to separate criminal prosecution.

How to Write a HIPAA-Compliant Response
Now that you understand how vital HIPAA compliance is, even in social media posts and review responses, let's look at the five essential aspects of writing a HIPAA-compliant review response.
5 Tips for a HIPAA-Compliant Response
- Do not mention details about the patient's medical history or any treatment they received. Even if the patient volunteered those details in the review, repeating them in your reply is a violation.
- Stay cool, calm, and collected. Even if the reviewer was nasty, it is essential to rise above any vitriol. Maintain a calm, reasonable tone throughout all communication, especially in public.
- Say "thank you." Yes, even when the reviewer is nasty. Actually, it is even more important when the reviewer is nasty. It may help to defuse hostility and demonstrates an appreciation of all feedback. Even if it does not, it sets a constructive tone and looks good to prospective patients who may be reading reviews as part of their decision-making process.
- Keep responses general. Marketing advice usually favors a personalized response, and responding to reviews is both marketing and community management, but HIPAA compliance calls for a more general one. Plan ahead and prepare statements such as, "We appreciate your feedback. It helps us improve and create a better patient experience." Whether or not you use pre-written responses, avoiding specifics about the person or the medical services they received is essential. Even if the reviewer went into detail about either or both, the response must not mention personally identifiable information, medical conditions, or treatments.
- Take the conversation offline when necessary. If the reviewer raises something that needs to be addressed, such as a request for follow-up information or a complaint about a problem, move the conversation out of public view so that nothing protected is disclosed while you resolve it. This is also good general advice for handling negative reviews. Respond by thanking the reviewer for their comments, ask them to contact a specific person by phone or email, and provide that contact information.
Here is a HIPAA-compliant response to a compliment one hospital received as an example.
As you can see, it’s simple, effective, and compliant. Reviewers and prospective patients want to see a timely, polite response, and this qualifies.
As for a response to a negative review, here is a HIPAA-compliant response from the same hospital.
As you can see, this is an effective, HIPAA-compliant response because:
- It acknowledges the complaint (though it should have done so more quickly).
- It does not cite any personally identifiable information or medical conditions/treatments.
- It directs the discussion offline and provides contact information to facilitate further discussion to resolve the complaint.
While safeguarding patient medical information under HIPAA has many components, writing HIPAA-compliant responses to online reviews is, as you can see, fairly easy. Maintain a polite, professional tone, keep the response general, and direct any follow-up conversation offline.
