
HIPAA and Online Reviews: What You Can and Can't Say

Nick Dumitru · 9 min read

You’re staring at a one-star review that’s factually wrong. The patient is misrepresenting what happened. Other prospective patients are reading this right now and forming opinions about your practice based on lies.

Every fiber of your being wants to set the record straight. Tell the truth. Share what actually happened. Defend the years of training and thousands of hours of work that this one angry person is trying to destroy with a paragraph on Google.

Here’s why you can’t: HIPAA doesn’t care about your feelings. Civil penalties are tiered by culpability, starting at $100 per violation and reaching an annual cap of $1.5 million (before inflation adjustment) for willful neglect of the same provision. Enforcement is not theoretical: over $100 million in pixel-related settlements were paid by US healthcare organizations between 2023 and 2025 alone, according to Content Clicks. Those cases concern website tracking pixels rather than review replies, but the underlying problem is the one this article is about: identifiable health information reaching a third party without authorization.

This isn’t a guide about whether you should respond to reviews. You should. This is a guide about exactly what you can and can’t say when you do.

What counts as protected health information

This is where most doctors get it wrong. They think PHI means medical records. It means much more than that.

Under HIPAA, protected health information is any individually identifiable health information. In the context of review responses, this includes:

  • Confirming that someone is or was your patient
  • Mentioning any procedure, treatment, or service they received
  • Referencing any diagnosis, condition, or symptom
  • Naming any dates of service, appointments, or follow-ups
  • Describing their treatment plan, recovery, or outcomes
  • Sharing any billing or payment information
  • Referencing conversations you had with them about their care

Notice the first one. Just confirming that someone was your patient is a potential HIPAA violation. Even if they’ve identified themselves publicly. Even if they’ve posted details about their own care. Their right to share their own health information does not give you the right to confirm it.

A patient can write: “Dr. Smith performed my rhinoplasty on March 15 and it looks terrible.” You cannot respond with: “Your rhinoplasty results at six weeks post-op are within normal healing parameters.” Even though they brought up the procedure, your confirmation of it combined with a clinical assessment constitutes a PHI disclosure.

What patients are allowed to do (that you’re not)

Here’s the asymmetry that makes doctors furious: patients can say whatever they want about their care in a review. True or not. There’s no HIPAA restriction on patients sharing their own health information. HIPAA only restricts covered entities and their business associates. That’s you, and it’s any vendor you let handle patient information on your behalf.

So a patient can write: “Dr. Smith butchered my facelift and then refused to help.” And your response options are limited to generic, non-confirming language. You can’t say “that’s not what happened” with specifics. You can’t say “your results were actually excellent based on the photos from your follow-up.” You can’t even say “we’d be happy to review the surgical notes with you” because that confirms they had surgery at your practice.

Is this fair? No. Is it the law? Yes. And the penalties are steep enough that fairness doesn’t matter.

The safe response framework

Given these constraints, here’s what you can actually say in a review response:

You can acknowledge the feedback without confirming the relationship. “We take all feedback seriously” is safe. “We’re sorry you had a negative experience at our office” starts to imply a patient relationship.

You can express empathy in general terms. “We understand how frustrating a negative experience can be” works. “We understand your frustration with your surgical results” does not.

You can describe your general standards. “Patient safety and satisfaction are priorities for our practice” is fine. “Your safety was our top concern during your procedure” confirms a procedure happened.

You can invite offline resolution. “We’d welcome the opportunity to discuss your concerns directly. Please contact our office at [phone].” This is the safest and most effective response element.

You cannot confirm, deny, or discuss any specifics. Full stop.

Here’s a response that stays within HIPAA boundaries:

“We appreciate you sharing your feedback. Patient satisfaction is always a priority for our team, and we’re sorry to hear about this experience. We’d welcome the chance to discuss your concerns directly. Please reach out to our office at [phone number] so we can assist you.”

Here’s a response that violates HIPAA:

“Mrs. Johnson, I’m sorry your recovery from the procedure we discussed in your January consultation didn’t meet your expectations. As I mentioned during your follow-up appointment, the healing process takes 6-8 weeks, and I recommended a follow-up at the 3-month mark that you did not attend.”

That second response contains: the patient’s name linked to a clinical relationship, a procedure reference, a specific consultation month, a clinical recommendation, a healing timeline, and an implied noncompliance. An OCR investigator would have a field day.

Real cases where doctors got burned

I can’t share specific settlement details due to confidentiality, but here are the patterns I’ve seen play out:

The defending doctor. A surgeon responds to a negative review by explaining the clinical rationale for their surgical decisions. The patient, now even angrier, files a HIPAA complaint. The Office for Civil Rights investigates. The practice settles.

The correcting doctor. A physician responds to a review claiming a misdiagnosis by clarifying the actual diagnosis and treatment plan. The physician thought they were being helpful and transparent. HHS saw it as an unauthorized disclosure of PHI.

The over-sharing staff member. A practice manager, upset about a bad review, responds with a detailed timeline of the patient’s visits, citing office records, to demonstrate that the practice did everything right. This wasn’t even the doctor’s mistake. It was a staff member who didn’t understand HIPAA’s reach.

The social media defense. A provider screenshots a patient’s medical record to disprove claims made in a review and posts it on social media. This is the extreme case, but it has happened. Multiple times.

In every case, the doctor’s intent was to defend themselves. In every case, the law didn’t care about intent. Disclosure is disclosure.

The “but they said it first” misconception

I hear this from doctors constantly: “The patient already shared all these details in their review. I’m not revealing anything new.”

HIPAA doesn’t work that way. A patient’s voluntary disclosure of their own information does not constitute a HIPAA waiver. Even if a patient broadcasts their entire medical history on the front page of the newspaper, you still cannot confirm or add to that information without their written authorization.

The only exception would be if you had a valid, signed HIPAA authorization form from the patient specifically allowing you to discuss their care in the context of a review response. And I’ve never seen a practice that has that.

When you can respond with more detail

There are narrow circumstances where a more detailed response might be permissible:

The reviewer is clearly not a patient. If you’ve checked your records and there’s no match, you can state: “We’ve searched our records and were unable to find a match for this review. If you have been a patient here, please contact our office directly so we can look into this.” This doesn’t confirm anyone as a patient. It states a factual finding. One caveat: use this wording only if your process applies it the same way every time. If “no match” appears under suspected fakes and nothing comparable appears under genuine reviews, the absence of that line becomes the confirmation you were trying to avoid.

The reviewer has signed a HIPAA authorization. In theory, if a patient provides written authorization for you to discuss their care publicly, you could respond with clinical details. In practice, this never happens, and most healthcare attorneys would still advise against it.

You’re responding to a positive review with general thanks. Thanking someone for a positive review is low risk, but even here, don’t add clinical details they didn’t mention.

Building a HIPAA-compliant response system

The safest approach is to create a system that makes violations nearly impossible:

Approved templates only. Create 5-10 pre-approved response templates reviewed by a healthcare attorney. Staff should copy-paste and customize only the non-clinical elements (general tone, office phone number).

Dual review for negative responses. Before any response to a negative review goes live, two people should review it: one for tone and one for HIPAA compliance. If either flags a concern, the response gets revised.

Staff training. Anyone with access to your review profiles needs HIPAA training specific to online communications. General HIPAA training doesn’t cover the nuances of review responses. Most front desk staff have never been told that confirming a patient relationship in a review is a violation.

Access control. Limit who can respond to reviews. The fewer people with access, the lower your risk. Ideally, one or two trained individuals handle all review responses, each with their own platform login and two-factor authentication rather than a shared password, so that access can be revoked when someone leaves and every response can be traced to the person who posted it.
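The dual-review step above relies on a second pair of eyes. A mechanical first pass can catch the obvious hits before a human reads the draft. The Python below is an added example written for this article, not code from the author or from any practice: it encodes the PHI checklist from the “What counts as protected health information” section as heuristic rules, screens the article’s two sample replies, and wraps a template renderer so staff can fill in only the allowed non-clinical fields. The term list, the phrase patterns and the sample phone number are constructed for the example; a screen like this supplements attorney-reviewed templates and human review and does not replace them.

```python
"""Pre-publication PHI screen for review replies (illustrative heuristics).

Added example, not the article's or any practice's own code. The word lists
and phrase patterns below are constructed for the example; a real deployment
would load the practice's own procedure vocabulary and keep attorney review.
"""
import re
from dataclasses import dataclass

# Clinical vocabulary: any of these in a reply "discusses specifics".
CLINICAL_TERMS = (
    "rhinoplasty", "facelift", "surgery", "surgical", "procedure", "consultation",
    "follow-up", "recovery", "diagnosis", "treatment", "healing", "post-op",
    "appointment", "medication", "results", "symptoms", "outcome", "insurance",
    "balance", "invoice",
)
CLINICAL_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, CLINICAL_TERMS)) + r")\b", re.I)

# Dates and timelines: a month name, a numeric date, or a span like "6-8 weeks".
MONTH_RE = re.compile(  # case-sensitive on purpose: "may" the verb is not a date
    r"\b(?:January|February|March|April|May|June|July|August|September|"
    r"October|November|December)\b"
)
NUMERIC_DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b")
TIMELINE_RE = re.compile(r"\b\d+(?:\s*-\s*\d+)?\s*-?\s*(?:day|week|month|year)s?\b", re.I)

# Addressing the reviewer by name ties a person to everything else in the reply.
NAME_RE = re.compile(r"\b(?:Mr|Mrs|Ms|Mx)\.?\s+[A-Z][a-z]+")

# Phrases that imply a patient relationship without naming anything clinical.
RELATIONSHIP_RE = re.compile(
    r"\b(?:your (?:visit|care|chart|file|records|case)|you had a|"
    r"at our office|when you (?:came|were) in)\b", re.I
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "block" or "warn"
    rule: str
    excerpt: str


def screen_reply(text: str) -> list[Finding]:
    """Return every checklist hit in a draft reply, blocking findings first."""
    checks = (
        ("block", "clinical term", CLINICAL_RE),
        ("block", "month name", MONTH_RE),
        ("block", "numeric date", NUMERIC_DATE_RE),
        ("block", "timeline", TIMELINE_RE),
        ("block", "named addressee", NAME_RE),
        ("warn", "implied relationship", RELATIONSHIP_RE),
    )
    findings = [
        Finding(severity, rule, m.group(0))
        for severity, rule, pattern in checks
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.severity != "block")


def decision(text: str) -> str:
    """'publish' if clean, 'review' if only warnings, 'block' otherwise."""
    severities = {f.severity for f in screen_reply(text)}
    if "block" in severities:
        return "block"
    return "review" if severities else "publish"


# Only non-clinical fields may be substituted into an approved template.
ALLOWED_FIELDS = {"phone", "practice_name"}


def render_template(template: str, **fields: str) -> str:
    """Fill an approved template; refuse unknown fields or a reply that fails the screen."""
    unexpected = set(fields) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"fields not allowed in a template: {sorted(unexpected)}")
    rendered = template.format(**fields)
    if decision(rendered) == "block":
        raise ValueError(f"rendered reply failed the PHI screen: {screen_reply(rendered)}")
    return rendered


# The article's two sample replies, used here as the inputs to screen.
SAFE_REPLY = (
    "We appreciate you sharing your feedback. Patient satisfaction is always a "
    "priority for our team, and we're sorry to hear about this experience. We'd "
    "welcome the chance to discuss your concerns directly. Please reach out to "
    "our office at {phone} so we can assist you."
)
VIOLATING_REPLY = (
    "Mrs. Johnson, I'm sorry your recovery from the procedure we discussed in "
    "your January consultation didn't meet your expectations. As I mentioned "
    "during your follow-up appointment, the healing process takes 6-8 weeks, and "
    "I recommended a follow-up at the 3-month mark that you did not attend."
)

if __name__ == "__main__":
    print(render_template(SAFE_REPLY, phone="555-0100"))  # constructed sample number
    for f in screen_reply(VIOLATING_REPLY):
        print(f"{f.severity:5} {f.rule:20} {f.excerpt!r}")
```

Two severities keep the tool honest about what it can judge. Clinical vocabulary, dates, timelines and a named addressee are unambiguous hits and block publication; phrases such as “you had a negative experience at our office” only imply a relationship, so they route the draft to the human HIPAA reviewer rather than rejecting it outright. The honorific list deliberately omits “Dr” so that the provider’s own name does not trip the screen, and month matching is case-sensitive so that the verb “may” does not either; every such choice is a known false-negative you accept in exchange for staff actually using the tool.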

The state law layer

HIPAA isn’t the only regulation that matters. Depending on your state, additional laws may apply:

State medical board advertising rules may restrict what you can say in public responses. Some states treat review responses as a form of advertising or public communication subject to medical board oversight.

State privacy laws may provide additional protections beyond HIPAA, and their scope differs from HIPAA’s. California’s Confidentiality of Medical Information Act (CMIA) covers medical information, while the CCPA/CPRA largely exempts data that HIPAA or the CMIA already covers; Illinois’s BIPA covers biometric identifiers rather than health records generally. Check which statute actually applies to the information in a reply before assuming HIPAA is the only rule.

PHIPA in Ontario and similar provincial privacy legislation in Canada add another layer for Canadian practitioners.

And platform-specific policies matter too. Google, Yelp, and Healthgrades all have their own terms of service regarding provider responses. Violating platform policies can result in your responses being removed or your profile being flagged.

The 41% burnout factor

Here’s something that doesn’t get talked about enough: 2 in 5 healthcare providers say online reviews contribute to their professional burnout, according to Tebra’s 2025 data. And over half of providers have considered leaving medicine due to negative online reviews.

That’s not weakness. That’s a rational response to an asymmetric system where patients can say anything and you can’t defend yourself.

The answer isn’t to disengage. It’s to have a system that handles reviews for you, consistently and safely, so you don’t have to stare at every one-star review and feel your stomach churn. Build the templates. Train the staff. Set the process. Then step back and focus on what you actually went to medical school to do.

What to do this week

  1. Pull up every review response you’ve ever written. Read them with HIPAA eyes. Does any response confirm a patient relationship, reference a procedure, mention dates, or describe clinical details? If yes, edit or delete those responses today. Then treat each one as a possible breach: deletion removes the text from public view but does not undo the disclosure, so document what was disclosed and when, and have your attorney walk through the Breach Notification Rule’s risk assessment with you.
  2. Schedule 30 minutes with a healthcare attorney to review your current response practices. This is cheap insurance.
  3. Create three template responses (positive, negative, suspected fake) that have been vetted for HIPAA compliance. Share them with every staff member who has access to your review profiles.
  4. Restrict review response access to one or two trained individuals at your practice.

The cost of getting this right is a few hours and a legal consultation. The cost of getting it wrong is a federal investigation and a fine that could run into six or seven figures. The math is easy.

Written by Nick Dumitru, 20+ years helping growth-focused businesses generate leads and revenue.
