All articles
Healthcare11 min read·

HIPAA-Compliant Review Responses: What Healthcare Providers Can (and Cannot) Say

One wrong review response can trigger an OCR investigation and six-figure fines. Here's exactly what HIPAA allows healthcare providers to say publicly.

By Review Remover Editorial Team

HIPAA-Compliant Review Responses: What Healthcare Providers Can (and Cannot) Say

In 2016, a California dermatologist paid $10,000 to the OCR after responding to a Yelp review with clinical details. In 2022, a Texas dental practice paid $50,000. The pattern is consistent: HHS treats public review responses as a common HIPAA enforcement priority, and the penalties are real.

The core rule: any information about a patient — including whether someone IS a patient — is Protected Health Information (PHI) under HIPAA. You cannot confirm treatment, deny treatment, describe visits, reference dates, or discuss medical facts publicly, even to defend against false claims.

You CAN say: (1) generic statements about your practice's approach ('We strive to provide excellent care to every patient'); (2) a general apology for the reviewer's experience ('We're sorry to hear this'); (3) an invitation to discuss privately ('Please call our office manager at X'); (4) general information about your practice hours, services, or policies.

You CANNOT say: (1) 'We remember you' or 'You're not our patient'; (2) any clinical detail even if the reviewer disclosed it first ('Your extraction was performed properly'); (3) any timing information ('You came in on March 3rd'); (4) any diagnosis, treatment, or billing information.

The 'reviewer disclosed it first' trap is where most providers get fined. Even if a patient publicly names their surgery, diagnosis, or provider, HIPAA still prohibits YOU from acknowledging it. The patient can waive privacy for their own information; you cannot.

For clearly false or defamatory reviews, the correct path is removal via platform policy — NOT public response. Google, Yelp, Healthgrades, and Vitals all have processes for removing HIPAA-violating reviews (yes, reviews can violate HIPAA by revealing PHI) and defamatory content.

Some providers use a 'response through action' strategy: never engage with negative reviews online, but reach out to the reviewer privately if identifiable, resolve the issue, and ask if they'd consider updating their review. Roughly 30–40% of negative reviewers will update or remove a review after a genuine private resolution.

Train every team member with review-response access on HIPAA rules. A single well-meaning response by a front-desk employee can trigger an OCR complaint. Use written response templates and require sign-off by a designated compliance owner before any public response.

For practices under review bombing or coordinated attacks, engage a healthcare-specialized reputation team. General reputation firms often draft responses that would be HIPAA-compliant for a restaurant but are catastrophic for a medical practice.

#HIPAA#Healthcare#Compliance

Dealing with a fake or unfair review?

Get a free review audit. We'll tell you if the review violates platform guidelines and is eligible for removal.

Request Free Audit