HIPAA-Compliant Review Responses: What Healthcare Providers Can (and Cannot) Say
One wrong review response can trigger an OCR investigation and six-figure fines. Here's exactly what HIPAA allows healthcare providers to say publicly.
By Review Remover Editorial Team

In 2016, a California dermatologist paid $10,000 to the OCR after responding to a Yelp review with clinical details. In 2022, a Texas dental practice paid $50,000. The pattern is consistent: HHS treats public review responses as a common HIPAA enforcement priority, and the penalties are real.
The core rule: any information about a patient — including whether someone IS a patient — is Protected Health Information (PHI) under HIPAA. You cannot confirm treatment, deny treatment, describe visits, reference dates, or discuss medical facts publicly, even to defend against false claims.
You CAN say: (1) generic statements about your practice's approach ('We strive to provide excellent care to every patient'); (2) a general apology for the reviewer's experience ('We're sorry to hear this'); (3) an invitation to discuss privately ('Please call our office manager at X'); (4) general information about your practice hours, services, or policies.
You CANNOT say: (1) 'We remember you' or 'You're not our patient'; (2) any clinical detail even if the reviewer disclosed it first ('Your extraction was performed properly'); (3) any timing information ('You came in on March 3rd'); (4) any diagnosis, treatment, or billing information.
The 'reviewer disclosed it first' trap is where most providers get fined. Even if a patient publicly names their surgery, diagnosis, or provider, HIPAA still prohibits YOU from acknowledging it. The patient can waive privacy for their own information; you cannot.
For clearly false or defamatory reviews, the correct path is removal via platform policy — NOT public response. Google, Yelp, Healthgrades, and Vitals all have processes for removing HIPAA-violating reviews (yes, reviews can violate HIPAA by revealing PHI) and defamatory content.
Some providers use a 'response through action' strategy: never engage with negative reviews online, but reach out to the reviewer privately if identifiable, resolve the issue, and ask if they'd consider updating their review. Roughly 30–40% of negative reviewers will update or remove a review after a genuine private resolution.
Train every team member with review-response access on HIPAA rules. A single well-meaning response by a front-desk employee can trigger an OCR complaint. Use written response templates and require sign-off by a designated compliance owner before any public response.
For practices under review bombing or coordinated attacks, engage a healthcare-specialized reputation team. General reputation firms often draft responses that would be HIPAA-compliant for a restaurant but are catastrophic for a medical practice.
Dealing with a fake or unfair review?
Get a free review audit. We'll tell you if the review violates platform guidelines and is eligible for removal.
Request Free Audit