How to Legally Respond to Patient Online Reviews

Studies show that 84 percent of consumers turn to review sites to find a doctor or dentist. But those reviews they’re reading can be a mixed bag for the practice. Good or not so good, your practice needs to respond to every review if for no other reason than to show you are cognizant and engaged with these online sources.

But that’s where things can get tricky. Patient privacy must be protected, as has been dictated for the last 20 years by HIPAA, the Health Insurance Portability and Accountability ACT of 1996, along with a host of individual state privacy laws. While the law is broad, its basics say that healthcare organizations and providers are not allowed to use or disclose patient information without explicit prior authorization from the patient. And this isn’t legal stuff that never is acted upon, like the user agreements in every software upgrade — HIPAA violations have resulted in fines and prescribed action plans for practices across the country.

At Advice Media, we’re believers in engaging with your online reviews, so we don’t think you should play it safe by being quiet. You can acknowledge and engage with your reviewers while protecting their privacy.

First, let’s address some misperceptions about online reviews and what is and isn’t legal according to HIPAA.

Situations and perceptions

Here are three typical situations with online reviews and some existing perceptions about them.

  1. When a patient submits a review, it is a tacit authorization for the practice to disclose information about that patient.

This is not true. Just because a patient chooses to post a review does not mean they have provided authorization to release any information about the patient in response.

  1. When a patient submits a review, the practice can respond in kind.

Again, this is not true. No matter what the reviewer detailed about his or her experience at your practice, they still have not provided authorization to the practice to respond back with specific patient information and details.

  1. A practice can use a review posted on Yelp or other review sites as a testimonial on the practice’s website or social media.

Nope. The patient has to explicitly agree to allow their testimonial to be posted on the practice website.

As you can see, the act of posting a review is not some approval of the patient to use his or her specific information in any way. To comply with HIPAA, the practice/provider should not make any comments that would confirm that the patient received any healthcare services, or make any specific comments about those services. And when it comes to testimonials, get the patient to give written authorization before using their review.

How you should respond

While we believe it is important for you to acknowledge reviews, you need to be careful how you do it. We think the acknowledgment should be in the comments section under the review; this is a public response. Plus, you can also send a direct message to the reviewer; this is a private message for their eyes only. Whether you use one or both methods, the end goal should be to take the conversation off of the public space and move it to a private channel such as directly phoning your office.

So, how should you comment on a review? It’s best practices according to HIPAA to never release any patient information or confirm that a patient was seen by your practice.

Here’s a hypothetical review:

  • My daughter had a great checkup yesterday with Dr. Jones. Even getting her cavity filled was a great experience. I love the way the staff treated her, and the efficiency of the entire office.

Pam Smith

Your office manager may be in charge of making your response to this review, and he or she may want to post a response like this:

  • Hi Pam,

We’re glad that Maddie had such a great experience. Dr. Jones is great with children and takes pride in making their visits pain free. Look forward to seeing you next time.

Ann Shultz

Office Manager

This response would not be HIPAA compliant because it included specifics about both the patient and the care she received. This was a confirmation that the patient was at the facility and that they plan on seeing them again. None of this is HIPAA compliant.

A compliant response would be like this:

  • We love to hear about great experiences. We aim to deliver the highest level of patient care possible. Thanks for your feedback.

A direct message needs to be equally non-specific, but it should also request that the individual contact your office directly if any follow-up is necessary. You can give the person’s name and phone number to contact. But again, since even direct messages are electronic and potentially seen by others, these messages can’t talk about the patient being treated at your office or any specifics of that treatment.

While these responses seem like non-descript pabulum, they do comply with HIPAA restrictions on patient information. Of course, if you want to thank a patient for a review more directly, you can always call them or write a short thank you note.

If you have further questions about complying with HIPAA, don’t hesitate to call your Advice Media representative.

Posted in: News, Review Management

Leave a response

Make an Instant Impact – Get Started Today

We know healthcare. For almost twenty years, we have helped thousands of medical practices grow online. Ask for our featured case studies. To receive more information about our services, please complete the form below or call (435) 575-7470.

Request Your FREE DIGITAL MARKETING REVIEW

Quick Contact

  • This field is for validation purposes and should be left unchanged.


Advice Media - Digital Marketing Agency Small Logo

Park City Headquarters
1389 Center Dr #230 | Park City, UT 84098
Melville, New York Office
115 Broadhollow Rd #225 | Melville, NY 11747