
HIPAA compliance extends beyond the office. One of the trickiest HIPAA issues for medical providers is responding to public online reviews while also protecting private patient information. Follow our advice below to craft HIPAA-compliant review responses that show your commitment to patient care and patient privacy. 

Why review responses matter

Smart practices know they need to respond to online reviews because they understand that today’s medical clients search online to find and choose services. Potential patients expect to read reviews about providers before making their decisions, even when they have a word-of-mouth referral.

When providers leave professional, HIPAA-compliant responses, they show potential customers their patient-focused values. But when providers ignore reviews, searchers are likely to see the providers as uninvolved in the patient experience–no matter how connected they are in the office. Provider responses online quickly magnify positive patient experiences or negative ones, as potential clients imagine themselves in the place of the reviewer.

Responding to negative reviews is crucial

Having a few negative reviews is not a bad thing. In fact, some research shows that "too perfect" reviews make readers suspicious, because they want to know the reviews are real and that the provider is human.

However, providers do need to respond to negative reviews to show concern for patients and to offer their own perspective. Even if you have already followed up thoroughly with a patient in person, a complaint or negative comment left online still needs an appropriate public response, because that is what potential clients will read.

Responding to positive reviews also matters

A good rule of thumb is to respond to every negative review, and to respond to a portion of positive ones. If you respond to every positive review–even the small and quick reviews that say “great!” or “Love this doc!” then you seem automated and insincere. However, when someone has taken time to really offer positive words and details, it’s important to show appreciation.

Responding with HIPAA compliance is essential

HIPAA compliance should be top priority in your online responses. If potential clients see you respecting others’ privacy, they assume the same will happen for them. But if they see you divulging sensitive information or diminishing people’s experiences, they will assume even worse in the office.

Beyond your reputation, the penalties for HIPAA violations are severe. Civil penalties range from $100 per violation for an unknowing mistake up to $50,000 per violation for willful neglect. Providers bear the burden of knowing what is and is not appropriate, and the lowest penalty tier applies even to violations a provider did not know about and could not reasonably have been expected to know about.

Keys for HIPAA compliance in online responses

To maintain HIPAA compliance always remember to protect patient privacy and project a professional, caring voice. Remember that although your responses are to one person, they are public for all to see.

1. Never include any information about the patient

Avoid discussing treatments or any details of the reviewer's visit to your office. Because the fact that someone received care from you is itself protected health information, a HIPAA-compliant response must not even confirm that the reviewer has been a patient or visited your office at all.

Avoiding personal information can be especially challenging, because reviewers often divulge their own personal details and experiences. When providers respond, it’s natural to want to respond to those details. It’s also natural to think of a review and response as an exchange between just two people, forgetting that it remains a public conversation online, long after the original discussion has ended. 

Providers have a moral and legal obligation to protect patient privacy, even if the patient has divulged personal details and not protected their privacy themselves. 


Thank you for letting us know about your experience last week with the nurse-midwife. We are sorry she refused to give you the strep test you asked for. We want expecting mothers to feel free to ask for whatever health care they need during their routine prenatal visits. Please talk with our office manager at your next visit.

Not HIPAA compliant. Although the reviewer may have left details in the review, providers must avoid repeating these details in their responses.


Thank you for taking the time to leave a review. We strive to provide the best care possible to all our patients. We value your feedback and would like to address your concerns directly. Please contact us at 555-555-5555.

This HIPAA-compliant response avoids sharing patient information, not even acknowledging that the reviewer visited the practice.

2. Respond quickly, but not immediately

It’s important for people to see you respond quickly because this shows you care about them and customer service. Meanwhile, it’s human nature to have an emotional response when we read something about ourselves, especially negative feedback. Even one negative review can be deeply cutting to a provider who spends busy days trying to help people.

Online responses must remain professional and patient-focused no matter what. When we respond reactively, we tend to ignore guidelines for being professional. You might need to detach and calm down, even if you think you don’t.

Unless a review alerts you to a true emergency, follow a standard to wait at least a few hours or overnight before responding. This habit can help you check your emotions and protect any personal details that might violate HIPAA compliance standards.

3. Always start with “thank you” or other words of appreciation

An appreciative start helps you remember that a reviewer is a real person who took their time to give you feedback. They matter, and their feedback also matters, and even the most angry reviews can help you improve your practice if you listen without being defensive.

HIPAA exists because seeking healthcare often requires patients to face difficulties and share their most private concerns, and they need to trust their providers to understand and protect that information. Professional and courteous replies online, especially to angry reviewers, go a long way toward showing potential clients that they really can trust you.

4. Focus on procedures and policies, not the individual

One of the most effective ways to maintain patient privacy is to focus on standards of care, best practices, and your goals to meet these. Focusing on your procedures and policies lets you show personal care without getting too personal. 


Our policy is to schedule plenty of time between patients in order to avoid long waits. We strive to deliver the best care possible to all our patients, but we occasionally fall behind schedule because of emergencies. Thank you for your feedback. If you want to discuss further, please contact us at 555-555-5555.

This HIPAA-compliant response acknowledges the reviewer’s concern about wait time while focusing on general practice standards.

5. Take the discussion offline

Invite reviewers to contact you personally to discuss and resolve issues. Consistently include your customer service phone number in your responses. A personal conversation is always more effective than an online exchange, especially with negative reviews that require negotiation or amends.

If you have the reviewer’s contact information in your system, you can reach out directly and privately to resolve issues. If you do, be sure you have signed permission to contact via email or text, or to leave a voice message, because these contact methods also raise privacy concerns.


Would you please call us at 555-555-5555 so we can work to resolve your issue? We look forward to hearing from you. We are always eager to improve patient care.

This response quickly moves the conversation offline. Resolving a problem usually requires discussing personal details that cannot be shared in a public reply without violating HIPAA. If a reviewer keeps the discussion going online, continue to encourage an offline conversation.

6. After resolving an issue, invite the reviewer to update their review

An occasional negative review gives you a chance to show your effective customer service. When you have reached a successful resolution, ask whether the patient will update their review. Even if they don't, you can edit your response to show that you addressed the concern and worked to resolve it. Your consistent and effective efforts matter most, and these will show through your regular responses.

7. Develop a library of HIPAA-compliant responses to choose from with confidence

Many medical groups develop a list of review responses they regularly choose from when responding. Some groups have these evaluated by legal advisors. Some practices use an automated review system like SocialClimb’s that includes a library of responses. No matter the method, an approved list offers professionalism and variety and can be adapted if needed. Your staff can have confidence that their responses are both effective and fully HIPAA compliant. 

SocialClimb’s reputation marketing and automated patient acquisition

At SocialClimb, we keep HIPAA compliance and other industry standards as our highest priority. We provide medical practices of all sizes the tools they need for effective medical marketing, including reputation building, targeted ads, and automated patient acquisition. We understand the needs of medical practices, and we offer a carefully developed library of responses our customers can use to respond to both positive and negative reviews. Read more or request a demo to learn how SocialClimb’s automated tools can help you develop your online reputation and grow your practice with ease.
