How to manage online reviews and stay HIPAA compliant

If you’re not careful, doctors, dentists, and other health professionals can get into hot water when it comes to HIPAA compliance and online reviews. Yes, you have to be HIPAA compliant in responding to online reviews!

According to the Yale School of Medicine, one plastic surgery shop in St. Louis posted before-and-after photographs on the Internet of thirty patients who had undergone breast augmentation surgeries. “Though their faces were obscured, the patients sued for negligence when they discovered that the pictures included identifying information, and that the site could be located simply by searching for the patients’ names.”


Fortunately, HIPAA regulations tend to help prevent such horror stories from happening. But HIPAA expert Dr. Danika Brinda reminds us that HIPAA came from a pre-online-review world.

How do health professionals and medical businesses respond to online reviews and stay HIPAA compliant?

Manage all your reviews for multiple sites and get more reviews from your happiest patients with Womply Reputation Management. Learn more, plus get free reputation monitoring and customer insights when you sign up for Womply Free! 

In this post, we’ll explain why it’s worth it for health professionals to respond to online reviews. We’ll also lay out some safe ways to write responses without compromising patient privacy.

Why bother? Is responding to online reviews worth it?

It’s no secret that online reviews matter to local businesses. Lakes of data and studies have shown that 9 out of 10 customers typically research before they buy, including 77% of patients searching for a trusted doctor.

So, having a presence on review sites, listings, and local directories is critical for being found and attracting new customers and patients. And the good news is, most of the time, at least for Yelp, reviews are positive.

But is just having reviews enough? Does responding to reviews make a difference?

One online reputation company published a study to answer this question and found that 78 percent of consumers say that seeing management respond to online reviews makes them believe that the business cares more about them.

In the same way, HIPAA compliant organizations have no excuse not to respond to reviews. In one Software Advice survey of how patients use online reviews, the majority of respondents (65%) felt it was “very” or “moderately important” for doctors to post a response.

But it’s tricky. Let’s look at ways you can interact with customers online without violating health laws.

How to respond to reviews and stay HIPAA compliant: 3 Don’ts and 3 Do’s


Don’t use language that indicates the patient even visited your local business premises.


  • A patient writes: “I had a wonderful experience seeing [doctor’s name].”
  • A non-compliant response would sound as innocent as: “Thank you, [patient’s name], for coming into our office yesterday.”
  • This is a violation of the patient’s personal privacy.

Don’t use any details or specifics, even if the patient mentions them in their own review.


  • A patient lauds: “My migraines are feeling much better thanks to [doctor’s name].”
  • A response like this would trigger a legal event: “We’re so glad! Remember to keep taking your Floricet oral twice a day!”
  • *Facepalm* Please, please, avoid giving detailed information out online, especially with patient prescriptions.

Don’t argue with negative reviews or egg on further online discussion.


  • A patient complains in a review: “The receptionist was rude. I’m never coming back.”
  • Digging in like this is asking for a court case:  “Sorry to hear this. Could you elaborate on the behavior of the receptionist?”
  • Oy vey. Should the patient respond would imminently result in apocalyptic disaster for your practice. Avoid unnecessary solicitation from your patients outside of a medical appointment.


Do respond. Full stop. For the sake of your reputation and revenue, take the first step and write a professional, cordial response.


  • A patient effuses in a review: “I didn’t appreciate how rushed the appointment felt.”
  • It might not have felt rushed to you, but a response like this would go a long way: “Thank you for your review. Per our policy, we try our best to see patients as efficiently as possible without sacrificing our commitment to provide quality health care.”

Do keep things general and policy-based.


  • A patient praises: “My skin rash is gone. Dr. [name]’s advice and treatment worked!”
  • Do not address the specific issue. Instead respond like this: “Thank you for your kind words. Our practice strives to perform at the highest standards of our policy to provide quality medical services.”
  • It might sound lame compared to a restaurant or hotel owner’s response, but it’s better than getting sued.

Do offer to take the conversation offline.


  • A patient writes about a terrible experience: “Your recommendation didn’t work. My back pain is worse now.”
  • Contain the incident and provide a clear next step: “We’re sorry to hear about the pain you’re experiencing and we’d love to help. It is our policy to protect patient information and discuss important matters offline. Please call us at [888-888-8888] so that we can help right away.”
  • Review sites are not the place to defend oneself. The best and safest action is to take the conversation offline.

If you take one lesson away from this article it’s this: HIPAA compliant businesses should respond to reviews if they want to succeed in today’s digital and smart-patient world. Remember these recommendations as you write your responses and your customers will be both pleased and protected.

Recent Articles

9 Atlanta area events that can be great for your small business in 2022

In this 5-minute read: 9 events in Atlanta, GA in 2022 that your business should know about Start your year …

Read More

25 free business listing websites every small or local business should be on (Updated for 2022!)

Be sure to claim your company’s free listings on these sites so more customers can find your business. 

Read More

9 events that every Houston, TX area small business should know about in 2022

In this 5-minute read: 9 local events that Houston small businesses should take advantage of this year Attending events, business …

Read More

Small business events in Chicago: 8 ways to grow and market your business in 2022

In this 5-minute read: 8 Chicago events to add to your 2022 business calendar Wherever your business is located, you …

Read More

10 2022 Washington DC area events that can be great for your small business

In this 5-minute read: 10 events that Washington DC area businesses need to know about this year Which DC events …

Read More

5 Orlando area events in 2022 your small business should take advantage of

In this 5-minute read: 5 2022 events in Orlando, FL that your business needs to know about Which events may …

Read More

See why Womply is the #1 marketing and CRM solution used by 500,000+ businesses.