How to Respond to Patient Reviews in Compliance with HIPAA Guidelines

By Amber Turner On Dec 14, 2022 . 0 Comments

94% of people use online reviews to evaluate physicians, and 75% say online ratings and review sites have influenced their decision when choosing a physician.

Your online reputation is essential in earning prospective patients’ trust, and your responses give a first look into the services they will receive if they choose your practice for their medical needs.

How do you respond when the reviews start coming in? If it’s positive, your task is simple: thank patients for their loyalty and for taking the time to share their experiences. 

The challenging part comes when the feedback isn’t as complimentary, made all the more complicated when you add in patient privacy concerns.

Negative reviews on sites like Google, Vitals.com, Healthgrades.com, RateMDs.com, Yelp, and even Facebook can be especially damaging—destroying your online reputation and turning away future patients.

Because you are in the healthcare industry, you must be extra mindful of how reviews are managed. 

HIPAA guidelines protect patient privacy, and you as a healthcare provider should know how to stay compliant.

Follow our advice below to craft HIPAA-compliant review responses that show your commitment to patient care and privacy. 

What is HIPAA?

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996.

HIPAA’s Privacy Rule restricts how covered entities (providers, health plans, and clearinghouses) and their business associates may use and disclose protected health information (PHI). That restriction applies to public channels such as review sites and social media just as it does to any other communication with or about a patient.

Publicly confirming that a reviewer is a patient, or referring to any detail of their visit or care, is a disclosure of PHI and a potential HIPAA violation.

The Consequences of Non-Compliant Review Responses

A simple mistake can result in a full-scale HIPAA violation, which can have significant financial consequences for your healthcare practice.

There are four penalty tiers for HIPAA violations, based on the level of culpability.

Figure: HIPAA violation penalty tiers (source: HIPAA Journal)

  • Tier 1: The covered entity did not know of the violation and could not reasonably have known about it, even with a reasonable amount of care taken to abide by HIPAA Rules – Minimum fine of $100 per violation, up to $50,000
  • Tier 2: The violation was due to reasonable cause rather than willful neglect: the covered entity should have known about it but could not have avoided it even with a reasonable amount of care – Minimum fine of $1,000 per violation, up to $50,000
  • Tier 3: Willful neglect of HIPAA Rules, where the violation was corrected within the required time frame (30 days) – Minimum fine of $10,000 per violation, up to $50,000
  • Tier 4: Willful neglect of HIPAA Rules, where the violation was not corrected – Minimum fine of $50,000 per violation

The annual cap is $1.5 million for all violations of an identical provision. The amounts above are the statutory figures; the Office for Civil Rights adjusts them for inflation each year, so check the current figures before relying on them.

Patient Reviews Quick Q&A

Common questions about patient reviews and feedback.

Q: How do you respond to a negative patient review?

A: Ignoring the reviews altogether is not an option. In your response, acknowledge the issue and apologize for it. Even if the reviewer is unreasonable or it isn’t your practice that’s at fault, an apology shows that you care. Keep the apology generic, so that it does not confirm the reviewer is a patient or repeat details of their complaint.

If the negative review has false claims or exaggerated statements, address those remarks respectfully and apologize for any misunderstanding, without disputing specifics of a visit in public.

Next, take the conversation offline with a standard invitation to contact the office.

Q: How do you respond to a positive review of a patient?

A: The goal of responding to positive reviews is to turn the patient into an advocate for your practice and to show that you take feedback seriously.

Thank your reviewer and politely show appreciation for their willingness to leave a review for your practice. Acknowledge, in general terms, what they appreciated (friendly staff, short waits) in a response written for that review rather than a template, but do not repeat anything about their treatment or confirm that they were seen by your practice.

Q: How do you respond to feedback reviews?

A: In general, responding to reviews — positive and negative alike — shows you’re an engaged business owner who cares not only about your business but about your patients, too.

The best preparation for responding to patient reviews and online feedback is to have a process in place.

Tips for a HIPAA-Compliant Response for Patient Reviews

The penalties above not only hurt a healthcare practice financially; a violation also has the potential to damage its reputation.

Knowing these consequences, you may be thinking, how do you avoid these pitfalls and effectively respond to reviews?

Patient reviews are a vital part of a healthcare organization’s identity. And responding to online reviews is a great way to build trust with potential patients and engage with current patients.

A well-crafted response to a negative review can turn a bad situation into an opportunity, while a thoughtful response to a great review can build loyalty and brand evangelists.

Here are five tips to help you respond to negative reviews in a way that is HIPAA compliant.

1. Keep patients’ privacy intact

When responding publicly on Google, Yelp, or other platforms, never confirm if the patient was seen by your practice or release any of the patient’s medical information.

PHI stands for Protected Health Information. PHI goes beyond a person’s health records and the fact that they were a patient of yours. It includes anything that someone can use to identify a patient, including the individual’s:

  • Name
  • Email address
  • Phone number
  • Birthdate
  • Appointment dates/times
  • Test results
  • Diagnoses

Medical providers have a moral and legal obligation to protect patient privacy, even if the patient has divulged personal details themselves. It’s best to use generic terms that don’t offer any specific patient information.

2. Thank the reviewer and address their concerns

Saying “Thank You” shows that you take every piece of feedback seriously to further improve the patient experience.

Stick to general phrases like “We take your feedback seriously” or “We strive to always improve our patient experience.”

In any case, make sure that you avoid referencing any specifics about the patient’s visit or treatment. Even if the reviewer mentions specifics about their treatment or visit, don’t acknowledge it.
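As an added example (not a tool from the original post), the following Python pre-publication check scans a draft reply for the identifier categories listed under tip 1 and for wording that acknowledges the reviewer as a patient, which tip 2 warns against. The phrase lists, the practice contact details, and the sample drafts are constructed for illustration; the two compliant replies are taken from the examples later on this page.

```python
"""Pre-publication lint for public replies to patient reviews.

Added example, not a tool from the original post. It flags fragments of a
draft reply that would disclose PHI (the identifier categories the page
lists) or that acknowledge the reviewer as a patient. The phrase lists are
assumptions; extend them with your practice's own vocabulary.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # rule that fired
    text: str      # offending fragment of the draft


# Identifiers from the page's PHI list that a pattern can catch.
PHI_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    # numeric dates with a year (3/14/2022) and month-name dates (March 14)
    "date": re.compile(
        r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"
        r"|\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2}\b",
        re.IGNORECASE,
    ),
    "time": re.compile(r"\b\d{1,2}(?::\d{2})?\s*(?:am|pm)\b", re.IGNORECASE),
}

# Wording that confirms the reviewer was seen by the practice (assumed list).
ACKNOWLEDGEMENT_PHRASES = (
    "your visit", "your appointment", "your treatment", "your chart",
    "your results", "your diagnosis", "your prescription", "your procedure",
    "you were seen", "when you came in", "your last visit",
)

# Clinical detail that should never appear in a public reply (assumed list).
CLINICAL_TERMS = (
    "diagnos", "prescri", "test result", "x-ray", "mri", "surgery",
    "back pain", "back issue", "blood pressure", "infection",
)


def _name_tokens(reviewer_name: str) -> list[str]:
    """Name parts worth matching; single letters such as 'S.' are skipped."""
    tokens = (t.strip(".,") for t in reviewer_name.split())
    return [t for t in tokens if len(t) >= 2]


def lint_response(draft: str, reviewer_name: str = "",
                  allowed: frozenset[str] = frozenset()) -> list[Finding]:
    """Return every PHI or acknowledgement finding in `draft`.

    `allowed` holds the practice's own contact details (its phone number or
    office e-mail), which may legitimately appear in a reply.
    """
    findings: list[Finding] = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(draft):
            if match.group(0) not in allowed:
                findings.append(Finding(category, match.group(0)))
    lowered = draft.lower()
    findings += [Finding("acknowledges_patient", p)
                 for p in ACKNOWLEDGEMENT_PHRASES if p in lowered]
    findings += [Finding("clinical_detail", t)
                 for t in CLINICAL_TERMS if t in lowered]
    # Matching the reviewer's display name is a coarse check: a name that is
    # also a common word (e.g. "Will") produces false positives.
    for token in _name_tokens(reviewer_name):
        if re.search(rf"\b{re.escape(token)}\b", draft, re.IGNORECASE):
            findings.append(Finding("reviewer_name", token))
    return findings


def is_compliant(draft: str, reviewer_name: str = "",
                 allowed: frozenset[str] = frozenset()) -> bool:
    """True when the draft can be posted as-is."""
    return not lint_response(draft, reviewer_name, allowed)


# The page's compliant replies (e-mail placeholder filled with a constructed
# address), plus a constructed non-compliant draft.
POSITIVE_REPLY = ("We aim to deliver the best care to our patients and love to "
                  "hear positive experiences! Thanks for sharing this feedback!")
NEGATIVE_REPLY = ("We appreciate your feedback and are committed to providing "
                  "the best patient care. Please contact our Office Manager "
                  "Debbie at office@example.com to further discuss your experience.")
BAD_DRAFT = ("Hi John, sorry your appointment on 3/14/2022 ran late. Dr. Lee "
             "noted your back pain and will call you at 555-867-5309 with the "
             "MRI results.")
PRACTICE_CONTACTS = frozenset({"office@example.com", "555-100-2000"})  # constructed

if __name__ == "__main__":
    for label, draft in [("positive", POSITIVE_REPLY),
                         ("negative", NEGATIVE_REPLY), ("bad", BAD_DRAFT)]:
        for f in lint_response(draft, reviewer_name="John S.",
                               allowed=PRACTICE_CONTACTS):
            print(f"{label}: [{f.category}] {f.text!r}")
```

Run it over every draft before posting; a non-empty result sends the reply back to whoever owns the response policy. The `allowed` set exists because the practice’s own phone number and office e-mail legitimately belong in a reply, as in the example responses on this page. Pattern matching catches only what it is told to look for, so treat the check as a backstop for the written policy, not as a replacement for a human reader.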

3. Take critical issues offline

The best way to help patients with issues or additional comments is by directing them to a specific number, email, or department where both parties can discuss specific issues. 

It also reduces the risk of a further disclosure in a public thread, where every follow-up reply is another chance to slip.

Additionally, we have seen positive outcomes with clients who reach out personally to negative reviewers. When the focus stays on resolving the complaint with a professional demeanor, the patient may decide to change or update the review on their own.

Don’t ask patients to take a review down. Even if you ask politely, making the request creates distrust and undermines the doctor-patient relationship.

4. Promote your practice’s values and policies

Responses are an excellent opportunity to further your brand messaging. So instead of addressing a complaint or compliment directly, you can talk about your practice’s goals or what you strive to do as it relates to the patient’s review.

5. Create a response strategy for your reviews

The most important thing when responding is that it shouldn’t be impulsive.

Work with your team and create a policy on how you can respond to different types of reviews while complying with HIPAA guidelines.

TAKE NOTE: Some healthcare professionals assume that if patients publicly disclose protected health information on their own, they are free to respond however they feel appropriate. 

However, this is a false assumption. Healthcare professionals are always responsible for upholding HIPAA regulations.

Responding To Positive and Negative Comments on Social Media

On Facebook, people can either “recommend” or “not recommend” your business, and this leads to an aggregate rating out of 5.

Figure: Screenshot of a Facebook page review score

In addition to the “Review” section of a business’ Facebook page, individuals can write a post or comment for your business and share their feedback. 

Instagram is not a review platform. However, comments on your posts are public, and potential patients can see them.

It’s essential to monitor your social media accounts for feedback, positive and negative. Respond to all Facebook reviews, treat comments that contain feedback like mini-reviews, and reply to each one under the same privacy rules as a review response.

Best Practices: Examples of HIPAA-Compliant Responses

Following are a few examples showing how to respond to ensure HIPAA compliance.

Example: Positive Response

Review: “I love this place! When I was there for my back issues, they did everything they could to make me comfortable, and the staff was great.”

HIPAA-compliant response: “We aim to deliver the best care to our patients and love to hear positive experiences! Thanks for sharing this feedback!”

Example: Negative Response

Review: “I had to wait more than an hour to be seen. The front desk lady was rude and didn’t seem concerned with my long wait at all. When I finally saw the doctor, she only spent a few minutes with me and seemed rushed.”

HIPAA-compliant response (1): “When scheduling, it’s our policy to allow plenty of time with the doctor and do our best to keep our schedule running on time. However, due to emergencies, it is possible to be behind schedule. We appreciate your feedback and are committed to providing the best patient care. Please contact our Office Manager Debbie at (email address) to further discuss your experience.”

HIPAA-compliant response (2): “We sincerely apologize for your recent experience. Please call us at [phone number] so we can ensure a better experience next time. Thank you for your comments.”

Worried About Breaking HIPAA Guidelines? Koda Digital Has Your Back

Although HIPAA regulations undoubtedly make replying to online reviews more challenging, it is not an impossible task.

All in all, when writing HIPAA-compliant responses, it’s important to remember why you are responding in the first place. 

Patient reviews give healthcare practices invaluable insights that can help optimize patient care and experience. You want your responses to portray your practice in a positive light online, promote trust, and demonstrate gratitude for your patients.

For more helpful patient review tips and HIPAA guides, check out our previous blogs:

If responding to reviews is taking up too much of your time, consider hiring a reputation management agency to respond on your behalf. Any agency that handles material that could contain PHI (patient complaints, appointment details, offline follow-ups) is acting as your business associate, so have a Business Associate Agreement in place before it starts.

At Koda Digital, we keep HIPAA compliance and other industry standards as our highest priority.

Tracking online reviews is just one small aspect of how we help medical practices. 

We have helped many practices stand out and above their competitors with a cohesive business strategy that involves SEO, AdWords, reputation management, and much more.

Spend your time focusing on your patients, we will handle the rest. 

Get a 5-minute call with Koda Digital today to learn how to get a handle on your online reputation management and improve every digital touchpoint of your patient’s journey.

