When you operate a medical or dental practice, hospital, medical spa, or any other healthcare clinic — or support one as a marketing agency — you understand the importance of adhering to HIPAA regulations and keeping patient information private. But one area where healthcare providers need to be especially careful is when responding to patient reviews.
Customer reviews are critical to business success these days, regardless of the industry, and they can show up anywhere — on third-party review sites, Google, in social media posts, even on the business’s website.
Although it’s a best practice to respond publicly to every review that comes in — not to mention good for your brand — businesses in the healthcare space have a few more rules to follow and more at stake. Bottom line: the personalized, detailed responses that are recommended and even expected for other industries need to be avoided in healthcare and won’t work for HIPAA-compliant review responses.
In this article, we’ll cover what the rules are, the consequences of not following them, and give examples of HIPAA-compliant review responses and non-compliant responses. You can use this information to confidently move forward with your review strategy at your practice or clinic, or for the healthcare clients you support.
What are the rules for HIPAA-compliant review responses?
Because HIPAA is first and foremost concerned with patient privacy, a HIPAA-compliant review response has to be the same — whether the review is positive, negative, or neutral.
Though you can’t control what a patient might include in their review, you do have to control what you include in your response, and that means leaving out any protected health information (PHI) or other identifying information. Here’s a summary list of PHI covered under HIPAA that you cannot post publicly in a review response:
- Personal identifiers such as name, address, age, gender, and Social Security Number
- Electronic identifiers such as telephone, fax number, email, and website URLs
- Biometric identifiers such as fingerprints and full-face photos
- Medical record numbers, account numbers, insurance claims, and eligibility approvals
- Diagnoses, medical conditions, medical advice, treatment plans, dates of diagnoses or treatment, and payment for treatment
- Names of doctors, nurses, or other medical personnel who may have assisted the patient
The main rule of thumb to follow is this: In their review, even if the patient discloses or mentions their own name, condition, diagnosis, treatment, a specific doctor they saw, any medical advice they were given, or the fact that they are a patient at your clinic or hospital, you cannot respond publicly to those details without breaching confidentiality. Instead, to ensure a HIPAA-compliant review response, you need to keep it as generic as possible and include a disclaimer about your inability to comment on specific details due to privacy regulations (we’ll show you what that looks like in the examples later on).
Sometimes reviews can be confusing, though. In the interest of nurturing patient relationships — especially one that may have soured from a poor experience — you want to be able to respond appropriately and empathetically without crossing a line, yet you may not always understand where that line is. When in doubt, it’s always a good idea to consult with legal counsel about how to create and maintain HIPAA-compliant review responses.
What happens if you don’t follow the rules?
To review: If you include anything in your review response that identifies the patient or their condition, treatment, or doctor, you’re violating their patient privacy — regardless of how forthcoming the patient might have been about those details themselves.
HIPAA violations can have serious financial penalties — even if the violations are completely unintentional. Whether accidental or not, violations can cost you anywhere from $100 to $50,000 in fines, per violation. If you rack up several violations in a year, it can get very expensive.
In addition to running afoul of HIPAA, you can also become the target of patient lawsuits if reviewers feel you violated their privacy in some way, which can bring additional financial harm to your practice or clinic. That’s why it’s better to be clear upfront about the risks to patient privacy in public forums and how to avoid them, then to find out after the fact.
However, don’t let these discussions turn you off from responding to patient reviews. There are definitely ways you can write HIPAA-compliant review responses that keep patient privacy intact while enabling you to engage productively with the reviewer and earn or strengthen their loyalty.
4 steps for handling patient reviews
Before we get into specific HIPAA-compliant review response examples, here’s a step-by-step guideline you can follow every time you get a patient review:
1. Think it through before responding
Before writing or posting anything, pause a moment and decide:
- Did the reviewer include any PHI in their review that has to be avoided in the response?
- Is the review positive — in which case a simple “thank you” is fine?
- Is the review negative — in which case a more thorough interaction with the reviewer may be necessary?
- If the review is negative, do you fully understand the reviewer’s experience or complaint, and if not, what questions do you need to ask to understand it better?
Sometimes when you get busy, the impulse is to check off the boxes quickly — patient review comes in, review response goes out, move on to the next item on your list. But it’s better to take some time first so you know what you’re dealing with and can craft a thoughtful, appropriate, HIPAA-compliant review response.
2. Thank the reviewer
Whether the review is positive or negative, always thank the reviewer for their feedback. This shows them that you’re paying attention, care about what they have to say, and sincerely want to improve if there is an issue.
You can work a “thank you” into any kind of response you give without violating HIPAA. In fact, sometimes it may be the only thing to say publicly, as we’ll talk about next.
3. Take the conversation offline, if necessary
Let’s be honest: negative reviews can be unpleasant. And because healthcare businesses have to be extra cautious about how they respond, it’s very likely that you can’t address the details that are included in the reviewer’s complaint, unless you want to risk a response that violates HIPAA. Nor is it a good idea to get into a back-and-forth with a disgruntled reviewer in a public, online setting.
This can understandably feel uncomfortable, though, since you want to be respectful to the reviewer and adequately address their concerns. At the same time, you need to be aware that there could be potential patients watching how you handle the review.
In keeping with HIPAA-compliant review responses, when a review is negative, the best way to respond is to thank the reviewer for their feedback — as noted above — and let them know that due to privacy regulations, you can’t discuss specific details. Then, invite the reviewer to discuss their comments with you further on a phone call. That way the reviewer isn’t being ignored, and you can get the information you need to better understand the situation and come up with a resolution.
4. Turn patient feedback into action
Positive and negative feedback both point somewhere — to things that are going well that you should do more of, or things that aren’t working and need to be fixed.
Feedback is always valuable, so take the information the reviewer is giving you and turn it into action. It helps to use a software platform that can analyze patient sentiment and deliver easy-to-understand insights you can use to make effective changes that ensure a better patient experience — and get more positive reviews to boot.
Examples of non-compliant and HIPAA-compliant review responses
Now that we’ve talked about the basic steps for handling patient reviews, here are some examples of review responses and what makes them HIPAA-compliant or not. Feel free to borrow and rework the HIPAA-compliant examples to use in your own practice, clinic, or hospital.
Doctor’s / dentist’s office:
Positive review: “My name is Jan and I recently had my yearly check-up with Dr. Jones at your office. I just want to say how great Dr. Jones and the rest of your staff were. They were prompt and helpful, and I really appreciated it.”
- Non-compliant response: “Thank you, Jan! We’re so glad to hear from our patients when they have a great experience with Dr. Jones and our staff.”
- Why it’s non-compliant: The response mentions the patient’s name, the doctor’s name, and acknowledges that the reviewer is a patient.
- HIPAA-compliant review response: “Thank you! We strive to be prompt and helpful, and we really appreciate your feedback.”
Negative review: “I was just at your clinic for a teeth-cleaning and I was so disappointed. Dr. Cook was 20 minutes late, the person who checked me in was rude, and I got billed twice for the service. I’m seriously thinking about not coming back.”
- Non-compliant response: “I’m so sorry to hear that you didn’t have a great experience and that we incorrectly processed your billing. I will also address your concerns with Dr. Cook and our front-desk personnel so we can do a better job going forward. Please consider returning as our valued patient and enjoy 10% off the next teeth-cleaning you book with us.”
- Why it’s non-compliant: The response mentions treatment, billing, the doctor’s name, and acknowledges that the reviewer is a patient.
- HIPAA-complaint review response: “Thank you for this valuable feedback. Due to privacy regulations, I can’t discuss specific details. However, please call [phone number] and ask to speak with our office manager, who will be able to discuss your concerns.”
Hospital:
Positive review: “My nephew Brad was admitted to the ER after a car accident, and we couldn’t have had a better experience during such a stressful time. The ER doctors and nurses were so kind and worked hard to stabilize him and treat his broken leg. We felt well taken care of the entire time. For anyone who has to unfortunately end up in the ER, [hospital name] is the place to be.”
- Non-compliant review response: “We’re so glad to hear that you had a positive experience with our ER staff as they treated your nephew Brad’s broken leg. We want to extend our wishes for a speedy recovery.”
- Why it’s non-compliant: The response mentions a medical condition and acknowledges the reviewer’s nephew was a patient.
- HIPAA-compliant review response: “Thank you for your positive feedback. We take great pride in having a well-run, well-staffed emergency room to help care for the community.”
Negative review: “Whatever you do, don’t schedule surgery at [hospital name]. I had gastrointestinal surgery there about three weeks ago, and it was an awful experience. Everyone I encountered was too busy to talk to me about the procedure, I didn’t know what to expect, and when it was done, I was left alone in the recovery room for way longer than I was told. It’s clear the staff doesn’t care at all about the patients.”
- Non-compliant review response: “Thank you for letting us know about your patient experience. I’m so sorry it was disappointing. We work hard to provide a high level of patient care, but it looks like we didn’t meet our own standards this time. Would you mind disclosing how long you were in the recovery room, so we can look into this further?”
- Why it’s non-compliant: The response acknowledges the reviewer was a patient, mentions an aspect of the medical treatment (recovery), and publicly asks for more details about the recovery experience.
- HIPAA-compliant review response: “Thank you for your comments. We take all feedback very seriously. Due to privacy regulations, we’re unable to discuss specific details. However, please call the hospital administrator at [phone number] as they will be able to further address your comments.”
Medical spa:
Positive review: “I’m a 34-year-old who had lip injections two days ago for the first time. They were done by Kelly. I have to say she was amazing — so professional — and she gave me tons of good advice afterward. I highly recommend her and [med spa name] for anyone looking for the same service.”
- Non-compliant review response: “This is great to hear! We love our first-time customers. Thanks for letting us know about your positive experience with Kelly and our lip injection service. We hope to see you back here soon.”
- Why it’s non-compliant: The response mentions a particular staff member and treatment, and acknowledges the reviewer is a customer/patient.
- HIPAA-compliant review response: “Thank you for your great feedback. We put a lot of effort into providing positive experiences for anyone who visits.”
Negative review: “Don’t bother going to [med spa name]. I had a laser treatment on June 4 and couldn’t leave my house for a week after. I had a weird reaction to it as soon as I got home and freaked out about it, but I couldn’t get anyone to call me back! Terrible customer service. Not worth the time or money.”
- Non-compliant review response: “Thanks for letting us know about this upsetting experience you had with our laser treatment. We pride ourselves on our customer service and I’m sorry no one called you back. Could you let us know when you called and if you asked to speak to anyone in particular? Our phone system may have been down on June 4.”
- Why it’s non-compliant: The review mentions treatment, the date of treatment, and acknowledges the reviewer was a patient/customer.
- HIPAA-compliant review response: “Thank you for your feedback. Due to privacy considerations, we can’t discuss any details here, but if you’re willing to call the clinic director at [phone number], they’ll be happy to chat with you further.”
An important tip regarding AI-generated review responses
Many review management platforms utilize artificial intelligence (AI) to generate and automate review responses. This is a great feature to have as it can save tons of time and relieve the creative burden, especially for businesses with a small team juggling multiple responsibilities or agencies that are handling review management for multiple clients.
However, when it comes to AI, HIPAA-compliant review responses definitely require human attention. If you do rely on AI to write responses to patient reviews — even in a partial capacity, such as just for positive reviews — you still need to have someone who can carefully look over and, if necessary, ruthlessly edit those responses before they are posted publicly. That way, you can be sure to remove any PHI or other identifying information that could potentially violate HIPAA.
Even as generative AI tools continue to improve in ability and output, there is still an important role for humans when it comes to responding to reviews in the healthcare space. HIPAA is too critical to leave entirely to AI at this time. You’ll thank yourself for taking the extra step of running review responses past a human first before posting.
HIPAA doesn’t have to be an obstacle
Remember, you don’t have to fear patient review responses. Follow the guidelines here for HIPAA-compliant review responses, and engage legal counsel for additional questions you have or for help in responding if you’re uncertain about something.
You can successfully use reviews and review responses to engage with your patients, deepen their loyalty, and maintain a positive image of your healthcare brand.
To learn about GatherUp’s comprehensive reputation management platform with review response capabilities, schedule a demo today.
