What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects a patient’s health information.

The regulations of HIPAA require healthcare providers to follow privacy guidelines so that a patient’s health information remains confidential. The law applies to everyone who works for a healthcare organization.

This makes responding to reviews tricky: you have to be able to reply without referring to specifics or publicly sharing any information about the patient or their case. Here are the best ways for healthcare providers to respond to reviews without violating this important law.

Are Review Responses HIPAA-Compliant?

Healthcare marketers often find it challenging to determine whether or not a review response is HIPAA-compliant.

First and foremost, the response should not disclose if a reviewer is, indeed, a patient. Even if a patient leaves his or her name and a detailed description of the visit, the person responding to the review must not confirm that the reviewer is or was a patient, since this could violate patient privacy.

HIPAA-Compliant Ways to Respond to a Review

The best way to respond to reviews that patients write on online review sites, such as Google or Facebook, is to be as general as possible and direct the patient offsite to discuss the issue.

Saran Zamora, marketing coordinator at Nicklaus Children’s Hospital, responds to reviews under the HIPAA guidelines. Her team follows this practice when responding to reviews:

“We have carefully drafted responses that we post whenever the site allows for a response,” she says. “These responses never ask for any personal health information but rather are crafted to let the reviewer know we are aware of the comment and we encourage him or her to contact us directly. The response provides a phone number. The idea is not to address the comment directly online, but to provide the reviewer an avenue to communicate directly with us.”

4 Steps to a HIPAA-Compliant Response

  1. If you feel frustrated when you read the review, do not respond right away. Take a five-minute walk or perform another task before responding.
  2. Thank the patient (or family member, friend of the patient, etc.) for leaving the review. If the reviewer addresses something specific, like the food at the hospital, then thank the reviewer for their feedback about the food.
  3. Express your concern with something like this: “We take all feedback seriously” or “Your feedback on the patient experience is extremely valuable to us.”
  4. Direct them to the department that handles patient concerns. Leave a phone number for that department and tell the reviewer that a representative will be available to talk about their concerns.

What if the Patient Writes about their Diagnosis?

Even if you’d like to address concerns about the patient’s diagnosis raised in the review, you cannot include any health-related information at all in the response. Doing so violates the law. That’s why it is best practice to take the conversation offline.

Art Gross, CEO of Entegration, writes that if a patient writes about his or her diagnosis in the review, the doctor cannot write anything related to the patient’s diagnosis in the response.

If patients feel their rights have been violated, they can file a complaint here.

Megan Wenzl

Megan is the Associate Editor for ReviewTrackers. She's a writer who is committed to finding useful information to help your business succeed. Megan holds an M.A. in journalism from Columbia College Chicago.

  1. Andrea Horner

    Even though HIPAA came into the picture before the review world came into existence, the concepts of HIPAA still apply. Patient reviews are a vital part of a healthcare organisation’s identity. It’s every doctor’s responsibility to protect patient privacy, though wanting to respond. Even the most knowledgeable organisations can struggle with how to respond to patient reviews while maintaining patient confidentiality.