
A Guest Post by Kelly McLendon of CompliancePro

There are several types of social media interactions that providers of care, or any HIPAA regulated organization, have to approach carefully. This article addresses online review responses for a healthcare business. Online reviews can be difficult to manage under HIPAA requirements. The rules are so strict that at no time can a provider or their practice/company directly acknowledge any provider-patient interaction in an online review or posting.

In fact, it cannot even be acknowledged, without prior consent, that the patient was ever seen or treated by the provider or their organization.

Negative social media reviews of HIPAA providers of care, health plans or other companies that create, use or manage protected patient data are a dicey subject to say the least. In many ways, social media reviews that are disagreeable or inaccurate pose an unfair disadvantage for smaller physician, dental, chiropractic and specialty practices because these smaller practices have a limited number of reviews, so any single review could skew their rankings and social media perception significantly.


Although smaller practices are most vulnerable to the impact of a small number of negative reviews, hospitals, surgery centers, and other large healthcare facilities and networks encounter the same issues and must follow the same rules. There is a narrow window of permissible actions that can be taken under the HIPAA privacy and security laws. This often leads healthcare businesses to avoid responding to online reviews altogether.

But ignoring online reviews is bad for business

Responding to online reviews can help you increase trust, attract more new patients, receive more physician referrals, and hire the best employees. Responding to online reviews can even help you get more reviews, which boosts your business in the long run.

It’s important to create, maintain, and use well documented written policies and procedures for online review responses within your company, and, of course, to train your staff on these requirements and policies.

In today’s society, online reviews on Google and Facebook are widely used and viewed. Responses show you’re listening and care about improving your patients’ experiences, and they are increasingly expected. That means not responding to reviews could put you behind your competition.

General HIPAA compliant strategies for responding to negative online reviews

  1. Use carefully worded generic responses to reviews.
  2. Put in place strict guidelines for individual review responses.
  3. Require a second staff-member or manager to review responses before they are posted publicly.
  4. Let the reviewer know they are welcome to call your office to discuss their concerns privately.

Once you determine what your general strategy will look like, you’ll need to sort out the details of what will and will not be a part of your review response protocol. Consider some of these hard rules when setting up your plan. Be explicit with your team so there is no ambiguity. Here are a few examples of HIPAA compliant, and best practice rules you might include in your procedure.


Rules for responding to online reviews while being HIPAA compliant

  1. Don’t use language that indicates the patient ever visited the Organization’s premises.
  2. Don’t use any details or specifics, even if the patient mentions them in their own review.
  3. Never argue with negative reviews or egg on further online discussion.

Once you have your rules in place, consider providing your team with examples of ‘dos’ and ‘don’ts’ so that the best possible decisions can be made on a case by case basis. Here are some examples to consider.

Examples of HIPAA compliant responses to online reviews

  • ‘Thank you for your review. Per our policy, we try our best to see patients as efficiently as possible without sacrificing our commitment to provide quality health care.’
  • ‘Thank you for your kind words. Our practice strives to perform at the highest standards to provide quality medical services.’
  • ‘We appreciate your feedback. We will take this into consideration when assessing how to best serve our patients.’
  • ‘It is our policy to protect patient information and discuss important matters offline. Please call us at [888-888-8888] so that we can help right away.’

In addition to the things you can say, it’s important to give your team examples of things not to say.

Examples of what NOT to say when responding to patient reviews

  • ‘Unfortunately on the day of your appointment Carrie was not here to help with your request.’
  • ‘I’m sorry to hear that your procedure was not covered by your insurance policy.’
  • ‘We strive to always meet our customers’ expectation, especially long-time patients like you.’
  • ‘Thank you for the kind words, we look forward to seeing you at your follow up appointment.’

Each review is going to be a little different, so a canned response to all negative or positive reviews sometimes doesn’t fit the situation. Even when keeping within your organization’s protocol, there may be more gray areas than you’d like. Some additional guidelines can help you reduce liability and improve your online reputation as well. Here are some tips to help you build your healthcare business’s review response strategy.


Tips for healthcare review responses

  • Address negative reviews offline in a private manner when appropriate.
  • Be on the lookout for malicious actors or hackers. Someone could be trying to set bait for you to fall out of HIPAA compliance so they can take legal action against you, trying to hack your accounts, or trying to defame your business. If you suspect foul play, contact legal counsel.
  • Time your response. Never respond in the heat of the moment, with anger, or by rushing. Think about the implications and determine the most advantageous way to work through the issue.
  • Be careful not to make excuses, but you can let the reviewer know of any changes you’ve made.
  • Be very measured in any apologies in a public forum. It is best to get legal counsel approval prior to issuing any public apology, to reduce any points of liability.
  • Assume there may be some miscommunication and work to resolve it with the patient directly, but again, not in a public forum.
  • Maintain an open, helpful, reasonable stance, with a goal to improve your own customer service.
  • Thank the reviewer for their comments and, where applicable, do make changes to prevent recurrence, even if this is not to be disclosed in public.
  • Don’t take reviews personally. Separate your emotions from review feedback. Most reviewers want to help you better your business for other patients, not hurt your feelings.
  • Try to get as many good reviews as you can; these will help dampen the influence of the occasional neutral or negative review.

These recommendations are useful for responding to patient reviews, and they are helpful for building an overall strategy for other areas of your online or public presence.

HIPAA regulations apply to all online content such as blog articles, Facebook posts, and website testimonials.

Whether it’s on Instagram, your website, or a password moderated forum, HIPAA regulations apply to all of it, including blogs, pictures, videos, chats, audio recordings, testimonials, and so on. If you have one policy about your online presence, it should be that nothing related to patients gets posted without first discussing it with the patient and getting their explicit consent.

It is important to respond to online reviews, even with HIPAA requirements

HIPAA imposes serious consequences for failure to comply. Slip-ups can easily occur if you are not following a strict policy, and they can provide grounds for an investigation by the Office for Civil Rights (OCR) with associated penalties.

But it is still incredibly important for healthcare businesses to respond to online reviews. It builds trust with current and future patients as well as the greater community. It shows everyone that patient satisfaction is a priority in your practice and that you are actively listening to your patients to improve their experiences. On top of that, responding to bad reviews helps prevent bad reviews in the future. A lot of people will think twice about posting a harsh review if they see you respond thoughtfully to each one.

If you set up a clear and well thought out procedure, your review response strategy doesn’t have to be complicated. Restrictions are easier to work around when you focus on how you can use reviews to better your business, not only for patients, but for you and your employees as well.


This article was provided by Kelly McLendon, Managing Director of CompliancePro Solutions.

CompliancePro Solutions was founded in 2011 to focus on the growing need for technology and services to address patient privacy and security. Our web-based privacy compliance management tool, CompliancePro Health, reduces the costs and risks associated with managing the privacy of patient data and handling HIPAA mandated requests. CompliancePro also provides security and privacy risk analysis and consulting services to healthcare organizations and Business Associates.