Guide

HIPAA and online reviews: what you can and can't say

You can absolutely respond to reviews — you just can't disclose protected health information while doing it. Here's the line, in plain English.

Why this matters

The HHS Office for Civil Rights has fined practices specifically for disclosing patient information in responses to online reviews. Fines have ranged from a few thousand dollars to tens of thousands — for a single reply. The reviewer waiving their own privacy by posting does not waive your obligations.

The bright line

You may speak about your general policies and standards. You may not confirm an individual is or was a patient, or reference anything about their care, condition, payment, or visit.

✅ Safe❌ Violation
"Thank you for the kind words — our team works hard to make every visit comfortable.""So glad your root canal went smoothly, Sarah!"
"We take concerns seriously; please contact us so we can help.""You missed two appointments, which is why there was a delay."
"We can't discuss specifics here, but we'd love to talk privately.""Your insurance denied the claim, not us."

A safe default for any review

Thank the reviewer, speak only to general standards, and (for complaints) invite a private conversation. That structure is compliant for positive and negative reviews. The free generator on this site is built around exactly this pattern.

This is general information, not legal advice. Consult your compliance officer or attorney for your situation.