HIPAA Concerns When Responding to Online Patient Reviews

As dental attorneys in Columbus, Ohio, Nardone Limited advises dentists and dental practices on a variety of matters, including labor and employment issues, human resource issues, as well as other legal matters that arise. For example, we are often asked to advise dental practices on whether they can and should respond to a patient who has posted an online review. In a previous blog, we explored the reasons a dental practice should respond to patient reviews, whether those reviews are negative or positive. This article, however, will discuss the legal constraints imposed by the Health Insurance Portability and Accountability Act (“HIPAA”), when it comes to responding to online patient reviews.


The HIPAA Privacy Rule permits covered entities to use and disclose patient protected health information (“PHI”) only when it is for purposes related to treatment, payment, or care operations. PHI is any individually identifiable health information (“Health Information”) that is electronically transmitted or maintained as part of a patient’s medical record. This includes demographic information, such as age or gender, that is collected from an individual and is created or received by a healthcare provider and relates to a past, present, or future mental or physical health condition. Health Information also includes information that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Further, in a letter from the Department of Health and Human Services (the “Department”), dated October 23, 2013, the Department indicated that a covered entity may not confirm or deny that a particular person is, in fact, a patient, or disclose any other Health Information including, but not limited to, demographic information such as the patient’s name or address. These laws make it tricky for dental practices to respond to online patient reviews.

How to Respond Without Violating HIPAA

Today, dental practices are even more concerned with online reviews since many people are turning to review sites to help them choose a provider. This makes it difficult for dental practices to ignore negative online reviews. But, before responding, dental practices should educate themselves regarding HIPAA, so that a negative review does not turn into a HIPAA violation complaint. Below are some guidelines dentists should consider before responding to online patient reviews.

  • Protect the Patient’s Information. Whether responding to a negative or positive review, dental practices cannot divulge any patient information. When we think of PHI, we sometimes think this only means information that has to do with a person’s medical condition, medical history, or the medications the patient might be taking. But, as mentioned above, PHI includes much more than medical information. Responses to online reviews from dental practices should not include information such as names, email addresses, or phone numbers. As a general rule, dental practices should not reveal any information that could be used to identify the patient. 
  • Do Not Disclose the Reason the Patient Was Seen. It is considered a HIPAA violation for a dental practice to publicly disclose a patient’s medical condition or a particular procedure the patient had done. This also includes revealing any symptoms the patient was seen for. Even if the patient discloses their medical condition in a review, this does not permit the practice to discuss or acknowledge the condition or procedure. Dental practices must obtain the patient’s written consent before disclosing any PHI.
  • Do Not Confirm That the Patient is in Fact a Patient. Even if responding to a positive review, a dental practice cannot confirm that the patient is a patient of the practice. Simply writing, “Thank you for coming in!” could be a potential HIPAA violation because it confirms that the patient was at the dental practice.
    • It is okay, however, to acknowledge a patient’s positive or negative review by responding in a neutral manner. If a patient has posted a negative review about their experience at the practice, the following is an example of a neutral response: “Thank you for your feedback. At XYZ Dental we strive to provide the best possible service and would appreciate the chance to address your concern privately. Please call our office to discuss your concern.”
    • If you are unsure how to respond without violating HIPAA, you should consult with someone who works in this area on a regular basis.
  • Take Complaints Offline. Because HIPAA laws are so easy to violate when responding online, it is best to take these conversations offline. But, dental practices should be cautious before reaching out directly to a patient. Dental practices should not send private messages to patients on social media sites when attempting to discuss the negative review. Instead, the practice should call the patient to discuss the patient’s concern.

If you care about your dental practice’s reputation, it is almost impossible to ignore online reviews. In fact, you should not be ignoring patient reviews, whether negative or positive. For this reason, it is necessary for dental practices to implement an office policy as it relates to responding to online reviews. The dental practice should work to create a response strategy for different types of reviews. Having a policy in place will help reduce your dental practice’s risk of violating HIPAA. But, before creating a standard office policy regarding HIPAA, you should consult with a dental attorney who is familiar with HIPAA.

Contact Nardone Limited

Our dental attorneys have vast experience assisting dental practices when it comes to responding to negative online patient reviews. If your dental practice has questions regarding the best practices for responding to online patient reviews from a HIPAA compliance standpoint, or you need help creating a social media policy for your dental office, you should contact the experienced dental attorneys at Nardone Limited. We can help guide you through how to properly respond to online reviews, as well as how to implement a standard office policy.