The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that prohibits the disclosure of protected health information (PHI) without patient consent. PHI is defined as “health information that can be used to identify an individual” and includes data related to a patient’s medical or physical condition, and identity. HIPAA extends to online review management, and since responding to reviews is essential to a healthcare organization’s online reputation, healthcare marketers must follow HIPAA guidelines when crafting review responses. Below are best practices to consider when handling online reviews, and some examples of HIPAA-compliant responses.

Best practices for HIPAA-compliant review responses

Avoid a HIPAA violation by following these quick tips:

  • Have an internal plan. Collaborate internally to develop review response policies, including identifying who will be responding to reviews and creating templates that can be customized for positive and negative reviews.
  • Protect PHI in your response. Remove all details about a patient’s diagnosis, treatment, condition, and visit, and do not confirm or deny that the reviewer is a patient.
  • Respond broadly. Stick to general responses like, “Thank you for your feedback” or “Thank you for taking the time to leave us a review.”
  • Take the conversation offline. Give the reviewer the opportunity to further discuss their comments by providing them with a phone number or email address for your office or patient experience team. This also helps prevent further online conversations that could violate HIPAA.

Keeping these tips in mind, below are some real examples of review responses that either violate or follow HIPAA guidelines.

Review responses that violate HIPAA

The examples below highlight how easy it is to violate HIPAA in a review response:

This response not only acknowledges the reviewer as a patient, but also confirms that the reviewer has received care multiple times from this particular clinic. The response goes on to state that the reviewer was turned away because they were experiencing COVID-like symptoms, disclosing this reviewer’s PHI:

This next review response recognizes the reviewer and the reviewer’s family as patients of the practice:

HIPAA-compliant review response examples

The examples above highlight how easy it is to violate HIPAA in your review responses. By following the tips outlined in this post, you can remain compliant in your responses.

Here is a review response that meets HIPAA regulations by staying general. It does not acknowledge the reviewer as a patient, nor does it mention the treatment or visit-related details of this review:

When responding to negative reviews, it can be even more difficult to remain HIPAA-compliant, especially when you disagree with the review. This response stays calm and general, does not confirm or deny that the reviewer is a patient, and asks the reviewer to follow up offline to discuss their experience in more detail:

Interested in learning more about how SearchLab can help you with your online review responses? Contact our team to schedule a demo to get started.