Can I respond to a negative patient review without violating HIPAA?

Yes, but you must never confirm that the person was your patient or share any detail about their visit, condition, treatment, dates, insurance or cost. Even acknowledging that someone is a patient is a disclosure of protected health information under HIPAA. The safe move is a short, generic reply that thanks them for the feedback, states your commitment to good care, and invites them to contact the office privately. You respond to the tone and the concern, never to the medical facts.

Has a medical practice ever been fined for a review response?

Yes. In 2019 a Dallas dental practice, Elite Dental Associates, paid a 10,000 dollar settlement to the Office for Civil Rights after disclosing a patient's name and treatment details in a Yelp reply, and accepted two years of federal monitoring. In 2022 a California practice, New Vision Dental, settled for 23,000 dollars over protected health information posted in responses to reviews. These are real federal cases, and they started with a single reply written in frustration.

Should I respond to negative reviews at all?

Yes. Future patients read your replies as closely as the reviews themselves, and a calm, professional response to criticism often builds more trust than a wall of perfect five star ratings. The goal is not to win the argument or change the reviewer's mind. It is to show every future reader that your practice listens, stays composed, and handles problems like a professional. Silence can read as not caring, while a defensive or detailed reply can read as careless with privacy.

Can I ask a platform to remove a fake or defamatory review?

You can flag reviews that violate the platform's policies, such as spam, reviews from people who were never patients, or content with profanity and threats. Google and Yelp will sometimes remove these, though it is not guaranteed and the process can be slow. What you cannot do is bully a platform into removing honest criticism, and you should never threaten a patient or post in a way that reveals their identity. For clearly fake or defamatory content, document it and consider speaking with a healthcare attorney.

How can I get fewer negative reviews in the first place?

Catch problems before they reach the public. Most negative reviews come from a small frustration that nobody addressed in the moment, a long wait, a billing surprise, a call that was never returned. Ask every patient for feedback right after their visit and give unhappy patients an easy private way to reach you first. Respond to calls and messages fast so issues get solved instead of stewing. A steady stream of fresh, honest reviews from happy patients also keeps the occasional bad one from dominating your profile.

How to Respond to Negative Reviews Without HIPAA Risk

A practice owner typing a careful reply to a negative patient review on a laptop without sharing protected health information — The reply you type in the heat of the moment is the one that gets you in trouble. Photo via Unsplash.

Most businesses can fire back at a bad review with the full story. A restaurant can say "you actually came in on Tuesday, sent the steak back twice, and we comped your meal." A healthcare practice cannot do any of that. The moment you confirm someone was your patient, or mention a single detail about their visit, you have disclosed protected health information. That is true even if the patient already shared those details themselves in the review. Their decision to go public does not give you permission to respond in kind.

This is the trap, and it catches good, well meaning practice owners constantly. The reviewer broke no rules by venting. You, however, are bound by HIPAA every minute of every day. The asymmetry feels unfair, and it is, but it is the law, and the penalties are real.

The Yelp reply that cost a dental practice 10,000 dollars

In 2019 the Department of Health and Human Services Office for Civil Rights settled with Elite Dental Associates, a privately owned practice in Dallas. A patient had left a Yelp review, and the practice replied publicly. In that reply, it included the patient's last name along with details about her health condition, treatment plan, insurance and the cost of her care. One frustrated response, written to defend the practice, turned into a federal complaint.

The result: a 10,000 dollar settlement and a corrective action plan with two years of monitoring by the federal government. Investigators also found the practice had no policy covering this kind of disclosure and lacked a compliant notice of privacy practices, which made things worse. It was not a hacker or a stolen laptop. It was a review reply.

Elite is not alone. In 2022, OCR reached a 23,000 dollar settlement with New Vision Dental in California over protected health information disclosed in responses to Yelp reviews. Two practices, two states, same mistake: answering a public review with private facts. If you take one thing from this article, take this. The damage is almost never the review itself. It is the reply.

$10,000 plus two years of federal monitoring, the price one dental practice paid for a single Yelp reply that named a patient and described her care. Source: HHS Office for Civil Rights, 2019.

Why you should still respond, every time

After reading that, you might be tempted to never reply to anything. That is the wrong lesson. Saying nothing has its own cost, because future patients are watching how you handle criticism. Reviews are now the front door of your practice. In the 2025 How Patients Choose Their Doctors report from rater8, 84 percent of patients said they read online reviews before choosing a new provider, and more than half read at least six of them. A separate 2025 survey from Tebra found that the vast majority of patients read reviews before booking and weigh them heavily in the decision.

Here is the part that matters most. Those readers do not just scan the star rating. They read your replies, especially to the negative ones. A calm, gracious response to an angry review tells the next patient more about your character than any glowing five star comment ever could. Silence reads as "they do not care." A defensive, detailed reply reads as "they are careless with privacy." A short, warm, professional reply reads as "these are people I can trust." You are not writing for the reviewer. You are writing for the hundred future patients who will read it.

The safe formula for any negative review

You can respond to almost any bad review safely if you stick to a simple structure. The trick is to answer the emotion, not the medical facts. Thank, acknowledge, redirect to a private channel, and stop. Never confirm they were a patient, never mention dates, conditions, treatments, money or insurance. Here is the shape of a reply that is both human and HIPAA safe:

A reply you can use today

"Thank you for taking the time to share this. We take all feedback about our patients' experience seriously and hold ourselves to a high standard. We would genuinely like to understand what happened and make it right. Please reach out to our office manager directly at [phone or email] so we can talk it through. We appreciate the chance to do better."

Notice what that reply does and does not do. It does not say "you were here on the 14th" or "your treatment went exactly as planned." It does not argue. It does not even admit the person is a patient. It simply shows warmth, accountability and a clear next step in private. That is the whole game. If the reviewer responds to your invitation, the rest of the conversation happens offline, in a phone call or a secure message, where you are free to actually solve the problem.

A quick story from the trenches

A dermatology office called us in a panic on a Sunday. A patient had posted a long, furious review naming a specific procedure and claiming the practice had botched the billing. The owner had already drafted a reply laying out the patient's full appointment history, line by line, to prove the patient was wrong. She was about to hit publish. We asked her to read it back and imagine a stranger reading it. Then we showed her the Elite Dental case. She went pale. We rewrote her reply into four calm sentences that named nothing, invited a private call, and closed warmly. The patient called the next day, the billing issue turned out to be a simple coding error, and they fixed it in ten minutes. The review even got updated to four stars. The version she almost posted could have cost her thousands.

What to do about fake or abusive reviews

Not every bad review comes from a real patient. Competitors, bots, and people who confused you with another office all show up. You are not powerless here, you just have to stay within the rules. You can flag reviews that break a platform's policies, things like spam, obvious fakes from non patients, hate speech, or threats. Google Business Profile and Yelp both have report tools, and they will sometimes remove content that clearly violates their terms, though it is slow and never guaranteed.

What you must not do is retaliate. Do not threaten the reviewer, do not post their personal information, and do not try to publicly prove they were never a patient by referencing your records. For a review you believe is genuinely defamatory and damaging, document everything with screenshots and talk to a healthcare attorney before you act. The calm public reply still applies in the meantime: a short note that you have no record matching this experience and would welcome a direct call to help. That reassures readers without revealing anything.

The best defense is fewer bad reviews in the first place

Here is the truth most reputation advice skips. The strongest move is not a clever reply, it is catching the frustration before it ever becomes a public review. Almost every angry one star started as a small problem nobody handled in the moment: a 40 minute wait with no explanation, a billing surprise, a phone call that went to voicemail and never got returned. Solve those in real time and the review never gets written.

Two habits do most of the work. First, ask every patient for feedback right after their visit and give the unhappy ones an easy, private way to reach you before they reach Google. Second, answer your phone and messages fast, because a returned call within minutes turns a would be reviewer into a loyal patient. We have written about both: the simple, ethical system to earn more honest reviews from happy patients, and why a missed call is the most expensive leak in your practice. A steady flow of fresh, genuine reviews also dilutes the occasional bad one, so a single angry voice never gets to define you.

How EtherealMinds helps you protect your reputation

Reputation work is unglamorous and high stakes, which is exactly the kind of thing we handle for healthcare practices across the United States. We set up an automatic, ethical system that asks every patient for feedback at the right moment and routes the unhappy ones to a private channel first, so problems get solved instead of published. We help your team reply to public reviews in a way that is warm, on brand and HIPAA safe, never the panicked midnight draft. And because so many bad reviews trace back to a call nobody answered, our AI receptionist picks up every call and message instantly, day or night, so the frustration that fuels a one star review never gets started. It all plugs into the same patient acquisition system and the website that turns your good reputation into booked appointments.

Your reputation is too valuable to manage in the heat of the moment. Build the system, breathe before you reply, and let your calm, professional voice be the thing every future patient sees.

Protect your reputation the right way

Book a free strategy call. We will review your current reviews and ratings, set up an ethical system to earn more good ones, and make sure every reply you post is professional and HIPAA safe.

Book a free strategy call →

How to Respond to Negative Patient Reviews Without Breaking HIPAA