It’s natural to want to defend your practice—especially when a negative online review feels unfair, misleading, or outright false. But for healthcare providers, responding to a bad review isn’t just a public relations concern—it’s a legal one. You could be walking straight into a HIPAA violation.
Under HIPAA—and many state privacy laws—healthcare providers are prohibited from disclosing patient health information to unauthorized individuals. This includes not only obvious disclosures, such as a diagnosis or treatment details, but also something as seemingly harmless as confirming that someone is a patient. Even a simple statement like, “I’m sorry you felt that way about your visit,” could be interpreted as a disclosure of protected health information (PHI).
So what should you do when confronted with a negative review?
First, decide whether it’s worth responding at all. Not every negative review needs a response. Sometimes, the most strategic move is to let it go. However, if the review contains false or defamatory statements, you may want to contact the review platform and request that it be removed in accordance with the platform’s content policies.
If you do choose to respond, you can still do so in a way that protects patient privacy. A compliant response should acknowledge that your practice takes concerns seriously, reaffirm your general commitment to quality care, and invite the individual to contact your office directly to discuss the matter further. This approach demonstrates professionalism without crossing any legal boundaries.
What you should never do is reference the reviewer’s condition, visit, or any personal detail—no matter how vague it seems. Likewise, avoid blaming the patient, even if you feel their account is inaccurate or incomplete. Comments like, “You missed several appointments” or “You didn’t follow the treatment plan,” are not only unprofessional—they may constitute a HIPAA violation.
Also, don’t get pulled into an online back-and-forth. Responding more than once can escalate tensions, increase the risk of disclosing sensitive information, and reflect poorly on your practice. One thoughtful, respectful response is enough.
Finally, remember that your response is not just for the reviewer—it’s for everyone else reading it. Potential patients will form impressions about your professionalism, judgment, and values based on how you handle criticism. Always be polite, measured, and HIPAA-compliant. A negative review can be frustrating—but turning it into a HIPAA violation is far worse. Stay calm, stay professional, and when in doubt, don’t respond publicly at all.