Learn how healthcare providers can respond to reviews in a HIPAA-compliant way. With insights from Omar Ruiz, an experienced private practice owner.
Online reviews on sites like Google, Healthgrades, and other platforms are crucial in how prospective clients choose healthcare providers. These would-be clients are researching your practice online, and what they find directly influences their decision to book with you or scroll to the next provider.
You might think, "I should respond to every review to show I'm engaged with my clients!"—and that instinct is right! Responding to reviews is important.
But here's the catch: when it comes to healthcare, those seemingly innocent responses could accidentally reveal protected health information (PHI). One wrong word, and suddenly you're violating HIPAA rules and facing a compliance nightmare.
In this guide to handling client reviews, you'll learn how to acknowledge reviews and feedback while staying firmly within HIPAA's boundaries. You'll also get insights from Omar Ruiz of Private Practice Marketing. They specialize in helping mental health professionals market their services ethically.
Think about the last time you tried a new restaurant or bought a product online. Did you check the reviews first? Chances are you did! The same psychological principle applies when potential clients search for a healthcare provider.
But reviews aren't just valuable for potential clients—they create a win-win-win scenario:
According to Omar Ruiz, potential clients look for these key factors when reading your reviews:
Healthcare providers face stricter rules than other businesses when responding to reviews. A restaurant owner can freely thank customers by name and reference their visit ("Thanks for coming in last Friday, Britta! We're glad you enjoyed the lobster bisque!"), but a healthcare provider cannot. HIPAA creates a complex landscape where even seemingly innocent responses can lead to serious violations.
Let's break down the key principles you must understand to comply with HIPAA while still engaging with your reviewers.
Even if a client leaves a 5-star review, you cannot acknowledge that they were your client. The mere fact that someone received healthcare services is considered protected health information (PHI), even if they've disclosed it themselves.
PHI is information that relates to:
So what can you do? A simple "thank you" is acceptable, but it needs to be worded very carefully. We'll show you exactly how to craft these responses later in this guide.
Even a seemingly innocent confirmation like "Thanks for coming in last Tuesday!" reveals a date of service and confirms a provider-client relationship—both protected under HIPAA.
Along with not confirming a relationship, you also can't confirm any of the details revealed in the review. For example, if a dental patient leaves a review saying they had a great experience with a teeth whitening procedure, it's not OK to respond that you're glad they were happy with the procedure. And definitely don't volunteer any information.
In a case resolved in 2023, Manasa Health Center in New Jersey was fined $30,000 and had to submit to a corrective action plan for two years for responding to a patient's negative online review by including specific information about the patient's diagnosis and mental health treatment. The investigation also found that the practice had impermissibly disclosed the protected health information of three other patients in similar responses.
Expanding on a client's review might be tempting so prospective clients have more information about your services. Don't succumb to this temptation!
According to Omar Ruiz, while HIPAA doesn't specifically address reviews, 45 CFR 164.508 regulates the use of PHI in marketing.
If you want to share a client's review that includes protected health information (PHI), you must obtain written authorization first. This applies because marketing is considered any communication that encourages people to use your services. As a healthcare provider, you need permission before using client information in promotional materials, including testimonials.
If your client is willing to leave a review but doesn't want to disclose their PHI, you should still recommend having them sign an authorization form. Some review platforms, like Healthgrades, allow clients to submit reviews anonymously, reducing the risk of PHI disclosure.
To support your compliance with HIPAA, send your clients a copy of your marketing authorization form outlining the purpose, scope, and process of how you would utilize their testimonial or review.
🤓 Pro tip: Use Hush™ Secure Forms for your marketing authorization forms. This way, you make your practice more efficient and support HIPAA compliance at the same time! Learn more about our secure online forms.
When it comes to online reviews, knowing what NOT to do is just as important as knowing what to do.
Even well-intentioned responses can land you in hot water if they cross certain boundaries. Let's look at the most common pitfalls providers stumble into when managing their online reputation—and how to avoid them while maintaining a responsive online presence.
The best reviews read like testimonials describing your services and why they made your client so happy. Some may be so well written that it seems like a waste for them to only be viewable in one place. Why not feature them in your brochures and website? This is a great idea, but only if you have written consent from the client.
In a case from 2022, New Vision Dental was fined $23,000 for improperly responding to patient reviews on Yelp. The dental practice habitually disclosed PHI when responding to reviews, sometimes providing full names where patients had only used Yelp usernames and including detailed information about visits and insurance that wasn't mentioned in the original reviews.
In addition to the financial penalty, the practice had to implement a corrective action plan, including developing new privacy policies, conducting staff training, and notifying affected patients of the breach.
When responding to negative reviews, avoid being defensive or shifting blame to the client. According to Omar Ruiz, this can be seen as an "omission of liability" where you avoid taking accountability. Instead, acknowledge the feedback and invite the reviewer to continue the conversation privately.
The solution is to be vague yet appreciative. Let's explore exactly how to craft responses that protect your practice while still engaging with your reviewers.
So you've got a glowing 5-star review that could be marketing gold, or a scathing 1-star critique that makes your stomach drop. What now?
The golden rule is surprisingly simple: keep it vague and move the conversation to a secure channel. Think of public review responses like speaking in a crowded elevator—anyone could be listening, so you must be extremely careful about what you say.
The goal isn't to have a meaningful exchange in the public forum—it's simply to acknowledge the feedback and redirect to a private, secure conversation.
When responding to reviews, you can use the following examples:
❌ Not OK: "We're so glad you came in for your anxiety therapy sessions last month and saw such great progress!"
🚫 Why it's a problem: Confirms they were a client, when they visited, and what treatment they received—all PHI.
✅ OK: "We strive to provide exemplary mental health care and always appreciate feedback from the community."
✔️ Why it works: Generic acknowledgment that doesn't confirm or deny a provider-client relationship.
✅ OK: "We appreciate the time people take to share perspectives on mental health services and wellness journeys. We at [Practice Name] work hard to offer everyone the opportunity to achieve their mental health goals and live the life they deserve."
✔️ Why it works: Acknowledges the review without confirming the reviewer was a client.
❌ Not OK: "We're sorry you feel our cognitive behavioral therapy sessions didn't meet your expectations. We'll discuss this with your therapist to improve our services."
🚫 Why it's a problem: Confirms the specific treatment they received and acknowledges them as a client.
✅ OK: "We strive to provide exemplary mental health care, welcome feedback, and are always ready to address any concerns through direct contact with our office."
✔️ Why it works: Acknowledges feedback without confirming the relationship, and invites secure communication.
✅ OK: "Our policy at [Practice Name] is to provide everyone with the best mental health care and service quality. We are always ready to address any concerns through direct contact with our office."
✔️ Why it works: Remains generic while offering a private channel to address concerns.
Did you notice something? The "OK" responses to both positive and negative reviews sound almost identical. That's not a coincidence!
The most HIPAA-compliant approach is to have a nearly identical template response for all reviews that:
🤓 Pro tip: You can also use the direct messaging feature on review platforms to respond privately—but don't let the word "private" fool you! Even in direct messages, you need to maintain the same level of vagueness. These platforms aren't HIPAA-compliant, so treat them as public spaces.
The takeaway is to successfully move the conversation to a secure channel like encrypted email or a HIPAA-compliant web form. That's where you can finally address specific concerns or express genuine appreciation.
Negative reviews can provide valuable feedback for improving your practice. Common issues mentioned in negative reviews include:
Use this feedback constructively to improve your systems and service delivery rather than taking it as a personal attack.
HIPAA compliance is just the beginning of your responsibilities when managing reviews. While HIPAA creates universal standards for protecting health information, each mental health profession also has its ethics codes that may place additional restrictions on how you can solicit and respond to reviews.
Think about it: your clients share their deepest vulnerabilities and often view you as an authority figure. This creates a relationship where they might feel compelled to comply with requests—like leaving a review—even if they're uncomfortable doing so. Professional ethics codes recognize this dynamic and provide guardrails to respect client autonomy.
Let's explore how different professions approach this delicate balance.
Omar Ruiz explains that mental health professionals follow different ethics codes or rules regarding testimonials.
Why Do These Rules Exist?
In healthcare provider-client relationships, clients might feel pressured to please their provider. This is called "undue influence"—when someone feels they can't freely say no because of the provider's authority. Ethics codes protect clients from feeling obligated to leave reviews they're not comfortable with.
Psychiatrists, psychiatric mental health nurse practitioners, and physician assistants have no explicit restrictions regarding soliciting testimonials or reviews in their ethics codes.
Timing is also crucial to maintain appropriate professional boundaries when soliciting reviews.
The best time to request a review is typically at the end of treatment, often during the discharge session when the client has accomplished their goals and experienced positive outcomes.
Many therapists use the phrase "once a client, always a client," but this doesn't mean clients never change status.
When treatment ends, the discharge process formally closes the client's record. This matters for reviews because many ethics codes allow asking former clients (but not current ones) for reviews.
Omar Ruiz also recommends including a section about online testimonials and reviews in your intake paperwork. This allows you to address the topic at the beginning of treatment rather than waiting until the end, setting appropriate expectations and guidelines early in the therapeutic relationship.
Sometimes, you'll encounter reviews that require more specialized handling than the standard approach we've outlined. While maintaining HIPAA compliance remains essential, these situations call for additional strategies. Let's explore some of these special cases.
The first step is to check if the reviewer was a client by comparing any identifiable information in the review with your client records. If they were never a client, you can respond:
✅ Suggested Response: "Unfortunately, we have no record of you coming to our practice. Please email or call us to discuss any grievances you may have."
Next, look up the review platform's policies to see if you can request removal of the review. Most platforms have guidelines about prohibited content that may warrant removal.
Former employees might sometimes leave negative reviews as a form of retaliation. While you can respond stating they were not a client, avoid mentioning reasons for their termination. Employment laws often prevent business owners from disclosing termination reasons, especially on public platforms.
Defamation occurs when false statements harm your reputation. Consider legal action if:
Consult an attorney who might send a cease and desist letter to encourage the removal of the review. If unsuccessful, litigation for defamation may be an option, although likely an expensive one.
Here’s how you can acknowledge good reviews and turn around bad reviews by using Hushmail’s secure email and web forms.
✅ Private message template: "We appreciate your feedback. We're sorry your experience wasn't as expected. Please contact us through our secure web form to discuss further."
When a client takes the time to write about your services, that's an immediate opening for you to cultivate the relationship. A heartfelt thank you to a good reviewer deepens an already good relationship. A sincere effort to mitigate a bad experience can turn a bad review into a good one.
Once you've successfully moved your client to a secure means of communication, you'll have the freedom to respond effectively. Don't forget that clients can update, edit, or remove bad reviews. Now that you know how to remain in compliance, make sure you take the time to respond—it makes a difference!