
HIPAA-compliant review responses — the 11-word rule every healthcare practice gets wrong

The Review Makers Team
Published May 8, 2026

In 2022 the HHS Office for Civil Rights settled with Manasa Health Center, LLC for $30,000 over four review responses that disclosed protected health information. The reviewer had publicly mentioned receiving care. The practice acknowledged that care. That acknowledgement alone — not a treatment detail, just the confirmation of patient status — was the violation.

Most healthcare practices don't know this. Most third-party review-management tools don't know this. Here's the rule, the templates, and the math.

Why HIPAA reaches review responses

HIPAA's Privacy Rule (45 CFR § 164.502) prohibits a covered entity from disclosing protected health information (PHI) without authorisation. PHI includes the fact that someone received care — not just the diagnosis or treatment.

When a patient publicly mentions in a review that they were seen at your practice, their disclosure is not your authorisation. You still cannot acknowledge the patient relationship publicly. The HHS Manasa settlement and the 2024 Anchorage Behavioral Health case both turned on exactly this issue.

The 11-word safe template

"Thank you for the feedback. We appreciate every comment as we continually improve."

That's it. 11 words. No confirmation, no reference to a visit, no procedure name. Use it for every positive review.

For negative reviews:

"We take all feedback seriously. Please call our office at [phone] to discuss."

Notice: no acknowledgement of any specific incident, no defence, no implied relationship.

Where practices most commonly cross the line

  1. "Glad we could help with your [procedure]!" Discloses both treatment and patient status.
  2. "Sorry your wait was long — we had two emergencies that morning." Discloses operational PHI of other patients.
  3. "Thanks for choosing us for your child's check-up!" Discloses patient status of a minor.
  4. "We'll see you at your follow-up next week." Confirms ongoing treatment relationship.

The legal framework non-attorneys should know

HIPAA breaches don't always require harm — the violation is the disclosure. Penalties range from $137 per violation (unknowing) to $68,928 per violation (wilful) under the 2024 inflation-adjusted tiers.

OCR can investigate based on a single complaint. Most healthcare review-related settlements have been triggered by patients reporting their own subsequent dissatisfaction with the response, not by random audits.

This is not legal advice — talk to your compliance officer. But the conservative template above protects against the most common failure modes.

Building a HIPAA-safe response system

  1. Train every team member who responds to reviews on the 11-word rule.
  2. Use a small template library — 4–5 variants of the positive template, 2–3 for negative.
  3. Document a review-response policy alongside your existing HIPAA policies.
  4. Run a quarterly audit of past responses against the rule. Edit or delete anything that crosses the line.
  5. For complex negative reviews, route to legal/compliance before responding publicly.
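A small audit helper for step 4, added here as an example and not part of the original article or The Review Makers' own tooling: it scans past public responses for the four disclosure patterns listed above (treatment detail, other patients' operational details, confirmation of patient status, confirmation of ongoing care) and reports which rule each response trips. The regular expressions and the sample responses are constructed for this example; the patterns are a coarse heuristic that should be tuned to your own template library and never replace review by your compliance officer.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the four failure modes the article lists.
# Constructed for this example: extend the word lists to match the
# procedures and phrasings your own staff actually use.
RULES = [
    ("treatment_detail",
     re.compile(r"\b(help(ed)? with your|your (procedure|surgery|cleaning|"
                r"treatment|check-?up|appointment))\b", re.I)),
    ("other_patients",
     re.compile(r"\b(emergenc(y|ies)|other patients?)\b", re.I)),
    ("patient_status",
     re.compile(r"\b(thanks? for (visiting|choosing) us|for your (visit|care)|"
                r"seeing you)\b", re.I)),
    ("ongoing_care",
     re.compile(r"\b(see you (at|next)|follow-?up|next appointment)\b", re.I)),
]


@dataclass
class Finding:
    """One rule hit inside one response."""
    response: str
    rule: str
    matched: str


def audit_response(text: str) -> list[Finding]:
    """Return every rule the response trips (empty list means it passes)."""
    findings = []
    for name, pattern in RULES:
        m = pattern.search(text)
        if m:
            findings.append(Finding(text, name, m.group(0)))
    return findings


def audit_all(responses: list[str]) -> dict[str, list[str]]:
    """Map each response to the names of the rules it trips."""
    return {r: [f.rule for f in audit_response(r)] for r in responses}


# Constructed sample of past responses: the two safe templates from the
# article plus the four examples it flags as crossing the line.
SAMPLE_RESPONSES = [
    "Thank you for the feedback. We appreciate every comment as we continually improve.",
    "We take all feedback seriously. Please call our office at [phone] to discuss.",
    "Glad we could help with your root canal!",
    "Sorry your wait was long - we had two emergencies that morning.",
    "Thanks for choosing us for your child's check-up!",
    "We'll see you at your follow-up next week.",
]

if __name__ == "__main__":
    for response, rules in audit_all(SAMPLE_RESPONSES).items():
        status = "OK " if not rules else "FLAG"
        print(f"{status} {response}  {rules}")
```

Run it over an export of your past responses (one per line) and review every flagged item by hand; a clean pass only means none of these patterns appeared, not that the response is compliant.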

"The patient's disclosure is never your authorisation. They can mention their visit publicly; you still can't confirm it."

— Senior strategist, The Review Makers

Frequently asked questions

Can I say 'thanks for visiting us'?
Risky. 'Visiting' implies the patient relationship. Stick to the 11-word template — 'thanks for the feedback' is safer than 'thanks for visiting'.
If a patient leaves their full name and procedure detail in a review, am I free to discuss it?
No. Their disclosure does not waive your obligation under HIPAA. You still cannot confirm or expand.
Can I respond via private message instead?
If the platform supports private messaging and the patient initiated contact, yes — and a private channel is the right place to address treatment specifics. Public channels stay generic.
Does HIPAA apply to dental practices the same way?
Yes — dentists are HIPAA-covered entities. Same rules apply.
What about mental-health practices, addiction treatment, etc.?
Even stricter. 42 CFR Part 2 covers substance-use disorder treatment and is more restrictive than HIPAA. Generic responses only — no exceptions.
Can I delete a review that violates a patient's own privacy?
You can't delete it (only the platform can), but you can report it and request removal. Don't add your own disclosure in the response.
Do I need a HIPAA-trained agency to manage reviews?
Strongly recommended for healthcare. Generic review-management vendors often draft responses that cross HIPAA lines.
What if my response is genuinely about an operational issue — billing, wait time?
Keep it generic. 'We take wait-time concerns seriously and would like to discuss your specific experience offline. Please call us at [phone].' No specifics.
Can I dispute a review with the platform?
Yes — Google, Yelp, Healthgrades all allow review disputes for content-policy violations. Defamation, off-topic, fake accounts are valid grounds. HIPAA-related disclosures by reviewers about themselves are not removable.
Does this apply to staff posting on social media too?
Yes — and worse. Staff posts naming patient status are HIPAA violations with potential personal liability. Train staff on social media policies separately.

Sources & references

  1. HHS Manasa Health Center settlement
  2. HHS HIPAA Privacy Rule resources
  3. 45 CFR § 164.502 (Privacy Rule)