Jun 01, 2022



How to Stay HIPAA-Compliant When Responding to Patient Reviews

By Healthgrades Staff

Responding to negative reviews while remaining HIPAA compliant can be tricky.

There’s no denying the overwhelming popularity of third-party review sites: Yelp alone averages 178 million unique users every month, and practitioner sites like Healthgrades continue to impact both search results and patient decisions. In healthcare, even the most resistant physicians and provider organizations are beginning to embrace transparency in patient experience by monitoring and soliciting reviews to build credibility with prospective patients and boost visibility in local search.

But how do you respond when the reviews start rolling in? If it’s positive, your task is simple: thank patients for their loyalty and for taking the time to share their experience. The tricky part comes when the feedback isn’t as flattering, made all the more complicated when you add in patient privacy concerns.

The consequences of non-HIPAA compliant reviews

When a hospital receives a bad review, they often begin investigating the circumstances around that review. For instance, if someone complains about an x-ray technician misreading their results, you can’t confirm that the technician did misread the results, or even talk about the technician at all — this would violate the patient’s privacy.

A simple mistake like this can result in a full-scale HIPAA violation, which can have significant financial consequences for health systems. There are four levels of HIPAA violations, and you could stand to rack up a maximum of $1.5 million in fines each year.

  • The lowest tier of penalty is an unintentional violation where HIPAA authorities couldn’t reasonably have expected to know it was a violation. This type of violation can incur $100 to $50,000 per violation.
  • If you felt you needed to violate HIPAA due to a reasonable cause, you could be fined $1,000 to $50,000 per violation.
  • If you realize that you violated HIPAA and correct your mistake shortly after it takes place, expect to be fined $10,000 to $50,000 per violation.
  • If you willfully violate HIPAA and do not correct your mistake in a reasonable amount of time, you will receive a fine of $50,000 per violation — the highest amount allowed.

These massive fines might make you reconsider even answering reviews in the first place, but we assure you, turning unhappy patients into loyal brand ambassadors is worth doing your homework. Here are five tips to help you respond to negative reviews in a way that is HIPAA compliant.

1. Don’t ignore honest reviews

Perhaps you’re afraid of bringing the issue any extra attention. Or the complaint seems so off-base that it’s just not worth addressing. Truth is, negative reviews are opportunities. They’re your chance to engage with patients in meaningful ways, get valuable feedback to transform your practice and show prospective clients that you’re willing to own mistakes. Even if you believe the patient misunderstood the situation that led to their bad review, it is almost always worth taking a moment to clear the air.

However, some reviews certainly toe the line between “honest, but critical, feedback” and outright unacceptable behavior. If a review is clearly not from a concerned patient, is unrelated to you or your organization, or violates the review site’s terms of service, report the review and provide evidence. Review sites don’t like fake reviews either – though they will often only consider removing them if they violate very specific rules (e.g., contains offensive language, raises privacy concerns, etc.). Healthgrades validates all patient reviews to ensure that they are submitted by real patients with feedback related directly to their experience in your care. Moreover, patients agree to abide by our editorial policy when they submit a review.

2. Plan your response

On the flip side, you don’t want to be so eager to reply that you let emotion get in the way. It’s natural to see a negative review as a personal slight. It may come from your passion for delivering high-quality care. Or, maybe you feel a patient is unappreciative when your organization has done everything possible in complex circumstances.

Valid or not, negative reviews help you see the world from the patient’s perspective. Ask yourself:

  • Why did this happen, and why did the patient feel this way?
  • Is there something we could have done to prevent it?
  • Have we heard this before?
  • Should we consider a change or improvement?

When you have your answers, don’t be defensive or try to justify your side. Instead, recognize the concerns, address legitimate complaints, and politely correct any inaccurate information.

If you are passionate about the work that your health system does, reading a scathing review can make even the most well-tempered person feel defensive. That’s why it’s best to take a few minutes – perhaps even a day – to understand the patient’s experience in that particular situation so you can deliver a calm and respectful response. This will help your health system appear empathetic and professional not only to the reviewer, but also to any potential patients who read the reviews.

3. Thank the reviewer and address their concerns

While it’s never fun to get called out, consider: for every customer who complains, 26 others remain silent, even if they had the same experience. When addressing customers, keep a few basic guidelines in mind.

  • Be gracious — Acknowledge patients for taking the time to voice their opinion openly and honestly. A simple “thank you” can go a long way.
  • Address concerns directly — If a patient mentions something in particular about their experience – be it lack of parking or poor bedside manner – address that concern directly in your reply.
  • Share solutions — Let the patient know how they’re helping you improve the care you provide to patients. Describe any relevant improvements or alternatives, like a new online scheduling system if they were unhappy with wait times. 
  • Continue the conversation — It’s unlikely that you can fully address the patient’s concerns in a public-facing message. Always offer to continue the conversation by giving them a method to contact you directly: a callback number, an email address, or a link to a contact portal.

Taking the time to craft replies for each individual shows that you’re not a robot reciting automated messages — instead, you’re helping the patient feel heard and understood. Remember to be mindful of HIPAA, however. If the patient’s complaint is about your medical advice or his/her condition, diagnosis or treatment, you can’t give a detailed public response without breaking confidentiality. Even if a patient is forthcoming about their health status and willingly shares personally identifiable information, your health system simply cannot confront these issues head-on without breaching confidentiality. Consider engaging legal counsel to review replies and help you respond in line with HIPAA requirements.

Without a doubt, there are advantages to responding publicly – namely, building credibility online with prospective patients. However, if the reviewer is extremely upset or needs help regarding a very specific issue, consider sending a private message or asking him or her to call your office to work things out. It will reassure the reviewer that you genuinely want to fix the situation for them, not just for the digital audience.

4. Don’t ask patients to take a review down

Even if you ask politely, making the request isn’t in your best interest. Aside from ethical (and perhaps legal) considerations, it creates distrust and undermines the doctor-patient relationship. Besides, most people know that patients have both positive and negative experiences and that no business can please all of its customers every time. So, focus on resolving their complaints with a professional demeanor; if you handle it well, the patient may consider changing or updating the review on their own.

An example of a HIPAA-compliant response

When drafting responses to negative reviews, the blank answer box can feel intimidating. If you type the wrong thing, there could be significant financial – and reputational – repercussions. However, as long as you strike the right balance between being empathetic and respectful of patient privacy, responding is easier than it looks.

For instance, let’s say your health practice gets a negative Google review from an agitated patient:

“On the evening of March 7th, I visited your emergency room with a broken arm. When I arrived, there was no nurse or receptionist on duty and the self check-in station did not work. I decided to sit in the waiting area and not think about the pain. Finally, I was approached by a nurse who apologized and explained they were woefully understaffed. Neither the provider nor the nurse were wearing name tags and after initially apologizing, they were both inattentive and dismissive about caring for my arm. I spent a total of four hours in your hospital from start to finish. Next time I need care, it would be worth the extra 15 minute drive to your competitor.”  

Here is an example of a genuine response that addresses specific issues without breaking confidentiality:

“Because of privacy regulations, we can’t discuss any specifics about your comments on this forum. However, we are committed to providing you high quality care, and we take your feedback very seriously. 

Reducing wait times is one of the most challenging aspects of our hospital, so we recently hired a consultant to help us better allocate our nurses and front-desk personnel and avoid these kinds of problems in the future. 

Please contact our patient experience office directly at [include phone number/email]. We are happy to discuss additional details to resolve this matter with you.”

Keep in mind that there’s no need to start drafting a response from scratch when replying to a review. It is common practice for health systems to design a general response framework, and then adjust templates as needed to fit each individual patient’s concerns. This effort also helps to reduce the risk of inadvertently violating HIPAA guidelines.

Final thoughts

Your job isn’t done when you hit the reply button. Always take any legitimate patient complaints and use them to rethink policies and future enhancements for your healthcare organization.

Don’t fret over a single bad review. As we’ve just discussed, you should respond and learn from it, but don’t dwell on it because your prospective patients are looking at the whole picture and not just at a single negative instance. Bad reviews will happen. What the health consumer will consider is how you’ve handled them.

Lastly, patient reviews give healthcare organizations invaluable insights that can help optimize patient care and experience. Even when the patient’s opinion may not be accurate, it is true to them, and it reflects the way others are likely to perceive your brand. The best thing for your organization to do is use the findings to make changes that matter most to those you serve.
