
HIPAA and Google reviews: what your practice can't say

HIPAA limits what your dental, chiropractic, or medical practice can say in a Google review response. Here's the short list of safe and risky language.

Respondyr

A patient leaves a five-star Google review and writes, “Dr. K did an amazing job on my root canal.” You reply, “So glad the root canal went well, thanks for trusting us!” That single response is a potential HIPAA problem. You just confirmed, in public, that this person is your patient and what procedure they had. The reviewer disclosed it. You didn’t have to.

This is the part of healthcare review response that most practices get wrong, and most review response tools never think about. If you run a dental office, a chiropractic clinic, a vet practice, or any medical setting, here’s what you can and can’t say when you reply to a Google review.

The one rule that covers 80% of the risk

Never confirm or deny that someone is a patient.

That’s it. That’s the rule that prevents most of the HIPAA-adjacent mistakes practices make in review responses. Even if the reviewer says they’re a patient, even if they name the procedure, even if they post their full medical history, your response cannot acknowledge any of it. Confirming that a specific person received care from you is protected health information the moment you put it in a public reply.

The HHS Office for Civil Rights has fined practices for exactly this. A dental practice in Texas paid $10,000 to settle after responding to negative Yelp reviews with patient names and treatment details. A New York dental practice paid $125,000 for the same pattern. These cases keep happening because owners feel attacked and want to set the record straight in public. Don’t.

What you actually can say

You can talk about your practice in general terms. You can thank someone for feedback. You can invite a private conversation. You cannot tie any of it to the specific person who left the review.

Safe language for positive reviews:

  • “We appreciate you taking the time to share your feedback.”
  • “We’re glad to hear you had a positive experience with our team.”
  • “Thanks for the kind words about our staff.”

Safe language for negative reviews:

  • “We take all feedback seriously and would like the chance to discuss this with you directly.”
  • “Please reach out to our office manager at [phone] so we can look into this.”
  • “We’re sorry to hear about your experience. We’d welcome the opportunity to talk through it.”

None of that confirms patient status. None of it references a treatment, a diagnosis, or a visit. It treats the reviewer like a member of the public who left feedback, which is the only safe stance you can take in writing.

Language that creates risk

These are the patterns that get healthcare practices in trouble:

  • Confirming the appointment: “We’re glad your cleaning last Tuesday went well.”
  • Naming the procedure: “So happy your crown is working out.”
  • Defending against allegations with details: “Actually, the X-rays you mentioned showed…”
  • Apologizing for the specific complaint: “We’re sorry the cavity filling didn’t hold up.”
  • Using the reviewer’s first name with care details: “Sarah, we’re sorry the dental implant procedure didn’t meet your expectations.”

Each of these confirms the relationship and the care. The reviewer’s disclosure does not waive your obligation. HIPAA protects the patient’s information, not your ability to respond truthfully.

Why this matters for your Google ranking

You can’t ignore reviews either. Google’s local ranking factors include owner response rate, and 89% of consumers read business responses to reviews (BrightLocal, 2024). Healthcare practices that go silent on reviews lose twice. They lose the SEO signal that comes from consistent responses, and they lose the trust signal that comes from showing they engage with feedback.

The trap is the response itself. Owners feel pulled between two bad options. Stay silent and look indifferent, or respond and risk a violation. The right answer is to respond to every review with language that’s warm, brief, and doesn’t reference any care.

A consistent reply that says “thanks for your feedback, we’d love to talk more directly if there’s anything we can do” is doing the job. It tells future patients you read your reviews. It tells Google you’re an active business. It says nothing that could be used against you.

How most response tools fail healthcare

Generic AI review tools were built for restaurants and home services. They were trained to write responses that mirror the reviewer. If a customer says “great pizza,” the AI says “we’re glad you enjoyed the pizza.” That pattern is fine for a pizzeria. It’s a violation waiting to happen for a dental office.

Out of the box, most automation tools will happily generate “we’re so glad your wisdom tooth extraction went smoothly” because it reads as natural and warm. It’s also a public confirmation of a patient relationship and a specific procedure. The tool isn’t trying to break HIPAA. It just doesn’t know healthcare is different.

This is one of the reasons our Business plan has healthcare-aware drafting rules that prevent the AI from acknowledging specific treatments, conditions, or patient details, and routes every reply through human approval before posting. It’s a product feature, not a HIPAA compliance service. The practice is still responsible for its own compliance program, and patients’ actual records never touch our platform.

A practical 3-step check before publishing any healthcare response

Before you hit publish on a review reply, ask three questions:

  1. Does this confirm the person is a patient? If yes, rewrite.
  2. Does this reference a specific treatment, procedure, or condition? If yes, remove it.
  3. Could this exact reply work for any feedback from any member of the public? If yes, ship it.

Most reviews can be answered in under twenty words with this approach. It feels generic at first. It is generic, on purpose. Generic is the only safe public posture for a healthcare practice with a duty to protect patient information.
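One way to turn the three questions into a pre-publish gate for a review-response workflow, as an added example that is not Respondyr's own drafting rules or code from this post: the term lists and pattern names below are constructed for illustration, and a practice would extend them for its own specialty.

```python
import re
from typing import Optional

# Illustrative word lists constructed for this example; not any product's rules.
# Treatments, procedures, and conditions that should never appear in a public reply.
CARE_TERMS = (
    "root canal", "cleaning", "crown", "filling", "cavity", "x-ray", "x-rays",
    "implant", "extraction", "wisdom tooth", "adjustment", "surgery", "diagnosis",
    "treatment", "procedure", "appointment", "visit", "prescription", "symptoms",
)
# Phrases that acknowledge the reviewer as a patient or confirm a specific visit.
PATIENT_CONFIRMATION = (
    r"\byour (?:appointment|visit|procedure|treatment|results|chart|records|care)\b",
    r"\b(?:last|this|next) (?:monday|tuesday|wednesday|thursday|friday|saturday|sunday|week|month)\b",
    r"\bwhen you (?:came in|were here|visited)\b",
    r"\bour patient\b",
)
CARE_RE = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in CARE_TERMS) + r")\b", re.I)
CONFIRM_RE = [re.compile(p, re.I) for p in PATIENT_CONFIRMATION]


def screen_reply(reply: str, reviewer_name: Optional[str] = None) -> list:
    """Return (question, evidence) findings for a draft reply.
    An empty list means the reply passes all three pre-publish questions."""
    findings = []
    # Question 1: does the reply confirm the person is a patient?
    for rx in CONFIRM_RE:
        m = rx.search(reply)
        if m:
            findings.append(("confirms patient status", m.group(0)))
    # Question 2: does it reference a specific treatment, procedure, or condition?
    care_hits = [m.group(0) for m in CARE_RE.finditer(reply)]
    for hit in care_hits:
        findings.append(("references care", hit))
    # First-name rule: a name next to care details ties the care to a person.
    if reviewer_name and care_hits:
        if re.search(r"\b" + re.escape(reviewer_name) + r"\b", reply, re.I):
            findings.append(("names reviewer with care details", reviewer_name))
    return findings


def is_publishable(reply: str, reviewer_name: Optional[str] = None) -> bool:
    """Question 3: True only when the reply could go to any member of the public."""
    return not screen_reply(reply, reviewer_name)
```

A screener like this catches the obvious patterns; the human approval step still has to read each reply, because a term list cannot recognise every way a reply can acknowledge care.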

If you want help responding to every Google review without putting your practice at risk, that’s what Respondyr is built for. We also covered specifics for dental practices and veterinary clinics if you want the industry-specific playbook. Starts at $29/month, healthcare-aware rules included on the Business plan, no contracts.