Tags: HIPAA, online reviews, dental compliance, reputation management

HIPAA and Online Reviews: What Dentists Can and Cannot Say

Learn exactly what HIPAA allows dentists to say when responding to online reviews. Includes real violation examples, safe templates, and staff training tips.

Arck Team · January 5, 2026 · 6 min read


A patient leaves a 1-star Google review claiming you botched their root canal. Your instinct is to defend your work, explain what actually happened, and set the record straight. Do not do this. A single HIPAA violation in a review response can cost your practice up to $1.5 million per violation category per year — and the Office for Civil Rights has made it clear that online reviews are not an exception.

In 2023 alone, the OCR investigated over 800 HIPAA complaints tied to social media and online review responses by healthcare providers. Dental practices are among the most frequent violators because the rules around reviews feel counterintuitive: a patient can share their protected health information publicly, but you cannot.

What HIPAA Actually Prohibits

HIPAA's Privacy Rule (45 CFR §164.502) restricts covered entities — which includes every dental practice — from disclosing protected health information (PHI) without written patient authorization. PHI includes:

  • The fact that someone is or was a patient at your practice
  • Appointment dates, treatment types, or clinical details
  • Billing amounts, insurance information, or payment history
  • Any clinical observations, diagnoses, or treatment outcomes

The critical point: even if a patient discloses their own PHI in a public review, that does not give you permission to confirm, deny, or expand on that information. Their disclosure does not waive their HIPAA protections.

Real HIPAA Violations From Review Responses

These are based on documented OCR enforcement actions and published case studies:

Case 1: Confirming Patient Status

A dentist responded to a negative review by writing: "We treated you three times and each time you cancelled your follow-up appointments."

Violation: Confirmed the reviewer was a patient and disclosed the number of visits and that appointments were missed.

Case 2: Disclosing Treatment Details

An orthodontist wrote: "Your Invisalign treatment was progressing well until you stopped wearing the aligners as instructed."

Violation: Disclosed the specific treatment type and clinical compliance details.

Case 3: Referencing Financial Information

A practice owner responded: "Your insurance only covered 60% of the procedure, which we explained before treatment began."

Violation: Disclosed insurance coverage details and confirmed a procedure took place.

Case 4: Sharing Clinical Observations

A dentist wrote: "The X-rays clearly showed the cavity had progressed, which is why we recommended the crown."

Violation: Disclosed diagnostic findings and treatment recommendations.

What You CAN Say: Safe Response Guidelines

The good news is you can still respond to every review — and you should. Responding improves your local SEO and shows prospective patients you care. You just need to stay within these boundaries:

Safe Response Elements

| You CAN say | You CANNOT say |
|---|---|
| "Thank you for your feedback" | "Thank you for being our patient" |
| "We take all concerns seriously" | "We reviewed your chart and..." |
| "Please contact our office to discuss" | "Your appointment on March 5th..." |
| "Our office strives for excellent care" | "Your crown procedure went well" |
| "We'd like to learn more about your experience" | "Your insurance was billed correctly" |

The Universal Safe Template

Thank you for taking the time to share your feedback. We take all concerns seriously and would welcome the opportunity to discuss your experience directly. Please contact our office at [phone number] so we can address this personally.

This template works for virtually any negative review because it:

  • Does not confirm or deny the reviewer is a patient
  • Acknowledges the concern without agreeing or disagreeing
  • Moves the conversation offline where PHI can be discussed privately

Staff Training: The 3-Rule Framework

Every team member who might respond to reviews — office managers, front desk coordinators, associate dentists — needs to understand three rules:

Rule 1: Never Confirm

Do not confirm that the reviewer is a patient. Even saying "we value all our patients" in response to a specific review can be interpreted as confirmation.

Rule 2: Never Specify

Do not reference any clinical details, dates, procedures, billing, or insurance information — even if the patient mentioned them first.

Rule 3: Always Redirect

Every response to a negative review should end with an invitation to continue the conversation offline via phone or email.

Train your staff quarterly. Review response policies should be part of your annual HIPAA training, and any staff member authorized to post public responses should receive specific coaching. Consider designating one person — typically the office manager — as the sole review responder to minimize risk.

The Grey Areas

Can You Respond to Positive Reviews?

Yes, but carefully. Saying "Thank you, Sarah! We're glad you had a great experience" is generally considered low-risk. However, saying "We're glad your cleaning went well" discloses that Sarah received a cleaning, which is PHI. Stick to general gratitude without mentioning specific services.

Can You Ask Patients to Update Their Reviews?

You can reach out to a patient privately (after verifying their identity through proper channels) and attempt to resolve their concern. If the patient voluntarily updates or removes their review afterward, that is their choice. You cannot offer incentives or pressure them to change the review.

What About Anonymous Reviews?

Even if a review appears anonymous, respond as if HIPAA applies. Confirming details about "the patient who came in last Tuesday" could identify them to anyone who knows their schedule.

How AI Review Response Tools Help

One of the highest-risk moments for HIPAA violations is when a frustrated practice owner responds emotionally to a negative review. AI-powered response tools reduce this risk by generating responses that are structurally compliant — they never reference PHI, always use safe language patterns, and consistently redirect offline.

Arck's AI Review Agent drafts HIPAA-compliant responses automatically, escalating negative reviews to the practice owner with a pre-written response they can approve or edit. This eliminates the "angry response at 10 PM" scenario that leads to most violations.

Your HIPAA Review Response Checklist

Before posting any review response, confirm:

  1. No patient confirmation — does the response avoid confirming or denying the reviewer is a patient?
  2. No clinical details — are all references to treatments, procedures, or diagnoses removed?
  3. No financial information — is billing, insurance, or payment information excluded?
  4. No dates or specifics — are appointment dates, visit counts, or scheduling details absent?
  5. Offline redirect — does the response invite the reviewer to contact the practice privately?

If you can check all five boxes, the response is safe to post.
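As an added example (not Arck's tool or code), here is a pre-post screener that mechanically applies the five checklist questions above to a draft response; the phrase lists and sample drafts are assumptions modelled on this page's own cases and template, so a pass is a first filter, not a substitute for the human review the checklist describes.

```python
import re
MONTHS = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
DAYS = r"(?:mon|tues|wednes|thurs|fri|satur|sun)day"
# Phrase lists are assumptions modelled on this page's examples; extend them
# with your own practice's vocabulary (procedure names, plan names, etc.).
CHECKS = {
    # 1. Confirms or denies the reviewer is a patient
    "patient_confirmation": re.compile(
        r"\b(?:our patients?|we treated you|your? (?:visit|chart|follow-up)s?|"
        r"you (?:were|are) (?:never )?(?:a )?patient)\b", re.I),
    # 2. Treatments, procedures, diagnoses, clinical observations
    "clinical_details": re.compile(
        r"\b(?:x-rays?|cavit(?:y|ies)|crowns?|root canals?|cleanings?|invisalign|"
        r"aligners?|diagnos\w*|procedures?|treatments?)\b", re.I),
    # 3. Billing, insurance, payment information
    "financial_information": re.compile(
        r"\b(?:insurance|bill(?:ed|ing)?|payment|copay)\b|\$\d[\d,]*|\b\d{1,3}\s?%", re.I),
    # 4. Appointment dates, visit counts, scheduling details
    "dates_or_specifics": re.compile(
        rf"\b(?:{MONTHS}\.? \d{{1,2}}|\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?|(?:last|next) {DAYS}|"
        r"(?:\d+|two|three|four|five) times|appointments?)\b", re.I),
}
# 5. Invitation to continue the conversation offline
REDIRECT = re.compile(
    r"\b(?:contact (?:our|the) office|call (?:us|our office)|reach out|email us)\b", re.I)

def screen_response(draft, negative=True):
    """Map each checklist item to the phrases that trip it (empty list = pass)."""
    findings = {name: [m.group(0) for m in pat.finditer(draft)]
                for name, pat in CHECKS.items()}
    # Item 5 applies to negative reviews; a positive reply need not redirect
    findings["missing_offline_redirect"] = (
        [] if not negative or REDIRECT.search(draft) else ["no invitation to contact the office"])
    return findings

def is_safe_to_post(draft, negative=True):
    """True only when every checklist box can be ticked."""
    return not any(screen_response(draft, negative).values())

# Constructed drafts modelled on the page's template and Cases 1, 3 and 4
SAFE_TEMPLATE = ("Thank you for taking the time to share your feedback. We take all concerns "
                 "seriously and would welcome the opportunity to discuss your experience "
                 "directly. Please contact our office at [phone number] so we can address "
                 "this personally.")
CASE_1 = "We treated you three times and each time you cancelled your follow-up appointments."
CASE_3 = "Your insurance only covered 60% of the procedure, which we explained before treatment began."
CASE_4 = "The X-rays clearly showed the cavity had progressed, which is why we recommended the crown."
```

Wire `is_safe_to_post` in front of whatever posts the reply, and log the `screen_response` findings so the designated responder sees exactly which phrase tripped which checklist item.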

Want HIPAA-compliant review responses on autopilot? See how Arck's AI Review Agent works — every response is compliance-checked before it goes live.