HIPAA Compliance and Reputation Management for Healthcare Providers

As technology advances, the term “word of mouth” changes in meaning. It used to be that a personal recommendation from a friend or loved one was the gold standard of approval. Now, people have access to so much information that they don’t even need to personally know whoever left a review in order to trust their opinion. So, how do you – as a healthcare provider – stand out when there are dozens of other choices in your area? Reputation management.

According to BrightLocal, 76 percent of consumers trust online reviews as much as personal recommendations. That means your potential patients are trusting your existing patients and what they say about you online. Additionally, 90 percent of consumers read online reviews before they even visit a business. So, it’s important to have reviews and to respond to them. But how do healthcare providers keep up with their reputation management while also maintaining HIPAA compliance?

What Is HIPAA Compliance?

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996, which protects patients’ health and personal information. Under HIPAA, protected health information (PHI) must remain confidential whenever it is transferred, received, handled, or shared. PHI includes identifying and health-related details such as the following, but is not limited to them:

  • Name
  • Date of birth
  • Phone number
  • Email address
  • Appointment information
  • Diagnosis
  • Test results

What does this have to do with reputation management? Healthcare providers need to remain HIPAA compliant when answering patient reviews. Let’s go over the HIPAA compliance checklist when it comes to reputation management for healthcare providers.

Do:
Thank the reviewer – Whether feedback is good or bad, it’s best to start off by thanking the user for writing the review, and to be courteous. This can be phrased in ways similar to these examples:

  • “Thank you for your review.”
  • “Thank you for taking the time to leave a review.”
  • “Thank you for your feedback.”
  • “Thank you for your honesty.” (For negative reviews.)

Keep it anonymous – Unlike other situations where you want to be extra personable with a patient, your review response should be the opposite. Do not refer to them by name (or username). Also, do not specifically reference how or if you know them.

Take the conversation offline – For those (hopefully rare) reviews that are not five stars, it is important to resolve conflicts through other forms of communication. While it is tempting to set the record straight, it’s best to avoid details, as they could make your response non-compliant. We recommend offering an alternative means of communication:

  • “Please contact our office at (555) 555-5555 so we can resolve your issue.”
  • “Please send our office a direct message so we can hear more about what happened.”
  • “Please email us at your earliest convenience so we can address your concerns.”

Keep preapproved versions of your response – As a practice, decide how you want to represent your office and your “voice” as a business. This way, you can plan ahead and have answers that are ready to go as soon as you get a new review. We recommend responding to each review within 48 hours, or as soon as possible.

Don’t:
Reveal personal information – A patient’s name is a simple way to personalize a review response, but it cannot be included in a medical practice’s reply. Additionally, don’t acknowledge or reference any other personal information or PHI. Avoid phrases such as the following:

  • “Thank you, John.”
  • “We loved seeing you on Tuesday!”
  • “We hope your back pain is resolved soon.”
  • “Keep up with that ointment and your rash is sure to go away!”

Ignore bad reviews – Unfortunately, bad reviews are posted from time to time. Regardless of what prompted the review, it’s important to respond. The patient took time to post it and potential patients will look at your practice favorably if you engage with everyone.

Delete bad or unfavorable reviews – As with ignoring reviews, it’s best not to remove bad reviews just so you can have a spotless rating. Answering a bad review will have readers and Google looking at you in a more positive light.

Be HIPAA compliant in all situations.

One last thing you should do to improve your reputation management: have a plan! It’s best to hope for the best and prepare for the worst.

Not sure how to get started? The EGC Group offers healthcare and wellness marketing for providers looking to stand out from their competitors, while also following HIPAA compliance. Contact us today to get started on your new reputation management strategy!