
Healthcare practices can collect Google reviews without violating HIPAA, if done correctly. Learn exactly what's allowed, what's not, and how to build a compliant review strategy.
Most healthcare practices I work with fall into one of two camps: those who think they can't ask for reviews at all because of HIPAA, and those who are asking for reviews in ways that could actually create a compliance problem. Neither approach is right.
HIPAA doesn't prohibit healthcare providers from asking for reviews. What it prohibits is using or disclosing Protected Health Information (PHI) without patient authorization. This guide covers exactly where that line is, so you can stay on the right side of it and build a strong review profile without creating legal exposure.
HIPAA's Privacy Rule restricts how covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates use PHI. PHI includes any information that could identify a patient in connection with their health status, healthcare services received, or payment for healthcare.
The key principle for review management: you can ask a patient to leave a review, but you cannot use their PHI to do so, and you absolutely cannot respond to a review in a way that confirms, denies, or adds to the patient's health information.
The HHS Office for Civil Rights has specifically addressed healthcare reviews. Their guidance is clear: responding publicly to a review in a way that reveals whether someone is a patient or shares any detail about their care, even to defend against a false accusation, constitutes a HIPAA violation.
Common Mistake: Responding to a negative review with "I'm sorry you felt that way after your appointment on Tuesday; we did discuss this during your visit." That response confirms the person is a patient and references their appointment. That's a HIPAA violation, even if what you said is true and the reviewer is being unfair.
You can ask patients to leave reviews. A general request, "Would you be willing to share your experience on Google?", is fully compliant. You're not using PHI; you're making a general ask.
You can send review requests via text or email to patients who have opted in. Most healthcare practices have patients sign communication consent forms that include text and email contact for appointment reminders and follow-up. That same consent covers sending a review request. Confirm your consent language covers "patient satisfaction communications" or similar.
You can use QR codes at your front desk, in waiting rooms, or in patient handout packets. Displaying a QR code linking to your Google review page is fully passive: no patient information is used and no PHI is disclosed.
You can respond to positive reviews with generic, non-PHI-confirming language. "Thank you for taking the time to share your experience. We're glad to hear it!" does not confirm anyone is a patient, does not reference their care, and is fully compliant.
Quick Win: Print a simple card or display a sign in your waiting room with a QR code linking to your Google review page. The message can be: "Had a great experience? Scan to leave us a review on Google." This passive approach generates reviews with zero HIPAA risk.
Respond to any review in a way that acknowledges the reviewer as a patient. Even writing "Dear [Name], thank you for being a patient at our practice" confirms PHI: the fact that they received care from you. This is a violation.
Reference any details about their visit, diagnosis, or treatment in a public response. Even a vague reference like "We're glad your procedure went well" is problematic.
Use targeted review requests that segment patients by procedure or diagnosis. Sending review requests specifically to patients who had positive outcomes for a particular treatment uses clinical data to target a communication, which qualifies as PHI use.
Use patient data from your EHR to power automated review requests without a Business Associate Agreement (BAA). If your review management software accesses patient records to trigger requests, that software is a Business Associate under HIPAA and needs a signed BAA in place.
Common Mistake: Practices using a HIPAA-compliant EHR for appointment reminders, then adding a review request plug-in that accesses the same patient data without confirming the plug-in vendor has signed a BAA. The reminder software was compliant. The review plug-in may not be.
This is the most common compliance gap I see, and it's where practices get into trouble even when their request process is fully compliant.
The safe response framework:
For positive reviews: "Thank you for sharing your experience. Our team works hard to provide excellent care, and feedback like yours means a lot to us."
No name, no appointment reference, no confirmation of patient status. Generic, warm, compliant.
For negative reviews: "We take all patient feedback seriously and strive to provide the best possible care. We'd like to address your concerns directly; please contact our office at [phone number] so we can speak privately."
This acknowledges the concern without confirming patient status, doesn't argue with the details, and moves the conversation off a public platform.
Never:
Pro Tip: Designate one person in your practice as the review response owner and provide them with a HIPAA-compliant response template library. Consistent, reviewed templates eliminate the risk of an off-the-cuff response that violates the standard.
A 1-star review claiming a procedure went wrong or that your staff was negligent creates a strong temptation to respond with the facts. This is exactly where HIPAA violations happen in healthcare.
Your instinct is to correct the record. Your HIPAA obligation is to protect the patient, even an angry one.
The correct approach:
Sunrise Family Dental in Columbus had 22 unaddressed negative reviews before we started working together. The practice manager's instinct was to respond with patient details to show the reviews were exaggerated. We replaced that approach with compliant generic responses, and over 90 days, their rating moved from 3.1 to 4.2, not from arguing with negative reviews, but from generating new positive ones consistently.
Flento Data: Healthcare practices that responded to all reviews (including negative ones) with compliant generic responses saw a 34% increase in new patient Google review rates over 6 months, compared to practices that either didn't respond or responded selectively to only positive reviews.
A HIPAA-compliant review request system has three components:
1. Consent mechanism. Patient communication consent forms should include language covering patient satisfaction surveys and review requests. Review your current intake forms with your legal counsel to confirm coverage.
2. Compliant trigger. Review requests should be triggered by appointment completion (via your scheduling system), not by clinical records or diagnosis data. If your review management software integrates with your EHR, verify a BAA is in place with the software vendor.
3. Generic request language. Your review request text or email should not reference the patient's specific appointment, the type of care received, or any clinical information. "We hope your visit went well. If you have a moment, we'd appreciate a Google review." is compliant. "We hope your procedure on Tuesday went smoothly" is not.
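The three components above (consent coverage, a trigger fed by appointment completion rather than clinical data, and generic request wording), plus the non-PHI trigger signal discussed in the FAQ, as an added Python example; this is not Flento's code or any vendor's API. The event field names, the consent flag, the sample event and the PHI wording patterns are assumptions, and the same wording check can be run over reply templates, not just request text.

```python
import re
from dataclasses import dataclass

# Only these fields may be read here; diagnosis/procedure data never passes through.
ALLOWED_FIELDS = {"contact_id", "channel", "contact", "satisfaction_consent"}

# Generic request wording: names no appointment, date, procedure or person.
GENERIC_BODY = ("We hope your visit went well. If you have a moment, "
                "we'd appreciate a Google review: {review_url}")

# Wording that would tie a message to a specific visit, clinical detail or person.
PHI_PATTERNS = [
    r"\b(monday|tuesday|wednesday|thursday|friday|saturday|sunday)\b",
    r"\b(procedure|diagnosis|surgery|treatment|prescription|test results?)\b",
    r"\b\d{1,2}/\d{1,2}(/\d{2,4})?\b",            # calendar dates such as 3/14
    r"\bdear\s+\w+",                              # "Dear Jane"
    r"\byour (appointment|visit) (on|at|with)\b",
]

# Constructed sample event (scheduling-webhook shape); clinical fields are shown
# only to prove that they get dropped before any message is built.
SAMPLE_EVENT = {
    "contact_id": "c-1042", "channel": "sms", "contact": "+15555550123",
    "satisfaction_consent": True,
    "diagnosis": "<clinical-code>", "procedure": "<procedure-name>",
}

@dataclass(frozen=True)
class ReviewRequest:
    channel: str
    contact: str
    body: str

def contains_phi_reference(text: str) -> bool:
    """True if text references a visit date, clinical detail or named patient."""
    return any(re.search(p, text, re.IGNORECASE) for p in PHI_PATTERNS)

def minimize_event(event: dict) -> dict:
    """Reduce an appointment-completion event to the allowlisted fields only."""
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS}

def build_review_request(event: dict, review_url: str):
    """Return a ReviewRequest only when consent covers it, or None otherwise."""
    safe = minimize_event(event)
    if not safe.get("satisfaction_consent"):
        return None                       # consent form did not cover review asks
    body = GENERIC_BODY.format(review_url=review_url)
    if contains_phi_reference(body):      # catches an edited template before send
        raise ValueError("request template references PHI")
    return ReviewRequest(safe["channel"], safe["contact"], body)
```

Contact details still belong to a patient, so this component runs inside the BAA-covered system; the allowlist only guarantees that clinical fields never reach the messaging step.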
Action Step: Review your current review request workflow with your compliance officer or legal counsel. Confirm three things: consent coverage, BAA status with any software vendors, and that request language contains no PHI.
Flento's review management system for healthcare practices is designed to comply with HIPAA requirements. Review requests are triggered by appointment completion signals, not by clinical data, and the platform uses generic, non-PHI language in all automated communications.
For practices that need a BAA, Flento provides signed Business Associate Agreements for healthcare customers. This covers the compliance gap that many review management tools, designed for general businesses, create when used in healthcare settings.
The response template library in Flento includes pre-built HIPAA-compliant response templates for positive, neutral, and negative reviews, reducing the risk of a staff member writing a response that inadvertently violates the standard.
Can a healthcare practice ask patients for Google reviews? Yes. Asking a patient to leave a review does not use PHI. The restriction is on how you respond to reviews publicly, not on asking for them. Compliant request language avoids referencing any specific care, appointment, or clinical information.
Is it a HIPAA violation to respond to a Google review? It can be. Responding in a way that confirms someone is a patient, references their care, or discloses any health information is a HIPAA violation, even if the response is defensive or accurate. Always use generic, non-PHI-confirming language.
Do I need a BAA with my review management software? If the software accesses your patient records (EHR, scheduling system with patient data) to trigger review requests, yes, a BAA is required. If the software is triggered by a separate non-PHI signal (like a simple appointment completion webhook), the BAA requirement depends on whether PHI is technically transmitted.
Can I dispute a false negative review from a non-patient? Yes, if you can clearly establish the reviewer was never a patient, you can flag the review through Google's removal process as fraudulent. Do not publicly state the person was never a patient in a response, even if true; doing so creates an implicit claim about your patient records.
What happens if my practice violates HIPAA through a review response? HIPAA violations related to public disclosures (like review responses) are reviewed by HHS OCR. Civil penalties range from $100 to $50,000+ per violation depending on the level of negligence. Consult your practice's legal counsel for guidance specific to your situation.