
Responding to Negative Patient Reviews: The HIPAA and FTC Rules That Determine What You Can Actually Say

Every healthcare practice wants to respond to negative reviews. HIPAA, the FTC Consumer Review Fairness Act, and state medical board rules all restrict how. Here's the framework for responding legally without making the situation worse.

8 min read. By RegenCompliance Editorial, FDA/FTC compliance desk

Healthcare practices face specific legal constraints when responding to negative reviews that most industries do not. HIPAA restricts what you can disclose about any patient, including one who wrote a negative review. The FTC’s Consumer Review Fairness Act restricts how you can try to suppress honest reviews. State medical boards have professional-conduct rules that apply to online communication about patients. Getting this wrong carries real consequences. Here’s the framework.

What you cannot do

HIPAA-violating responses

The most common mistake: responding to a negative review by citing specifics about the patient's care. Even confirming that the reviewer was a patient is a disclosure of protected health information under HIPAA; the patient's decision to describe their own visit publicly does not authorize the practice to do the same. Detailing their medical history, complaints, or treatment in a public response is a serious HIPAA violation, and this exact pattern has produced OCR enforcement actions and monetary settlements against healthcare practices.

Non-compliant

This patient came to us with severe depression and was clearly non-compliant with our recommended protocol.

Compliant alternative

We take all patient feedback seriously and strive to provide the highest level of care. We cannot discuss any specific patient's experience publicly due to patient privacy rules. If you'd like to discuss your concerns with us, please contact [office contact] directly.

Why: Any specific-patient detail in a public response is a HIPAA disclosure regardless of whether the patient identified themselves or described their own care first. The rule belongs to the covered entity, not the reviewer, and OCR has pursued this pattern in formal enforcement actions.

CRFA-violating review suppression

The Consumer Review Fairness Act voids form-contract provisions that bar or restrict honest reviews, impose penalties or fees for writing them, or claim ownership of their content. This applies to healthcare practices. You cannot require patients to sign "no negative review" clauses in intake paperwork, and threatening legal action against an honest review simply because it is negative invites FTC and state consumer-protection scrutiny.

Defamation threats against honest reviews

Defamation requires a false statement of fact. Opinion-based negative reviews ("the office is unpleasant," "I didn't get the results I hoped for") are almost never actionable defamation. Threats or legal actions against opinion reviews create CRFA and consumer-protection exposure, anti-SLAPP fee exposure in the many states that have such statutes, and Streisand-effect reputation damage.

Review gating in violation of FTC rules

The FTC has specifically enforced against "review gating": asking for feedback privately first and then directing only satisfied patients to public review sites, so that the public rating reflects a filtered sample. The FTC treats this as a deceptive review-solicitation practice, and it carries enforcement exposure.

What you can do

Generic empathetic responses

Respond to negative reviews generically - acknowledging that patient experience matters, inviting private contact, and avoiding any specific-patient detail. This is the standard-of-practice response that most healthcare attorneys advise.

Not recommended

(No response at all. Silence is not a violation, but it reads as inattentive to prospective patients.)

Compliant alternative

We appreciate every piece of patient feedback and take all concerns seriously. We cannot discuss individual patient experiences publicly due to privacy rules, but if you'd like to discuss your concerns directly, please reach out to us at [office contact]. - [Practice Name] Team

Why: The generic response acknowledges the reviewer, explains your privacy-driven silence, and offers a path for direct conversation - without any HIPAA-implicating specifics.

Private outreach to resolve

If the review is from an identifiable patient (sometimes they use their real name) and you have their contact on file, you can privately reach out to try to resolve the underlying issue. Many reviewers who receive genuine private outreach update or remove negative reviews on their own. Keep the outreach focused on the care concern: do not condition a refund or remedy on removing the review, and do not reference the review's content to anyone outside the patient's own care team.

Report fake or impersonation reviews

Reviews from non-patients or clear impersonation can be reported to the platform for removal under the platform’s policies. Keep documentation of why you believe the review is not from a patient.

Solicit real reviews broadly

The FTC-compliant way to build review volume is to solicit reviews from all patients, not only satisfied ones. Don't screen for positive sentiment before soliciting; don't incentivize positive reviews specifically; and check platform policy before offering any incentive at all, since several platforms prohibit incentivized reviews regardless of sentiment. Build volume across the board, which naturally dilutes individual negatives.

Platform-specific considerations

Google Reviews

Google Reviews are the most-visible platform. Google’s removal criteria are narrow - fake reviews, conflicts of interest, off-topic reviews, illegal content. Most negative-but-opinion reviews will not be removed by appeal.

Yelp

Yelp’s moderation is especially strict; appealing a negative review as a business owner is notoriously difficult. Focus your response energy on the generic compliant response rather than removal attempts.

Healthcare-specific platforms

Healthgrades, Zocdoc, Vitals, and similar platforms have their own review processes. Some allow physician responses; some require response through the platform. Policies on removing reviews vary.

BBB and state medical board complaints

Better Business Bureau complaints have their own resolution process. State medical board complaints are separate from reviews and involve professional-conduct investigations that require different response handling (typically legal counsel).

Building review resilience

The most-resilient practices on review platforms share certain characteristics:

  1. High review volume. A few negative reviews in a context of 200+ reviews read differently than the same negatives in a context of 15 reviews total.
  2. Consistent broad solicitation. Every patient is invited to leave a review; no gating for positive sentiment.
  3. Responsive generic responses. Every review, positive and negative, gets a generic response acknowledging the feedback.
  4. Private resolution when possible. Proactive outreach to resolve negative experiences privately.
  5. Operational improvements driven by feedback. Patterns in negative reviews get addressed operationally, which prevents recurrence.

Frequently asked questions

Can I say “we don’t have a record of this patient”?

No. Confirming or denying that someone is a patient is itself a disclosure of protected health information, and a "we have no record" statement does exactly that. Stick to generic responses.

What if the review contains factually false claims?

Consider legal counsel on defamation options (rarely advisable except in egregious cases), platform reporting for policy violations, or simply letting the review stand with a generic response that invites private conversation. The Streisand effect of public legal action typically amplifies the review rather than removing it.

Can I offer refunds in exchange for review removal?

This creates FTC and state-consumer-protection exposure, particularly if the refund is framed as contingent on removal, and it violates most platforms' review policies. Offering to resolve the underlying issue is different from paying for review removal. Most healthcare attorneys advise against the direct transaction.

What about online reputation management services?

Evaluate carefully. Services that suppress honest reviews or generate fake positive reviews create legal exposure for the practice. Legitimate services focus on helping solicit real reviews broadly and responding to reviews compliantly.

Should physicians respond personally?

Usually not. Practice-level generic responses from the marketing or office team are safer. Personal physician responses risk slipping into HIPAA-implicating specifics, emotional tone, or professional-conduct issues that state medical boards can investigate.

What documentation should we keep on review response?

Document the review, the response posted, any private outreach attempted, and operational changes made in response to patterns. This documentation is useful both for reputation management and in rare cases where the review pattern becomes part of a regulatory or legal matter.
