Saltzer Surgery Center

Responding to reviews best practices (HIPAA)

How to Respond — and How Not to Respond

The following are some “do’s” and “don’ts” for your team to consider when responding to patient reviews, to ensure HIPAA compliance.


  1. Thank them for their feedback: All feedback is valuable. Patient comments in online reviews and social posts can shed light on potential operational problems or help train staff to be more friendly, helpful and effective. Show appreciation for any feedback — good or bad.
  2. Keep it anonymous and reference policy: Make sure your team responds to reviews without acknowledging the reviewers were patients.
  3. Take it offline: Follow up and discuss specifics privately with the reviewer, preferably by phone. In the response itself, invite them to contact you, and provide contact information.
  4. Focus on the positive: Create responses that show your dedication to improving patient experience. Continue the conversation with additional responses, updating the patient on changes you’ve made since receiving their feedback.


  • Don’t delete reviews: Unless a bad review includes profanity or slander, you should leave all reviews up. This builds trust with your audience and adds credibility to your positive reviews. If all your reviews are positive, consumers become suspicious. In fact, 90 percent of consumers suspect censorship or fake reviews if they don’t see any bad scores.
  • Don’t alter content, but don’t acknowledge or repeat PHI: If a review from a patient includes protected health information (PHI), you don’t need to delete it. However, don’t repeat or disclose additional PHI in your response, and never acknowledge that the reviewer is a past or present patient.
  • Don’t email a patient without their consent: In many states, healthcare providers need a patient’s written consent to communicate with them electronically. Unless you are sure of your state’s laws or have consent, use the phone.