The Intake

Insights for those starting, managing, and growing independent healthcare practices

Your guide to HIPAA-compliant patient testimonials and reviews

Online patient reviews are part of promoting your healthcare practice — but it’s vital to stay HIPAA compliant. Here’s how.

HIPAA-compliant patient reviews

At a Glance

  • Patient testimonials are influential in healthcare decisions, so maintaining HIPAA compliance in them is essential for protecting patient privacy and the healthcare provider’s reputation.
  • HIPAA rules require careful management of patient testimonials, including responses and solicitations, to ensure privacy and avoid legal repercussions and financial penalties.
  • Healthcare providers must train their staff, monitor testimonials across all platforms, and handle patient reviews proactively to adhere to HIPAA guidelines and maintain trust in the digital healthcare landscape.

Just under half (46%) of the patients surveyed in Tebra’s 4th annual Patient Perspectives report say they chose their healthcare provider based on online reviews.

Positive online patient testimonials signal trust and a solid reputation. Trust is a significant part of being a reputable healthcare provider, and it intersects with Health Insurance Portability and Accountability Act (HIPAA) compliance. 

HIPAA has regulated patient privacy and information since 1996 — and the rise of online health portals and social media has made handling HIPAA compliance a more complex task. Its regulations were primarily designed to safeguard patients' sensitive medical information, especially when healthcare providers engage with health insurance companies. 

When healthcare providers bill insurance for their services, HIPAA compliance becomes a critical consideration. It's binding on healthcare entities that handle health insurance and maintain electronic health records.

To generate more online healthcare reviews to promote your practice, it’s vital that your existing patient testimonials stay HIPAA compliant — with processes in place to handle new patient reviews.

Below, we explore how to manage received patient testimonials and adhere to HIPAA rules. But first, what is the HIPAA privacy rule?


What is under the HIPAA privacy rule?

The HIPAA privacy rule dictates how protected health information (PHI) can be collected, stored, and used. 

PHI is any individually identifiable health information, including identifiers such as name, date of birth, and Social Security number. It also includes data such as vehicle identifiers, serial numbers, and biometric identifiers like fingerprints or voice prints.

Best practices for receiving online patient testimonials

The ideal patient testimonial is timely, positive, and doesn't share sensitive information — though if a patient shares their own information, that is up to their own discretion. For example: "I'm a patient at [Practice Name], and I'm consistently impressed by the outstanding care I receive. The team here makes me feel comfortable, answers all my questions, and genuinely cares about my well-being."

When you receive patient reviews, it’s important to acknowledge receipt by responding promptly, while staying in compliance with HIPAA. Thank the patient for their feedback, maintain patient anonymity, and encourage private, offline follow-ups if needed: “Thank you for your review and your trust in our team. For privacy and HIPAA compliance, we are unable to discuss medical details publicly, but we're here to assist you privately with any concerns.”

Remember, if your clinic is seeking more patient reviews, it’s important to be cautious about how you solicit them. For instance, incentivizing reviews might not be ethical. Marcus Fernandez, attorney and co-owner at KFB Law, explains: “Offering incentives in exchange for testimonials may be viewed as coercive and compromise the integrity of the disclosure.”

Train your team

Ensure that anyone in your organization who manages, solicits, or responds to online reviews thoroughly understands HIPAA compliance. Regular training sessions can ensure that your team is up-to-date with the latest guidelines and best practices.

The impact of HIPAA non-compliance

There are significant financial penalties and legal repercussions for not adhering to HIPAA.

Enforcement is handled by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Penalties work on a 4-tier sliding scale: the worse the violation, the higher the penalty.

At the time of writing, the most recent penalty amounts published in the Federal Register are as follows (CMP is the civil monetary penalty):

Tier                                                                   Minimum penalty per violation   Maximum penalty per violation   CMP limit for identical violations in a calendar year
Tier 1. Unknowing violation                                            $137                            $68,928                         $2,067,813
Tier 2. Violation due to reasonable cause                              $1,379                          $68,928                         $2,067,813
Tier 3. Violation due to willful neglect and corrected within 30 days  $13,785                         $68,928                         $2,067,813
Tier 4. Violation due to willful neglect and not corrected             $68,928                         $2,067,813                      $2,067,813

The monetary aspect isn’t the only issue. Legal consequences might also involve criminal charges, especially in cases where a practice or team member intentionally disclosed or misused PHI for personal gain or harm.

Beyond HIPAA, consider state privacy statutes. Patient testimonials and word-of-mouth recommendations are essential for healthcare providers’ reputations. A single HIPAA violation, especially if public, can taint your reputation for years.

Patients entrust healthcare providers with some of their most personal and sensitive information. A breach, whether accidental or negligent, signals to patients that their privacy is not a priority. The wider problem is that this perception might cause patients — if they stay with your practice — to hesitate in sharing vital health details in the future, which can compromise the quality of care they receive.

Benefits of HIPAA-compliant reviews

Ensuring patient testimonials align with HIPAA guidelines guarantees that your practice protects patient privacy while leveraging the benefits of positive feedback.

It's important to clarify that patients can share their own information if they choose; it’s healthcare providers and practices who must ensure they do not violate HIPAA by sharing patient PHI without consent.

While patients cannot violate HIPAA, you can empower them to protect their PHI with suggestions on what to include in their reviews and testimonials. For instance, reviews might center around the patient's experience at the practice, rather than around their specific medical details. This approach not only ensures that feedback is genuine but also makes it more relatable to other potential patients, while reminding patients that their details will be public.

For your organization, compliant testimonials showcase your commitment to upholding both quality care and patient privacy, which boosts your professional credibility.

Review management and continuous monitoring 

Patient testimonials can appear in a number of places — from your personal website to social media channels to third-party review sites and online directories. That’s why a proactive approach to continuously monitoring patient testimonials is vital.

In some instances, taking no action, including refraining from acknowledgment, may be the most appropriate course. When a patient's communication potentially discloses PHI, it's important to exercise restraint and assess whether any response is necessary.

Exploring real-life scenarios

Let’s look at some potential situations you might face as a healthcare provider, and how to handle them:

Dissatisfied patient

Devi leaves a negative review for her healthcare provider about waiting times and mentions she had to wait, even though she has severe asthma.

Public response example: "Due to unforeseen circumstances, sometimes wait times can be longer than we’d like; for this we apologize. We value your feedback and take it seriously. Please feel free to contact our office directly so we can discuss your concerns further."

Private message example: "We appreciate your feedback and are here to address your concerns. We also want to remind you that sharing personal health information online can be risky."

Third-party review platforms

A patient, Emily, shares a detailed review on a platform like Yelp, discussing her recent surgery and the complications she faced.

Public response example: "Thank you for your feedback. We're here to support you and address any concerns you may have."

Private message example: "Thank you for sharing your experience. We value your privacy and encourage our patients to be cautious about sharing specific medical details online. If you wish, you may revise the more detailed parts of your review to protect your privacy."

Social media mentions

A patient, Han, tags the clinic in a Facebook post, expressing gratitude for their service, but shares a picture that has other patients in the background.

Public response example: "Hi, thank you so much for your kind words! We’re always thrilled to hear positive things about our clinic."

Private message example: "We’re truly grateful for your feedback and for sharing your experience. We noticed the photo you posted has other patients in the background. To respect their privacy, would you mind editing or replacing the image? We deeply appreciate your understanding."

Group therapy testimonial

A patient, Alex, from a group therapy session, mentions the names of other attendees and the topics discussed in their review.

Public response example: "Thank you for sharing your thoughts. Group therapy sessions are a valuable part of our offerings, and we're glad you found it beneficial."

Private message example: "We're grateful for your positive feedback on our group therapy sessions. To ensure the confidentiality of all attendees, we kindly ask you to edit your review to omit the names and specific discussions. We appreciate your understanding in maintaining the privacy of all members."

HIPAA-compliant patient testimonials and trust online

HIPAA compliance in managing patient testimonials is crucial in today's digital age, where online reviews significantly influence healthcare decisions. Because online reviews are so common, it's essential that these testimonials are not only positive but also HIPAA-compliant.


Protecting patient privacy and maintaining trust are paramount. By adhering to HIPAA rules, your organization can continue to foster trust, uphold patient privacy, and build a positive reputation while leveraging online patient reviews to promote your practice. 


How do you comply with HIPAA?

HIPAA compliance requirements include the following:

  • Designate a privacy officer to oversee HIPAA compliance.
  • Conduct regular risk assessments to identify patient data risks and vulnerabilities.
  • Develop an incident response plan to handle security incidents and data breaches.
  • Create and introduce HIPAA-compliant written policies and procedures.
  • Adhere to a HIPAA Privacy Rule checklist to ensure compliance.
  • Uphold patient rights by respecting patient privacy and access.
  • Deliver specific training on HIPAA requirements and best practices.
  • Obtain patient consent as required for certain disclosures.
  • Regularly audit PHI access for security and compliance assurance.

How to avoid HIPAA pitfalls when managing online reviews

  • Understand PHI: know which details count as protected health information.
  • Don't confirm patient relationships: never publicly acknowledge whether someone is a patient.
  • Train your team to ensure they are well-versed in HIPAA guidelines, especially when interacting online.
  • Use templates for standard, HIPAA-compliant responses across online platforms.
  • Use generic responses without addressing specific treatments or conditions. Encourage direct office contact for detailed discussions.
  • Monitor reviews by employing tools to oversee reviews and promptly address any issues.
  • Act quickly if a response from your team potentially violates HIPAA. Remove it promptly and follow up privately if needed.

Can healthcare providers use patient testimonials in marketing materials while adhering to HIPAA?

Yes, healthcare providers can use patient testimonials in marketing materials, but they must ensure:

  • Any personally identifiable information or specific medical details are removed or anonymized unless the patient has explicitly allowed its use.
  • The patient has given explicit and written consent to share their testimonial.
  • The testimonial doesn't inadvertently disclose any PHI that the patient hasn't agreed to share.

75% of people look online to find a doctor. Patients take a critical look at web presence, online business profiles, and reviews when they decide to pick a health provider. Learn where your practice should be online in the 2023 Patient Perspectives report.


Becky Whittaker, specialist SEO copywriter

Becky Whittaker is a specialist SEO copywriter with over a decade of experience and an interest in healthcare and legal marketing. Becky believes that independent practices are critical because they have more opportunities to deliver better patient care and personalize patients’ experiences. She also has a personal connection to the healthcare industry, as her sister-in-law is a pediatrician.

Reviewed by

Baran Erdik, physician and healthcare consultant

Dr. Baran Erdik, MD, MHPA is a physician with further specialization in internal medicine/cardiology. He has traveled the world, working as a physician in New Zealand, Germany, and Washington State. He’s been published numerous times and currently works in healthcare compliance and consulting.
