When a patient leaves a negative Google review about your dental practice, your instinct might be to explain what actually happened. That instinct can get you in serious trouble. HIPAA applies to how you respond to online reviews, and violations carry penalties starting at $100 per incident and scaling up to $50,000 or more for willful neglect.

Here is what you need to know to respond to reviews without putting your practice at legal risk.

The Core Rule: Never Confirm the Patient Relationship

Under HIPAA, even acknowledging that someone is (or was) a patient at your practice is a disclosure of protected health information (PHI). This is the rule that catches most providers off guard. Even if the reviewer identifies themselves by full name and describes their treatment in detail, you still cannot confirm any of it in your response.

You cannot:

  • Confirm they visited your practice
  • Reference any treatment, procedure, or diagnosis
  • Mention specific dates of appointments
  • Discuss their insurance or billing details publicly
  • Share any information from their patient file

What You Can Say

You can speak in general terms about your practice policies and values. You can express concern. You can invite the person to contact you directly. The key is to keep your response generic enough that it does not confirm or deny any specific patient interaction.

Example 1: HIPAA-Safe vs. Violation

HIPAA violation:

“We are sorry your root canal was uncomfortable. We did administer extra anesthesia as you requested during your March 15 visit.”

HIPAA-safe:

“Patient comfort is very important to our practice, and we are sorry to hear about this experience. We would like to learn more and address your concerns directly. Please call our office at [number] so we can discuss this privately.”

Example 2: HIPAA-Safe vs. Violation

HIPAA violation:

“We can see from your records that your insurance was verified before the appointment and the copay was explained at check-in on January 8th.”

HIPAA-safe:

“We understand that billing questions can be frustrating. Our practice always works to verify insurance benefits and communicate costs clearly before treatment. We would like to review this matter with you privately -- please reach out to our billing team at [number].”

Example 3: HIPAA-Safe vs. Violation

HIPAA violation:

“Sarah, we are sorry you had to wait. We had an emergency extraction that morning that pushed all of our afternoon appointments back.”

HIPAA-safe:

“We value everyone's time and understand how inconvenient delays can be. We are always working to improve our scheduling process. If you would like to discuss your experience further, please do not hesitate to contact us directly.”

Why This Matters for AI-Generated Responses

If you use a general-purpose AI tool to draft review responses, there is a real risk it will generate a response that references specific treatments, dates, or patient details drawn from the review text. The AI does not know HIPAA rules, and a response that mirrors the reviewer's claims can still constitute a violation.
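As an added example (not from the article or from ReplyChief), here is a pre-publication gate in Python that turns the rules above into checks on a draft response before it is posted: dates, treatment or billing terms tied to the reviewer, and the reviewer's name. The term list and the reviewer-name argument are assumptions for the example; the sample drafts are the article's own Example 1 pair.

```python
import re
from typing import List

# Constructed lexicon for this example; a practice would maintain its own list.
SENSITIVE_TERMS = (
    "root canal", "extraction", "anesthesia", "crown", "filling", "implant",
    "diagnosis", "x-ray", "insurance", "copay", "claim", "deductible", "records",
)
MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
DATE_RE = re.compile(rf"\b(?:{MONTHS})\s+\d{{1,2}}(?:st|nd|rd|th)?\b", re.IGNORECASE)
SECOND_PERSON_RE = re.compile(r"\b(?:you|your)\b", re.IGNORECASE)


def phi_flags(response: str, reviewer_name: str = "") -> List[str]:
    """Return the reasons a draft response would confirm the patient relationship.

    Three checks mirror the article's rules: no appointment dates, no treatment or
    billing detail tied to the reviewer, and no addressing the reviewer by name.
    An empty list means only that these checks passed; a person still reads the draft.
    """
    flags = []
    if DATE_RE.search(response):
        flags.append("specific date")
    # Check per sentence so a general policy statement ("we verify insurance
    # benefits") is not confused with a claim about the reviewer ("your insurance").
    for sentence in re.split(r"(?<=[.!?])\s+", response):
        if not SECOND_PERSON_RE.search(sentence):
            continue
        for term in SENSITIVE_TERMS:
            if re.search(rf"\b{re.escape(term)}\b", sentence, re.IGNORECASE):
                flags.append(f"reviewer-specific detail: {term}")
    first_name = reviewer_name.split()[0] if reviewer_name.split() else ""
    if first_name and re.search(rf"\b{re.escape(first_name)}\b", response):
        flags.append("reviewer addressed by name")
    return flags


if __name__ == "__main__":
    # The article's Example 1 pair, run through the gate.
    violation = ("We are sorry your root canal was uncomfortable. We did administer "
                 "extra anesthesia as you requested during your March 15 visit.")
    safe = ("Patient comfort is very important to our practice, and we are sorry to "
            "hear about this experience. We would like to learn more and address your "
            "concerns directly. Please call our office at [number] so we can discuss "
            "this privately.")
    for draft in (violation, safe):
        problems = phi_flags(draft)
        print("BLOCK" if problems else "OK  ", problems)
```

Because the sentence-level check requires a second-person reference, the article's HIPAA-safe Example 2 ("Our practice always works to verify insurance benefits...") passes while the violation ("your insurance was verified...") is blocked.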

ReplyChief is built specifically for healthcare practices. Every AI-generated response is designed to follow HIPAA guidelines by default -- never confirming patient status, never referencing treatment details, and always directing the conversation to a private channel. If protecting your practice while saving time on review management matters to you, get started today.