Online Reviews and HIPAA
Executive summary
Small clinics get pulled into online review battles for understandable reasons: reviews affect revenue, staff morale, and patient trust. The HIPAA problem is that a public platform turns a moment of defensiveness into a legally regulated disclosure event. OCR enforcement actions show a consistent pattern: providers responded to reviews by confirming identities, referencing visits, naming treatment details, or discussing insurance and payment. OCR treated those replies as impermissible disclosures of PHI, often paired with program gaps such as missing policies and procedures for public platforms.
The operational takeaway is not “never respond,” it is “never respond with PHI, and never confirm the reviewer is your patient.” In the New Vision Dental settlement, OCR found the practice sometimes disclosed full names where only Yelp monikers were used and included details about visits and insurance in its public responses. In Elite Dental’s resolution agreement, OCR documented disclosure of a reviewer’s last name, treatment plan details, and insurance and cost information when replying to a Yelp post, and described additional disclosures to other patients without valid authorizations.
This article gives a defensible playbook: the legal framework, response scripts that stay out of PHI territory, escalation rules for when to stop replying publicly, vendor and BAA considerations for reputation management, and an incident-response approach if PHI is posted.
Informational note: This report is for informational purposes only and does not constitute legal advice.
What OCR enforcement shows clinics get wrong
OCR’s online review enforcement is concrete, not theoretical. The cases below are high-signal because they involve small practices, common platforms, and the exact failure mode clinics repeat.
Elite Dental Associates agreed to pay $10,000 and adopt a corrective action plan after a complaint alleged Elite posted PHI on its Yelp review page in a response that included the reviewer’s last name and details of treatment, insurance, and costs. OCR also recorded that it found disclosures of other patients’ PHI in responses to reviews without valid authorizations, and it identified missing or inadequate privacy policies for public platforms and deficiencies in the Notice of Privacy Practices.
New Vision Dental paid $23,000 and entered a corrective action plan after OCR found impermissible disclosure of patient PHI in responses to online reviews. OCR’s agreement describes a complaint alleging the practice habitually disclosed PHI on its Yelp business page, including posting full names where only Yelp monikers were used and adding details about visits and insurance beyond what patients posted. The corrective action plan is especially important because it required breach notices to affected individuals under the Breach Notification Rule and substitute notice steps.
Manasa Health Center paid $30,000 after OCR investigated a complaint alleging it disclosed PHI in responses to negative online reviews. The agreement specifies Manasa impermissibly disclosed the PHI of four patients in responses to negative Google Reviews and failed to implement required policies and procedures.
Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil money penalty for disclosing a patient’s PHI on a webpage response to a negative online review. OCR’s Notice of Proposed Determination documents that the patient used a pseudonym, while the practice responded with the patient’s name and details about appointment history, treatment plans, and insurance approval, and OCR explicitly characterized the response as not permitted or required by the Privacy Rule.
Across these matters, OCR treated “they started it” as legally irrelevant. Patient self-disclosure online does not create a HIPAA authorization for the provider. The enforcement documents repeatedly frame the provider’s responses as impermissible disclosures “without valid authorization.”
Legal framework for responding to online reviews
The HIPAA Privacy Rule’s default position is simple: a covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule or as authorized by the individual. 45 CFR § 164.502 sets the core rule for permitted and required uses and disclosures, including permitted disclosures for treatment, payment, and health care operations, and it is the regulatory baseline OCR cites in the online-review enforcement agreements.
Public replies on Google, Yelp, Facebook, and similar platforms generally do not fit within treatment, payment, or health care operations disclosures to the public. More importantly, even if a clinic believes a public reply is “operations,” that does not create permission to disclose PHI on a public webpage. OCR’s enforcement documents treat these posts as impermissible disclosures, not as permissible operational communications.
If a clinic wants to disclose PHI publicly for any purpose, it should assume it needs a HIPAA authorization that meets 45 CFR § 164.508, because the Privacy Rule requires authorization for uses and disclosures that are not otherwise permitted or required. Section 164.508 also contains explicit authorization requirements for marketing uses and disclosures. In the New Vision Dental corrective action plan, OCR required policies and procedures that address authorizations under § 164.508 and specifically referenced public postings on websites and social media as uses and disclosures for which authorizations may be required.
Marketing risk is a secondary trap. Clinics sometimes want to repost reviews, quote them in ads, or highlight patient stories. OCR’s marketing guidance explains that communications meeting the definition of marketing generally require individual authorization, with limited exceptions, and points back to § 164.508 for the authorization requirements. If a clinic repurposes a patient-identified testimonial created in the course of care or connected to the clinic’s relationship with the individual, the clinic can drift into marketing authorization territory fast.
Business associate rules matter when a clinic hires a reputation management firm. Under § 164.502(e), a covered entity may disclose PHI to a business associate only if it obtains satisfactory assurances documented in a written contract meeting the applicable requirements in § 164.504(e). OCR’s business associate guidance states plainly that covered entities must obtain written satisfactory assurances via contract before a business associate handles PHI on their behalf.
When a review response is permissible versus impermissible
A clinic’s public response is permissible under HIPAA only when the response contains no PHI and does not confirm or imply the reviewer is a patient. The distinction is operational rather than philosophical: if you avoid disclosure, you avoid the HIPAA disclosure problem.
Patient-authored reviews are the most tempting trap. The reviewer may mention a diagnosis, a procedure, a visit date, or staff names. The New Vision case is a clear example of why clinics lose: OCR described the practice responding with full names where only Yelp monikers were used and adding details about visits and insurance. That is exactly the kind of “confirmation plus additional detail” pattern that creates PHI disclosure. Even if a patient posts their own details, the practice’s public confirmation that the person received treatment is still a disclosure by the practice.
Third-party allegations are riskier. A spouse, coworker, or anonymous person can post claims about a patient’s care. The clinic has no safe way to validate identity publicly. Any reply that confirms the person is or is not your patient can itself disclose PHI. In practice, the safest public posture is to treat every post as potentially non-patient-authored and respond with a privacy-preserving generic statement.
Anonymous posts are similar. You cannot verify the relationship. The only safe public approach is content that says nothing patient-specific. The moment you say “we have no record of you” or “you were seen on this date,” you are disclosing PHI either way, because you are acknowledging what your records do or do not show about an identifiable individual, as OCR’s UPI enforcement narrative illustrates.
The consistent pattern OCR enforces is that clinics must separate reputation management from PHI disclosure. There is no “right to defend yourself” exception in § 164.502.
Escalation rules, verification, and documentation that is defensible
A clinic’s risk is highest when staff improvise. The corrective action plans in New Vision and Manasa emphasize internal reporting procedures that require workforce members to report potential violations quickly and require prompt investigation and mitigation. A defensible small-clinic process mirrors that logic by designating who may respond publicly, requiring preapproved scripts, and forcing escalation when the review contains clinical assertions.
Escalation rules should be strict because the public forum is the failure domain. The practical trigger to stop replying publicly is any review that mentions dates, staff names, procedures, diagnoses, insurance, or anything that could tie the reviewer to care. That is exactly what OCR documented as problematic in the Elite and New Vision matters. The second trigger is any review that escalates into “prove it,” demands refunds, or threatens complaints, lawsuits, licensing boards, or media. Those situations should move into a controlled channel with identity verification.
Verification steps matter once you move offline. HIPAA does not prescribe one identity verification method, but private follow-up should be gated so you do not accidentally disclose PHI to the wrong person. The clean operational approach is to ask the person to call the clinic and follow your standard identity verification process before discussing specifics. The public reply should never include instructions that require the reviewer to post identifying information in the comment thread.
Documentation is how you defend decisions later. New Vision’s corrective action plan required policies with internal reporting and investigation procedures and referenced breach notices in the context of online review disclosures. A small clinic should maintain a simple “public reviews log” capturing the review URL, the response used, who approved it, and whether escalation occurred. This log is not required by one explicit HIPAA rule, but it aligns with OCR’s repeated expectation that clinics have policies, procedures, training, and evidence of implementation.
Right of access issues are a special escalation path. When a reviewer complains about being denied records, the clinic should treat it as a potential right-of-access issue and shift to a controlled workflow under § 164.524, including the 30-day response deadline and limited denial rules, rather than debating publicly.
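The escalation rules and the "no PHI, no confirmation" rule above can be enforced by a gate that runs before anything is posted. The following is an added example, not code from the article or from any OCR document: a triage check that flags the review content the article names as escalation triggers (dates, staff names, procedures or diagnoses, insurance or billing, threats and "prove it" demands, records requests), and a screener that blocks a draft public reply if it confirms or denies patient status, names an individual, or cites dates, clinical, or billing facts. All keyword lists, the staff roster, the approved script, and the sample review and draft are constructed for illustration; a clinic would maintain its own lists and treat a regex match as a reason to escalate, not as a complete PHI detector.

```python
"""Pre-posting gate for public review handling (added example, not from the article).

  triage_review(text) -> escalation triggers found in a public review; any
      trigger means "do not reply publicly, route to the privacy lead".
  screen_reply(draft) -> forbidden content found in a draft public reply; any
      finding blocks posting.

All keyword lists and the staff roster below are constructed for illustration.
"""
from __future__ import annotations
import re

# Constructed staff roster; a clinic would load its own.
STAFF_NAMES = ["Dr. Lee", "Dana"]

# Escalation triggers named in the article: dates, procedures or diagnoses,
# insurance or billing disputes, threats and "prove it" demands, records requests.
TRIGGERS = {
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}"
        r"|last (?:week|month|monday|tuesday|wednesday|thursday|friday)|yesterday)\b",
        re.I),
    "clinical": re.compile(
        r"\b(?:root canal|crown|filling|extraction|implant|cleaning|x-?rays?"
        r"|diagnos\w*|prescri\w*|surgery|infection|antibiotics?)\b", re.I),
    "insurance_billing": re.compile(
        r"\b(?:insurance|claim|copay|deductible|bill(?:ed|ing)?|charged|refund|invoice)\b"
        r"|\$\d+", re.I),
    "threat": re.compile(
        r"\b(?:lawsuit|sue|suing|attorney|lawyer|licensing board|dental board"
        r"|medical board|reporter|news|file a complaint|prove it)\b", re.I),
    "records_request": re.compile(
        r"\b(?:my records|my chart|copy of my|medical records)\b", re.I),
}

# A public reply must never confirm or deny patient status, name an individual,
# or cite dates, clinical facts, or billing facts (policy rules 2 and 3).
CONFIRMATION = re.compile(
    r"\b(?:our records|we have no record|you were (?:seen|treated)"
    r"|your (?:visit|appointment|treatment|insurance|plan|chart|balance|account)"
    r"|as (?:a|our) patient|you came in|not (?:a|our) patient)\b", re.I)
HONORIFIC_NAME = re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+")

# Constructed generic script: says nothing patient-specific and moves the
# conversation to a verified channel.
APPROVED_SCRIPT = (
    "Thank you for your feedback. We take every concern seriously, but privacy "
    "rules prevent us from discussing anyone's care, or whether someone is a "
    "patient, in a public forum. Please call our office at [phone] and ask for "
    "the practice manager so we can address this directly."
)


def triage_review(text: str) -> set[str]:
    """Return the escalation triggers present in a public review."""
    found = {name for name, pattern in TRIGGERS.items() if pattern.search(text)}
    lowered = text.lower()
    if any(name.lower() in lowered for name in STAFF_NAMES):
        found.add("staff_name")
    return found


def route_review(text: str) -> str:
    """Policy decision: post the approved script, or escalate off the public thread."""
    return "escalate" if triage_review(text) else "approved_script"


def screen_reply(draft: str) -> list[str]:
    """Return every reason a draft public reply must not be posted (empty list = clear)."""
    findings = []
    if CONFIRMATION.search(draft):
        findings.append("confirms_or_denies_patient_status")
    if HONORIFIC_NAME.search(draft):
        findings.append("names_an_individual")
    for trigger in ("date", "clinical", "insurance_billing"):
        if TRIGGERS[trigger].search(draft):
            findings.append(f"contains_{trigger}")
    return findings


if __name__ == "__main__":
    # Constructed sample review and draft reply.
    review = ("Jane D. here. Had a root canal on 3/14 and was charged $900 that my "
              "insurance should have covered. Dana was rude. I'm calling the dental board.")
    bad_draft = ("We have no record of a patient named Mr. Smith being seen on 3/14, "
                 "and our records show insurance paid the claim.")
    print(route_review(review), sorted(triage_review(review)))
    print(screen_reply(bad_draft))
    print(screen_reply(APPROVED_SCRIPT))
```

The screener is deliberately one-directional: it can only say "do not post", never "safe to post", because it cannot know what a reader would infer from context. The designated responder still applies the policy, and the approved script is the only public text that leaves the gate without a finding.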
Vendor and BAA considerations for reputation management and platforms
Most social platforms are not business associates for your clinic, and you should assume you cannot get a HIPAA business associate agreement from them. The conduit concept OCR uses for USPS and couriers is narrow: it applies to entities that merely transport PHI, with no more than transient access and no persistent storage. That logic does not fit social platforms that store and publish content. The practical conclusion is that the platform is simply a public recipient, and therefore you must not disclose PHI into it.
Reputation management firms are different. If a firm is truly only managing public-facing communications without receiving PHI from the clinic, it may fall outside business associate status. But the moment the clinic sends patient-specific details to help the firm “verify” the reviewer, draft a rebuttal, contact the reviewer, or manage a complaint pipeline tied to the patient’s care, the firm is performing a service on behalf of the clinic that involves access to PHI. That is a classic business associate relationship, and § 164.502(e) requires satisfactory assurances in a written agreement.
A common vendor trap is review solicitation. If a vendor pulls patient contact lists from the scheduling system to solicit reviews, the vendor is receiving PHI. In many cases, that is business associate activity and requires a BAA. Depending on how the solicitation is structured, it can also raise marketing questions, especially if it involves remuneration or targeted outreach tied to services. OCR’s marketing guidance explains that uses or disclosures of PHI for marketing generally require authorization, with limited exceptions, and directs entities to § 164.508.
Incident handling when a staff member posts PHI in a response
When PHI appears in a public response, treat it as an impermissible disclosure and walk the breach framework rather than guessing. OCR’s breach guidance and 45 CFR § 164.402 make clear that an impermissible disclosure is presumed to be a breach unless the entity demonstrates a low probability that PHI has been compromised based on the four required factors.
Immediate containment should prioritize removal and limiting further dissemination. In the New Vision corrective action plan, OCR required New Vision Dental (NVD) to remove postings and issue breach notices for individuals whose PHI was disclosed in removed postings, which implies OCR treats removal as a mitigation step but not a substitute for breach evaluation. Practically, clinics should take down or edit the reply immediately, request removal if the platform requires a special process, and consider de-indexing requests if search engines cached the content.
Evidence preservation is the step clinics skip and then regret. Capture screenshots, URLs, timestamps, the exact text, and the account used to post. Preserve audit logs from any reputation management tool that posted on your behalf. Document who had access credentials. This evidence supports factor three of the breach risk assessment, whether PHI was actually acquired or viewed, albeit imperfectly for public platforms.
Risk assessment follows the four required factors. For online review disclosures, factor two, the unauthorized person factor, is often adverse because the PHI was disclosed to the general public. Factor one depends on what was revealed; Elite’s resolution agreement shows how quickly disclosures can include treatment plans and insurance details, which increases impact. Factor three is usually hard to prove because you often cannot know who viewed it, which pushes toward conservative conclusions unless you have evidence the post was never visible. Factor four depends on mitigation, including prompt removal and any credible evidence that the content was not retained or further disseminated.
If notification is required, deadlines are not flexible. Individual notice must be provided without unreasonable delay and no later than 60 days after discovery of the breach, and the discovery definition is designed to prevent internal delay games. Notice to the Secretary depends on whether 500 or more individuals are affected or fewer than 500, with the under-500 category logged and reported annually within 60 days after the end of the calendar year. Media notice is required if more than 500 residents of a state or jurisdiction are affected. If a business associate posted the content, it must notify the covered entity following discovery under § 164.410. Law enforcement delay rules exist but require an official statement and are not a general purpose “pause button.”
The burden of proof sits on the covered entity or business associate to demonstrate that notifications were made as required or that the incident did not constitute a breach. Documentation retention under HIPAA administrative requirements includes a six-year retention requirement for required documentation, which should inform how long you keep incident records, response logs, and policy evidence.
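The four-factor presumption and the notification deadlines above are easy to get wrong under time pressure, so it helps to have them written down as logic rather than recalled from memory. The following is an added example, not code from the article or from any OCR document: it records the four-factor assessment as documented conclusions, treats the incident as a reportable breach unless every factor is documented as favorable (a conservative reading of the § 164.402 presumption), and computes the outside dates for individual, Secretary, media, and business associate notice from the cited sections. The rule that the Secretary is notified at the same time as individuals when 500 or more are affected comes from § 164.408, which the article cites in its sources. The discovery dates and counts are constructed, the business associate is assumed to have discovered the breach on the same day as the clinic, and which factors count as favorable is a judgment the clinic documents; the code only records that outcome.

```python
"""Breach-notification deadline planner for PHI disclosed in a public reply.

Added example, not from the article or any OCR document. Encodes the timelines
the article cites (45 CFR 164.404, 164.406, 164.408, 164.410, 164.530) under
the assumptions stated in the comments. Dates and counts are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

FOUR_FACTORS = (
    "nature_and_extent_of_phi",     # factor 1: what was revealed, how identifiable
    "unauthorized_recipient",       # factor 2: who received it (the public, here)
    "actually_acquired_or_viewed",  # factor 3: was it actually acquired or viewed
    "extent_mitigated",             # factor 4: removal, retention, further spread
)


@dataclass
class Assessment:
    # True only where the clinic has documented that the factor supports a low
    # probability of compromise. An undocumented factor defaults to False.
    favorable: dict[str, bool]

    def is_reportable(self) -> bool:
        """Presumed breach unless all four factors are documented as favorable."""
        return not all(self.favorable.get(f, False) for f in FOUR_FACTORS)


@dataclass
class BreachFacts:
    discovered: date                 # first day the breach was known or should have been known
    individuals_affected: int
    max_residents_one_state: int     # largest count of affected residents of any one state
    posted_by_business_associate: bool = False


def six_years_after(d: date) -> date:
    """164.530(j) retention horizon; Feb 29 rolls to Mar 1 when the target year is not leap."""
    try:
        return d.replace(year=d.year + 6)
    except ValueError:
        return date(d.year + 6, 3, 1)


def notification_plan(facts: BreachFacts, assessment: Assessment) -> dict[str, object]:
    """Return the notice obligations and their outside dates (None = not required)."""
    if not assessment.is_reportable():
        return {"reportable": False}

    # 164.404: individual notice without unreasonable delay, at most 60 days after discovery.
    individual_by = facts.discovered + timedelta(days=60)

    # 164.408: 500 or more -> notify the Secretary at the same time as individuals;
    # fewer than 500 -> log it and submit within 60 days after the end of the
    # calendar year in which the breach was discovered.
    if facts.individuals_affected >= 500:
        secretary_by = individual_by
    else:
        secretary_by = date(facts.discovered.year, 12, 31) + timedelta(days=60)

    # 164.406: media notice only if more than 500 residents of one state or jurisdiction.
    media_by = individual_by if facts.max_residents_one_state > 500 else None

    # 164.410: a business associate notifies the covered entity without unreasonable
    # delay, at most 60 days after its own discovery. Assumption for this example:
    # the business associate discovered the posting on the same day as the clinic.
    ba_to_ce_by = individual_by if facts.posted_by_business_associate else None

    return {
        "reportable": True,
        "individual_notice_by": individual_by,
        "secretary_notice_by": secretary_by,
        "media_notice_by": media_by,
        "business_associate_notice_by": ba_to_ce_by,
        "annual_log_entry": facts.individuals_affected < 500,
        "retain_documentation_until": six_years_after(facts.discovered),
    }


if __name__ == "__main__":
    # Constructed scenario: a reply named four patients, public recipient, no proof it went unseen.
    assessment = Assessment(favorable={"extent_mitigated": True})
    facts = BreachFacts(discovered=date(2024, 3, 5), individuals_affected=4, max_residents_one_state=4)
    for key, value in notification_plan(facts, assessment).items():
        print(f"{key}: {value}")
```

The deadlines are outside dates, not targets: the sections all require notice "without unreasonable delay", and the 60-day figure is the ceiling. The plan also returns the retention horizon so the incident file, the reviews log, and the policy evidence are kept together for the six years the page mentions.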
Templates
The goal of templates is not to “look compliant.” It is to remove improvisation from staff behavior, because improvisation is what OCR enforcement repeatedly punishes in this context.
A takedown request email should be written as a privacy and safety request, not as a confession. You are asking the platform to remove content that contains sensitive personal information. Keep it factual and avoid adding more PHI in the request itself.
Subject: Request to remove content containing sensitive personal information
Hello [Platform Support],
We are requesting removal of content posted on [Platform] that contains sensitive personal information about an individual.
URL: [link]
Account that posted the reply (our account): [account name]
Date/time posted (approx.): [timestamp]
We have removed/edited the content on our side where possible, and we request that any remaining copies, caches, or quoted versions hosted by the platform be removed consistent with your privacy policies.
Please confirm ticket number and next steps.
Thank you,
[Name]
[Title]
[Clinic]
[Phone]
Staff policy language should be short enough to be remembered and strict enough to prevent “helpful” oversharing.
Public review response policy
1) Only designated staff may respond to public reviews.
2) Never confirm or deny that a reviewer is a patient.
3) Never include names, dates, visit details, treatments, diagnoses, insurance, billing, or any information derived from our records.
4) Use only approved scripts. If the review mentions clinical details, billing disputes, threats, or requests for records, do not respond publicly. Escalate to the clinic manager/privacy lead.
5) Any suspected inappropriate post must be reported immediately for investigation and, if needed, breach analysis.
Internal linking suggestions
A strong internal cluster improves search visibility and keeps readers in your ecosystem while they are in a high-intent compliance moment. For this topic, the highest-value internal links are:
Voicemail and message content under HIPAA (privacy-safe scripts and patient preferences)
“We sent records to the wrong person, is it a breach?” (risk assessment and notification logic)
“What happens when OCR gets a complaint?” (intake, timelines, evidence binder)
“Is my IT or marketing vendor a business associate?” and “BAA required terms” (vendor governance)
These connect directly to the same compliance muscles OCR highlights in the settlements: policies, training, incident reporting, and breach notification execution.
Sources
OCR enforcement actions and agreements
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html
https://www.hhs.gov/sites/default/files/elite-dental-ra-cap.pdf
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision-ra-cap/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/upi/index.html
https://www.hhs.gov/sites/default/files/upi-npd.pdf
https://www.hhs.gov/sites/default/files/upi-nfd.pdf
Core HIPAA Privacy Rule and authorizations
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
Business associates and BAAs
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
https://www.hhs.gov/hipaa/for-professionals/faq/243/is-a-business-associate-contract-required-for-inadvertent-contact-with-phi/index.html
https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html
Breach framework and notification timelines
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.406
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.412
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.414
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
Documentation retention
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
Right of access references useful for escalation cases
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
https://www.hhs.gov/press-room/ocr-settles-with-concentra.html