Yes, HIPAA Violations Regarding Online Review Responses Will Get You Sanctioned

DOCS legal counsel reviews the good and bad ways to respond to negative online patient reviews. Here's a hint: Your response should always prioritize professional integrity and your patient's rights under HIPAA.

This article does not constitute legal advice. You should consult your attorney for specific advice.

By J. Kathleen Marcus, Esq

As discussed in a previous Incisor article, there are good and bad, appropriate and inappropriate ways to respond to online patient reviews. But how you respond should never be emotionally based and should always maintain professional integrity and adherence to patient rights under the Health Insurance Portability & Accountability Act (HIPAA).

As several dentists have recently discovered, both the federal government and state dental boards will sanction responses to online patient reviews that violate HIPAA.

In an order issued by the U.S. Department of Health and Human Service (HHS), Office of Civil Rights on June 1, 2021, but announced in March of this year, a North Carolina dentist was ordered to pay a $50,000 civil penalty for responding to a patient review on its Google page, writing:

“It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office in March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don't have to do anything, just let them talk. He never came back for his scheduled appointment Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it's obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”

Legally and Ethically, It’s a Bad Idea

This response by the dentist is rude, unprofessional, and unproductive, but the federal government stepped in following a complaint filed by the patient because the response violated the patient’s HIPAA rights. In addition to publishing the patient’s name – alone a HIPAA violation – the dentist published dates of treatment and details of the dental treatment.

But the actionable conduct by the dentist did not stop there. When ordered to remove this Protected Health Information (PHI) from the internet by HHS, the dentist refused.

This is not the first dentist fined for violating HIPAA in responses to online patient reviews. In 2019 a Texas dental practice was fined for disclosing names and PHI in response to a YELP review, and as recently as this past June an Iowa dentist was sanctioned for disclosing a patient’s name and details of treatment in response to an online review.

As with other healthcare providers sanctioned for HIPAA violations, the dollar amount is just one penalty to which providers are subject. Dentists who violate HIPAA in responding to online reviews will be required to produce their HIPAA policies, prove that these policies are given to all of their patients, and correct the breach to the extent possible (for example removing what the dentist has published online), as well as create and abide by a corrective action plan. While a dental practice is under a corrective action plan, all of its public communication and online conduct will be observed by HHS and/or the dental board.

In addition to federal HIPAA liability, disclosing any patient information in response to an online review can lead to state dental board sanction, as it did this past June before the Iowa Dental Board. A dentist responded to an online review by disclosing the patient’s name and details of treatment, leading to disciplinary action for violation of the Iowa Code provision regarding failure to maintain the confidentiality of patient records which carries the risk of loss of licensure.

How You Can Appropriately Respond

The appropriate response to a negative review is limited to:

  1. Ignoring the review or
  2. Inviting the author to contact the practice for a private conversation.

Dentists can never disclose the identity of a patient or discuss any element of a specific patient’s treatment without the patient’s explicit consent. A negative review left by a patient on the internet does not change these laws.

Dentists should take seriously HHS Office of Civil Rights Director Roger Severino when he says, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”


Author: J. Kathleen Marcus, Esq., is uniquely qualified to advise and advocate for sedation dentistry, she draws on a healthcare law background that started over three decades ago. A 1988 graduate of Temple University School of Law, she was Research Editor of the Temple Law Review; she previously attended Bennington College and has a B.A. in Philosophy. Pennsylvania licensed, Kate spends her free time practicing sustainability in her suburban Philadelphia garden and on her land in the Guatemalan highlands around Lake Atitlan.

DOCS Membership

Upcoming Events
Atlanta, GA skyline
August 23- 24, 2024
October 04- 05, 2024
February 28- 01, 2025

More Articles