3 Healthcare Practices That Were Fined for Responding to Google Reviews
The Office for Civil Rights has issued over $85,000 in fines to healthcare practices specifically for HIPAA violations in their online review responses. Here's what they did wrong — and how to protect your practice.
$85,000+ in Total Fines
For responding to online reviews
Responding to online reviews is essential for any healthcare practice. 84% of patients check online reviews before choosing a provider, and Google has confirmed that responding to reviews impacts local search visibility.
But there's a hidden danger that most practices don't realize until it's too late: every review response is a potential HIPAA violation.
Under the HIPAA Privacy Rule, even acknowledging that someone is your patient is a disclosure of protected health information (PHI). A patient posting about their own care in public does not waive that protection; only a valid, signed authorization covering public communication does. Without one, confirming the relationship, even in response to the patient's own review, is an impermissible disclosure under federal law.
The Office for Civil Rights (OCR) has made this painfully clear through enforcement actions. Let's look at three real cases.
Case #1: The North Carolina Dental Practice
U.S. Department of Health and Human Services, 2022
What Happened:
A dental practice in North Carolina received a negative Google review from a patient. In their response, the practice owner disclosed the patient's name and details about their treatment plan.
The Violation:
- Confirmed the reviewer was a patient of the practice
- Referenced specific treatment details
- Used the patient's full name in a public forum
The Penalty:
OCR issued a $50,000 fine — the practice's first HIPAA violation. The practice was also required to implement a corrective action plan and undergo monitoring.
Case #2: Manasa Health Center
New Jersey Mental Health Practice (complaint filed 2020, settled 2023)
What Happened:
A mental health practice responded to a negative online review by attempting to defend their care. In doing so, they disclosed information about the patient's mental health diagnosis.
The Violation:
- Disclosed sensitive mental health information publicly
- Confirmed the therapeutic relationship
- Referenced specific aspects of the patient's treatment
The Penalty:
OCR settled for $30,000 plus a two-year corrective action plan. Psychotherapy notes receive extra protection under the Privacy Rule, and mental health diagnoses are treated as especially sensitive, which made this disclosure particularly serious.
Case #3: Elite Dental Associates
Texas Dental Practice, 2019
What Happened:
Elite Dental Associates responded to multiple patient reviews on Yelp, disclosing patients' health conditions, treatment plans, and insurance information in their responses.
The Violation:
- Revealed health conditions in public responses
- Discussed insurance and billing details
- Multiple violations across several review responses
The Penalty:
The practice paid $10,000 to settle the investigation. While the smallest amount on this list, the settlement came with a corrective action plan requiring written policy changes and workforce training.
The Pattern: Why Practices Keep Making This Mistake
In every case, the practice was trying to do the right thing: defend their reputation, correct misinformation, or provide context to potential patients reading the reviews.
The problem is that you cannot rebut a review in public without violating HIPAA. The moment you confirm someone was your patient, reference their visit, or discuss any aspect of their care, billing, or records, you have disclosed protected health information, regardless of how much the reviewer has already said about themselves.
Common HIPAA Violations in Review Responses
- ✗ "When you visited our office on Tuesday..."
- ✗ "We're sorry your cleaning didn't meet expectations..."
- ✗ "Dr. Smith, who saw you, takes great pride in..."
- ✗ "We've noted your concerns in your file..."
- ✗ "Your insurance was processed correctly..."
How to Respond to Reviews Without Violating HIPAA
The key is to respond in a way that never confirms the patient relationship and moves all substantive discussion offline.
✓ HIPAA-Compliant Response Template
"Thank you for your feedback. We're committed to providing excellent care and take all concerns seriously. We'd welcome the opportunity to discuss this further — please contact our office directly at [phone number]."
This response works because it doesn't confirm patient status, doesn't reference any treatment, and invites offline resolution.
The Rules:
- Never confirm they are/were a patient — even if they say so themselves
- Never reference appointments, treatments, or diagnoses — even vaguely
- Never discuss billing, insurance, or records — these are all PHI
- Always move the conversation offline — provide a phone number or email
- Keep responses generic — applicable to anyone, not just the reviewer
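The rules above can be enforced mechanically before anything is posted. The following Python lint is an added example for this article (it is not code from the original page or from Stellarep.ai): it scans a draft response for phrases that confirm a patient relationship or refer to treatment, billing, records or a specific visit, checks that the reviewer's display name is not echoed back, and requires an offline contact channel. The regex rule lists, the `lint_response` function and the sample drafts are constructed for illustration; the patterns are a starting guardrail for one practice's vocabulary, not a complete PHI detector, and a human still signs off before publishing.

```python
"""Pre-publication lint for healthcare review responses (illustrative)."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    category: str   # which rule fired
    matched: str    # the offending text


@dataclass
class LintResult:
    ok: bool
    findings: list = field(default_factory=list)

    def categories(self):
        return sorted({f.category for f in self.findings})


# (category, regex) pairs. Each targets one way a response leaks PHI or confirms
# that the reviewer is a patient. Constructed for this example; extend per specialty.
RULES = [
    ("confirms_patient", re.compile(
        r"\b(when\s+you\s+(visited|came)|you\s+(visited|came\s+in|were\s+seen)|"
        r"your\s+(visit|appointment|chart|file|records?)|who\s+(saw|treated)\s+you|"
        r"as\s+(a|our)\s+patient)\b", re.I)),
    ("treatment_or_diagnosis", re.compile(
        r"\b(cleaning|crown|filling|root\s+canal|extraction|x-?rays?|procedure|"
        r"diagnos(is|ed)|treatment(\s+plan)?|prescri(bed|ption)|therapy|session)s?\b", re.I)),
    ("billing_or_insurance", re.compile(
        r"\b(insurance|claims?|co-?pay|deductible|bill(ing|ed)?|invoice|balance|payment)\b", re.I)),
    ("specific_date", re.compile(
        r"\b(Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day\b|"
        r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}\b|"
        r"\b\d{1,2}/\d{1,2}(/\d{2,4})?\b", re.I)),
]

# A compliant response must route the conversation offline: phone, e-mail, or an
# explicit invitation to contact the office. "[phone number]" covers templates.
OFFLINE_CONTACT = re.compile(
    r"(\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}|\[phone number\]|[\w.+-]+@[\w-]+(\.[\w-]+)+|"
    r"\b(contact|call)\s+(our\s+office|us)\b)", re.I)


def _name_rule(reviewer_name):
    """Flag any token of the reviewer's display name (3+ letters) echoed in the reply.
    Common-word names ("Will", "May") can false-positive; that is the safe direction."""
    tokens = re.findall(r"[A-Za-z]{3,}", reviewer_name or "")
    if not tokens:
        return None
    return ("uses_reviewer_name",
            re.compile(r"\b(" + "|".join(map(re.escape, tokens)) + r")\b", re.I))


def lint_response(text, reviewer_name=None):
    """Return a LintResult; ok is True only when no rule fires and a contact is present."""
    findings = []
    rules = list(RULES)
    name_rule = _name_rule(reviewer_name)
    if name_rule:
        rules.append(name_rule)
    for category, pattern in rules:
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(0)))
    if not OFFLINE_CONTACT.search(text):
        findings.append(Finding("no_offline_contact", "<no phone, e-mail or contact request>"))
    return LintResult(ok=not findings, findings=findings)


# Constructed sample drafts: the five patterns the article flags and its safe template.
SAMPLES = {
    "visit_and_date": "When you visited our office on Tuesday, the schedule was running behind.",
    "treatment": "We're sorry your cleaning didn't meet expectations.",
    "clinician_saw_you": "Dr. Smith, who saw you, takes great pride in his work.",
    "records": "We've noted your concerns in your file.",
    "insurance": "Your insurance was processed correctly.",
    "safe_template": ("Thank you for your feedback. We're committed to providing excellent care "
                      "and take all concerns seriously. We'd welcome the opportunity to discuss "
                      "this further; please contact our office directly at [phone number]."),
}


def main():
    for label, text in SAMPLES.items():
        result = lint_response(text)
        print(("OK    " if result.ok else "BLOCK ") + label + ": " + ", ".join(result.categories()))


if __name__ == "__main__":
    main()
```

Run it and every ✗ example is blocked with the category that explains why, while the ✓ template passes. Wiring `lint_response` in front of the "post" button (or in front of an AI drafting tool's output) turns the checklist into a gate that fails closed; widen the word lists to match the procedures, insurers and clinician names your practice actually uses.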
📋 Free resource
Want the exact words to use? Download the HIPAA-Safe Review Response Template Kit: 18 pre-written templates for every scenario, including the PHI-heavy ones.
Stop Worrying About HIPAA Violations
Stellarep.ai generates HIPAA-compliant review responses automatically. Our AI is specifically trained to never disclose protected health information.
The Bottom Line
Responding to reviews is essential for your practice's reputation and Google visibility. But the cost of getting it wrong is steep: civil money penalties run from $141 to $71,162 per violation (2024 inflation-adjusted amounts), with annual caps per provision exceeding $2 million.
The practices in these cases weren't being negligent — they were trying to provide good customer service. They just didn't realize that the rules for healthcare are different.
Don't let a well-intentioned review response become a $50,000 mistake. If you want to see how your current reviews stack up for HIPAA risk, run a free audit — no account required.