⚠️ Free Download — Used by 400+ healthcare practices

The HIPAA-Safe Review
Response Template Kit

18 pre-written, HIPAA-compliant response templates for every review scenario your practice will ever face — organized by star rating, practice type, and risk level.

Plus: The exact list of what you cannot say in a review response without risking a $50,000+ fine.

✅ 18 ready-to-use templates
⚡ Instant download
🏥 4 practice types covered
🔒 HIPAA-compliant language
📋 PHI violation checklist included


🚫 The HIPAA Landmine List

What you absolutely cannot say when responding to a patient review

⚠️ IMPORTANT NOTICE — READ BEFORE RESPONDING TO ANY REVIEW

Under 45 C.F.R. §§ 164.502(a) and 164.514(b), the permissible uses and disclosures of Protected Health Information (PHI) in public-facing digital communications are governed by the intersection of the Privacy Rule's minimum necessary standard (§164.502(b)), the individual's right to request restrictions on disclosures (§164.522), and the facility directory provisions (§164.510(a)). Note that even implicit confirmation of a treatment relationship constitutes a PHI disclosure under the Preamble to the HIPAA Privacy Rule (65 Fed. Reg. 82462). Refer also to OCR Resolution Agreements No. 2019-01-16 and the associated Corrective Action Plans, and to the HHS guidance released in October 2022 on online tracking technologies, which may affect how identifiable health information is handled in response workflows that involve third-party platforms such as Google Business Profile. The list below is non-exhaustive; covered entities should consult qualified HIPAA privacy counsel before establishing a review response policy, as state-level privacy laws (e.g., CMIA in California, MHPA in New York) may impose additional or conflicting restrictions not addressed here.

🔴 Absolute prohibitions — Never include any of the following:

The patient's name or any identifier: even if they used it themselves in the review
Confirmation that they are/were your patient: this alone can trigger OCR enforcement
Any reference to specific appointments, visits, or dates: regardless of how vague you believe it to be
Diagnoses, symptoms, or conditions mentioned in the review: even to deny or correct them
Treatments, procedures, or prescriptions: including referrals and specialist recommendations
Billing, insurance, or financial information: copay amounts, coverage disputes, collections
Staff member names involved in their care: unless generically reassigning responsibility
Any implied knowledge of what happened during a visit: phrasing like 'I understand your experience' may qualify
Photographs or descriptions that could identify a patient: even in aggregate or statistical form
Medication names or dosages: even to clarify 'standard protocol'

🟠 Gray areas — Require case-by-case compliance review:

Apologies that imply knowledge of a specific incident (§164.528 accounting provisions may interact)
Offers to 'continue the conversation offline' — OCR has noted this may constitute acknowledgment under certain fact patterns
References to your practice's general policies when the reviewer has disclosed a treatment-specific complaint
Statements about staff training or quality improvement that could be construed as relating to a specific patient encounter
Boilerplate language that, in context, could be read as confirming or denying the reviewer's implied treatment claims
Use of the phrase 'our records show' or any variant suggesting you have located the patient's file
Invitations to contact your practice's Privacy Officer — paradoxically, this can imply a HIPAA-relevant event occurred

📊 OCR Penalty Tier Matrix (as of 2026)

| Tier | Culpability Level | Per Violation | Annual Cap |
|---|---|---|---|
| Tier 1 | Did not know (§160.406(a)) | $137 – $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause (§160.406(b)) | $1,379 – $68,928 | $2,067,813 |
| Tier 3 | Willful neglect – corrected (§160.406(c)) | $13,785 – $68,928 | $2,067,813 |
| Tier 4 | Willful neglect – not corrected (§160.406(d)) | $68,928 – $2,067,813 | $2,067,813 |

* Figures reflect the annual HIPAA inflation adjustment. State AGs may impose concurrent penalties. Consult qualified HIPAA counsel.

💡 The safe alternative

Every template in this kit is written to acknowledge, empathize, and invite further contact — without confirming, denying, or disclosing anything that touches PHI. That's the formula. Use it. If you want it done automatically for every review, StellaRep handles it in seconds.
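A pre-publish check for the landmine list above, written as an added example here and not part of the kit or of StellaRep's product: it scans a drafted response for unfilled [brackets], the flagged phrases from the prohibition and gray-area lists, clinical terms (whether echoed from the review or newly introduced), date references, and the reviewer's display name. The clinical-term vocabulary is a constructed sample covering only the terms used in the reviews on this page, and the review/response pair in the demo is constructed as well.

```python
import re

# Phrases the landmine lists call out; checked case-insensitively with word boundaries.
FLAGGED_PHRASES = (
    "our records show", "our records indicate", "i understand your experience",
    "privacy officer", "continue the conversation offline",
)
# Constructed sample vocabulary (assumption): a real deployment would load a full
# terminology list rather than the handful of terms seen in this page's reviews.
CLINICAL_TERMS = (
    "diabetes", "anxiety", "thyroid", "depression", "surgery", "surgical",
    "medication", "prescription", "botox", "back pain", "the er", "copay",
    "insurance", "diagnosis", "diagnosed", "treatment",
)
MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?|(?:" + MONTHS + r") \d{1,2})\b", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"\[[^\]]+\]")


def _has_term(term: str, text: str) -> bool:
    """Whole-word, case-insensitive match so 'er' does not fire inside 'never'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def check_response(review: str, response: str, reviewer_name: str = "") -> list[str]:
    """Return findings in list order; an empty list means no landmine was hit."""
    findings = []
    for ph in PLACEHOLDER_RE.findall(response):          # un-customized template text
        findings.append(f"unfilled placeholder {ph}")
    for phrase in FLAGGED_PHRASES:                        # 'our records show', etc.
        if _has_term(phrase, response):
            findings.append(f"flagged phrase '{phrase}'")
    for term in CLINICAL_TERMS:                           # any clinical term, even positive
        if _has_term(term, response):
            origin = "echoed from the review" if _has_term(term, review) else "introduced by the response"
            findings.append(f"clinical term '{term}' ({origin})")
    for match in DATE_RE.findall(response):              # appointment/visit date references
        findings.append(f"date or appointment reference '{match}'")
    for token in reviewer_name.split():                   # reviewer's public display name
        token = token.strip(".,")
        if len(token) >= 3 and _has_term(token, response):
            findings.append(f"reviewer name token '{token}'")
    return findings


if __name__ == "__main__":
    # Constructed sample pair modelled on template 02 above.
    review = "Finally got my diabetes under control. Dr. Lee adjusted my medication and I feel like a new person."
    draft = "So glad your diabetes is under control! Our records show your March 14 visit went great, Jordan. [Practice Name]"
    for finding in check_response(review, draft, reviewer_name="Jordan P."):
        print("BLOCK:", finding)
```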


18 Ready-to-Use Templates

Copy, customize the [brackets], and post. That's it.

01
5-Star Reviews — No PHI Risk

Glowing 5-star — General Practice

Patient wrote:

"Dr. [name] is amazing. The whole staff was so kind. Best doctor I've ever had."

✅ Your HIPAA-safe response:

Thank you so much for this kind review — it genuinely made our week! Our team works hard every day to make sure every visit feels comfortable and caring, and it means the world to hear that it shows. We look forward to seeing you at your next visit. — [Practice Name]

5-star — Dental Practice

Patient wrote:

"Painless cleaning, friendly hygienist, in and out in under an hour. 10/10."

✅ Your HIPAA-safe response:

We love hearing this! Efficiency and comfort are two things we focus on deeply, so knowing we hit both marks is incredibly rewarding. Thank you for choosing [Practice Name] — we appreciate your trust and look forward to your next visit! 😊

5-star — Optometry

Patient wrote:

"New glasses prescription is perfect. Great selection, no pressure to upsell."

✅ Your HIPAA-safe response:

Thank you for the wonderful feedback! We believe the best eye care experience is one where you leave feeling confident and cared for — never pressured. We're so glad you found your perfect pair. See you next year! — The [Practice Name] Team

5-star — Physical Therapy

Patient wrote:

"After 6 weeks of PT, my shoulder is finally pain-free. Couldn't be happier."

✅ Your HIPAA-safe response:

Reviews like this are why we do what we do — thank you! Recovery journeys take commitment and trust, and we're honored you placed yours with us. The [Practice Name] team cheers you on every step of the way. Wishing you continued strength and wellness! 💪

02
5-Star Reviews — Patient Discloses PHI

The patient voluntarily shared their diagnosis or treatment. Your response must acknowledge their kindness WITHOUT engaging with the clinical details.

5-star — Patient mentions specific diagnosis

Patient wrote:

"Finally got my diabetes under control. Dr. [name] adjusted my medication and I feel like a new person."

✅ Your HIPAA-safe response:

Thank you for taking the time to share such a heartfelt review. We're deeply touched that your experience with our practice has been such a positive one. Our entire team is dedicated to providing compassionate, personalized care — and it's feedback like yours that keeps us motivated every day. We truly appreciate your trust in us. — [Practice Name]

⚠️ CAUTION: Do NOT reference diabetes, medication, or any health outcome — even positively.

5-star — Patient mentions surgery or procedure

Patient wrote:

"The surgery went perfectly. Dr. [name] walked me through every step. Zero complications."

✅ Your HIPAA-safe response:

Thank you so much for sharing this — it means everything to hear. Our team approaches every patient interaction with the utmost care and attention, and knowing that showed during your time with us is deeply meaningful. Thank you for trusting [Practice Name]. We hope to continue earning that trust for years to come.

⚠️ CAUTION: Do not confirm, reference, or imply any procedure, surgery, or clinical outcome.

03
1–2 Star Reviews — No PHI

Negative reviews with no protected health information. These are the easiest to respond to correctly.

1-star — Wait time complaint

Patient wrote:

"Waited 45 minutes past my appointment time with no explanation."

✅ Your HIPAA-safe response:

Thank you for this feedback — you're right to expect your time to be respected, and we're sorry your visit didn't reflect that. We take scheduling and wait times seriously and are actively working to improve this experience. We'd love the opportunity to make it right. Please reach out to us directly at [phone/email] and we'll take care of you. — [Practice Name]

2-star — Front desk attitude

Patient wrote:

"The front desk staff was rude and dismissive when I called to ask a question."

✅ Your HIPAA-safe response:

We're sorry to hear about your experience and appreciate you letting us know. Every patient deserves to be treated with warmth and professionalism from the moment they contact us, and that clearly didn't happen here. Please contact our office manager directly at [phone/email] — we want to understand what happened and ensure it doesn't occur again. Thank you for giving us the chance to do better.

1-star — Billing complaint

Patient wrote:

"Got a surprise bill months later. No one explained the costs upfront."

✅ Your HIPAA-safe response:

We understand how frustrating an unexpected bill can be, and we sincerely apologize for the confusion around your financial experience with our office. Transparency matters, and we want to make this right. Please call us at [phone] or email [billing email] and our team will review your account personally. We appreciate your patience and the opportunity to address this. — [Practice Name]

1-star — General dissatisfaction, vague

Patient wrote:

"Terrible experience. Would not recommend."

✅ Your HIPAA-safe response:

We're sorry to read this, and we genuinely want to understand what happened. Your experience clearly fell short of the care we strive to provide every patient, and that matters to us. Please reach out to us at [phone/email] — we'd welcome the chance to hear your story and make it right. — [Practice Name]

04
1–2 Star Reviews — Patient Discloses PHI

High-risk territory. The patient has revealed PHI in their complaint. Your response must be empathetic but clinically neutral — never engage with the medical details.

1-star — Patient mentions misdiagnosis or wrong treatment

Patient wrote:

"Dr. [name] told me I had anxiety but I actually had a thyroid condition. Wasted months of my life."

✅ Your HIPAA-safe response:

We're truly sorry to read about your experience, and we want you to know your concerns are taken seriously. Every patient deserves thorough, attentive care, and we understand how deeply personal and frustrating health journeys can be. We would very much like the opportunity to speak with you directly. Please contact our Patient Advocate at [phone/email] so we can address your concerns privately and personally. — [Practice Name]

⚠️ CAUTION: Never reference the diagnosis, condition, or treatment mentioned. Do not confirm or deny clinical decisions. Do not apologize for a specific medical outcome.

2-star — Patient shares mental health details

Patient wrote:

"I came in for depression and they rushed me out in 10 minutes. Felt like just a number."

✅ Your HIPAA-safe response:

Thank you for sharing this with us, even though we know it wasn't easy. Every person who walks through our doors deserves to feel heard and valued — not rushed. We take this feedback to heart. If you're open to it, please reach out to us directly at [phone/email]. We want to make this right. — [Practice Name]

⚠️ CAUTION: Do not reference depression, mental health, or the nature of the visit.

1-star — Patient alleges specific harmful outcome

Patient wrote:

"They gave me the wrong medication and I ended up in the ER."

✅ Your HIPAA-safe response:

We are deeply sorry to read this, and your safety and wellbeing are our top priority. We want to understand your experience fully. Please contact us directly at [phone] or email [address] — our practice administrator will personally follow up with you. We take concerns like this with the utmost seriousness. Thank you for bringing this to our attention.

⚠️ CRITICAL CAUTION: Do not confirm, acknowledge, or discuss the medication, the ER visit, or any clinical facts. Contact your malpractice carrier and HIPAA privacy officer before making any further public response.

05
Specialty Templates by Practice Type

Mental Health / Behavioral Health — General positive

Patient wrote:

"Best therapist I've ever had. Changed my life."

✅ Your HIPAA-safe response:

Thank you for sharing this — we are so moved. The courage it takes to seek support is immense, and knowing our practice has been a meaningful part of your journey is the highest honor. We're here for you, every step of the way. — [Practice Name]

⚠️ CAUTION: Even with a positive review mentioning therapy, do not confirm a therapeutic relationship.

MedSpa — Positive with treatment detail

Patient wrote:

"Just got my Botox done and I look 10 years younger. Love Dr. [name]!"

✅ Your HIPAA-safe response:

Thank you so much — this review put a huge smile on our faces! Our team is passionate about helping every guest feel their most confident and radiant. We love what we do, and we love hearing that it shows. Can't wait to see you again! ✨ — [Practice Name]

📝 Note: MedSpa contexts may have different PHI exposure depending on state laws — consult your compliance officer regarding cosmetic vs. medical treatments.

Chiropractic — 5-star, mentions back pain

Patient wrote:

"My chronic back pain is finally gone after 8 sessions. Life changing!"

✅ Your HIPAA-safe response:

This is absolutely wonderful to hear — thank you for sharing! Our entire team is committed to helping patients move better and live more comfortably, and hearing about a meaningful change in someone's quality of life is exactly why we do this work. We're honored to be part of your wellness journey. — [Practice Name]

⚠️ CAUTION: Do not reference 'back pain,' number of sessions, or specific outcomes.

Pediatric — Parent leaving review

Patient wrote:

"Dr. [name] is amazing with kids. My 5-year-old actually looks forward to appointments now!"

✅ Your HIPAA-safe response:

This absolutely made our day — thank you! Creating a warm, welcoming environment where young patients feel safe and even excited to visit is something our whole team works incredibly hard to achieve. We love having your family as part of our practice. See you next time! 🌟 — [Practice Name]

Urgent Care — Negative, wait time + quality concern

Patient wrote:

"Waited 2 hours, saw the doctor for 3 minutes, and left without answers."

✅ Your HIPAA-safe response:

We sincerely apologize for your experience and understand how discouraging it must have felt to leave without feeling fully cared for. Urgent care visits should be efficient and thorough — and it sounds like we fell short on both counts. Please contact our patient experience team at [phone/email]. We want to hear the full story and do right by you. — [Practice Name]

06
Edge Cases & Tricky Scenarios

Fake or clearly mistaken review (wrong practice)

Patient wrote:

"They gave me the wrong blood type before my surgery." (Your practice doesn't perform surgery)

✅ Your HIPAA-safe response:

Thank you for reaching out. We want to make sure your feedback reaches the right team — it's possible this review may have been intended for a different provider. Please contact us directly at [phone] so we can help clarify and ensure your concerns are properly addressed. We take every patient concern seriously. — [Practice Name]

📝 Note: Never say 'this wasn't us' publicly in a way that implies you've reviewed patient records.

Staff responds before reviewing — how to handle

Patient wrote:

"Your receptionist Sarah was so rude to me on the phone."

✅ Your HIPAA-safe response:

Thank you for letting us know. Every interaction with our team should be a positive one, and we're sorry this experience didn't reflect that. Please reach out to our office manager directly at [phone/email] — we'd like to hear more and make this right. — [Practice Name]

⚠️ CAUTION: Do not name or identify the staff member in your response — even to defend them.

Patient threatens legal action in review

Patient wrote:

"I'm consulting a lawyer about what happened to me here. Avoid this place."

✅ Your HIPAA-safe response:

We take your concerns very seriously. Please contact our practice directly at [phone/email] so we can address this appropriately and with the attention it deserves. — [Practice Name]

⚠️ CAUTION: STOP. Contact your malpractice carrier and legal counsel before posting ANY response. This is a one-sentence acknowledgment only.

Never write a review response from scratch again.

StellaRep detects new reviews, drafts a HIPAA-safe response in seconds, and waits for your approval. You click once. It posts.

No credit card • 2-min setup • HIPAA compliant
