Most local businesses can ask for reviews any way they want. Medical practices can't.
The same review request a restaurant or auto shop sends without thinking — "Hi Sarah, thanks for visiting us today. Mind leaving a Google review?" — can technically constitute a HIPAA violation when sent by a doctor's office. The Office for Civil Rights has fined practices tens of thousands of dollars for far less, including a $50,000 penalty against a dental practice that simply replied to a Google review with details about a patient's visit.
The good news: medical practices absolutely can — and should — collect Google reviews. They just need to do it differently than other businesses. This guide covers exactly what's allowed, what isn't, and how to build a review system that brings in patients without putting your practice at regulatory risk.
One important note up front: This post is informational, not legal advice. HIPAA enforcement turns on specific facts and your state may have additional privacy rules (some, like Texas, are stricter than HIPAA). Before rolling out any review request program, run it past your practice's privacy officer or healthcare attorney.
Patients research healthcare providers more carefully than almost anything else they buy. According to recent data, 84% of patients check online reviews before selecting a new provider, more than half read at least six reviews before deciding, and 61% now trust online reviews over personal referrals from friends and family.
That last statistic deserves a moment. For decades, word-of-mouth from friends was the gold standard in healthcare marketing. That has flipped. The strangers writing your Google reviews are now more influential than the patient your prospective patient knows personally.
Combine that with the participation gap — surveys show 57% of patients rarely or never leave reviews, and dissatisfied patients are statistically more likely to post than happy ones — and you get the situation most medical practices recognize: a small number of negative or neutral reviews dominating the page, while hundreds of satisfied patients walked out without saying a word.
The fix isn't complicated. You just have to ask. The hard part is asking in a way that doesn't violate federal law.
Before we get to tactics, two pieces of HIPAA background that govern every decision in this post.
First, what counts as Protected Health Information (PHI). PHI is broader than most people assume. It's not just diagnoses, lab results, and treatment notes. Per HHS, PHI includes any of 18 identifiers — name, phone number, email address, dates of service, and so on — when those identifiers are combined with anything that confirms a person is or was a patient or sought healthcare services. The mere fact that "Jane Smith is a patient at Dr. Garcia's clinic" is PHI, even with no medical detail attached.
Second, the patient doesn't waive their rights by going public. This is the part that surprises providers. Even if a patient writes a Google review naming their doctor, describing their procedure, and posting their full medical history, the practice is still bound by HIPAA. You cannot acknowledge them as a patient. You cannot confirm their visit. You cannot respond with "We're sorry your knee surgery didn't go as planned" — even though they wrote about the knee surgery themselves. The patient's voluntary disclosure does not authorize yours.
Both rules cut against the natural instinct most practice owners have when they think about review marketing. The instinct is "personalize the message, reference the visit, respond warmly." All three of those instincts can get you fined.
When sending a review request to a patient, you cannot include:
When responding to a Google review publicly, you cannot:
This is what tripped up the dental practice OCR fined $50,000. They responded to a negative Google review with their version of events about the patient's visit. That response confirmed the patient relationship and disclosed details about the encounter — both PHI under HIPAA. The patient filed an OCR complaint. The practice paid.
Here's the framework that keeps practices on the right side of HIPAA while still generating reviews at scale. It rests on two principles.
A review request that doesn't reference any specific visit, condition, provider, or healthcare service isn't disclosing PHI even if it's sent to a patient. The trick is making sure your messages truly are generic — no clinical references, no department names, no clues about what the patient came in for.
A compliant message looks like this:
Hi {First Name}, thanks for choosing {Practice Name}. If you have a moment, we'd appreciate a Google review: {Review Link}
A non-compliant version of the same message looks like this:
Hi {First Name}, thanks for visiting Dr. Chen for your follow-up today. We'd love a Google review of your appointment: {Review Link}
The first one says nothing about why this person is receiving the message. The second one confirms a patient relationship, names a provider, references a follow-up visit, and ties the recipient to a specific clinical encounter. One is a marketing message; the other is unencrypted PHI.
The second principle is about who handles the data on the way out. When your practice management system passes patient names and contact info to a third-party tool to send the review request, that third-party tool now has identifiers — and depending on what else it has access to, it may need to be a Business Associate under HIPAA.
This is where vendor selection matters. There are essentially three patterns:
Pattern A: Vendor handles only generic identifiers (name, phone, email) — no clinical data. Many review request tools work this way. Because no clinical context flows to the vendor, and the messages they send are generic, the data being processed isn't PHI in any clinical sense. The compliance burden is dramatically reduced. Some practices and counsel still execute a BAA out of caution.
Pattern B: Vendor handles patient identifiers plus clinical context. This includes any tool that integrates with your EHR and pulls visit type, appointment notes, provider names, or diagnoses to personalize messages. Here the vendor is unambiguously a Business Associate, and a signed BAA is mandatory before any data flows.
Pattern C: Mixed. Some practices want to combine the two — generic outbound messages but EHR integration on the back end. This is workable but requires careful vendor configuration and a BAA.
The cleanest, lowest-risk option for most practices is Pattern A: pick a tool that's intentionally designed not to ingest PHI, send generic messages, and execute a BAA anyway as belt-and-suspenders.
This is how TrueReview is set up for healthcare clients. The platform's terms prohibit putting PHI in the messages it sends, the message templates default to generic, no-clinical-context wording, and a BAA is available for medical practices that want one. The result is a system where you can scale review requests across hundreds of patients per month without any clinical data ever leaving your EHR.
Here's what the actual workflow looks like in practice — the same workflow most well-run medical practices use to systematically generate Google reviews without compliance headaches.
The simplest, lowest-risk trigger is a checkout or discharge action in your front-office system — the patient is leaving the building, the visit is closed in the system, and someone (or something) initiates a review request. Avoid triggers that depend on clinical data ("send to patients who completed their post-op follow-up") because those triggers themselves can encode PHI.
The minimum data your review tool needs is name + phone or name + email. Don't pass diagnosis, visit type, provider name, or treatment details. If your practice management system or EHR can be configured to push only first name, last name, and contact info to the review tool, that's the cleanest setup.
The SMS or email that goes out should reference only the practice name, never the specific visit. Templates that work:
SMS:
Hi {First Name}, thanks for choosing {Practice Name}. If you have a moment, we'd appreciate a quick Google review: {Review Link}
SMS (alternate):
Hi {First Name} — quick favor: would you mind leaving {Practice Name} a Google review? It really helps. {Review Link}
Email subject line:
A quick favor, {First Name}?
Email body:
Hi {First Name},
Thanks for choosing {Practice Name}. If you have a moment, would you mind leaving us a Google review? Honest feedback from people like you helps others find us.
[Leave a Google Review →]
Thanks so much,
The {Practice Name} team
Notice what's missing: no reference to the visit, no provider name, no clinical specifics, no "follow-up" or "post-op" language, no date references that would tie this message to a specific encounter.
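The two controls the steps above describe, passing only name and contact details to the review tool and keeping the template free of anything that ties the message to an encounter, are simple enough to enforce in code at the handoff point. The following Python module is an added example written for this guide; it is not TrueReview's code or any vendor's API. The field names (first_name, last_name, phone, email, provider, visit_type, notes), the sample patient record and the list of encounter-related words are all constructed for the example, so treat the word list as a starting point to review with your privacy officer rather than a definition of PHI. It generalizes slightly beyond the two templates on this page: any template can be linted, and any record can be minimized, before a message is rendered.

```python
"""Data-minimizing handoff and template lint for generic review requests.

Added example for this guide (not TrueReview's code). Field names, the
sample record and the clinical word list are assumptions for illustration.
"""
import re
from typing import Dict, List

# Only these fields may leave the practice management system for the review tool
# (assumed field names for the example).
ALLOWED_FIELDS = {"first_name", "last_name", "phone", "email"}

# Placeholders a generic template may use; anything else is rejected.
ALLOWED_PLACEHOLDERS = {"First Name", "Practice Name", "Review Link"}

# Words that tie a message to a clinical encounter. Constructed for the
# example; extend it with your own department, provider and procedure names.
CLINICAL_TERMS = [
    r"\bdr\.?\b", r"\bdoctor\b", r"\bnurse\b", r"\bappointment\b",
    r"\bvisit(ed|ing)?\b", r"\bfollow-?up\b", r"\bpost-?op\b", r"\bsurgery\b",
    r"\bprocedure\b", r"\btreatment\b", r"\bdiagnos", r"\bprescri",
    r"\btoday\b", r"\byesterday\b",
]
# A bare calendar date also links the recipient to a date of service.
DATE_PATTERN = r"\b\d{1,2}/\d{1,2}(/\d{2,4})?\b"

# Templates quoted from the guide: the first is compliant, the second is not.
COMPLIANT_SMS = ("Hi {First Name}, thanks for choosing {Practice Name}. "
                 "If you have a moment, we'd appreciate a quick Google review: {Review Link}")
NONCOMPLIANT_SMS = ("Hi {First Name}, thanks for visiting Dr. Chen for your follow-up today. "
                    "We'd love a Google review of your appointment: {Review Link}")

# Constructed sample export from a practice management system.
SAMPLE_RECORD = {
    "first_name": "Sarah", "last_name": "Example", "phone": "+15555550100",
    "provider": "Dr. Chen", "visit_type": "post-op follow-up",
    "notes": "knee surgery recheck",
}


def minimize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop every field except the allowlisted identifiers before handoff."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def lint_template(template: str) -> List[str]:
    """Return findings that make a template non-generic; empty list means it passed."""
    findings: List[str] = []
    for placeholder in re.findall(r"\{([^}]+)\}", template):
        if placeholder not in ALLOWED_PLACEHOLDERS:
            findings.append(f"placeholder {{{placeholder}}} is not on the allowlist")
    for pattern in CLINICAL_TERMS:
        match = re.search(pattern, template, re.IGNORECASE)
        if match:
            findings.append(f"encounter-related term: {match.group(0)!r}")
    if re.search(DATE_PATTERN, template):
        findings.append("contains a calendar date that could identify a date of service")
    return findings


def build_message(template: str, record: Dict[str, str],
                  practice_name: str, review_link: str) -> str:
    """Render a message only from a lint-clean template and a minimized record."""
    problems = lint_template(template)
    if problems:
        raise ValueError("template rejected: " + "; ".join(problems))
    safe = minimize_record(record)  # provider, visit_type, notes never reach the renderer
    return (template.replace("{First Name}", safe.get("first_name", "there"))
                    .replace("{Practice Name}", practice_name)
                    .replace("{Review Link}", review_link))


if __name__ == "__main__":
    print(build_message(COMPLIANT_SMS, SAMPLE_RECORD, "Example Clinic", "https://example.invalid/review"))
    for finding in lint_template(NONCOMPLIANT_SMS):
        print("rejected:", finding)
```

Running the module renders the compliant template and prints five findings for the non-compliant one (the "visiting", "Dr.", "follow-up", "today" and "appointment" references). The allowlist of placeholders is deliberately short: a template cannot reference a field the renderer was never given, so adding {Provider} or {Visit Date} to a template fails the lint before anyone can populate it.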
If the patient doesn't respond, one polite reminder 3-5 days later is appropriate. After that, stop. More than two messages crosses into nuisance territory and can violate other rules (TCPA, state SMS regulations) on top of the HIPAA concerns.
Reviews are coming in publicly. Your team needs a documented policy for how to respond. We'll cover the response framework next.
Responding to reviews is where most HIPAA violations actually happen — not in the request, but in the response. The single rule that prevents almost every violation is this: never confirm a patient relationship in a public response.
Here are the safe response patterns.
Don't say: "Thanks for being our patient!" or "We're so glad we could help with your knee surgery!"
Do say something like:
Thank you for the kind words! We appreciate you taking the time to share your feedback.
Or:
We're grateful for your support. Reviews like yours help us continue to do our best work.
Generic, warm, doesn't confirm anything. You can post this exact text on dozens of reviews and never once acknowledge anyone as a patient.
This is the higher-stakes case. The instinct is to defend yourself, explain what really happened, or apologize for the experience. All three are HIPAA traps.
The OCR-safe template most healthcare attorneys recommend is some variation of:
We take all feedback seriously and are committed to providing the best possible care. Due to federal privacy regulations, we cannot discuss specifics about any individual's experience publicly. If you'd like to discuss your concerns directly, please contact our office at {phone number} and ask for our Office Manager.
This response says: we hear you, we care, and the law prevents us from saying more here. It moves the conversation to a private channel where you can actually address the concern without HIPAA exposure.
Whatever response template you adopt, build it once with your privacy officer or attorney, and then use the same wording every time. Don't improvise on a Tuesday afternoon when a frustrated front-desk staffer reads a one-star review.
Once more, because it trips up so many practices: if a patient publicly names their condition, their procedure, their provider, or anything else in their review, you still can't reference any of it in your response. Their disclosure doesn't waive your obligation. The patient can write whatever they want; you can only respond in the generic, non-confirming pattern above.
Beyond automated SMS and email, several lower-risk channels work especially well in healthcare.
A QR code on a clipboard, on the discharge paperwork, or printed on a small card handed out at checkout lets patients leave a review without your practice ever sending them an electronic message. This is one of the cleanest HIPAA setups possible because no message goes out at all — the patient self-initiates. Place QR codes:
Front-desk staff or medical assistants asking verbally — "If you were happy with your care today, we'd really appreciate a Google review; here's a card with the link" — has no HIPAA implications because nothing about the encounter is being transmitted electronically to a third party. Train staff to make this ask part of the standard checkout flow.
Adding a simple line to every staff member's email signature — "Happy with your experience? Leave us a Google review." with a link — generates passive review traffic with zero PHI risk because the signature is generic and goes to everyone.
A few practices that show up in healthcare review marketing but should be avoided:
Personalized "we miss you" or "it's been a while" emails. These reference the patient relationship and timing of past visits. Both are PHI.
Sending review requests with the provider's name in the subject line or first sentence. This combines the patient identifier with provider identity, which can disclose the type of care.
Filtering messages by department or condition. Even if the message itself is generic, the act of querying your EHR for "all patients seen for procedure X this month" and then sending them a review request can create PHI in your vendor's logs.
Incentivizing reviews. This isn't HIPAA, but it's worth flagging — Google's review policies prohibit offering anything of value in exchange for reviews, and healthcare-specific anti-kickback statutes can apply when the incentive comes from a Medicare-participating provider. Just ask; don't pay.
Buying or generating fake reviews. Same reason, doubled. Google's algorithms catch this, and HHS will not be sympathetic if a fake-review scheme implicates patient identifiers.
When evaluating any review request software for a medical practice, ask the vendor these questions specifically:
TrueReview is set up to answer all six of these well: BAAs are available for healthcare clients, message templates default to generic wording with clinical references prohibited by terms of service, the platform doesn't ingest EHR clinical data, contact information is encrypted in transit and at rest, and there's an established base of medical, dental, optometry, and other healthcare clients to reference.
A medical practice that runs a HIPAA-compliant Google reviews program tends to have all of these in place:
Practices that get all of this right typically see Google review counts increase 5-10x within the first six months, with no HIPAA incidents and no complaints to OCR. Practices that try to wing it tend to either generate very few reviews (out of caution) or generate violations (out of carelessness). The framework above is designed to avoid both.
Ready to set up review requests that protect both your reputation and your compliance? Start your free 14-day trial of TrueReview — generic-by-default templates, BAAs available for healthcare practices, and integrations with the practice management tools you already use. No setup fees, no contracts.