
A restaurant owner can respond to a bad review by saying, "We're sorry your steak was overcooked — we'll do better." A dentist can't. The moment a dental practice acknowledges someone as a patient on a public platform, HIPAA's Privacy Rule applies. The wrong response can cost more than the original review ever could.
That case isn't unusual. In a 2019 case, a dental practice paid $10,000 to settle similar claims after responding to a Yelp review with the patient's last name, treatment plan details, insurance information, and cost figures. OCR's 2024-2025 enforcement intensification — including the restart of formal HIPAA audits — means the next wave of these cases is already in progress. Tier 4 penalties for willful neglect in 2025 reach $2,190,294 per violation.
This is the playbook for navigating that landscape: which reviews actually qualify for removal under Google's policies, how to respond without disclosing PHI, and what to do about the reviews that can't be removed at all — without triggering a separate problem ten times larger than the original review.
The HIPAA Privacy Rule's relevant constraint on online responses is more aggressive than most practices realize. The general principle: confirming the existence of a patient relationship is itself protected health information. So is anything that confirms what services the practice provided to that patient.
In practical terms, this means a dental practice responding to a Google review cannot say:
The challenge is that almost every natural-sounding response includes at least one of those elements. "We're sorry you were dissatisfied with your cleaning last month" confirms the patient relationship, the service, and the timing — three separate disclosures in a single empathetic sentence. The OCR has consistently treated this kind of natural-feeling response as a HIPAA violation.
The constraint applies whether the reviewer is real or fake. Even if the review is from a competitor or a former employee posing as a patient, a response that says "you were never actually our patient" implicitly confirms knowledge of who is and isn't a patient. The safer approach assumes that every review response must avoid acknowledging the patient relationship at all, regardless of whether the reviewer actually was a patient.
This isn't a theoretical concern. The UPI case ($50,000 CMP), the 2019 Yelp case ($10,000 settlement), and others have established the enforcement pattern. OCR treats it as low-hanging fruit: the violation is on a public webpage, the evidence is permanent, and the cases are easy to substantiate.
Responding to negative reviews matters. Silence reads as indifference to potential patients reading your listing. But the response has to stay inside the HIPAA boundary.
The principle: write the response so that it could plausibly be addressed to anyone who might encounter your practice, not to the specific person whose review you're responding to. Generic language. No specifics. No acknowledgment that this person was, is, or wasn't a patient.
Some reviews on a dental practice's Google profile qualify for removal under Google's content policies. These are the patterns that consistently meet the standard. Each one is a different report category in Google's Reviews Management Tool — getting the category right matters more than getting the report submitted quickly. For the full taxonomy of Google's review policies, our policy violations checklist walks through each category.
The actual submission process for each of these violation types runs through the same channel — Google's Reviews Management Tool, accessed through your verified Google Business Profile. The flow:
Most first-time reports get rejected even when they're legitimate. The automated system errs toward leaving content up. Don't take a single rejection as final. Use your one-time appeal through the Reviews Management Tool, and document the basis carefully. For the longer-form appeal mechanics, our dispute and appeal walkthrough covers the full process.
A practical note specific to dental practices: the report you submit to Google is internal — it doesn't appear on your public listing, and it doesn't disclose anything about the patient relationship. Documentation in the report can include details that would be inappropriate to disclose in a public response. The submission is the place to substantiate your case; the response thread is not.
Some reviews are protected speech that Google's content policies cover. A patient who had a genuinely negative experience and wrote about it honestly is leaving a legitimate review, even if you believe it's unfair. No service, no report, and no legal action will remove it. The path forward is recovery, not removal.
Build review velocity around it. A 3.9-star practice with 47 reviews is fragile. One bad review represents 2% of total feedback. The same practice with 400 reviews has the bad review representing 0.25%. Volume of positive reviews dilutes the visual impact of individual negative ones, both for human readers and for Google's ranking signals. Patient request workflows — text messaging satisfied patients post-appointment with a one-click review link — are the highest-leverage tool for review velocity in dental.
Respond compliantly. Use the templates above. Public response demonstrates engagement; private channels handle the actual issue. Both serve different purposes.
Track your overall rating trajectory. A single review matters less than the trend. If your overall rating has been stable or improving over six months, one outlier review is a small data point against a strong pattern. New patient bookings respond to the trajectory more than to any single review.
Don't escalate. The temptation to publicly correct false claims is real, especially when the review attacks the practice's competence. Resist it. Every additional public response increases HIPAA exposure. The OCR cases that resulted in the largest penalties involved practices that responded multiple times, each response disclosing additional PHI.
Removal is reactive. Review velocity is the proactive complement — and for most dental practices, the higher-leverage piece of reputation management.
The math: Google's local ranking algorithm weights both review quantity and review recency heavily. A practice that has accumulated 5 new reviews in the last month outperforms a practice with the same total review count but no recent activity. New patients searching "dentist near me" see both your star rating and your review recency. Both matter.
The system that works for most practices: a post-appointment SMS or email to every satisfied patient with a direct link to your Google review page. Sent the same day or the next day, while the experience is fresh. The conversion rate from "patient who received the request" to "actual review left" is typically 15-25% when the friction is low (one tap, no forms).
TrueReview is built around this workflow for dental and other healthcare practices. The system handles the request automation; you handle the patient interactions that earn the positive reviews. Review Radar — included in TrueReview's Small Business and Premium plans — runs in parallel, scanning incoming reviews against Google's content policies and flagging the ones that may qualify for removal so you can act on them within the window where the violation is freshest and the report is most likely to succeed.
For the broader review-removal landscape and the methods that work, our pillar guide on removing Google reviews covers every legitimate path. For the specific question of how to handle a bad review honestly — including when removal isn't the right move — our post on removing bad Google reviews walks through the response-vs-remove decision in detail.
The dental practice that handles reviews well treats HIPAA as a hard floor, Google's content policies as a tool, and review velocity as the strategic priority. The practice that handles reviews badly treats them as personal disputes to win, which is how the OCR's enforcement archive gets longer every quarter.
The reviews you can remove are the ones that violate Google's specific policies — competitor reviews, ex-employee reviews, off-topic billing complaints, fake accounts, harassment. The reviews you can't remove are the ones that genuinely describe a patient's experience, even when that experience was unfair to your practice. The path forward for the first category is the reporting workflow above. The path forward for the second category is more reviews from your happy patients, not more responses to your unhappy ones.
For dental-specific reputation tooling that handles both — review velocity for new patient growth and policy-violation detection for the reviews that qualify for removal — start a free trial of TrueReview or visit our dental industry page for the full feature set. The path you're trying to walk is narrower than the SERP makes it look, and the consequences of stepping off it are larger than most practices realize.