
Health care providers have a particular challenge to navigate when responding to online reviews. If you practice in the US or coordinate care with US providers, you may already be aware that because of HIPAA (Health Insurance Portability and Accountability Act) you are greatly limited with regard to what and how you can communicate with your patients online. Canada has its own federal law, PIPEDA (Personal Information Protection and Electronic Documents Act), that safeguards the privacy of Canadian patients. Are you confident that you are following the privacy rules when responding to patient reviews online?

There are several noted examples of violations of HIPAA/PIPEDA by health care professionals who were unaware of the law (see link below). According to HIPAA/PIPEDA, all healthcare providers are forbidden to disclose any health information of a patient without their permission.

To play it safe, you might think that the way to avoid violating HIPAA or PIPEDA is simply not to respond to patient reviews. But that won’t do you any good, since 78 percent of people say that seeing an organization respond to their reviews makes them believe that the company cares about them. So, what you need to do is respond to online reviews while staying HIPAA/PIPEDA compliant. In this post, I’ll show you how you can do that!

Before we get started though, please know that I’m not a lawyer. This information is provided here to make you aware of the issue of privacy as you respond to your online reviews. In Canada, each province may have its own privacy legislation and I’ve included a list along with some links to resources below. For information specific to your situation, I suggest that you contact your lawyer.

1.    Keep the Privacy of the Patient Intact

In order to stay HIPAA/PIPEDA compliant, you must never share your patients’ personal information when responding to online reviews. This means that you should not specify that the person who posted the review visited your practice, as that is personal information.

Patient: “I can’t speak highly enough about this clinic! When I threw out my back they treated me with the proper sense of urgency and compassion it warranted. They really cared about my pain.”

Don't do this (non-HIPAA/PIPEDA-compliant response): “Thanks Jake for the review. We’re glad you’re feeling better. Don’t forget to ice your back and stay on top of your meds.”

Do this (HIPAA/PIPEDA-compliant response): “Thank you. We always strive to make everyone feel better without the headaches of accessing care.”

2.    Never Acknowledge That the Reviewer is a Patient

Just because the reviewer has mentioned that he/she is a current or previous patient of your practice does not mean that HIPAA/PIPEDA does not apply. The goal of your response here should be two-fold: address the cause of the patient’s dissatisfaction or issue, and provide potential patients who read the review with a better perspective. State the facts as a description of your policy, and keep the response short rather than breaching privacy with a lengthy one.

Patient: “The staff was so rude to me. I had to wait for four hours beyond my appointment time and when Dr. Smith finally saw me, it felt like she was in a rush.”

Don't do this (non-HIPAA/PIPEDA-compliant response): “We apologize that this happened on your last visit. We always try our best to ensure that appointments are on time, and are sorry that we were unable to meet your expectations.”

Do this (HIPAA/PIPEDA-compliant response): “As per our policy, when we schedule patients, we adjust the time with the doctor according to particular needs of a patient to ensure all patients are attended on time. In case of emergency situations, we sometimes fall behind schedule.”

3.    Don’t Respond Immediately

We cannot say the right things when we’re mad. So when you read a review, take your time and wait to respond to ensure that your response is HIPAA/PIPEDA compliant.

4.    Take the Conversation Offline

Try to remember that the patient wrote a review because he/she wanted to be heard. By addressing their review privately, you can handle the situation better. If the patient is satisfied, he/she may edit or remove their review.

Patient: “Your treatment didn’t work. I feel even worse now.”

Don't do this (non-HIPAA/PIPEDA-compliant response): “Sorry that you are not feeling better. Most patients who receive Graston treatment see a big improvement.”

Do this (HIPAA/PIPEDA-compliant response): “As per our policy, we protect the personal information of patients. Please call us at [Phone Number] and we’ll help you right away.”

It may seem a little impersonal to keep your responses short and policy-based, but doing so will ensure that you protect not only the privacy of your patients but also yourself from violating the privacy laws. Better safe than sorry.


Doctors fire back at bad Yelp reviews — and reveal patients’ information online:

Summary of the HIPAA Security Rule:

Summary of Privacy Laws in Canada:

The Personal Information Protection and Electronic Documents Act (PIPEDA, Canada):

What You Need to Know About HIPAA and Canada Health Information Privacy:

Alberta has the Personal Information Protection Act.

British Columbia’s provincial law is called the Personal Information Protection Act.

Manitoba does not have its own provincial law, so only PIPEDA applies here.

New Brunswick’s law is the Personal Health Information Privacy and Access Act.

Newfoundland and Labrador are covered under the Personal Health Information Act.

Nova Scotia’s provincial law is the Personal Information International Disclosure Act.

Ontario’s law is called the Personal Health Information Protection Act.

Prince Edward Island does not have its own provincial law, so only PHIPA applies here.

Quebec’s law is called An Act Respecting the Protection of Personal Information in the Private Sector.

Saskatchewan does not have its own provincial law, so only PHIPA applies here.

Northwest Territories, Nunavut, and Yukon: PHIPA applies in these areas.