Responding to Google reviews sounds like a simple marketing task. It's not. For medical aesthetics practices, one careless sentence in a public response can trigger a HIPAA complaint to the Office for Civil Rights — and fines range from $100 to $50,000 per violation, with an annual cap of $1.9 million.
We've helped practices clean up after exactly this kind of mistake. Every time, the practice owner said the same thing: "I was just trying to be friendly." The reviewer was upset. The practice owner wanted to set the record straight. And in doing so, they confirmed the reviewer was a patient.
That's the violation. Under HIPAA's Privacy Rule and 2022 OCR guidance, confirming that someone is or was a patient is itself a disclosure of Protected Health Information (PHI) — even if you don't mention their diagnosis, their treatment, or their visit date. The person is associated with your practice in a way that reveals care delivery. That's PHI.
Below are the 8 rules we apply to every review response we draft for Obris Launch clients. Each one exists because someone, somewhere, got burned by ignoring it.
Rule 1: Never confirm the person is a patient
This is the single most-violated rule in medical review responses. Here's how it gets broken:
That response — warm, normal-sounding, probably the instinct of any practice owner — is a HIPAA breach. "Trusting us with your care" confirms Sarah received care. "Your procedure went well" confirms a procedure happened. Two disclosures in one sentence, now public and indexed by Google.
Notice the difference: no confirmation of patient status, no mention of procedure, no personal address. The response works whether or not Sarah is actually a patient — which is exactly the safety margin HIPAA demands.
Rule 2: Don't echo clinical details, even if the reviewer mentioned them
Reviewers often disclose their own clinical information. "I had my wisdom teeth removed here." "Dr. Jones treated my depression." "This is where I got my filler." The reviewer is permitted to share their own PHI. The practice is not.
If your response echoes the clinical detail — even to agree or acknowledge — you've made your own disclosure. The fact that the reviewer said it first is not a defense.
Non-compliant response: "So glad you're happy with your Botox results!"
Compliant response: "Thank you for taking the time to share. We appreciate it."
Rule 3: Never name staff members in response to a complaint
If a review names a staff member negatively ("Dr. Jones was rude"), responding with "I'll speak with Dr. Jones about this" confirms both that the reviewer interacted with Dr. Jones and that the interaction was part of care delivery. That's PHI.
Replace specific staff references with generic team language: "our team," "the relevant team member," "office management." Handle the staff conversation internally, never in the public response.
Rule 4: Don't offer compensation publicly
Three reasons this rule matters:
- FTC endorsement rules. If a compensation offer precedes a revised positive review, it looks like paid endorsement — a §255 violation.
- Platform TOS. Google and Yelp both prohibit offering compensation in exchange for review changes.
- Signal to other reviewers. Publicly offering refunds to unhappy reviewers invites manipulation.
Move the conversation offline: "Please call our office at [phone] so we can address this directly." That's the compliant path.
Rule 5: Don't argue facts in public, even when the reviewer is wrong
Even if the reviewer's account is factually inaccurate — wrong date, wrong service, wrong person's experience — correcting them publicly requires describing what actually happened. Which requires referencing patient records. Which is a disclosure.
Every factual correction in that response references records. Move the conversation offline, every time.
Rule 6: Route to a non-clinical offline contact
When inviting a reviewer to continue the conversation offline, be specific about where — and don't route to a clinician.
Acceptable offline paths:
- Office main phone line
- A dedicated feedback email (not an individual provider's email)
- A patient relations form
Not acceptable: inviting them to contact Dr. [Name] directly, or a specific staff member's email. The generic path avoids implying a specific clinical relationship.
Rule 7: No exclamation points in responses to 1-star or 2-star reviews
This isn't a HIPAA rule — it's a tone rule that saves you from other problems.
Exclamation points in a response to a negative review read as dismissive or cheerful-in-denial. "We're sorry to hear that!" sounds wrong because it is wrong. The reviewer is upset. Match the register. Period, not exclamation.
Rule 8: Flag escalation triggers; don't draft alone
Some reviews should never get a public response drafted by a marketer. They should go straight to the practice owner (and often their attorney). The triggers:
- Allegations of a specific clinical injury ("my tooth cracked," "I had an allergic reaction")
- Billing fraud, insurance dispute, or discrimination allegations
- Reviewers naming specific staff in negative reviews
- Reviewers in visible mental distress or making threats
- Language suggesting platform TOS violations (harassment, doxxing, third-party info)
For any of these, the right response may be no public response at all — plus a formal process (platform removal request, legal review, internal documentation).
Per-vertical rule additions
On top of these eight, each medical vertical has additional overlays:
- Medi-spa: AmSpa norms — name the medical director, clarify scope-of-practice (RN vs. NP vs. MD), no off-label claims for prescription products like Botox or GLP-1s.
- Plastic surgery: ASPS guidelines — no guaranteed-outcome language, name the certifying board (American Board of Plastic Surgery), patient photos require written authorization plus IRV disclaimer.
- Cosmetic dermatology: AAD aesthetic guidelines + FDA promotional rules — on-label-only language for prescription products, ABMS verification on credential claims.
- Medi-spa: FDA + state medical board — no disease-treatment language for aesthetic services, no "cure" or "heal" words.
- Aesthetic-only clinics (laser, IPL, injectables, hair restoration): state medical board rules apply to anything that could reveal a patient relationship — and weight-loss injectable compounding rules vary by state. Default to the most generic template available.
What a good response template looks like
Here's the generic-but-warm response Obris Launch defaults to for positive reviews. It works whether or not the reviewer is a patient, and it satisfies every rule above:
"Thank you for the kind words. We aim to make every visit to [Practice Name] a positive one, and feedback like this helps the whole team. We appreciate you taking the time to share."
For 3–4 star (mixed) reviews:
"Thank you for the feedback. [Practice Name] takes every review seriously, and we're always looking for ways to improve the experience. We'd welcome the chance to discuss your visit directly — please reach our office at [phone] or [feedback email] when it's convenient."
For 1–2 star (negative) reviews:
"We're sorry to hear about your experience. [Practice Name] is committed to providing every visitor with professional and respectful service, and we take concerns like these seriously. Please reach our office directly at [phone] so we can better understand and address the concern."
Notice what's missing: patient status, clinical detail, staff names, compensation, disputes. That's not coincidence. That's the discipline that keeps these responses safe for the next ten years, not just until the next OCR guidance update.
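As an added example, not Obris Launch's tooling or code from this post, here is a pre-posting linter that turns Rules 1, 2, 3, 4 and 7 into automated checks and runs them over the templates above plus two constructed non-compliant drafts. The phrase lists are constructed assumptions a practice would tune; the linter cannot judge whether a reply still makes sense without knowing the reviewer's care history, so a human approval step stays.

```python
import re

# Constructed phrase lists encoding Rules 1, 2 and 4 as a pre-posting gate.
# A real deployment keeps these in a reviewed, practice-specific config.
PATIENT_STATUS = ["your care", "your procedure", "your treatment",
                  "your results", "your recovery"]
CLINICAL_TERMS = ["botox", "filler", "laser", "depression", "wisdom teeth",
                  "injectable", "surgery"]
COMPENSATION = ["refund", "discount", "complimentary", "free", "credit", "waive"]
# Rule 3: an honorific followed by a capitalised surname (case-sensitive).
STAFF_NAME = re.compile(r"\b(?:Dr|Doctor|Nurse)\.?\s+[A-Z][a-z]+")


def _hits(text: str, phrases: list[str]) -> list[str]:
    """Whole-word matches, so 'free' does not fire on 'freedom'."""
    return [p for p in phrases if re.search(rf"\b{re.escape(p)}\b", text)]


def check_response(draft: str, stars: int) -> list[str]:
    """Return the rule violations found in a draft reply to a `stars`-star review.

    An empty list means the draft clears every check this linter can automate;
    it says nothing about whether the reply reveals knowledge of the reviewer's care.
    """
    text = draft.lower()
    findings = [f"rule1 confirms patient status: '{p}'" for p in _hits(text, PATIENT_STATUS)]
    findings += [f"rule2 echoes clinical detail: '{t}'" for t in _hits(text, CLINICAL_TERMS)]
    if m := STAFF_NAME.search(draft):
        findings.append(f"rule3 names staff: '{m.group(0)}'")
    findings += [f"rule4 offers compensation: '{w}'" for w in _hits(text, COMPENSATION)]
    if stars <= 2 and "!" in draft:
        findings.append("rule7 exclamation point in reply to a negative review")
    return findings


# The post's own templates (placeholders left as written) and two constructed
# drafts modelled on the mistakes the rules describe.
POSITIVE_TEMPLATE = ("Thank you for the kind words. We aim to make every visit to "
                     "[Practice Name] a positive one, and feedback like this helps the "
                     "whole team. We appreciate you taking the time to share.")
NEGATIVE_TEMPLATE = ("We're sorry to hear about your experience. [Practice Name] is "
                     "committed to providing every visitor with professional and "
                     "respectful service, and we take concerns like these seriously. "
                     "Please reach our office directly at [phone] so we can better "
                     "understand and address the concern.")
BAD_POSITIVE = "Thank you for trusting us with your care, Sarah! Your procedure went well."
BAD_NEGATIVE = "We're sorry to hear that! I'll speak with Dr. Jones and refund your visit."

if __name__ == "__main__":
    for draft, stars in [(POSITIVE_TEMPLATE, 5), (BAD_POSITIVE, 5), (BAD_NEGATIVE, 1)]:
        print(stars, "stars:", check_response(draft, stars) or "OK")
```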
Obris Launch drafts every review response for you
Our team monitors reviews across 7 platforms and drafts HIPAA-safe responses for your approval — usually within 2–4 business hours of a new review appearing.
The underlying principle
There's a short test you can run on any draft response before posting: Would this response make sense if written by a marketer who has no idea whether the reviewer is a real patient?
If yes, you're safe. If the response only makes sense because you know something about the reviewer's care, you're revealing that knowledge — and that's the disclosure.
Medical review management is a compliance discipline disguised as a marketing task. The practices that treat it that way respond faster, more consistently, and without the 3am "did I just violate HIPAA" anxiety that follows a late-night reply.