Got a Fake Google Review by a Competitor? Read this.

Disclaimer: This article is for informational purposes only and is not legal advice. HIPAA rules are complex and enforcement can vary based on specific circumstances, and some states have their own privacy laws that may be stricter than HIPAA. Always consult with your practice's legal counsel or HIPAA compliance officer before responding to online reviews or acting on anything in this article.

Quick Summary

Responding to a Google review as a medical practice is trickier than it looks. Plenty of dentists, doctors, and medspas have been fined tens of thousands of dollars for saying the wrong thing in a public reply. Even a simple "thank you for visiting our clinic" can be a HIPAA violation because it confirms the person was a patient. This article covers what you can and can't say when responding to reviews, real cases where practices got fined, and what to do when someone leaves a review that isn't even really from a patient.

Why This Is a Harder Problem Than It Looks

When a restaurant gets a bad Yelp review, they can respond with context. They can say the customer was rude, that they stiffed the server, that they came in five minutes before closing. They can defend themselves.

Medical practices don't have that option. If a patient leaves a one-star Google review, you're already at a disadvantage. You can't publicly prove your side of the story without risking a HIPAA violation. That makes review responses one of the most stressful parts of running a medspa or clinic.

Worse, a lot of practice owners don't even realize they're breaking the rules when they respond. They think they're defending their reputation. Then they get hit with an OCR investigation and a fine.

Real Cases Where Practices Got Fined

These are real healthcare providers who paid real money for responding to reviews the wrong way.

  • Manasa Health Center, New Jersey: $30,000 settlement for disclosing four patients' diagnosis and treatment information in Google review responses.

  • Elite Dental Associates: $10,000 settlement for multiple PHI disclosures in review responses.

  • New Vision Dental: $23,000 settlement for a similar violation.

  • Dr. U. Phillip Igbinadolor, a North Carolina dentist: $50,000 civil penalty for responding to a patient review by naming the patient, describing the treatment plan, and discussing specific visits.

Former OCR Director Melanie Fontes Rainer put it directly: "Simply put, this is not allowed. The HIPAA Privacy Rule expressly protects patients from this type of activity."

HIPAA fines can range from $100 to $50,000 per violation depending on severity, and many providers also end up with corrective action plans and ongoing monitoring from the Office for Civil Rights on top of the fine.

Even saying "thank you for visiting our clinic" can technically be a HIPAA violation because it confirms the person was your patient.

What You Can Say in a Public Reply

You can respond to Google reviews. You just have to do it without disclosing any Protected Health Information (PHI). That means:

  • Don't confirm the person was your patient

  • Don't mention specific treatments or appointments

  • Don't reference what the reviewer said about their visit

  • Don't acknowledge any clinical details

What you can do is keep the response completely generic. A safe response to a negative review might look like:

"Thank you for sharing your feedback. We take all concerns seriously and would welcome the opportunity to discuss this privately. Please reach out to our office directly at [phone number] so we can better understand your experience."

That response doesn't confirm the person is a patient, doesn't mention any details, and moves the conversation offline. It's about as safe as you can get.

Another option is to acknowledge that HIPAA limits what you can say publicly:

"As a medical practice, we're unable to respond publicly to specific claims due to HIPAA. If you'd like to discuss any concerns, please contact our office directly at [phone number] so we can help."

This kind of response does two useful things. It shows other readers that you take patient privacy seriously, and it explains why you're not engaging with the details of the review. Most potential patients reading it will understand.

Move the Conversation Offline

After you post a generic public reply, the next step is to reach out privately if possible. Have someone on your team (ideally the practice manager or owner) try to identify the reviewer through internal records and call them directly to resolve the concern.

A lot of negative reviews come from genuine misunderstandings that can be cleared up in a 10-minute phone call. If the patient feels heard, they'll often edit or remove the review on their own. You can't ask them directly to remove it (that's bad practice and sometimes against Google's policies), but a real conversation where you listen and address their concern often leads to that outcome naturally.

What to Do About Reviews From People Who Weren't Even Patients

Here's where it gets complicated. We see this all the time with our clients.

A common example: a husband calls the front desk asking for his wife's medical information. The staff, doing the right thing, refuses to share it without consent. He gets angry and leaves a one-star review online. The wife is the patient, but she never had any issue with the practice. The review is from someone who wasn't even the patient, upset about a policy the practice is legally required to follow.

This puts the clinic in murky water. Responding directly and saying "we couldn't share information because your wife is our patient" would confirm that the wife is a patient, which is a HIPAA violation. Even ignoring the review doesn't feel right because now there's an unfair one-star sitting there.

The right move is to leave a general response that explains the policy without confirming anything specific. Something like:

"We take patient privacy seriously and are legally required to protect all medical information under HIPAA. We cannot discuss any patient's care without their written authorization, regardless of the relationship."

In rare cases where a review contains clearly false claims that damage your business, some practices consider pursuing legal action for defamation. This is a complex area of law that varies significantly by state, and it should only be considered with proper legal counsel, since defamation suits against reviewers can be difficult to win and sometimes draw even more public attention to the original review. If you're considering this path, talk to a lawyer first.

When Reviews Violate Google's Own Policies

If a review is clearly fake, was written by someone who was never a patient, or violates Google's review policies (contains offensive language, is from a competitor, names staff members in a personal attack, or has nothing to do with an actual visit), it can usually be removed through Google's support process. Google's automated system only catches a fraction of these, but there's a direct support form that most practice owners don't even know exists. It's the most effective way we've found to get fake reviews taken down.

We've written a full step-by-step guide on how to do this in our article "How to Remove One-Star Google Reviews Using Google's Hidden Support Form."

A Few Rules to Keep Your Team Safe

Beyond responding yourself, make sure your team knows the rules. A few basic guidelines:

  • Don't let front desk staff respond to reviews on their own. Route all review responses through a single person, ideally the owner or a trained manager.

  • Create a template for generic, HIPAA-safe responses that anyone can use without thinking.

  • Have your legal counsel or HIPAA compliance officer review your response process before putting it in place, especially since some states have privacy laws that go beyond HIPAA.

If You Want Help Managing All of This

Keeping up with review responses, removing fake reviews, and handling the HIPAA side of things takes real time. Solora's Reputation Booster handles review response management. We also work on removing fake reviews entirely for you, and we only accept payment after the review is gone.

Reach out if you want to see whether it makes sense for your practice. As always, have your legal counsel or HIPAA compliance officer review any response process before putting it in place.

Frequently Asked Questions!

How do I know if a one-star review is fake?

Look at the reviewer's profile. If the account was created recently, has no profile photo, has only left one or two reviews, or has left similar reviews for competing businesses in your area, it's likely fake. Real reviewers usually have a history of activity across different types of businesses.

Does Google automatically remove fake reviews?

Sometimes, but not always. Google's algorithm catches some fake reviews on its own, but plenty slip through. The ones that don't get removed automatically usually need to be escalated through Google's support process.

Can a single fake one-star review actually hurt my business?

Not significantly if your overall review count and rating are healthy. A single fake one-star review is barely noticeable when you have hundreds of real five-star reviews backing you up. The best protection is volume.

Should I respond to a fake review?

You can, but keep it short, calm, and generic. Don't accuse the reviewer of being a competitor or respond emotionally. A brief response that casts doubt on the review without drama is usually the best move.

How long does it take Google to remove a fake review?

It varies. Sometimes a few days, sometimes weeks, sometimes never. The success rate depends a lot on how obviously fake the review is and how you escalate the report. Some reviews that look fake to a business owner don't meet Google's technical criteria for removal.
