How to Respond to Your Medspa’s Reviews in Compliance with HIPAA Guidelines

With 88% of patients trusting online reviews just as much as personal recommendations, it’s clear they play a vital role in reputation management.


Responding to online reviews is essential: 54% of patients expect a response within 7 days, and businesses that respond within an hour are 60 times more successful than those that wait 24 hours.


Imagine this.


While sipping a coffee on an ideal day, you receive a review notification. You open it to see a positive review left by your patient on Google. You reply, cheerfully stating, "Thanks for your review. We are happy that our treatment helped you last week."


Guess what? You have just violated HIPAA guidelines and could end up with a fine of between $100 and $50,000. HIPAA levies hefty fines and penalties against providers who reveal personal health information without patient consent. In the above case, you have acknowledged that the reviewer is your patient. Knowing the ins and outs of HIPAA policies allows you to avoid slip-ups and protect your patients' privacy.


What is HIPAA? And why do you have to care about it?


HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The act outlines how medical professionals interact or communicate with their patients online. HIPAA guidelines are in place to protect patients' privacy, and as a healthcare provider, you need to familiarize yourself with them to stay compliant. Otherwise, steep fines or even lawsuits can ensue.

But don’t let this deter you from responding to your patients! While fear of violating HIPAA guidelines can cause medspa providers to think twice before responding to a negative review, it is critical for the health and reputation of your business to respond promptly and professionally. Some research even shows that a review page that’s "too perfect" can raise suspicion. The key is knowing how to deal with positive and negative reviews in a compliant way.


Below are a few best practices to help you stay connected with your patients on review sites like Google and Facebook while preserving their privacy.

Dos and Don'ts to Remember While Responding to Online Reviews

1. Do: Keep the Patient’s Privacy Top of Mind


While HIPAA guidelines may look intimidating, they all boil down to one crucial point – don’t share a patient’s personal information. This includes any information that someone could use to identify them, such as:


  • Name

  • Contact information, like phone number or email

  • Birthdate/age

  • Appointment date/time

  • Diagnoses

  • Treatment/results

  • Photos or identifiable images


You could be unintentionally sharing a personal detail even by confirming that a patient visited your medspa in your response to a review.


Example Review:


"I had a wonderful experience at X Clinic last week. The massage practitioner was professional, and the place was tidy. I'll visit again."


Remember: simply confirming that the patient visited your business last week counts as a HIPAA violation. Try this for a response:


"Thank you for the feedback. Our goal is to make all of our patients feel their best, and we strive to do this by creating a clean and comfortable environment."


In the example above, you are still thanking the patient for their review without directly confirming that they visited your business.

2. Don't: Disclose the Patient's Diagnosis or Treatment

Imagine having your medical history on display for the entire internet to read. It wouldn't feel too great. The same applies to your patients. When it comes to their service or treatment, it's always better to avoid the subject entirely.


In some cases, patients might leave your clinic a review where they mention their symptoms or diagnosis. While it's up to the patient's discretion to disclose this information, you risk violating HIPAA guidelines if you repeat or share the information in any form.


Example Review:


"I'm so glad I was able to visit X Skin Clinic to treat my rosacea. After only one treatment, I saw noticeable improvement."


Rather than replying to let them know you're glad that they're satisfied with their treatment, respond with:


"Thank you for the great feedback. Our custom menu of treatments is designed to make patients feel refreshed and leave with glowing skin after each visit."


3. Do: Take Critical Issues Offline or to a Private Communication Channel


In some instances, clients might leave questions that are easily answered online. These include inquiries about your business hours, the services you offer, and the best way to contact you.


Some scenarios, however, are difficult to answer online without violating the patient's privacy. A good rule of thumb is that if a situation feels urgent, it probably is.


Example Review:


"I visited X Spa last week and had an allergic reaction to one of the products they used on my skin. I'm looking for guidance, but they didn't respond to the email I sent this morning. I most likely won't visit again."


If a patient is unhappy with their care at your business, it is better to deal with it by moving the conversation to a private communication channel, like phone or email. You can ask for more details about why the treatment didn't meet their expectations and resolve the issue more quickly. You may even persuade them to remove the negative review so that it doesn't hurt your reputation.

4. Don't: Share Patient Photos on Social Media

Some patients love to leave photos as part of their online review. Who can blame them – it feels good to show off a successful transformation.


If you're quick to hit the share button so you can show your social media followers how great your patient's experience was, think again. According to HIPAA guidelines, posting a patient's photo on social media platforms like Facebook and Instagram is a violation.


While it might seem harmless to post a photo of a patient without mentioning them by name, keep in mind that it still infringes on their privacy. Facial recognition software on platforms like Facebook is getting better every day. Whether a patient is celebrating an incredible weight loss transformation or the results of their new laser treatment, it's good practice to leave their photos off social media altogether. Let the reviews speak for themselves.

Additional Tips to Protect Patient Privacy

Here are some recommended best practices when responding to patient reviews:


  • Don’t directly acknowledge whether the reviewer has ever visited your clinic. Respond graciously but avoid saying it was "nice to meet them," or you "hope to see them again soon."

  • Focus on general office policies and goals instead of acknowledging a specific treatment or service. For example, your weight loss clinic may respond by saying that your goal is to help patients shed unwanted pounds, and you're glad the reviewer feels they have done that.

  • Use generic language whenever possible. Avoid getting too personal or speaking about your specific interaction with a reviewer. It's best to use broader terms like "our patients."


The same practices apply if a patient leaves a negative review. It's always better to deal with a complaint professionally and compliantly.


Example Review:


"Yesterday, when I visited X Spa, I sat in reception for 15 minutes after my appointment started before the staff came out to get me. There was no explanation, and nobody apologized to me for the delay."


In your rush to make things right with the patient, you might post something non-compliant like:


"We're sorry that your experience with us last week didn't meet your expectations. Please get in touch with us so we can make it right."


Instead, remember to avoid confirming that the reviewer was a patient at your medspa. Stick to the facts and encourage them to move the dialogue to a more private channel:

"Our clinic's policy is to schedule enough time between patients to avoid long waits, but occasionally, we run into unexpected situations or emergencies that lead to delays. We appreciate your feedback and thank you for taking the time to share. Don't hesitate to get in touch with our Office Manager at (phone number) if you have any further comments or suggestions."


The second response not only respects the patient's privacy but shows that you've taken the time to address their concern and want to continue the conversation.

Let ezRepute Help You Stay Compliant


With a growing demand for medspa treatments, the best way to set yourself apart from the competition is with excellent service. This means responding to your patients’ reviews thoughtfully, while protecting their privacy.


Avoid infringing on your patients’ privacy with a reputation management platform like ezRepute. Our platform allows you to manage all patient reviews from Google, Facebook and 250+ sites for every location. Seeing everything in one place lets you keep your finger on the pulse and make sure everything you post follows HIPAA guidelines.

ezRepute also helps you address patient concerns more promptly, reducing the chances of receiving a negative review. Turn your reviews into a learning opportunity with actionable insights and uncover trends, strengths, and weaknesses to help you take your patient experience to the next level. Let your software do the heavy lifting while you focus on your patients.
