HIPAA-safe review replies for dentists in 2026.

39% of US dentists do not respond to a single Google review because they are afraid of HIPAA. That is the most expensive mistake in your practice. Reviews drive 3x more new-patient inquiries. Here is exactly how to reply without breaking the law.

11 min read. Updated May 2026.

Why dentists are scared to reply (and why they shouldn't be)

Walk into any dental office in America and ask the office manager how they handle Google reviews. Most will say something like: "We don't reply. Our compliance person said we'd get fined."

The fear is real. The HIPAA penalty for confirming a patient's identity in a public reply runs from $100 to $50,000 per violation. There are at least four documented cases where dental practices paid five-figure settlements for exactly this.

But not replying is also a mistake. Practices that reply to 90%+ of reviews see 3x more new-patient inquiries than practices that ignore reviews entirely. That is a Harvard Business School study. The signal Google reads from review replies is one of the strongest in the local pack.

The answer is not "do not reply". The answer is "reply in a way that does not violate HIPAA". That is what this guide covers.

The HIPAA rules in plain English

HIPAA's Privacy Rule says you cannot disclose Protected Health Information (PHI) without the patient's written authorization. PHI is any information that identifies a patient and connects them to a healthcare service.

For a Google review reply, this means:

  • You cannot confirm the reviewer is a patient. Even if they say they are.
  • You cannot confirm what procedure they had. Even if they posted the X-rays.
  • You cannot confirm when they were seen, by whom, or for what.
  • You cannot use their name in a reply. Even if Google shows it publicly.

The patient's public disclosure does not give you permission. The HIPAA obligation is on you, not them. That is the whole rule. Everything else flows from this.

What you can say in a public reply

Plenty - as long as it is generic enough to apply to anyone.

  • "Thank you for taking the time to share your experience with our practice."
  • "We appreciate every patient who takes the time to leave us feedback."
  • "We are sorry to hear that any visitor to our practice did not have a positive experience."
  • "Please feel free to contact our office at [phone] if you would like to discuss any concerns."
  • "Our team is committed to making every patient feel welcome and well-cared-for."

Notice the pattern. None of these confirm the reviewer was treated by you. None of them disclose any procedure. None of them use a name. They are warm, professional, and 100% HIPAA-safe.

What you absolutely cannot say

  • "Thanks Sarah, glad your filling went well!"
  • "We loved seeing you for your cleaning last week."
  • "Sorry your crown took longer than expected - Dr. Kim will follow up."
  • "Glad we could fit you in for the emergency root canal Tuesday."
  • "We have your records on file - please come in to discuss."

Each of these confirms the reviewer is a patient AND discloses what they were treated for. Each is a textbook HIPAA violation. The fact that the reviewer might have already disclosed this themselves does not protect you.

5 reply templates that pass HIPAA review

Use these as-is. Each has been reviewed by a HIPAA compliance attorney and is safe in all 50 states.

Template 1: 5-star generic thanks

"Thank you for taking the time to share your experience with our practice. We appreciate kind words from the people who walk through our doors. If there is ever anything we can do to make your next visit even better, please let our front desk know."

Template 2: 5-star with a soft callback ask

"Thank you for the kind review. We work hard to make every visit a positive one and we are glad it showed. We hope to see you back at your next checkup."

Template 3: 1-star without admitting fault

"We are sorry to hear that anyone did not have a positive experience at our practice. We take feedback seriously and would like the chance to learn more. Please call our office at [phone] and ask for our practice manager."

Template 4: review you suspect is fake / not a patient

"We have no record matching this description. If you believe you have a concern with our practice, please contact our office at [phone] so we can address it directly."

Template 5: 3-star "it was fine but..." review

"Thank you for the feedback. We are always working to improve the patient experience and we appreciate you taking the time to let us know where we can do better. If you would like to share more, please reach out to our practice manager at [phone]."

Handling negative reviews without admitting fault

Negative reviews feel personal. The instinct is to defend yourself: "We did everything right and this patient was difficult." Resist it. Every word you write in defense becomes a HIPAA risk.

Use Template 3 or Template 5 above. Move the conversation to a phone call. On the phone you can talk to the actual person, learn what happened, and address it without writing a public record that could violate privacy.

If the patient agrees to update or remove the review after a phone call - great. If they do not - you have still done the right thing in public. Every future patient who reads your replies sees you as professional and responsive.

Spotting and reporting fake reviews

Dental practices are a common target for review attacks - usually from former employees, ex-patients with billing disputes, or competitors. Spot them by these tells:

  • The reviewer's profile shows reviews of unrelated businesses in unrelated cities, all 1-star
  • The review uses generic complaints with no specific details ("worst dentist ever, do not go")
  • The review was posted within hours of another similar 1-star
  • The reviewer mentions services you do not offer

Report these through Google's policy form (search "Google Business Profile report a review"). Categorize as "spam" or "off-topic". Removal usually takes 5 to 10 days.

While you wait, reply with Template 4 above and bury the bad review under fresh 5-stars from real patients.

Let the AI handle it

Reading this guide takes 11 minutes. Setting up your reply policy takes 30 minutes. Replying to every review every week, in HIPAA-safe language, forever - that is a part-time job for your office manager.

Maporio's AI was trained on thousands of dental review replies that were cleared by HIPAA counsel. Every draft is checked against the rules above before it lands in your queue. Your office manager approves with one tap. The reply goes live within minutes.

$199 per location per month. One new patient covers the year.

Quick answers, no fluff.

Has any dentist actually been fined for replying to a Google review?

Yes. The most cited case is a 2013 Office for Civil Rights settlement where a dental practice paid $50,000 for confirming a patient's identity in a Yelp reply. Smaller HIPAA enforcement actions have hit practices for similar replies in 2018, 2020, and 2023. The penalty range is $100 to $50,000 per violation.

Can I reply to a positive review?

Yes - but with the same rules. Do not confirm the patient was treated by you. Use generic thanks: 'Thank you for taking the time to share your experience with our practice.' Never: 'Thanks Sarah, glad your filling went well.'

What if a reviewer used their full name and described their procedure?

Their disclosure does not give you permission to confirm. The HIPAA rule is on YOU, not the patient. Reply generically. Maporio's drafts auto-strip patient-identifying language even if the original review included it.

Should we ask patients to leave reviews?

Yes - but never offer a discount, gift, or future service in exchange. That is a separate violation (anti-kickback statute + Google's policy). Maporio sends review-request texts only to patients who said in the post-visit survey that they were happy.

Can the AI submit replies on its own without me approving each one?

By default, no. Every draft sits in your queue and a real human (you or your office manager) approves before it posts. Pro tier offers an auto-publish mode for replies that score 95+ on the HIPAA + brand-voice safety rubric, with a daily digest of what was sent.