The HIPAA Fines That Started With a Google Review Response
6 min read · Compliance · Dental Practices
This is not a hypothetical risk.
The Office for Civil Rights (OCR) has taken enforcement action against dental practices for HIPAA violations in online review responses. The violations were not clinical errors, data breaches, or stolen records. They were replies to Google reviews that confirmed a patient relationship.
Most dental practices know they should respond to their Google reviews. What almost none of them know is that responding the wrong way can trigger a federal investigation.
HIPAA’s Privacy Rule prohibits the disclosure of Protected Health Information (PHI) without patient authorisation. PHI includes not just medical records, but any information that could identify a person as a patient of a covered entity. When a dental practice responds to a Google review and uses the reviewer’s name in a way that confirms they received treatment, that is a disclosure of PHI.
What the violations actually looked like
OCR enforcement actions related to online review responses have involved dental practices responding to negative reviews with language that confirms the reviewer was a patient. Common examples include:
Confirms patient status
"We're sorry you felt that way during your appointment, Sarah. As your dentist, we always try to make patients feel comfortable."
Why it’s a violation: Names the reviewer and confirms they were a patient under the practice's care. This is a disclosure of PHI.
References treatment details
"We understand your concern about the billing for your root canal. Our front desk would be happy to go over the charges with you."
Why it’s a violation: Confirms the nature of treatment received. Even referencing a procedure type is PHI when it can be linked to an identifiable person.
Confirms a date of service
"Thank you for coming in last Tuesday. We hope you're feeling better and look forward to seeing you at your follow-up."
Why it’s a violation: Confirms the reviewer was present at the practice on a specific date. This is enough to constitute a PHI disclosure.
Why this is happening more, not less
Two things are happening at the same time. Dental practices are responding to more reviews than they used to, partly because AI tools have made it faster. And OCR enforcement of HIPAA in the digital space has been increasing. The overlap is where the risk lives.
The most dangerous scenario is a practice that starts using a generic AI tool to speed up responses. A generic tool has no knowledge of HIPAA. It will generate warm, personalised, empathetic responses that sound professional and read well. It will use the reviewer’s name, acknowledge what they said, and thank them for being a patient. Every instinct the tool has is toward personalisation. That is exactly what HIPAA prohibits in this context.
The compliance problem in plain English
In the restaurant industry, a personalised response is better marketing. In a dental practice, the same personalised response can be a federal violation. The exact feature that makes AI responses valuable for other businesses is the feature that makes them dangerous for yours.
What a HIPAA-compliant response actually looks like
A compliant response to a Google review does four things: it acknowledges the reviewer, it does not confirm or deny that they were a patient, it stays focused on the practice’s values rather than the reviewer’s specific situation, and it invites the conversation to move offline.
The four rules for a compliant dental review response
Never confirm the reviewer is a patient.
Do not say "as your dentist," "during your visit," "when you came in," or anything that confirms a clinical relationship. Respond as if you cannot verify who this person is.
Never reference treatment, procedures, or clinical details.
Even a passing mention of the type of work done ("your crown," "your extraction") is PHI if it can be tied to an identifiable person.
Never use the reviewer's name to confirm identity.
Using a first name in a response signals to regulators that you have identified this person as a patient. If you use a name at all, do so in a way that is clearly generic.
Always move the conversation offline.
"Please contact our office directly" is not just good customer service. It is the right compliance posture. It shows you are willing to resolve issues in a controlled, private channel.
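The four rules above can be applied mechanically before a draft reply is posted. The checker below is an added example written for this post; it is not StarReply's code and not an OCR tool. It turns the rules into a pre-post lint: it flags phrases that confirm a clinical relationship, procedure words, date-of-service cues, and use of the reviewer's display name, and it insists on an offline invitation. The phrase and term lists are constructed starting points (only the four status phrases and three procedure words quoted on the page come from the post), and the reviewer display name is an assumed input. The sample drafts are the three violating replies quoted above plus one constructed reply written to the rules; the checker generalises past those three cases by scanning for the whole family of cues.

```python
import re
from dataclasses import dataclass

# Rule 1: phrases that confirm a clinical relationship. The first four are the
# post's own examples; the rest are assumed additions in the same spirit.
PATIENT_STATUS_PHRASES = [
    r"\bas your dentist\b",
    r"\bduring your (?:visit|appointment)\b",
    r"\bwhen you came in\b",
    r"\bthank you for coming in\b",
    r"\bfor being a patient\b",
    r"\byour (?:next )?follow[- ]?up\b",
    r"\bunder our care\b",
]
# Rule 2: procedure words. Constructed list; a practice would extend it.
TREATMENT_TERMS = [
    "root canal", "crown", "extraction", "filling", "implant",
    "cleaning", "whitening", "braces", "x-ray",
]
# Date-of-service cues (the post's third violation pattern). Constructed.
DATE_PATTERNS = [
    r"\b(?:last|this|next) (?:monday|tuesday|wednesday|thursday|friday|saturday|sunday|week|month)\b",
    r"\b(?:yesterday|this morning|this afternoon|earlier today)\b",
    r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}\b",
    r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b",
]
# Rule 4: an invitation to continue offline must be present. Constructed.
OFFLINE_PHRASES = [
    r"\bcontact (?:our|the) office\b",
    r"\bcall (?:us|our office)\b",
    r"\breach out\b",
    r"\bfront desk\b",
]


@dataclass(frozen=True)
class Finding:
    rule: str      # which of the post's rules the draft breaks
    matched: str   # the offending fragment (empty for a missing element)


def check_response(response: str, reviewer_name: str = "") -> list:
    """Return every rule violation found in a draft reply.

    reviewer_name is the public display name on the Google review (assumed
    input); its first token is what rule 3 is checked against.
    """
    text = response.lower()
    findings = []
    for pat in PATIENT_STATUS_PHRASES:
        for m in re.finditer(pat, text):
            findings.append(Finding("confirms-patient-status", m.group(0)))
    for term in TREATMENT_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            findings.append(Finding("references-treatment", term))
    for pat in DATE_PATTERNS:
        for m in re.finditer(pat, text):
            findings.append(Finding("confirms-date-of-service", m.group(0)))
    if reviewer_name:
        first = reviewer_name.split()[0].lower()
        # very short tokens ("jo") would false-positive inside ordinary words
        if len(first) >= 3 and re.search(r"\b" + re.escape(first) + r"\b", text):
            findings.append(Finding("uses-reviewer-name", first))
    if not any(re.search(p, text) for p in OFFLINE_PHRASES):
        findings.append(Finding("no-offline-invitation", ""))
    return findings


def is_compliant(response: str, reviewer_name: str = "") -> bool:
    """True only when the draft passes all four rules."""
    return not check_response(response, reviewer_name)


# Sample inputs: the three violating replies quoted in the post, plus one
# constructed reply written to the four rules.
PAGE_EXAMPLES = [
    "We're sorry you felt that way during your appointment, Sarah. As your dentist, we always try to make patients feel comfortable.",
    "We understand your concern about the billing for your root canal. Our front desk would be happy to go over the charges with you.",
    "Thank you for coming in last Tuesday. We hope you're feeling better and look forward to seeing you at your follow-up.",
]
COMPLIANT_EXAMPLE = (
    "Thank you for taking the time to share your feedback. We take every comment "
    "seriously and are always looking for ways to improve the experience at our "
    "practice. Please contact our office directly so we can learn more."
)

if __name__ == "__main__":
    for draft in PAGE_EXAMPLES + [COMPLIANT_EXAMPLE]:
        print("OK   " if is_compliant(draft, "Sarah M.") else "BLOCK", draft[:60])
        for f in check_response(draft, "Sarah M."):
            print("     ", f.rule, repr(f.matched))
```

A keyword lint like this is deliberately conservative: it blocks anything it matches and leaves the decision to a human, which is the right failure mode when the cost of a false negative is a PHI disclosure. It will not catch every paraphrase, so it belongs in front of an approval step, not in place of one.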
The practical problem for most dental practices
Writing responses that are warm, professional, and compliant at the same time is genuinely difficult. It requires thinking in a constrained way that does not come naturally. Most front desk teams are not trained in it, and most practice owners do not have time to audit every response before it posts.
StarReply builds these rules into every response it generates for dental practices. The AI produces responses that are empathetic, professional, and specific to the sentiment of the review without ever confirming patient status, referencing treatment, or disclosing PHI. You see every response before it goes anywhere. You approve it, then post it to Google.
Built for Dental Practices
Respond to every review. Never risk a compliance issue.
Star Reply generates HIPAA-safe review responses for dental practices. Professional, empathetic, compliant. You approve every response before it posts.