Online reviews are the front door of an aesthetic practice. A prospective patient searches "med spa near me," reads Google and Yelp reviews, and makes a booking decision — often before visiting the practice's website. For med spas, reviews are also a regulatory minefield. Responding to a patient's review in a way that confirms the reviewer was treated, names the procedure, or discusses clinical outcomes is a HIPAA violation — even if the patient disclosed all of that information in the review itself.
This article is for med spa owners, practice managers, and front-desk staff who respond to online reviews. It covers what HIPAA permits and prohibits in public review responses, how to build scripted replies that protect the practice, how to handle adverse-event complaints posted publicly, and how to escalate when a review crosses into defamation or extortion.
Why Review Responses Carry HIPAA Risk
The HIPAA Privacy Rule prohibits covered entities from disclosing protected health information (PHI) without patient authorization. PHI includes any information that could identify a patient and relates to their health condition, treatment, or payment for healthcare services.
A review response that says, "We're glad you loved your Botox results, Sarah!" discloses two pieces of PHI: (1) that Sarah is a patient, and (2) that she received Botox. This is a violation even though Sarah posted a positive review and used her real name. The responsibility to maintain confidentiality always rests with the practice.
OCR has enforced this principle repeatedly. A North Carolina dental practice was fined $50,000 in 2022 for responding to a patient's Google review with anecdotal information about their visit. A New Jersey psychiatric practice was fined $30,000 in 2023 and placed under a two-year corrective action plan for revealing diagnostic information when responding to negative Google reviews. In 2019, a dental office was fined $10,000 for disclosing a patient's full name, insurance information, treatment plan, and cost information in a Yelp response. In 2013, OCR issued a warning letter to a plastic surgery practice for disclosing a minor patient's information in response to a parent's Yelp review. In 2025 alone, OCR settled enforcement actions totaling over $9.4 million across 20 cases, with the Cadia Healthcare settlement ($182,000) specifically involving social media disclosure without patient authorization. OCR has stated that even acknowledging that a reviewer is a patient constitutes a HIPAA violation.
The patient disclosed first — why it still matters
Patients who post reviews voluntarily share their experience. That does not waive their HIPAA protections. A patient saying "I got filler here" on Google does not authorize the practice to confirm, deny, or discuss the treatment publicly. The asymmetry is deliberate: the patient chooses what to share; the practice must protect everything.
The Principles of HIPAA-Compliant Review Responses
1. Never confirm or deny a patient relationship
The response must not acknowledge — directly or indirectly — that the reviewer was a patient. This means no "Thank you for choosing our practice," no "We loved treating you," no "Your results look amazing."
2. Never reference specific treatments
Do not mention any procedure, product, device, or clinical outcome. "We're glad your skin looks great after your treatment" references both the treatment and the outcome. "We appreciate your feedback" does not.
3. Never include any identifying information
Do not use the reviewer's name, the provider's name, the date of visit, the treatment area, or any detail that could link the review to a specific patient encounter.
4. Keep responses generic and professional
The most HIPAA-safe responses are brief, professional, and contain no clinical or patient-specific content. The American Med Spa Association's guidance is blunt: respond to a positive review with a simple "Thank you." Respond to a negative review with "Please call our office." Any other response increases compliance risk.
5. Move the conversation offline
For any review that requires a substantive response — especially negative reviews or adverse-event complaints — direct the reviewer to contact the practice privately. Use a generic phone number or email that is already public on the practice's listing.
Scripted Responses by Scenario
Positive reviews
Reviewer: "Absolutely love my results! Best med spa in the city!"
HIPAA-safe response: "Thank you for your feedback! We appreciate you taking the time to share your experience."
Do not say: "We're so glad you love your lip filler results, Jessica! Dr. Smith did an amazing job as always." That response confirms the patient relationship, identifies the provider, and discloses the procedure.
Negative reviews (general complaint)
Reviewer: "Terrible experience. Waited an hour and staff was rude."
HIPAA-safe response: "We take all feedback seriously and would like to learn more. Please contact our office at [phone number] or [email] so we can address your concerns."
Do not say: "We're sorry your Botox appointment ran late. We had an emergency that day." That confirms the patient received Botox and discloses operational details.
Negative reviews (adverse-event complaint)
Reviewer: "I got burns from the laser treatment here. My skin is scarred and they didn't even care."
HIPAA-safe response: "We take all feedback seriously. Please contact our office at [phone number] so we can discuss your concerns directly."
Do not say: "We're sorry about the reaction after your CO2 laser treatment. Complications like this are rare and we followed all protocols." That confirms the procedure, characterizes the complication (framing it defensively), and discloses clinical information publicly.
Internal escalation: When a review describes what sounds like an adverse event — burns, scarring, vascular occlusion, infection, nerve damage — the response team must escalate internally before responding. See the adverse-event escalation section below.
Reviews that contain misinformation
Reviewer: "This place uses fake Botox. Don't go here."
HIPAA-safe response: "We take all feedback seriously and would like to address your concerns. Please contact our office at [phone number]."
Do not engage with the specific allegation publicly. Do not say, "We only purchase authentic Allergan Botox from authorized distributors." That response, while factually correct, confirms the practice administers Botox and may draw further public attention to the allegation.
Reviews from non-patients
Reviewer: "My friend went here and had a horrible reaction."
HIPAA-safe response: "Thank you for your feedback. We take all comments seriously. Please encourage your friend to contact our office directly at [phone number]."
Even though the reviewer was not a patient, the response must not confirm or deny that the friend was a patient.
Adverse-Event Escalation Workflow
When a review describes a clinical complication — burns, scarring, fat loss, infection, vascular occlusion, nerve damage, disfigurement — treat it as a potential adverse event until proven otherwise. The public nature of the review does not change the practice's clinical and regulatory obligations.
Step 1: Pause the response
Do not respond immediately. Flag the review for the medical director and practice manager. Set an internal deadline: respond within 24–48 hours, after the clinical team has reviewed the complaint.
Step 2: Identify the patient (internally)
Using the reviewer's name, profile photo, and review details, attempt to identify the patient in the practice's records. This identification is internal only — it is not disclosed publicly.
If the patient can be identified:
- Pull the treatment chart.
- Review the documented treatment, parameters, products used, and follow-up notes.
- Determine whether an adverse event was documented at the time of treatment or reported by the patient after the visit.
- If the adverse event was not previously documented, create an incident report now.
Step 3: Clinical outreach
Have the medical director or treating provider reach out to the patient directly by phone — not through the review platform. The purpose of the call is clinical: to assess the patient's condition, offer an in-person evaluation, and document the complaint in the medical record.
Document the outreach attempt, whether the patient was reached, and what was discussed. This documentation protects the practice in the event of a subsequent complaint to the state board or a malpractice claim.
Step 4: Determine reporting obligations
If the adverse event involves a medical device (laser, RF device, IPL, etc.), evaluate whether the event meets the threshold for manufacturer notification or FDA MedWatch filing. Burns, scarring, and disfigurement from energy devices meet the FDA's definition of a serious injury under 21 CFR 803.3.
If the event involves an injectable product, evaluate whether the manufacturer should be notified. Hyaluronic acid filler causing vascular occlusion, for example, should be reported to the product manufacturer and may warrant a voluntary MedWatch report.
Step 5: Post the public response
After the clinical team has reviewed the complaint and the patient has been contacted (or an outreach attempt has been documented), post the generic HIPAA-safe response. The response does not change based on what the clinical review found. It remains: "We take all feedback seriously. Please contact our office at [phone number] so we can discuss your concerns directly."
Step 6: Document everything
Create an internal file that includes:
- Screenshot of the review (including date, platform, reviewer name, and content).
- Patient identification and chart review summary (internal only).
- Clinical outreach documentation.
- Adverse event report (if applicable).
- Manufacturer notification (if applicable).
- MedWatch filing confirmation (if applicable).
- Copy of the public response posted.
- Any subsequent communication with the reviewer.
This file is part of the practice's quality assurance documentation and should be retained per the practice's record retention policy.
Staff Scripts and Training
Who responds
Designate one or two people as the review response team. Typically this is the practice manager and/or front-desk lead. All review responses go through them. Clinical staff should not respond to reviews on personal accounts or from the practice's accounts without authorization.
Training requirements
Train the review response team on:
- What constitutes PHI and why it cannot be disclosed in public responses.
- The scripted responses for each scenario (positive, negative, adverse event, non-patient).
- When to escalate to the medical director or practice manager before responding.
- The internal adverse-event escalation workflow.
- How to screenshot and document reviews for the internal file.
- Platform-specific response guidelines (Google, Yelp, RealSelf, Facebook, Instagram).
Document the training. Include the date, attendees, and material covered. This documentation supports the practice's HIPAA compliance program and demonstrates workforce training if OCR investigates.
Scripts for the front desk
Keep a laminated card or saved document at the front desk with the approved response scripts. The card should include:
Positive review script: "Thank you for your feedback! We appreciate you taking the time to share your experience."
Negative review script (general): "We take all feedback seriously and would like to learn more. Please contact our office at [phone] or [email] so we can address your concerns."
Adverse event review script: "We take all feedback seriously. Please contact our office at [phone] so we can discuss your concerns directly." → ESCALATE TO MEDICAL DIRECTOR BEFORE POSTING.
Non-patient review script: "Thank you for your feedback. We take all comments seriously. Please encourage [your friend/the person involved] to contact our office directly at [phone]."
Platform Escalation
When to request removal
Most review platforms allow businesses to flag reviews for removal. Grounds for removal vary by platform but typically include:
- Reviews from non-patients who never visited the practice (if the platform's terms require a genuine customer experience).
- Reviews that contain threats, harassment, or hate speech.
- Reviews that contain explicit PHI (if another provider or third party posted the patient's information).
- Reviews that are part of an extortion attempt — the reviewer demands payment or free services in exchange for removing the review.
File a removal request through the platform's business tools. Document the request, the date, and the platform's response. Do not expect the platform to remove a review simply because it is negative or inaccurate — platforms generally do not arbitrate factual disputes.
Responding to extortion
If a reviewer explicitly or implicitly demands payment, free treatment, or other compensation in exchange for removing or modifying a review:
- Do not negotiate publicly. Do not offer compensation in the review response or in a direct message on the platform.
- Screenshot the review and any messages. Preserve evidence before the reviewer deletes or modifies the post.
- Report to the platform. File an extortion report through the platform's business support tools. Google, Yelp, and most major platforms have specific policies against review extortion.
- Consult legal counsel. If the demand involves a threat of reporting to a state board, filing a lawsuit, or public defamation, involve the practice's attorney before responding.
- Document everything. The internal file for this review should include all screenshots, the platform report, and the legal consultation summary.
Responding to false factual claims
If a review contains factually false claims — for example, stating the practice uses counterfeit products, operates without a medical director, or employs unlicensed staff — the practice may need to respond more substantively than the generic script allows. In this situation:
- Consult legal counsel before responding.
- Consider whether a public response is necessary or whether direct legal communication with the reviewer is more appropriate.
- If a public response is made, keep it factual, brief, and free of any PHI. "We are unable to confirm or deny whether any individual is a patient. We can confirm that our practice is staffed by licensed providers operating under appropriate medical supervision." This response addresses the allegation without violating HIPAA.
Building the Review Response Policy
A written review response policy should include:
- Scope. Which platforms are monitored, how frequently, and by whom.
- Response authority. Who is authorized to post responses. Who must approve responses before posting (medical director for adverse-event reviews).
- Scripts. Approved response templates for each scenario.
- Escalation workflow. When to escalate to the medical director, practice manager, or legal counsel before responding.
- Adverse-event protocol. The clinical escalation steps when a review describes a complication.
- Documentation requirements. How reviews are captured, filed, and retained.
- Training requirements. How often the response team is trained, what the training covers, and how attendance is documented.
- Platform escalation. When to request removal, how to report extortion, and when to involve legal counsel.
The policy should be reviewed and signed by every team member who may encounter or respond to reviews. Review it annually or whenever there is a significant change in platform policies, HIPAA enforcement guidance, or state regulations.
Sources
- U.S. Department of Health and Human Services. "HIPAA Administrative Simplification: Regulation Text (45 CFR Parts 160 and 164)." https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- Bass, Berry & Sims PLC. "How Can Healthcare Providers Respond to Online Patient Reviews Without Violating HIPAA?" https://www.bassberry.com/news/how-can-healthcareproviders-respond-to-online-patient-reviews-without-violating-hipaa
- American Med Spa Association. "Tips to Respond to Patient Review Without Violating HIPAA." https://www.americanmedspa.org/news/tips-to-respond-to-patient-review-without-violating-hipaa
- Paubox. "Understanding HIPAA Compliance in Online Review Responses." https://www.paubox.com/blog/understanding-hipaa-compliance-in-online-review-responses
- DJ Holt Law. "Responding to Negative Google Reviews: HIPAA Compliant Strategies." https://djholtlaw.com/responding-to-negative-google-reviews-hipaa-compliant-strategies
- GatherUp. "HIPAA-Compliant Review Responses — with Examples." https://gatherup.com/blog/hipaa-compliant-review-responses
- HIPAA Journal. "HIPAA Violation Fines — Updated for 2026." https://www.hipaajournal.com/hipaa-violation-fines
- Shumaker, Loop & Kendrick, LLP. "HIPAA Enforcement Risks and Mitigation Strategies: Summary of Recent Office for Civil Rights Actions." https://www.shumaker.com/insight/client-alert-hipaa-enforcement-risks-and-mitigation-strategies-summary-of-recent-office-for-civil-rights-actions