
Reviews matter for regenerative medicine clinics in ways they do not for most businesses. Patients check online reviews before choosing a provider. Reviews are a direct local ranking signal. A strong review profile is often the difference between a patient choosing your clinic or the one above you in the local pack. Most clinic owners know this. What fewer know is that two federal frameworks, HIPAA and the FTC’s Consumer Reviews Rule, govern how reviews can be requested, used, and responded to. Getting either one wrong can result in enforcement action and real fines.
TLDR: HIPAA prohibits disclosing protected health information in review responses, including the fact that someone is your patient. Real OCR fines have been issued for exactly this. The FTC’s Consumer Reviews Rule (effective October 21, 2024) prohibits fake reviews, suppression of honest negative reviews, and incentives tied to a positive review, with civil penalties of up to $53,088 per violation (2025 figure); the FTC also treats review gating as suppression. This guide covers what you can and cannot say in review responses, how to ask for reviews compliantly, and how patient testimonials in regen marketing carry a third layer of exposure on top of both.
Important Note
This article is for educational purposes only and does not constitute legal, medical, or regulatory advice. Marketing strategies discussed should be reviewed by qualified legal counsel before implementation, particularly regarding HIPAA, FTC, FDA, and state-specific advertising regulations. Regen Portal is a marketing company, not a law firm or compliance consultancy.
Most regen clinic owners are running review strategies that work for businesses outside healthcare and fail inside it. The standard playbook (ask everyone, respond to every review, defend the clinic when reviews go negative) is exactly what creates HIPAA exposure. The compliant playbook is different, narrower, and once internalized, easier than the standard version because it removes the temptation to defend the practice in public.
This article walks through what HIPAA actually restricts in review responses, the OCR enforcement cases that establish the precedent, how to respond to positive and negative reviews compliantly, what the FTC’s October 2024 Consumer Reviews Rule prohibits, why review gating is now a violation, and how patient testimonials in regen marketing create a third layer of risk under FDA and FTC.
What HIPAA Actually Restricts (And What It Does Not)
HIPAA restricts the disclosure of protected health information, commonly called PHI. PHI is individually identifiable health information that could be used to identify a specific patient in connection with their health status, treatment, or payment.
HIPAA does not prohibit asking patients for reviews. The request itself is not a PHI disclosure.
HIPAA does prohibit disclosing PHI in response to a review. This is where most clinics get it wrong. Even acknowledging that someone is your patient is a PHI disclosure. If a patient posts a Google review, the patient has chosen to share their own information publicly. That is the patient’s right. But the clinic responding by confirming “thank you for being our patient” or “we are glad your knee responded well to treatment” is disclosing PHI without authorization. The treatment relationship itself is PHI. The HHS guidance on HIPAA marketing rules covers the broader framework for permissible PHI uses in marketing contexts.
HIPAA applies to covered entities and their business associates. A health care provider is a covered entity when it transmits health information electronically in connection with a standard HIPAA transaction, such as electronic insurance claims or eligibility checks, so most regenerative medicine physicians, physician groups, and licensed clinical practitioners qualify. Not all regen clinic operators do. A cash-only clinic that never bills electronically may fall outside HIPAA, although state medical privacy laws and the FTC’s rules still apply to it. The classification depends on the specific business structure and electronic transactions involved. Consult qualified legal counsel to confirm whether HIPAA applies to your specific practice.
The OCR Enforcement Record on Review Responses
The enforcement record makes the stakes concrete. Real fines have been issued specifically for HIPAA violations in review responses. Three documented cases account for $90,000 in total penalties.
A North Carolina dental practice received a $50,000 OCR civil monetary penalty in 2022 after a negative Google review. The practice’s response confirmed the patient’s name and disclosed details about their treatment plan. The penalty was issued for that one response, and was elevated to a civil monetary penalty (rather than a settlement) because the practice did not cooperate with OCR’s investigation. A corrective action plan and ongoing monitoring were required.
Manasa Health Center, a New Jersey psychiatry practice, settled for $30,000 after responding to a negative online review. The response attempted to defend the quality of care and in doing so disclosed information about the patient’s mental health diagnosis. The complaint was filed with OCR in 2020, and the resolution agreement was announced in June 2023. The settlement included a corrective action plan.
Elite Dental Associates of Texas paid $10,000 in 2019 after disclosing patient health conditions, treatment plans, and insurance information across multiple Yelp review responses. This case is worth noting separately because it involved repeated violations across several reviews, which shows how the exposure compounds when a practice has a pattern of responding with PHI rather than a single incident.
The pattern across all three cases is consistent. The violation is not in receiving a review. The violation is in confirming PHI in the response: the patient relationship, the procedure, the outcome, the diagnosis. The patient’s decision to post publicly does not waive the clinic’s obligations under HIPAA.
How to Respond to Reviews Compliantly
The compliant response approach is the same for positive and negative reviews. Do not confirm the reviewer is a patient. Do not reference any procedure or outcome. Do not disclose any clinical detail.
Positive Review Response Template
A compliant response thanks the reviewer for sharing their experience, mentions the practice’s commitment to patient care generally, and invites further conversation through a private channel.
“Thank you for taking the time to share your experience. We appreciate your kind words and are committed to providing quality care to everyone who visits our practice. If you ever have questions or would like to speak with us directly, please reach out at [phone or email].”
What this response does not do: confirm the reviewer is a patient, reference the procedure, or describe any outcome.
Negative Review Response Template
This is where most violations happen. The instinct is to defend the practice. The compliant approach is to acknowledge the negative experience generally, express a commitment to addressing concerns, and invite a private conversation.
“We are sorry to hear you had a negative experience. We take all feedback seriously and would like the opportunity to understand your concerns. Please contact us directly at [phone or email] so we can address this properly.”
Notice what is absent. No confirmation of the treatment relationship. No reference to the procedure. No discussion of clinical findings. No defense of care provided. The response invites the reviewer to a private channel where, if the reviewer initiates contact and identifies themselves, the conversation can proceed with appropriate authorization.
The compliant rule for both response types is the same. Public response is brief, general, and contains zero PHI. Detailed conversations happen in private channels where the patient can authorize discussion of their own information.
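One way to hold the line above mechanically is to lint every draft public reply before it is posted, the way the practice manager in the case study later in this article screens responses. The following is an added example, not code from this article or from Regen Portal. It flags the four things the article says must never appear in a public reply: the reviewer’s name echoed back, a phrase that confirms the treatment relationship, a procedure or clinical finding, and outcome language. The phrase lists (RELATIONSHIP_PATTERNS, CLINICAL_TERMS, OUTCOME_PATTERNS), the reviewer name “Jane D.” and the unsafe draft are all constructed assumptions to be tuned per practice; the two templates are the ones quoted above. A clean result is a gate before a human signs off, not a compliance ruling.

```python
"""Pre-publish lint for public review responses.

Added example, not code from the article or from Regen Portal. A draft is
blocked if it echoes the reviewer's name, confirms a treatment relationship,
names a procedure or clinical finding, or describes an outcome. The phrase
lists are assumptions; tune them per practice and keep a human sign-off.
"""
import re
from dataclasses import dataclass

# Phrases that confirm the reviewer is a patient (assumed list).
RELATIONSHIP_PATTERNS = [
    r"\bour patient\b",
    r"\bbeing a patient\b",
    r"\byour (visit|appointment|consultation|treatment|procedure|care|evaluation|findings|results?)\b",
    r"\b(treating|treated|seeing|saw|examined) you\b",
    r"\byou (received|were seen|came in)\b",
    r"\bfor (choosing|trusting) us\b",
]

# Procedure, finding and billing vocabulary (assumed list, prefix-matched so
# "injection" also catches "injections" and "diagnos" catches "diagnosis").
CLINICAL_TERMS = [
    "stem cell", "exosome", "prp", "platelet-rich plasma", "injection",
    "knee", "joint", "cartilage", "diagnos", "mri", "x-ray", "pain",
    "treatment plan", "evaluation", "findings", "insurance", "recommend",
]

# Language that describes how a condition responded (assumed list).
OUTCOME_PATTERNS = [
    r"\b(responded|improved|resolved|healed|recovered)\b",
    r"\bpain[- ]free\b",
    r"\bno longer\b",
]


@dataclass(frozen=True)
class Finding:
    category: str  # reviewer_name | relationship | clinical | outcome
    text: str      # the fragment that triggered the finding


def _first_name(display_name):
    """First token of a platform display name such as "Jane D."; initials are ignored."""
    if not display_name or not display_name.strip():
        return ""
    token = re.sub(r"[^\w'-]", "", display_name.strip().split()[0])
    return token if len(token) >= 3 else ""


def lint_response(draft, reviewer_name=None):
    """Return every PHI-indicative fragment found in a draft public reply."""
    findings = []
    name = _first_name(reviewer_name)
    # The name is already public; the clinic repeating it under its own
    # profile is what ties the person to the practice.
    if name and re.search(rf"\b{re.escape(name)}\b", draft, re.IGNORECASE):
        findings.append(Finding("reviewer_name", name))
    for pattern in RELATIONSHIP_PATTERNS:
        m = re.search(pattern, draft, re.IGNORECASE)
        if m:
            findings.append(Finding("relationship", m.group(0)))
    for term in CLINICAL_TERMS:
        m = re.search(rf"\b{re.escape(term)}\w*", draft, re.IGNORECASE)
        if m:
            findings.append(Finding("clinical", m.group(0)))
    for pattern in OUTCOME_PATTERNS:
        m = re.search(pattern, draft, re.IGNORECASE)
        if m:
            findings.append(Finding("outcome", m.group(0)))
    return findings


def is_publishable(draft, reviewer_name=None):
    """True only when the draft triggers no finding at all."""
    return not lint_response(draft, reviewer_name)


# Constructed drafts: the article's two templates, and a reply modelled on the
# case study (the owner explains the findings and the recommendation).
POSITIVE_TEMPLATE = (
    "Thank you for taking the time to share your experience. We appreciate your "
    "kind words and are committed to providing quality care to everyone who visits "
    "our practice. If you ever have questions or would like to speak with us "
    "directly, please reach out at [phone or email]."
)
NEGATIVE_TEMPLATE = (
    "We are sorry to hear you had a negative experience. We take all feedback "
    "seriously and would like the opportunity to understand your concerns. Please "
    "contact us directly at [phone or email] so we can address this properly."
)
UNSAFE_DRAFT = (
    "Jane, you received a complete evaluation at your visit. The MRI findings "
    "showed cartilage loss in your knee, so we recommended PRP injections instead "
    "of the stem cell treatment you asked for. Most patients with your findings "
    "improved within weeks."
)

if __name__ == "__main__":
    for label, draft in [("positive template", POSITIVE_TEMPLATE),
                         ("negative template", NEGATIVE_TEMPLATE),
                         ("unsafe draft", UNSAFE_DRAFT)]:
        findings = lint_response(draft, reviewer_name="Jane D.")
        print(f"{label}: {'PUBLISH' if not findings else 'BLOCK'}")
        for f in findings:
            print(f"  {f.category}: {f.text!r}")
```

Run it and both templates pass while the unsafe draft is blocked on all four counts. The check is deliberately conservative: a word like “pain” in an innocent sentence will trip it, and that is the right failure direction, because the cost of a false block is a reworded reply and the cost of a miss is an OCR complaint.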
The FTC Consumer Reviews Rule (October 2024)
The FTC’s Final Rule on Consumer Reviews and Testimonials took effect October 21, 2024. The Rule formalizes specific prohibitions and makes them independently enforceable. Civil penalties run up to $53,088 per violation as of 2025, and each day of a continuing violation counts as a separate violation.
The Rule covers six areas in total. The four most directly relevant to clinic review strategy are below. (The other two address company-controlled “independent” review websites and fake social media indicators like purchased followers, which apply less directly to typical clinic operations.)
Creating, buying, or disseminating fake reviews. This includes staff-written reviews, reviews from people who have not used the practice, and paid review services that generate inauthentic reviews. The penalty applies per fake review, which means a sustained fake-review campaign can compound quickly.
Suppressing honest negative reviews. Selectively publishing only positive reviews is now an independently enforceable violation. This includes deleting negative Google reviews through improper flag-and-remove tactics, filtering review widgets to hide negative content, and any systematic practice that prevents honest negative feedback from being published.
Paying for reviews that are required to be positive. The Rule prohibits offering compensation for a review when the offer is conditioned, expressly or by implication, on the review expressing a particular sentiment, whether or not the incentive is disclosed. An incentive for an honest review is not banned by the Rule, but the Endorsement Guides still require clear and conspicuous disclosure of it, prominent enough that ordinary patients can see and understand it. (Google prohibits the incentive regardless of disclosure; see the next section.)
Insider reviews without disclosure. Reviews written by staff, owners, or anyone with a material connection to the practice must disclose that connection clearly.
The Consumer Reviews Rule applies independently of the FTC’s revised Endorsement Guides (July 2023). The Endorsement Guides set the standards. The Rule makes specific practices directly enforceable with civil penalties.
Incentivized Reviews: What Is and Is Not Allowed
Clinic owners often ask if they can offer something in exchange for a Google review. The answer is no. And the consequences are serious.
Google bans any incentive given in exchange for a Google review. That includes cash, discounts, gift cards, free services, raffle entries, loyalty points, or anything else of value. Google calls these “Fake Engagement” under its prohibited content policy.
The rule applies in every direction. It does not matter if you disclose the incentive. It does not matter if you ask for an “honest” review instead of a positive one. The FTC sometimes allows incentives when you disclose them properly. Google does not. The two rule sets are not the same, and Google’s is stricter.
Violations come with real costs. Google can remove every review tied to your incentive campaign. Google can post a public warning on your profile. Google can block your profile from getting new reviews. Google can suspend your profile entirely.
Enforcement has gotten tougher since 2024. Google now uses automated systems to flag patterns that suggest paid or rewarded reviews, even when no one openly admits to offering an incentive. Patterns like sudden review spikes, similar phrasing across reviews, or reviews tied to the same IP range can all trigger a flag.
What this means for your practice: Stop running review contests. Stop offering anything for a review. The risk is not worth a handful of extra five-star ratings.
The better path is asking every patient at the right moment, with no incentive attached. The next section covers how.
How to Ask for Reviews Compliantly
The request itself is not a HIPAA violation. What the request must avoid is referencing specific treatments or outcomes in a way that creates a PHI trail outside a compliant channel.
Ask in person at checkout or at the end of the visit. A verbal request from a front office team member is the highest-leverage and lowest-risk method available: no written record, no digital transmission, no PHI involved. “We would appreciate it if you shared an honest review of your experience on Google.” Keep the wording neutral rather than conditional (“if you were happy with your visit…”), so the ask itself does not screen for satisfaction.
Use a general post-visit follow-up that does not reference treatment. A short message that references the visit generally is fine. “Thank you for visiting [practice name]. If you would like to share your experience, we would appreciate a Google review at [link].” The message references the practice, not any specific treatment or outcome.
If automating, use a HIPAA-compliant review management platform. Platforms that send review requests on behalf of healthcare practices and store patient contact data must have a Business Associate Agreement (BAA) in place. Standard reputation management platforms not designed for healthcare are not HIPAA-compliant by default. The BAA is the operative legal instrument. Without one, the platform’s handling of patient contact data may itself create exposure. A BAA is necessary but not sufficient: send the platform only what it needs to deliver the request (name and a contact method), never the visit reason, diagnosis, or procedure. HIPAA’s minimum necessary standard governs what you share with a business associate, and a treatment detail merged into the vendor’s message template puts PHI into an SMS or email the patient may forward or screenshot.
Do not use review gating. Review gating is the practice of sending review requests only to patients who first indicated satisfaction on an internal survey. The FTC treats this as suppression of honest negative reviews: the revised Endorsement Guides call out soliciting reviews only from customers expected to be positive as deceptive, and the Consumer Reviews Rule puts civil penalties behind review suppression. Google’s prohibited and restricted content policy for Maps reviews bans the same thing, along with incentivized reviews and fake engagement. If you screen for satisfaction before pushing patients to Google, you are filtering negative feedback out of the public review profile, which is FTC exposure and a policy violation under Google’s own platform rules. The test is simple: would a patient who rated you 2 out of 5 on the internal survey receive the same Google link as one who rated you 5? If not, you are gating.
The compliant approach is simple. Ask every patient. Take whatever rating they give. Let the review profile be honest.
Patient Testimonials in Marketing: The Third Layer
For regen clinics specifically, patient testimonials used in marketing carry a third compliance layer beyond HIPAA and FTC.
If a patient testimonial describes a disease outcome (“my knee pain was gone after stem cell therapy,” “my exosome treatment resolved my joint condition”) and the clinic uses that testimonial in marketing, the testimonial becomes a disease outcome claim for an unapproved procedure. As covered in our compliance playbook for regen clinic email marketing, disease outcome claims for unapproved procedures create FDA and FTC exposure separate from the HIPAA question.
The practical guidance: testimonials used in regen clinic marketing should describe the experience of working with the practice and provider, not the clinical outcome of the procedure. “The consultation was thorough and the provider explained everything clearly” is safe. “My joint pain was gone after three months” is not.
For patients who post outcome testimonials on Google or other public platforms, the clinic should not republish them in marketing materials. Republishing a third-party testimonial makes the clinic the advertiser responsible for the underlying health claim, regardless of who originally said it. The same logic applies to before-and-after content shared in any marketing channel.
The testimonial issue is one of the highest-risk patterns in regen clinic marketing across channels.
How This Looks in Practice
A regen clinic had a strong Google review profile until a patient posted a negative review describing a dissatisfying consultation. The practice owner, frustrated, responded publicly. The response explained that the patient had received a complete evaluation, referenced the specific clinical findings, and described why the clinic had recommended a different treatment than the patient had requested.
The response was well-intentioned. It was also a HIPAA violation. It confirmed the reviewer was a patient. It disclosed clinical evaluation findings. It described the clinic’s treatment recommendation. All three were PHI disclosed without authorization. The practice deleted the response and consulted qualified legal counsel.
After a process change: all review responses were routed through the practice manager using the compliant templates above. The owner did not respond directly to any review. Positive reviews received a generic thank-you. Negative reviews received an invitation to contact the office privately. No PHI in any public response, ever.
The review profile improved over time. Not because the negative review was managed away. Because the practice implemented a consistent in-person review request at checkout, the volume of organic positive reviews increased, and the negative review became a smaller part of a larger and growing total. The strategy that works in healthcare is not response defense. It is volume through compliant requests and brief, generic public responses.
Frequently Asked Questions
Can I Ask Patients to Leave a Review?
Yes. The request itself is not a HIPAA violation. Keep the request general and do not reference specific treatments or outcomes in the message. In-person verbal requests at checkout are the lowest-risk method.
Can I Acknowledge That Someone Is My Patient in a Review Response?
No. Acknowledging the treatment relationship is itself a PHI disclosure under HIPAA. Even saying “thank you for being our patient” is an impermissible disclosure. The compliant response is to thank the reviewer for sharing their experience without confirming any relationship.
What Happens If I Suppress or Delete Negative Reviews?
Suppression of honest negative reviews is a violation of the FTC Consumer Reviews Rule, with civil penalties up to $53,088 per violation as of 2025. The FTC treats review gating (only sending review requests to satisfied patients) as suppression. Improperly flagging legitimate negative reviews for removal is also covered.
How Do I Respond to a Negative Review Without Violating HIPAA?
Use a brief, generic response that expresses concern about the negative experience and invites private contact. Do not confirm the reviewer is a patient. Do not explain what happened. Do not defend the care. Move the conversation to a private channel where, if the reviewer chooses to identify themselves, you can have a substantive discussion with proper authorization.
Can I Use Patient Testimonials in My Marketing?
Yes, with two cautions. First, using a patient’s information in marketing requires a valid HIPAA authorization signed by the patient (45 CFR 164.508), which must specifically cover the marketing use. Second, the content of the testimonial should describe the experience of working with the practice, not the clinical outcome. Outcome-based testimonials for unapproved procedures create FDA and FTC exposure on top of the HIPAA question.
Does HIPAA Apply to My Specific Practice?
Most regenerative medicine physicians, physician groups, and licensed clinical practitioners qualify as HIPAA covered entities. The exact classification depends on the business structure and the electronic transactions involved. Consult qualified legal counsel to confirm covered entity status for your practice.
What Is Review Gating and Why Is It Prohibited?
Review gating is the practice of sending review requests only to patients who indicate satisfaction on an internal survey before being directed to Google. The FTC treats this as suppression of negative reviews because it systematically filters honest negative feedback out of the public profile, and Google’s review policy prohibits discouraging negative reviews.
Key Takeaways
HIPAA prohibits disclosing PHI in review responses. Confirming the treatment relationship, referencing the procedure, or describing clinical findings in a public response is a violation, even when the patient posted publicly first.
OCR has issued real fines for review response violations. Documented cases include $50,000 for confirming a patient name and treatment details, and $30,000 for disclosing a mental health diagnosis in a defense response.
The FTC Consumer Reviews Rule (Oct 2024) prohibits fake reviews, suppression of honest negative reviews, incentives conditioned on a positive review, and undisclosed insider reviews. Civil penalties exceed $50,000 per violation.
Review gating is prohibited. Sending review requests only to satisfied patients before directing them to Google is treated by the FTC as suppression of negative reviews and by Google as a policy violation.
Under FTC rules an incentive for an honest review must be disclosed and an incentive for a positive review is prohibited outright, but Google independently prohibits all incentivized Google reviews regardless of disclosure. Most clinics will be better served asking every patient without incentives.
Patient testimonials in regen marketing carry a third compliance layer. Outcome-based testimonials for unapproved procedures create FDA and FTC exposure separate from HIPAA.
Legal counsel is not optional. Consult qualified legal counsel before launching any review strategy, before responding to your first review under a new template, and before using any patient testimonial in marketing.
Let’s Build a Review Program That Works
If your clinic’s review strategy is built on the standard playbook (defend the practice, screen for satisfaction, respond to every review with detail), you are running real HIPAA and FTC exposure for marginal benefit. The compliant approach is simpler, more sustainable, and produces better long-term review profiles because the volume is honest.
Regen Portal builds reputation management and review programs for regenerative medicine clinics with HIPAA and FTC compliance built into the process from the first message a patient receives.
For a conversation about your specific situation, reach out at [email protected].
For deeper dives on compliance, reputation management, and marketing strategy, subscribe to the Regen Portal YouTube channel: https://www.youtube.com/@oatellez
About Regen Portal
Regen Portal is a marketing company serving the regenerative medicine industry. We provide SEO, content creation, social media management, paid advertising, website development, and branding services for clinics, manufacturers, distributors, and independent providers. Some strategies discussed in our educational content align with services we offer. For more information, contact us.
About the Author
Oscar Tellez is the founder of Regen Portal, a marketing company built for the regenerative medicine industry. With over 15 years of experience spanning clinical operations, product distribution, and digital marketing, Oscar has helped hundreds of practices, manufacturers, and distributors grow through compliant, high-performance marketing strategies. He holds a B.S. in Exercise Physiology and Health Promotion from Florida Atlantic University.


