Call Us Today! 877-659-2467

Google Reviews on Medical Websites: HIPAA Compliance Risks

HIPAA Risks of displaying Google Reviews on a medical website

Patients trust online reviews. A strong Google rating can influence where someone chooses to receive care. As a result, many medical practices display Google reviews directly on their websites to build credibility and attract new patients.

While this may seem harmless, healthcare organizations should carefully evaluate the HIPAA implications before embedding or displaying patient reviews. What appears to be a simple marketing strategy can create privacy and compliance risks.

Can Medical Practices Display Google Reviews on Their Website Without Violating HIPAA?

Patients may voluntarily post reviews about their own healthcare experiences on Google. HIPAA does not prevent patients from sharing their own health information publicly.

The compliance issue arises when a healthcare provider republishes those reviews on its own website.

Republishing a patient’s review may be viewed as using or disclosing protected health information (PHI) for marketing or promotional purposes. Even though the patient made the information public, HIPAA does not automatically grant the provider permission to reuse it.

The fact that information is publicly available does not eliminate a covered entity’s HIPAA obligations.

Does a Google Review Contain PHI?

Protected Health Information is individually identifiable health information that relates to an individual’s past, present, or future health, healthcare, or payment for healthcare.

Many patient reviews include statements such as:

  • “Dr. Smith treated my diabetes.”
  • “The staff helped me through chemotherapy.”
  • “I had cataract surgery here.”
  • “My child received ADHD treatment.”

When a healthcare provider republishes these reviews, the practice is associating an identified individual with healthcare services it provided. That combination may constitute PHI.

What If Only Initials Are Used?

Some practices believe replacing the patient’s full name with initials eliminates the HIPAA concern.

Unfortunately, it may not.

Initials often do not fully de-identify an individual. Combined with other information, such as the provider’s specialty, procedure performed, date of service, location, or the original review still available on Google, the individual may remain identifiable.

HIPAA’s de-identification standard requires that there be no reasonable basis to identify the individual. Simply changing “John Smith” to “J.S.” rarely satisfies that standard.

No.

Posting a review on Google demonstrates that the patient chose to share information with the public. It does not necessarily authorize the healthcare provider to reuse that information for its own marketing.

HIPAA authorizations have specific regulatory requirements. They generally must:

  • Clearly describe the information being used or disclosed.
  • Identify who may use the information.
  • Identify who may receive it.
  • Explain the purpose of the disclosure.
  • Include an expiration date or event.
  • Inform the individual of their right to revoke the authorization.
  • Be signed by the patient or personal representative.

A Google review does not meet these requirements.

Embedded Google Reviews May Create Additional Privacy Risks

Many practices use Google review widgets that automatically pull reviews onto their websites.

These widgets may introduce additional privacy concerns beyond the review itself.

Depending on how the widget functions, it may:

  • Load content directly from Google servers.
  • Place cookies on visitors’ browsers.
  • Collect IP addresses or device identifiers.
  • Share website activity with third parties.
  • Trigger analytics or advertising technologies.

If review widgets operate alongside analytics, advertising pixels, or other tracking technologies, practices should carefully evaluate whether protected health information could be disclosed to third parties.

Healthcare organizations should inventory all third-party technologies operating on their websites and determine whether appropriate safeguards, contracts, and configurations are in place.

OCR Has Increased Scrutiny of Website Tracking

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has repeatedly emphasized that healthcare organizations are responsible for understanding how third-party technologies collect and transmit information from their websites.

Authenticated patient portals, appointment scheduling systems, online bill payment pages, and other areas where visitors interact with healthcare services require particular attention.

Even public-facing websites deserve careful review when technologies collect information that could become individually identifiable in a healthcare context.

Best Practices for Medical Practices

If your practice wants to highlight positive patient experiences, consider these recommendations:

  • Obtain a HIPAA-compliant authorization before republishing identifiable patient testimonials.
  • Avoid copying reviews directly from Google without authorization.
  • Do not assume publicly posted information removes HIPAA obligations.
  • Evaluate whether review widgets transmit visitor information to third parties.
  • Conduct periodic website privacy and security reviews.
  • Review all analytics, advertising pixels, chat tools, and embedded third-party content.
  • Work with legal counsel or your HIPAA compliance team before implementing new marketing technologies.

Another Approach

Consider asking satisfied patients to provide a separate written testimonial using a HIPAA-compliant authorization form designed specifically for marketing purposes.

This approach provides clear documentation that the patient understands how the testimonial will be used and protects both the patient and the practice.

The Bottom Line

Google reviews are valuable marketing tools, but healthcare providers must approach them differently than most businesses.

A patient may choose to publicly discuss their healthcare experience, but that does not automatically give the provider permission to republish that information on its own website. In addition, embedded review technologies may introduce separate privacy risks that require careful evaluation.

HIPAA compliance extends beyond policies and training. It includes understanding how everyday marketing decisions can affect patient privacy.

Before displaying patient reviews on your website, make sure your practice has evaluated both the HIPAA authorization requirements and the privacy implications of the technology used to display them.

Disclaimer: This article is intended for educational purposes and does not constitute legal advice.

Protect Your Organization Before It’s Too Late

At Aris Medical Solutions, our HIPAA Keeper cloud-based platform makes HIPAA compliance simple. It guides your organization through every requirement with a clear, step-by-step process. From risk analyses and policies to employee training and required documentation, you’ll have everything needed to remain compliant, protected, and audit-ready. Best of all, your HIPAA Compliance Officer is never on their own. Every client has access to a Certified HIPAA Security Analyst who provides expert guidance, answers questions, and helps ensure your compliance program is implemented correctly.

Protect your practice — and your patients.

Schedule a free HIPAA checkup today at Aris Medical Solutions.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

HIPAA Checklist vs True Compliance

July 8, 2026
©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC