I recently had a practice reach out to me asking about how HIPAA applies to patient testimonials. I am re-posting this “oldie but goodie” in response to that question.

Patient reviews have become a critical component of a practice's marketing. They help attract new patients, they paint a picture of your staff and of you as a care provider, and they serve as a valuable form of advertisement. But they can also cause huge problems and cost a lot of money in penalties if you don’t follow the rules that keep you in compliance with HIPAA. How big? In a recent case, an organization was found to have posted pictures and protected health information of clients on its website without following appropriate practices. The $25,000 fine also came with a plethora of restrictions that this clinic will be following for the next THREE YEARS.

Protecting yourself from this costly mistake and remaining HIPAA compliant requires only a few simple, but important, steps.

First – Be certain that you are NOT revealing any protected health information beyond what the patient has specifically authorized. Remember that a name, a photo, a diagnosis, treatment details, or even the simple fact that someone is your patient is protected health information once it comes from your practice. Remind patients who wish to write testimonials of this, and make certain that anyone on your staff who posts content or testimonials understands this requirement as well.

Second – For any patient testimonial, you must have an agreement and authorization form signed by the patient before the testimonial is posted. A valid authorization describes what will be disclosed, where it will be posted, and for what purpose, and tells the patient that the authorization can be revoked. Planet HIPAA has created a FREE Client Testimonial Authorization Form (scroll through the blog to the link) which you can use to be certain your organization is staying compliant. This simple form can be used to educate both staff and patients and will help protect you against accidentally releasing protected information.

Third – Maintain written HIPAA policies and make a copy available to all patients. These policies must include one that explains A) the use and disclosure of patient health information on your website and social media pages; B) the process for obtaining a patient's authorization to use their information; and C) the creation and use of a valid authorization form. Every employee must read and understand this policy, and the policy should include the employee’s signature acknowledging that they will comply with it.


Failing to follow these procedures can be costly to a practice both in money and in resources. Even when the release of personal health information is accidental and without malice, the ramifications for even a large practice can be catastrophic. With a small amount of forethought and attention to detail, you can still benefit from the testimonials of your patients without risking their privacy or your operations. By following these simple requirements, you can protect both your patients and your practice.

To learn more about HIPAA compliance, visit the Department of Health and Human Services website.

P.S. Want to know more about HIPAA? We’ve created an entire guide all about how HIPAA applies to texting and email. Check it out.