For most local businesses, responding to a negative review is straightforward: acknowledge the situation, apologize if warranted, offer a resolution. For therapists, that playbook creates a compliance exposure the moment you confirm the person leaving the review was ever in your care.
HIPAA's Privacy Rule (45 CFR § 164.502) prohibits disclosing protected health information without patient authorization. The identity of someone receiving mental health treatment is itself PHI. A response that says "We're sorry your experience in our sessions fell short of expectations" has just confirmed a treatment relationship—publicly, in writing, indexed by Google.
The APA Ethics Code adds another layer. Standards 5.01 through 5.06 govern public statements, advertising, and testimonials. Therapists may not solicit testimonials from current clients or from former clients who may be in a vulnerable position. This effectively rules out the most common reputation-building tactic used by dentists, lawyers, and nearly every other local service professional: asking satisfied clients to leave a review.
The result is an asymmetric challenge. Dissatisfied patients face no such constraints—they can write detailed, emotionally charged reviews freely. Therapists responding to those reviews must operate within a narrow compliance corridor.
This is not a reason to avoid reputation management. It is a reason to approach it with a clear, pre-planned framework rather than reacting in the moment. Therapists who have that framework in place respond consistently, calmly, and compliantly—and that consistency is itself a trust signal to prospective patients reading the exchange.
Educational note: The regulatory summary above reflects general interpretations of federal HIPAA rules and APA guidelines. State licensing boards may impose additional or conflicting requirements. This content is not legal advice. Consult a healthcare attorney and your state board for guidance specific to your practice.