Case Study: Online Comment Costs DC $25,000

A single negative review sparked a response that crossed a professional line — and didn't end online. What followed turned a moment of frustration into an expensive lesson in privacy, professionalism, and restraint.

Dr. Harris Pollard is the owner of a single-provider clinic in the Indianapolis suburbs. Due to the size of the community he practices in, Dr. Pollard is sensitive to market factors which impact his business, including the needs and viewpoints of his patients. He has invested time, energy, and money to develop his practice into a recognizable and respected facility in the area.

Dr. Pollard tries to be forthcoming with information to his patients regarding their treatment, provider decision-making, and patient satisfaction, and encourages his satisfied patients to leave helpful and productive reviews of his clinic and care on social media and review aggregators. His patients have generally been happy, leaving Dr. Pollard with more than 140 positive reviews on a popular aggregator. He usually responds to the reviews, thanking the patient and providing a short blurb about the services his clinic provides. He feels this helps him engage more with the community and market his services in a public setting without the need for expensive ad-buys; positive reviews lead to more patients.

Case Analysis

In early 2024, Dr. Pollard noticed that a handful of negative reviews had been posted, including issues with clinic staff and criticisms of Dr. Pollard’s treatment decisions.

One particularly negative review suggested Dr. Pollard made an inappropriate treatment recommendation which stalled the patient’s recovery. Infuriated that his professional qualifications and decision making were being publicly questioned, Dr. Pollard decided to respond and, in so doing, posted a screenshot of the patient’s chart note from Dr. Pollard’s electronic charting platform.

Dr. Pollard also suggested in his response that the patient was not being truthful with her medical providers and that the patient only sought care with Dr. Pollard so that her workers’ compensation claim would continue to be paid for and she would have access to the “prescription medication she so clearly needs.”

After an exchange of comments on the platform, the patient decided to file a complaint with the state Chiropractic Board about Dr. Pollard’s behavior and his disclosure of protected health information. In response, Dr. Pollard then reengaged on the review platform and threatened the patient with a lawsuit for filing “such a bogus complaint.”

The Chiropractic Board, however, did not find the complaint bogus. Instead, after a thorough investigation, the Board found that Dr. Pollard’s actions violated state and federal patient confidentiality protections, publicly humiliated the patient by posting the patient’s chart online and suggesting the patient had medication dependency issues, and harassed the patient by threatening to retaliate against the review with a lawsuit.

The Outcome

All told, the Board disciplined Dr. Pollard, fining him $25,000 and mandating 25 hours of continuing education in compliance, protected health information and confidentiality, HIPAA, unprofessional conduct, and professional standards. They also issued a formal public reprimand for his actions.

It is notable, though, that the Board made no finding as to the specific care Dr. Pollard provided to the patient — the Board disciplined Dr. Pollard not for any treatment, care, or medical decision-making, but instead emphasized Dr. Pollard’s unprofessional and violative conduct in responding to a negative review.

This suggests that had Dr. Pollard reacted differently, the Board investigation would likely have led to no findings and been dismissed without incident. Instead, Dr. Pollard will now have a public reprimand on his record.


What Can We Learn? 

Confirming Patient Status May Violate HIPAA

The clear basis for Dr. Pollard’s discipline was his actions in violating patient confidentiality protections.

First, HIPAA protects all "individually identifiable health information" held or transmitted by a clinic, in any form. Such information includes the individual’s name, physical condition, and provision of health care services from the provider. Even if a reviewer identifies themselves, a provider cannot confirm they are, or were, a patient. In other words, public confirmation of a patient/provider relationship may be a HIPAA violation if done by the provider. It is important to appreciate that a patient’s own disclosure is not permission for the provider to disclose anything.

As applied to Dr. Pollard, even acknowledging the patient was in fact his patient violated her patient privacy protections.

Posting a Patient's Chart is a Clear HIPAA Violation

Under the HIPAA Privacy Rule, a provider cannot disclose an identifiable patient’s specific medical condition, diagnosis, or treatment, dates of service, or billing/payment information.

Dr. Pollard publicly posted the patient’s chart on the review forum, clearly violating HIPAA protections. But even an inadvertent disclosure of identifiable health information is still a HIPAA violation. In fact, the violation of privacy rights is one of the leading causes of federal investigations by the Department of Health and Human Services. These inadvertent violations can likely be resolved via corrective action, such as a policy statement from the clinic on how it will address patient privacy in the future. Willful violations of HIPAA, though, can lead to further investigation, audit, and financial penalties, with penalties for willful violations ranging from $14,000 to a maximum of $2.1 million.

Planning Ahead

Consider creating a template for your responses to reviews. Regardless of whether a review is positive or negative, providers must be cautious in how they respond. For positive reviews, consider implementing a brief template response thanking the reviewer for their time and effort without confirming that they are your patient. Even boilerplate responses suggest you value your patients and their time in commenting and recommending you to others.

For negative reviews, consider a template response which shows you take patient feedback seriously, addresses that patient privacy laws preclude any disclosure of further information, and invites the reviewer to contact the clinic to discuss their concerns.

Never disclose any treatment rendered, dates of service, or ongoing issues with the reviewer in a public setting.

Also, don't be afraid of negative reviews. Often your public response to pesky reviewers says more about your professional reputation and candor than most positive reviews can. One bad review will not destroy your practice or reputation. Only 3% of all reviews directed at Dr. Pollard were negative. But reacting to a negative review can impact your license and your ability to treat the patients who value you and your effort.


About the Author

Joseph A. Pickels is a Senior Associate with Brisbee & Stockton, LLC in Hillsboro, Oregon. He focuses his practice on healthcare and professional liability defense and represents healthcare providers and employers before state and federal courts, administrative and licensing boards, and with OSHA and HIPAA compliance in Oregon and Washington.

Although this case study is based on a real case, names, dates and details have been changed to protect patient and doctor privacy.