HIPAA Compliance
Last Updated: March 22, 2026
NotedRx helps dental and healthcare practices respond to online patient reviews while reducing the risk of inadvertent HIPAA violations. This page explains our approach to compliance and the role NotedRx plays in your practice's compliance efforts.
NotedRx Does Not Guarantee HIPAA Compliance
NotedRx is a risk-reduction tool, not a compliance guarantee. While our platform is designed to generate responses that avoid common HIPAA pitfalls, no software can guarantee full compliance with HIPAA or any other healthcare regulation.
Your practice is solely responsible for its own HIPAA compliance. This includes reviewing and approving every response before it is posted publicly, maintaining appropriate HIPAA training for staff, and consulting with qualified legal counsel about your compliance obligations.
NotedRx should be used as one component of your overall compliance strategy—not as your only safeguard.
The Problem We Solve
Online reviews create a unique HIPAA challenge for healthcare practices. When a patient posts a review, they may reveal details about their care. But when a practice responds, it must be extremely careful not to:
- Confirm or deny that the reviewer is a patient
- Reference any specific treatments, procedures, or diagnoses
- Mention appointment dates, times, or other scheduling details
- Disclose any information that could be considered protected health information (PHI)
Even well-intentioned responses like “We're sorry about your experience during your visit” can be interpreted as confirming a patient relationship—a potential HIPAA violation. Fines for HIPAA violations can range from $100 to $50,000 per violation, with annual maximums up to $1.5 million.
How NotedRx Reduces Risk
Compliance-First Response Generation
Our AI is specifically designed to generate responses that do not confirm or deny patient relationships, reference specific treatments, or disclose PHI. This is not a filter applied after generation—it is built into the core logic of how responses are created.
No Patient Acknowledgment
Generated responses use general language that addresses the reviewer's concerns without acknowledging whether they are a patient. Responses refer to "everyone who visits our office" rather than "your visit" or similar confirming language.
No Treatment References
Even when a review mentions specific procedures or treatments, generated responses do not reference those details. The AI is trained to address concerns at a general level without echoing clinical specifics.
Offline Resolution Guidance
Responses are designed to invite the reviewer to continue the conversation through private channels (phone, in-office), which is consistent with HIPAA best practices for handling patient concerns.
What NotedRx Is
- A tool that helps practices draft review responses that avoid the most common HIPAA mistakes
- An AI assistant that generates responses following HIPAA-conscious guidelines
- A time-saving solution that standardizes the quality and safety of review responses
- A risk-reduction layer in your practice's overall compliance strategy
What NotedRx Is Not
- Not a guarantee of HIPAA compliance. No software can guarantee compliance with HIPAA in all circumstances. Automated systems can reduce risk but cannot eliminate it entirely.
- Not a replacement for legal counsel. NotedRx does not provide legal advice. Practices should consult with qualified healthcare attorneys about their specific compliance obligations.
- Not a replacement for HIPAA training. Staff should still be trained on HIPAA requirements, including how to handle patient communications and review responses.
- Not a Business Associate. NotedRx does not access, store, or process electronic health records or clinical patient data. We process publicly posted review text and practice profile information to generate response drafts.
- Not a compliance audit or certification. Using NotedRx does not constitute a HIPAA compliance audit, and we do not certify that your practice is HIPAA compliant.
Your Responsibilities
When using NotedRx, your practice is responsible for:
- Reviewing every response before posting it publicly. AI-generated content should always be reviewed by a human who understands your practice's specific context and compliance requirements.
- Maintaining a HIPAA compliance program that includes staff training, risk assessments, and policies for handling patient information.
- Not adding PHI to the platform beyond what appears in the original review text. Do not input patient names, chart details, treatment information, or other PHI when generating responses.
- Consulting legal counsel for questions about your specific compliance obligations under HIPAA, state privacy laws, or other applicable regulations.
Data Handling
NotedRx processes review text through our AI system to generate responses. Here is how we handle this data:
- Review text and generated responses are encrypted in transit and at rest
- We do not use your review data to train AI models or share it with other customers
- We do not access, store, or process electronic health records or clinical patient data
- You can delete your review data and generated responses at any time
- For full details, see our Privacy Policy
OCR Guidance on Online Reviews
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has addressed the topic of healthcare providers responding to online reviews. The key guidance is clear: providers must not disclose PHI in response to a review, even if the patient has already shared details publicly.
NotedRx's response generation is designed with this guidance in mind. However, OCR guidance evolves, and practices should stay informed about current regulatory expectations.
Questions
If you have questions about how NotedRx approaches HIPAA compliance, or if you need information for your practice's compliance records, contact us at support@notedrx.com.
For questions about your practice's specific HIPAA obligations, we recommend consulting with a qualified healthcare compliance attorney.