Not responding to negative posts may give other readers the impression the review is legitimate, even when it is not, so your instinct is to fight false claims being made against your business. While the HIPAA does not specifically address handling online reviews, it is still possible to extrapolate what is and isn't permitted.
Patients can disclose their own information as much as they want, but healthcare providers should not actively aid the patient in the disclosure. In the case of a review, the patient is the one who initiates the public disclosure of protected health information (PHI); therefore, you are not at fault of anything...yet.
Avoid Acknowledgement of Patient Status
At the root of online reviews is the reasonable assumption that the person leaving the review is a patient of the provider for which the review is intended. Since healthcare providers are precluded from identifying patients in any way, the mere act of acknowledging the reviewer is a patient is a HIPAA violation. This doesn't mean you can't respond, you just can't aid in the patient's self disclosure.
Here is an example of a possible reply to a bad review. Notice the absence of patient status being acknowledged.
Clinical Information Disclosure
The typical review, good or bad, will usually contain some form of clinical information. Confirming clinical information is far more precarious than patient status acknowledgement. Avoid ever posting anything related to the symptoms or treatment of an individual online. Even when a patient posts a raving review of your masterful skills, never add to the disclosure already made by the patient.
If you have a happy patient wanting to tell everyone about their great experience, it's best to guide them to authorizing the use of their post as a testimonial, but you can still reply with a "Thank you!" After all, the HIPAA doesn't exist to take away human decency, quite the opposite in fact.
So, can you reply to negative reviews? Yes. As long as you follow the guidelines above.