Healthcare providers, beware: You cannot respond to bad online reviews by disclosing your patients’ protected health information (or PHI).

As you know, PHI refers to any health information that identifies or could be used to identify a patient. If you’re not sure what counts, do your homework or call your lawyer. But don’t disclose it online or you may have to deal with the federal government.

Earlier this month, the U.S. Department of Health & Human Services (HHS) settled with a small dental practice that allegedly divulged the PHI of some patients in responding to reviews on its Yelp page. The investigation began when a patient complained that it disclosed her last name, treatment plan, and insurance information in responding to her review. The government then discovered other instances of it as well.

The dental practice did not admit liability in the settlement, but it did have to pay $10,000, bring itself into compliance, and certify its compliance to the government for at least two years. If it doesn’t then it could incur much stiffer fines and penalties. Plus, it likely paid a lot more in legal fees to defend and resolve the case.