Negative online reviews are a concern for many businesses—but they present a unique challenge for healthcare providers, who are restricted by federal and state privacy laws in how to respond. Is the answer to have patients sign a form agreeing in advance of treatment not to make or post negative comments? According to a recent decision by a federal judge in Washington State, the approach tried by one plastic and cosmetic surgery practice runs afoul of a little-known federal law called the Consumer Review Fairness Act (“CRFA”). The case presents a cautionary tale for doctors and other providers who are looking for ways to protect their image and brand.

In this post, we look at the CRFA and how it was analyzed and applied in the federal court case, and offer takeaways from the decision that went against the medical provider. 


The federal CRFA, enacted in 2016, prohibits the use of gag clauses and nondisparagement provisions in consumer form contracts. The statute is enforced by the Federal Trade Commission and at the state level and has no private right of action, but it carries significant consumer protection and class action implications. The statute became effective in March 2017.

Section 2(b) of CRFA generally voids form contracts that prohibit or restrict “the ability of an individual who is a party to the form contract to engage in a ‘covered communication.’” “Covered communication,” in turn, is defined as a “written, oral, or pictorial review, performance assessment of, or other similar analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is a party to a form contract[.]” A “form contract,” meanwhile, generally means one with standardized terms that are:

  1. used by a person in the course of selling or leasing goods or services; and
  2. imposed on an individual without a meaningful opportunity to negotiate the standardized terms. The statute explicitly states that “form contract” does not include an employer-employee or independent contractor contract.

In addition to voiding certain form contracts, Section 2(c) of the statute holds that “it shall be unlawful for a person to offer a form contract containing a provision described as void in subsection (b).”   

The first CRFA enforcement actions, announced in May 2019 by the FTC, involved entities as diverse as a Pennsylvania-based heating and air conditioning company, a Massachusetts-based flooring company, and a Las Vegas-based trail riding company. Subsequent FTC actions have involved credit repair, property management, vacation properties, and other ventures with various moneymaking schemes.

The statute also authorizes the attorney general of a state to bring a civil action on behalf of the residents of that state, and these have been even rarer. Yet as the State of Washington noted in its September 2023 Motion for Partial Summary Judgment, the goals that drove the CRFA to be enacted in the first place are especially relevant in the health care context—i.e., “the importance of ensuring that consumers can freely communicate regarding a seller’s goods, services, and conduct.” After this decision, we may be seeing more CRFA litigation, and more in the health care space.

State of Washington v. Alderwood Surgical Center

Defendant Allure Esthetic (doing business under several names, including Alderwood Surgical Center), and its owner, Javad A. Sajan, M.D, were understandably concerned with maintaining a strong and positive reputation online. Yet for Plaintiff State of Washington, and ultimately, the U.S. District Court for the Western District of Seattle, all three versions of defendants’ pre-service form nondisclosure agreements (“NDAs”)—presented to more than 10,000 patients between 2017 and 2022—crossed the CRFA line. The State reserved the question of whether defendants’ post-service NDAs violated the CRFA, as well as its Health Insurance Portability and Accountability Act (HIPAA) and state Consumer Protection Act claims.

The first version of the pre-service agreements, used briefly in August 2017, prohibited patients from posting any “negative review,” meaning “anything less than 4 stars and any negative comments.” It also required patients to agree to a $250,000 fine and, in case of a problem, to contact Allure and to allow a response from the business— “with my personal health information.”

While the second version did not prohibit negative reviews, patients still had to contact the practice and to allow for a response first, with the same agreement regarding personal health information. Instead of a $250,000 fine, patients had to agree to pay monetary damages for any losses to the business caused by the negative review. The third NDA, meanwhile, restricted and potentially prohibited patients from posting negative reviews with no financial penalty. The agreements were eventually moved online as part of the new patient process, where patients had to agree or decline.

Finding no need for oral argument, U.S. District Judge Ricardo S. Martinez granted the State of Washington’s motion for partial summary judgment, finding that “the NDAs at issue clearly include language prohibiting or restricting patients from posting negative reviews.” The judge agreed that the documents at issue were precisely the kind of form contract envisioned by the CRFA—prohibiting or restricting the ability of individuals to engage in a covered communication, void from the inception, and also unlawful for the defendants to offer. “The State argues, and the Court agrees, that they were offered as identical form contracts on a take-it-or-leave-it basis,” Judge Martinez wrote. “It is indisputable that Allure’s pre-service NDAs were used in the course of selling services to patients.”

The judge rejected defendants’ assertions that the NDAs were not form contracts and that the patients had a meaningful opportunity—as opposed to a possibility—of modifying the terms (some patients elected to make handwritten changes to the NDAs or to refrain from signing). Even the lack of an explicit financial penalty in the third version, the court found, was not enough to escape CRFA scrutiny. The NDAs at issue violated the CRFA on its face in unlawfully restricting patient reviews, it stated, “because each version prohibits or restricts the ability of an individual who is a party to the form contract to engage in a covered communication…and impose[s] a penalty or fee against an individual who is a party to the form contract for engaging in a covered communication.”

Challenges for Health Care Providers: Implications and Takeaways

Healthcare providers concerned about negative commentary will want to consider consulting with counsel and other professionals about the best proactive approaches as well as response and mitigation plans.  However, the Alderwood Surgical decision is an opportunity to look at potential risks and options that might be considered. As noted in the pleadings, a 2023 survey of nearly 600 plastic surgery patients saw online reviews as an important factor in deciding to have surgery.

No doctor we know agrees with the saying that “all publicity is good publicity.” Negative commentary can be damaging to any business, but perhaps more so to one involving professional services and people’s healthcare. While the decision did not discuss the HIPAA Privacy Rule protecting individuals’ health information, the inability to respond publicly due to privacy and confidentiality laws is both real and frustrating for providers. Getting patients to agree as a condition of treatment not to post negative comments might seem attractive.

However, Alderwood Surgical demonstrates the risk of taking this approach the wrong way and leads us to some questions and observations.

First, is it even worth trying? Will dissatisfied patients really be deterred from posting comments because of a form they signed? Will they even remember? Would the provider take steps to enforce the agreement (which might draw more publicity)? Could some patients hesitate to post positive comments based on their understanding of the form? Could there be negative publicity even for asking? 

Second, if there is a pre-treatment agreement not to post negative reviews, the approach needs to be thoughtful and compliant. The CRFA does not prohibit all agreements of this type.  But it does limit how they can be obtained and what they can say. Providing an individualized process with a meaningful opportunity to decline or negotiate terms will be a logistical challenge, especially for those practices using portals and electronic processes.  One lesson of Alderwood Surgical is that simply including a pre-treatment agreement in an online new patient packet, as one of many forms, may be suspect to CRFA analysis.

Third, there is a risk/benefit calculus to be done. On the legal side, the CRFA is not the only law that might apply. State consumer protection laws, which can be enforced by state agencies and private litigants, including through class action lawsuits, must also be recognized.  And there are important business considerations as well. 


Negative online reviews are and will continue to be a challenge. There are many ideas about how to avoid or minimize them, and how to respond when they happen. Alderwood Surgical and its analysis of the CRFA suggest that pre-treatment agreements not to negatively comment is an approach that requires great care and might be best to avoid.       

For additional information about the issues discussed above, or if you have other questions or concerns, please contact the author or the Epstein Becker Green attorney who regularly handles your legal matters.

Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.