Anonymous Surgeon Review: How Verified Peer Input Stays Untraceable

The most common question OR staff ask isn’t how the ratings work — it’s “can anyone trace this back to me?” That question shapes every design decision behind Physician Signal.

The Physician Signal Team

May 29, 2026

The most common question we get from OR staff isn't about how the rating scale works.

It's "can anyone trace this back to me?"

That fear is rational. It's also the single biggest reason useful peer review hasn't existed before now — not because the data wasn't there, but because the cost of being identified outweighed the value of contributing.

So the design of Physician Signal starts with that question, not the rating engine.

The fear is structural

If you've worked in an OR for more than a year, you already know the math:

The room is small. A scrub tech, a circulator, the anesthesiologist, the rep, the resident. If a review names a specific intraop incident, the surgeon can usually narrow down who saw it within a handful of people.

Speaking up has career costs. Documented research shows that nurses and techs rate their safety climate substantially lower than surgeons rate theirs — and one of the biggest gaps is in non-punitive response to error. Honest feedback in clinical settings is more dangerous to the giver than to the receiver.

Hospitals retaliate. Sometimes formally — a service reassignment, a contract not renewed. More often quietly — the schedules that slowly stop including you, the assignments that stop reflecting your seniority.

If reviewing a surgeon honestly carries those risks, almost no one does it. Or they do it once, anonymously on a low-traffic site, and never again.

For the data to exist at scale, the anonymity has to be load-bearing — not a courtesy, not a setting.

What Physician Signal does (and doesn't) collect

The model behind every design decision is: collect the minimum required to verify the reviewer is a real clinician, and nothing else.

What we collect:

• Professional role category (OR Nurse, Surgical Tech, Anesthesiologist, etc.)

• Optional soft verification signals (work email domain, hospital affiliation) — used only to attach a "Verified" badge, never displayed in identifiable form

• The ratings themselves

• An optional written review

What we don't collect, or never store in a linkable way:

• Full name (never asked, never displayed)

• Employer name (never displayed; if collected via verification, stored separately from the review)

• Specific institution where you worked with the surgeon

• IP address linked to the review record

• Geolocation

• Account-required login (you can review without creating an account)

The display badge — "Verified OR Nurse" or "Verified Surgical Tech" — is the only role-level information attached to the review. There are millions of OR nurses in the U.S. The badge says you're one of them. It doesn't say which.

The schema-layer detail most platforms get wrong

The technical part of anonymity that's easy to overlook: search engines.

When Google indexes a doctor's profile, it parses the structured data on the page. If the review schema includes the reviewer's name, role, or hospital — even on a noindex page — that information can still leak via cached snippets, search-result previews, or scrapers.

The Physician Signal schema is hardcoded to emit the author as "Anonymous Verified Reviewer" in the structured-data layer, regardless of what role badge appears on the visible page. That separation is deliberate. The UI gives the reader enough context to interpret the review ("a surgical tech said this"). The schema gives Google nothing that could be aggregated into a profile of who you are.
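
A sketch of the separation described above, as an added example that is not Physician Signal's own code: the structured-data builder reads only review-side fields and fixes the author string, and a check suitable for a build step flags any reviewer value that reaches the markup. The record's field names and the sample values are assumptions.

```javascript
// Added example: field names on the internal record are hypothetical.
const SCHEMA_AUTHOR = "Anonymous Verified Reviewer";

// Constructed sample record; the values are invented for illustration.
const sampleReview = {
  surgeonName: "Dr. Example Surgeon",
  rating: 4,
  body: "Communicates clearly with the room before incision.",
  roleBadge: "Verified OR Nurse",          // shown in the visible UI only
  verificationDomain: "hospital.example",  // soft verification signal
};

// Build the Review object field by field. The reviewer-side fields are
// never read here, so a new column on the record cannot reach the markup.
function buildReviewJsonLd(review) {
  return {
    "@context": "https://schema.org",
    "@type": "Review",
    itemReviewed: { "@type": "Physician", name: review.surgeonName },
    reviewRating: { "@type": "Rating", ratingValue: review.rating },
    reviewBody: review.body,
    author: { "@type": "Person", name: SCHEMA_AUTHOR },
  };
}

// Regression check: returns the names of reviewer fields whose values
// appear anywhere in the serialized structured data.
function findReviewerLeaks(jsonLd, review) {
  const serialized = JSON.stringify(jsonLd).toLowerCase();
  return ["roleBadge", "verificationDomain"].filter((field) => {
    const value = String(review[field] || "").toLowerCase();
    return value.length > 0 && serialized.includes(value);
  });
}

// Escape "<" so review text cannot close the script element early.
function renderJsonLdScript(jsonLd) {
  const json = JSON.stringify(jsonLd).replace(/</g, "\\u003c");
  return `<script type="application/ld+json">${json}</script>`;
}
```

The check compares against stored values only, so free-text self-identification inside the review body still has to be handled by the review guidelines and moderation.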

The legal layer

Two protections matter here, and neither is absolute:

Reviews as professional opinion, not factual claim. Review content on Physician Signal is framed and structured as professional opinion. That framing matters for First Amendment protections under U.S. law: opinion is harder to attack as defamation than fact-claims are. We don't allow reviews that name specific patient incidents, dates, or identifying case details — partly for HIPAA reasons, partly because anonymized opinions are more durable legally than detailed allegations.

The subpoena question. If a court ordered us to produce identifying information about a specific review, what could we hand over? The honest answer: very little, because we don't store much. The verification-email domain (if you used soft verification) is the most identifying piece. We are not a journalistic outlet with shield-law protections — but we also don't store enough information to make a subpoena particularly useful in practice.

This is a deliberate design choice. The cheapest way to protect users is not to have the data in the first place.

What we don't promise

Nothing is 100% private on the internet. We say this in plain English:

• A reviewer who names a surgeon and describes a specific case incident in enough detail can, in principle, be inferred by anyone in the room that day. We discourage this in the review guidelines.

• We can be hacked. Our database is encrypted at rest and our access controls are tight, but the only data that's truly safe is data that was never collected. We collect almost none.

• A subpoena could compel us to produce what little we have. What we have is structured to be minimally useful.

If you want zero risk, the only option is not to participate. If you want low risk plus meaningful contribution to a system that's been waiting for OR voices for thirty years, the math has tilted.

Why this changes who writes

The reviewers who have always been willing to speak up — under their own names, in formal complaints, to medical boards — are a small population. They're not representative of what OR staff actually see. They're the ones with the highest professional risk tolerance and the most career capital to spend.

The reviewers we want are the ones who've never reported anything in their lives. The travelers, the senior techs, the circulators who've watched fifteen years of patterns and never had a channel that didn't cost them more than the information was worth.

The point of structural anonymity is to bring those reviewers into the dataset. Not because their opinions are more correct — but because they're who actually staffs the rooms, and their observations are what the patient ultimately needs to know.

The shift

The old way to handle this was a one-time post on an anonymous forum, knowing it would never be aggregated, never be verified, never affect anything.

The new way is a verified, structured observation that joins a network of similar observations from other rooms. Anonymous at the surface, untraceable underneath, and aggregated into a signal that — for the first time — patients and hospitals can actually use.

That's not just a privacy promise. It's the whole product.
