Online reviews are critical for healthcare practices. Patients searching for a new dentist, chiropractor, or medspa rely heavily on Google ratings — and practices with more recent, high-quality reviews consistently rank higher in local search results. But healthcare providers face a compliance layer that other businesses don't: HIPAA.

The good news is that HIPAA does not prohibit patients from leaving reviews, and it does not prevent you from asking patients to share their experience. It does, however, put strict limits on how you send review requests and what information those messages can include. Get it wrong and you risk a breach notification obligation, OCR investigation, and significant fines.

This guide covers the practical rules for dental offices, chiropractic practices, and medspas. It is not legal advice. HIPAA compliance is fact-specific and depends on your exact workflows, technology stack, and state laws. Consult a qualified healthcare attorney or compliance officer for guidance on your specific situation.


What HIPAA Governs (and What It Doesn't)

HIPAA's Privacy Rule applies to covered entities — including healthcare providers that transmit health information electronically — and their business associates. It protects Protected Health Information (PHI): any individually identifiable information relating to a person's health condition, treatment, or payment for treatment.

Critically, HIPAA governs what you do with patient information. It does not govern what a patient voluntarily chooses to share publicly. If a patient independently decides to post a Google review mentioning their treatment, that is the patient's own speech — not a HIPAA-covered disclosure by you.

The compliance question, then, is about your outbound communications: specifically, what information your practice is including in the messages you send to patients.


The Core Rule: No PHI in the SMS Body

When you send an automated SMS review request, the message body must not contain Protected Health Information. This is the single most important rule for healthcare practice review automation.

PHI includes:

  • The patient's name (when combined with any health-related context)
  • Appointment dates, diagnoses, treatments, or procedures received
  • Any reference to the fact that the person is or was a patient
  • Insurance information or billing details

What a compliant review request SMS looks like:

"Hi [First Name], we'd love to hear about your recent visit. Leave us a Google review here: [link]. Reply STOP to unsubscribe."

That is borderline — "recent visit" may imply a health context. Some attorneys recommend removing any visit reference entirely:

"Hi [First Name], [Practice Name] here — your feedback matters to us. Share your experience on Google: [link]. Reply STOP to unsubscribe."

What a non-compliant SMS looks like:

"Hi Jane, thanks for your teeth whitening appointment on Tuesday at Dr. Smith's office! Leave us a review…"

That message contains PHI (name + treatment + provider + date). Sending it via automated SMS — or any channel — without appropriate authorization would be a HIPAA violation.


Business Associate Agreements (BAAs)

If your practice uses an SMS platform (such as Twilio) to send automated messages, that vendor is a business associate under HIPAA — they are handling electronic communications on your behalf and potentially have access to patient data in transit. HIPAA requires you to have a Business Associate Agreement (BAA) in place before using their services in a way that involves PHI.

Twilio offers a BAA for healthcare customers on eligible paid plans. Many other SMS and reputation management platforms do as well.

Before sending any patient communications through a third-party SMS or review platform, confirm:

  1. The vendor offers a BAA
  2. You have signed it
  3. The BAA covers the specific services you are using (not all BAAs cover all product features)

If a vendor does not offer a BAA, you should not use their platform for patient communications that touch PHI — period.


Email Review Requests and HIPAA

The same rules apply to email. The email subject line and body must not contain PHI. A subject like "How was your appointment, Jane?" is problematic if it identifies a person as a patient.

Safe subject lines:

  • "We'd love your feedback"
  • "Tell us about your experience at [Practice Name]"

If you send email through a third-party email service provider (ESP), that provider also needs to be covered by a BAA.


Patients Can Still Leave Reviews Voluntarily

Nothing in HIPAA prevents patients from deciding to leave a Google review on their own. If a patient writes "I had a root canal here and Dr. Smith was amazing" — that's the patient's own free speech. You didn't disclose anything; they did.

This also means:

  • You can have a link to your Google review page on your website
  • You can display a sign in your waiting room with a QR code to your Google profile
  • You can verbally mention to patients at checkout that you'd welcome their feedback online

None of those constitute a HIPAA violation because they don't involve using PHI to solicit the review.

What you cannot do is tailor your outreach based on health information. For example, you cannot send review requests only to patients who had positive outcomes, or suppress requests to patients who had complications — that would involve using PHI to target communications and could also implicate review gating and Google policy restrictions.


State Laws Add Another Layer

Several states have privacy laws that impose additional requirements beyond HIPAA:

  • California (CMIA): The Confidentiality of Medical Information Act gives patients additional rights and imposes stricter consent requirements for using medical information for marketing
  • Texas, New York: State medical privacy statutes may apply alongside HIPAA
  • Washington: My Health My Data Act (2024) broadly expands covered health data beyond HIPAA's definition

Medspas in particular often operate in a gray zone — some services (e.g., Botox, filler) may be medical procedures subject to HIPAA while others (e.g., massage, facials) may not be. The safest approach is to apply HIPAA-level standards across the board.


Practical Setup Checklist for Healthcare Practices

Before running SMS or email review campaigns:

  • Review requests send only the patient's first name and no health-related context
  • SMS platform vendor has signed a Business Associate Agreement with your practice
  • Email platform vendor has signed a Business Associate Agreement
  • Patient opt-in consent is collected at intake (separate from treatment consent)
  • Opt-in language discloses that messages are for practice feedback, not treatment-related
  • STOP/HELP keyword handling is active (TCPA requirement — see TCPA compliance for SMS review requests)
  • Review requests go to all eligible patients, not filtered by sentiment or outcome
  • Staff are trained not to respond to public reviews in ways that confirm or disclose PHI
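As an added illustration of the template rule and the checklist above (example code, not GBP Autopilot's or any vendor's), a small Python guard that blocks a template containing disallowed placeholders, health-context words or no STOP instruction, and renders messages for every opted-in patient without ever reading clinical fields. The placeholder names, keyword list and patient records are constructed; the check implements the stricter "no visit reference" recommendation, so it flags the "recent visit" template.

```python
import re
from dataclasses import dataclass
# Only these placeholders may appear in a review-request template.
ALLOWED_PLACEHOLDERS = {"first name", "practice name", "link"}
# Words that imply a health context; hypothetical starter list, extend it for your templates.
HEALTH_CONTEXT = re.compile(
    r"\b(?:visit|appointment|treatment|procedure|patient|doctor|diagnosis|insurance)\b|\bdr\b\.?",
    re.IGNORECASE)

def check_template(template: str) -> list[str]:
    """Return the reasons a template must not be sent (empty list means it passes)."""
    problems = []
    for ph in re.findall(r"\[([^\]]+)\]", template):
        if ph.lower() not in ALLOWED_PLACEHOLDERS:
            problems.append(f"disallowed placeholder [{ph}]")
    hits = sorted({m.lower() for m in HEALTH_CONTEXT.findall(template)})
    if hits:
        problems.append("health context: " + ", ".join(hits))
    if "reply stop" not in template.lower():
        problems.append("missing STOP opt-out instruction")
    return problems

@dataclass(frozen=True)
class Patient:
    first_name: str
    phone: str
    feedback_opt_in: bool  # collected at intake, separate from treatment consent
    treatment: str = ""    # clinical fields exist in the source system but are
    outcome: str = ""      # never read below, so outcome cannot filter the send list

def build_send_list(patients, template, practice, link):
    """Render (phone, body) for every opted-in patient using only name and phone."""
    problems = check_template(template)
    if problems:
        raise ValueError("template blocked: " + "; ".join(problems))
    sends = []
    for p in patients:
        if not p.feedback_opt_in:
            continue
        body = (template.replace("[First Name]", p.first_name)
                .replace("[Practice Name]", practice).replace("[link]", link))
        sends.append((p.phone, body))
    return sends

SAMPLE_PATIENTS = [  # constructed records; Jane had a complication but is still messaged
    Patient("Jane", "+15550100", True, treatment="whitening", outcome="complication"),
    Patient("Omar", "+15550101", True, treatment="cleaning", outcome="routine"),
    Patient("Lee", "+15550102", False, treatment="filling", outcome="routine"),
]
SAFE_TEMPLATE = ("Hi [First Name], [Practice Name] here - your feedback matters to us. "
                 "Share your experience on Google: [link]. Reply STOP to unsubscribe.")
```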


Responding to Patient Reviews: Another HIPAA Trap

When a patient leaves a negative review on Google that references their treatment, the instinct is to respond and explain what happened. That impulse can get you into trouble.

Responding to a public review in a way that confirms the person is a patient, or that references their treatment, is a HIPAA disclosure. Even saying "We're sorry about your experience on March 3rd" confirms an appointment date.

Safe responses acknowledge without confirming PHI:

"We take all feedback seriously. Please contact our office directly at [phone number] so we can address your concerns."

That confirms nothing about whether the reviewer is or was a patient. It demonstrates responsiveness without triggering a HIPAA issue.


Rankings Require Reviews — and Reviews Require a Plan

For healthcare verticals, a consistent flow of new patient reviews is one of the highest-leverage local SEO activities. Google's local ranking algorithm weighs review quantity, recency, and rating — meaning practices that collect reviews systematically outrank those that rely on patients acting spontaneously.

The path to more reviews without HIPAA exposure is straightforward:

  1. Collect opt-in consent at intake
  2. Send a brief, PHI-free follow-up message after appointments
  3. Use a platform with a signed BAA
  4. Send the review link to every eligible patient — no filtering, no gating

For vertical-specific SEO strategy, see our guides on local SEO for dentists, local SEO for chiropractors, and local SEO for medspas.


Where GBP Autopilot Fits

GBP Autopilot is designed for HIPAA-aware verticals: review request messages contain only the customer's first name and a link — no appointment details, no treatment references, no PHI. The platform uses Twilio for SMS, and Twilio offers BAA coverage for healthcare customers on eligible plans. Review requests go to all customers without filtering by sentiment, consistent with Google's policies on review gating.

If you're running a dental office, chiropractic practice, or medspa and evaluating review automation tools, BAA availability and PHI-free message templates should be near the top of your checklist — alongside price and automation features.

This article is for general informational purposes only and does not constitute legal advice. HIPAA compliance is highly fact-specific. Consult a qualified healthcare attorney or compliance officer for guidance specific to your practice.
