HIPAA Review Requests for Med Spas & Dental

A Sugar Land dental practice got a compliance warning after their review SMS disclosed appointment details. See compliant templates and consent logging.

Lakeside Family Dentistry in Sugar Land had been running a review request automation since November 2024 when their compliance officer flagged a problem in January 2025. The SMS template the practice was using included the patient’s name, the appointment date, and the procedure type.

The message read something like: “Hi Sarah, thanks for coming in for your crown prep on Thursday. We hope everything went smoothly. Would you mind leaving us a quick Google review?”

That message, readable by anyone who picked up Sarah’s phone, disclosed that Sarah had a specific dental procedure on a specific date at a specific practice. That combination of information (patient identity plus treatment type plus provider context) meets the definition of protected health information under HIPAA.

The compliance officer required the template to be rewritten before the next send cycle. No fine was issued. The practice got lucky. Others have not.

Business details anonymized. Based on a real LeadExploder account matching this profile.

What counts as PHI in a review request context?

Protected health information under HIPAA is defined as individually identifiable health information held or transmitted by a covered entity, per U.S. Department of Health and Human Services HIPAA guidelines (hhs.gov/hipaa). The three elements that combine to create PHI in a review request are patient identity, clinical or treatment information, and provider or facility context.

Any two of these three elements together can constitute PHI. A message that uses a patient’s first name and mentions their appointment type meets the threshold. A message that references the specific date and the treatment type meets the threshold even without the patient’s name, if the message is sent to the patient’s phone number and thus implicitly identifies them.

The most common violations in review request templates fall into two categories.

The first is appointment-specific language. “Thanks for coming in for your Botox appointment yesterday” or “We hope your root canal went well today” includes clinical information combined with implicit patient identity (the phone number the message was sent to). It does not matter that the patient already knows what they had done. What matters is that the information is being transmitted in a way that could be disclosed to a third party who sees the message.

The second is provider-specific language combined with treatment context. “Thanks for seeing Dr. Martinez for your filler today” ties a specific provider to a specific treatment category for a specific patient. That combination creates PHI.

What does the compliant template look like versus the risky one?

These two templates illustrate the difference. Neither is hypothetical. The first is the type of template that generates compliance warnings. The second is the corrected version.

Non-compliant (do not use):

Hi [First Name], thanks for coming in for your [procedure] with [Provider Name] on [date]. We hope everything went well. If you have a moment, we would love a Google review. [Link]

Compliant:

Hi [First Name], thanks for visiting us today. If you have a moment to share your experience, we would really appreciate a quick Google review. It helps our team and helps other patients find us. [Link]

The compliant version contains the patient’s first name and a reference to a visit. It does not specify the visit type, the provider, the date, or any clinical detail. It is a generic service communication that does not disclose health information.

The two templates will perform similarly in terms of review conversion. The personalization that drives conversion is the timing (sent within 90 minutes of the appointment) and the patient’s first name, not the procedure reference. Most patients know why they were in your office. They do not need you to remind them in the message.

BAA requirements for SMS platforms used in patient communication

Any SMS platform or automation tool your practice uses to send messages to patients is classified as a business associate under HIPAA if it processes, stores, or transmits protected health information. This classification does not depend on whether your outbound messages contain PHI. The platform processes patient names, phone numbers, and appointment triggers, all of which may constitute PHI when held in combination.

Before enabling any SMS-based review request system for patient communication, confirm that the vendor has executed a Business Associate Agreement (BAA) with your practice. A BAA is a written contract in which the vendor agrees to safeguard PHI, report breaches, and comply with applicable HIPAA requirements. Without a BAA, using the platform for patient communication is a HIPAA violation regardless of message content.

When evaluating SMS vendors, request their BAA documentation proactively. Do not accept verbal assurances. Many general-purpose SMS and CRM platforms offer BAAs, but they are typically an add-on that requires a specific request and sometimes a higher-tier plan. Confirm the BAA is in place before the first send cycle, not after.

For practices that have already been sending review requests through a platform without a BAA, document the gap and remediate it before the next cycle. Stopping the sends immediately does not add to the exposure already accrued during the non-compliant period, and stopping is the right first step.

Maintaining a consent log is both a compliance requirement and a practical defense in the event of a patient complaint or HHS audit. The log should capture four elements for each patient record.

Who consented. The specific patient’s identity, typically captured through your intake system, linked to the patient record in your practice management software.

When consent was provided. The date the patient signed or acknowledged the communication preferences form at intake. This date matters because patients who were seen before a specific form was in place may not be covered by it.

What they consented to. The exact language of the consent they agreed to. Most practices capture consent for “appointment reminders, health updates, and practice communications.” Review requests fall under practice communications. If your consent language is limited to appointment reminders only, it may not cover review requests, and the form should be updated.

How opt-out was made available. Every outbound SMS should include a mechanism for the patient to stop receiving messages, typically the phrase “Reply STOP to opt out.” Your log should confirm this language was included in the message templates your system was sending during the consent period.

If all four elements are documented, your practice has a defensible record of compliant consent. If any element is missing, you have a gap that needs to be addressed before the next send cycle.
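As an added example (not code from the page or from LeadExploder), here is how the four consent-log elements can be checked mechanically before each send cycle. The record layout, the `ConsentRecord` class and the sample records are assumptions; the consent wording in the samples is taken from the forms the page quotes, and the rule that a form signed after the send date does not cover that send follows the point above about patients seen before a form was in place.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Consent wording that covers review requests. The page says most practices capture
# "appointment reminders, health updates, and practice communications" and that
# review requests fall under practice (operational) communications.
COVERING_PHRASES = ("practice communications", "operational communications")


@dataclass
class ConsentRecord:
    """One row of the consent log: the four elements the page calls for (assumed layout)."""
    patient_id: str               # who consented: id of the practice-management record
    consent_date: Optional[date]  # when: date the intake form was signed (None = not captured)
    consent_language: str         # what: exact text of the form they agreed to
    form_version: str             # which form version, kept alongside the date
    opt_out_in_templates: bool    # how: "Reply STOP to opt out" was in the templates sent


def consent_gaps(record: ConsentRecord, send_date: date) -> list[str]:
    """Return the missing elements for one record, for a send on send_date.

    An empty list means the record is a defensible basis for that send.
    """
    gaps = []
    if not record.patient_id.strip():
        gaps.append("who: no patient identity linked to the record")
    if record.consent_date is None:
        gaps.append("when: consent date not recorded")
    elif record.consent_date > send_date:
        gaps.append("when: form signed after the send; patient not covered at send time")
    text = record.consent_language.lower()
    if not any(phrase in text for phrase in COVERING_PHRASES):
        gaps.append("what: consent language does not cover practice communications")
    if not record.opt_out_in_templates:
        gaps.append("how: opt-out mechanism not documented for this consent period")
    return gaps


def eligible_for_review_request(record: ConsentRecord, send_date: date) -> bool:
    return not consent_gaps(record, send_date)


def eligible_patients(records, send_date: date) -> list[str]:
    """Ids a scheduler may message on send_date; everyone else is held back."""
    return [r.patient_id for r in records if eligible_for_review_request(r, send_date)]


# Constructed sample records (not real patients). BEFORE uses the reminders-only
# wording; AFTER uses the broader wording the page says most practices capture.
BEFORE = ConsentRecord("PT-1001", date(2024, 9, 3),
                       "I agree to receive appointment reminders.", "v1", False)
AFTER = ConsentRecord("PT-1003", date(2025, 2, 10),
                      "I agree to receive appointment reminders, health updates, "
                      "and practice communications.", "v2", True)
SIGNED_LATER = ConsentRecord("PT-1002", date(2025, 3, 1), AFTER.consent_language, "v2", True)

if __name__ == "__main__":
    cycle = date(2025, 2, 15)
    for rec in (BEFORE, AFTER, SIGNED_LATER):
        print(rec.patient_id, consent_gaps(rec, cycle) or "defensible")
    print("send to:", eligible_patients([BEFORE, AFTER, SIGNED_LATER], cycle))
```

A record with any gap is held back from the send rather than patched on the fly; the fix for a "what" gap is an updated form and a new consent date, not a change to the log entry.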

Non-compliant versus compliant in practice: two side-by-side examples

The difference between a compliant and non-compliant review request program is clearest in a direct comparison. Here are two real-world scenarios, described without identifying details.

Non-compliant practice (before remediation): A dermatology office sends post-appointment review requests using a template that includes the patient’s first name, the appointment date, and the treatment area (“Thanks for coming in for your acne consultation on Tuesday”). The SMS platform they use does not have a BAA with the practice. Consent is captured on a paper form at intake with language that says “I agree to receive appointment reminders.” The practice has sent approximately 600 messages over four months.

That scenario represents 600 potential HIPAA violations: PHI disclosed in the message content, no BAA on the platform, and consent that does not cover operational communications beyond appointment reminders.

Compliant practice (after remediation): The same practice rewrites the template to remove all clinical references. The message now reads: “Hi [First Name], thank you for visiting us today. If you have a moment, a Google review would really help other patients find us. [Link] Reply STOP to opt out.” The practice executes a BAA with the SMS vendor and updates the intake consent form to include “appointment reminders, operational communications, and practice updates.” A consent log is maintained in the patient management system with the date and form version for each patient.

The second scenario is HIPAA-compliant. The conversion rate on the review request is comparable to the non-compliant version, because the procedure reference in the original template was not a meaningful driver of conversion. Timing and the one-tap link are the drivers.

What is the operational cost of getting this wrong?

HIPAA civil penalties are structured in four tiers based on culpability, per the U.S. Department of Health and Human Services HIPAA guidelines (hhs.gov/hipaa). The least severe tier, violations where the covered entity did not know and could not have known, runs from $137 to $68,928 per violation. The most severe tier, willful neglect not corrected within 30 days, runs from $68,928 to $2,067,813 per violation, with an annual cap per violation category of $2,067,813.

A review request SMS template containing PHI sent to 200 patients constitutes 200 separate violations. At the minimum tier, that exposure runs from $27,400 to $13.8 million. The annual cap limits the maximum, but the investigation and corrective action plan that accompany any enforcement action carry their own costs in staff time, legal fees, and operational disruption.

Beyond direct penalties, an HHS complaint triggers a review of your broader technology and process stack. A single non-compliant review request template can expose gaps in your EHR access controls, your staff training records, and your vendor agreements that were not the subject of the original complaint.

Lakeside Family Dentistry caught the issue before any complaint was filed. The corrected template took 20 minutes to rewrite and has been running without issue since February 2025. Their review count went from 44 to 118 in six months using the compliant version. The star average moved from 4.5 to 4.8.

The compliant template works. It just requires stripping the clinical detail that creates exposure.

Building the compliant system end to end

A fully HIPAA-compliant review request system for a dental or med spa practice requires four components working together: a compliant message template (no PHI in the outbound content), a BAA with the SMS platform, documented patient consent that covers operational communications, and a consent log with the four elements described above.

For practices integrating review requests into a broader patient communication and intake workflow, the guide on dental practice AI intake covers how to structure consent capture and communication preferences at the intake stage in a way that covers multiple downstream use cases, including review requests, appointment reminders, and recall campaigns.

What to do this week

Pull the exact text of your current review request SMS template and read it against this checklist:

Does it mention the appointment type, procedure, or any treatment category? Rewrite it to remove that reference.

Does it mention a specific provider by name in combination with any clinical context? Remove the provider reference or remove the clinical context.

Does it include a one-tap Google review link? If not, add one. Friction is the other main conversion killer.

Does the platform you use to send it have a BAA signed with your practice? If you are not certain, ask your vendor before the next send cycle.

These four checks take less than an hour. The exposure they eliminate is significant.
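The checklist above and the earlier template comparison can be turned into a pre-send lint of the template text. The following is an added example (not the page's or LeadExploder's code): the two templates and the Lakeside message are quoted from the page, while the clinical keyword list, the `Dr. Name` pattern and the function names are assumptions. The BAA check is a contract question rather than a property of the text, so it is deliberately not part of the lint.

```python
import re
from dataclasses import dataclass

# Placeholders from the page's own templates. "[procedure]" filled in alongside the
# patient's first name (or the phone number the message goes to) is what turns a
# generic service message into PHI.
CLINICAL_PLACEHOLDERS = ("[procedure]",)
PROVIDER_PLACEHOLDER = "[provider name]"

# Constructed keyword list for the "treatment category" check (an assumption, not
# from the page); a practice would replace it with its own procedure menu.
CLINICAL_TERMS = re.compile(
    r"\b(botox|filler|crown prep|root canal|filling|implant|acne|consultation|"
    r"cleaning|whitening|extraction)\b",
    re.IGNORECASE,
)
# "Dr. Martinez" style references. A named provider alone is acceptable; a named
# provider combined with clinical context is the page's second violation category.
PROVIDER_NAME = re.compile(r"\bDr\.?\s+[A-Z][A-Za-z-]+")
# One-tap review link: the page's "[Link]" placeholder or a rendered URL.
REVIEW_LINK = re.compile(r"\[link\]|https?://\S+", re.IGNORECASE)
# Opt-out wording that every outbound SMS should carry.
OPT_OUT = re.compile(r"reply\s+stop", re.IGNORECASE)


@dataclass
class TemplateFindings:
    clinical_reference: bool              # check 1: procedure / treatment category
    provider_with_clinical_context: bool  # check 2: provider name plus clinical detail
    has_review_link: bool                 # check 3: one-tap review link
    has_opt_out: bool                     # "Reply STOP to opt out" present

    @property
    def compliant(self) -> bool:
        return (not self.clinical_reference
                and not self.provider_with_clinical_context
                and self.has_review_link
                and self.has_opt_out)


def audit_template(template: str) -> TemplateFindings:
    """Run the text-level checks from the page's checklist against one SMS template."""
    lowered = template.lower()
    clinical = (any(p in lowered for p in CLINICAL_PLACEHOLDERS)
                or bool(CLINICAL_TERMS.search(template)))
    provider = PROVIDER_PLACEHOLDER in lowered or bool(PROVIDER_NAME.search(template))
    return TemplateFindings(
        clinical_reference=clinical,
        provider_with_clinical_context=provider and clinical,
        has_review_link=bool(REVIEW_LINK.search(template)),
        has_opt_out=bool(OPT_OUT.search(template)),
    )


def problems(template: str) -> list[str]:
    """What to fix, in the order of the page's checklist; empty means the text passes."""
    f = audit_template(template)
    out = []
    if f.clinical_reference:
        out.append("remove the procedure / treatment reference")
    if f.provider_with_clinical_context:
        out.append("remove the provider name or the clinical context")
    if not f.has_review_link:
        out.append("add a one-tap review link")
    if not f.has_opt_out:
        out.append("add 'Reply STOP to opt out'")
    return out


# The two templates from the page, plus the Lakeside message quoted at the top.
NON_COMPLIANT = ("Hi [First Name], thanks for coming in for your [procedure] with "
                 "[Provider Name] on [date]. We hope everything went well. If you have "
                 "a moment, we would love a Google review. [Link]")
COMPLIANT = ("Hi [First Name], thank you for visiting us today. If you have a moment, "
             "a Google review would really help other patients find us. [Link] "
             "Reply STOP to opt out.")
LAKESIDE = ("Hi Sarah, thanks for coming in for your crown prep on Thursday. We hope "
            "everything went smoothly. Would you mind leaving us a quick Google review?")

if __name__ == "__main__":
    for name, tpl in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT),
                      ("Lakeside", LAKESIDE)):
        print(name, "->", "OK" if audit_template(tpl).compliant else problems(tpl))
```

Running the lint on the Lakeside message flags the procedure reference and the missing link and opt-out line, which is the same diagnosis the compliance officer made by hand. Because the keyword list is practice-specific, a clean lint result is a first filter, not a substitute for a human read of the template before the first send cycle.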

Alex Rocha is the founder of Mastodon Marketing, a Houston-based growth agency that runs marketing for service businesses across 70+ client sites. He built LeadExploder as the operating system he wished his clients had on day one.

Frequently asked questions

Are SMS review requests to patients considered marketing under HIPAA?

It depends on the content. A generic message asking a patient to share their experience, sent after an appointment, without referencing the appointment type, procedure, or any clinical detail, is generally considered operational communication and not marketing under HIPAA. A message that references a specific procedure, condition, or treatment in combination with patient identity crosses into PHI territory and may require prior authorization. Use only generic language in review request templates.

Do I need written consent to text patients for review requests?

HIPAA requires that patients have an opportunity to agree to or restrict certain types of communications. Most practices collect a communication preferences form at intake. If your intake form includes a checkbox or signature authorizing SMS communication for appointment-related purposes, review requests sent without clinical detail are generally covered. You should also maintain a log of which patients opted in, the date of consent, and the opt-out mechanism you provided. Consult your compliance officer or healthcare attorney for the specific requirements in your state.

What if a patient responds to the review request and mentions their procedure in the reply?

You are not responsible for what a patient voluntarily discloses in their reply. Your obligation is to control what your outbound message contains. Do not reference any clinical detail in your reply or subsequent communications. If the patient's message is received by your staff in a platform that stores SMS conversations, ensure that platform has a Business Associate Agreement (BAA) with your practice, as the conversation may constitute PHI in storage.

Can a med spa ask customers about their specific treatment in a review?

Not in the review request message itself. The request should invite a general review of the experience. What the customer then chooses to write in their Google review is their own disclosure and is outside your control. Avoid prompting customers to mention specific treatments in their review text, as that phrasing in the request message itself could constitute a disclosure of what you believe they received.
