A dental practice in Minneapolis sent its review request emails with the subject line: “How was your root canal today, [First Name]?” The open rate was high. The HIPAA compliance officer’s response was not positive.
Mentioning a specific procedure in an outbound marketing communication, even a review request, is a potential HIPAA violation. The subject line had disclosed protected health information to any third party who might have access to the patient’s email inbox, and it had done so in a marketing context that HIPAA’s Privacy Rule treats with particular scrutiny. The practice had been asking patients for reviews this way for eight months before anyone flagged it.
This is the compliance dimension of review acquisition that most dental marketing guides don’t address, and that creates real regulatory exposure for practices that copy tactics designed for non-healthcare businesses without adapting them to the HIPAA environment.
Understanding how to ask patients for Google reviews dental practices can deploy safely requires understanding two distinct compliance frameworks simultaneously: Google’s own review policies, which prohibit certain solicitation tactics regardless of industry, and HIPAA’s Privacy Rule, which restricts how dental practices can use and disclose patient health information in outbound communications. Getting either one wrong produces different but equally serious consequences.
This guide covers both frameworks, gives you the specific language structures and communication formats that satisfy both simultaneously, and identifies the most common request tactics that create compliance exposure without the practice owner realizing it.
Table of Contents
The two compliance frameworks that govern dental review requests
Framework 1: Google’s review policies
Google’s guidelines for review solicitation are specific and enforced practices that violate them risk having their reviews removed, their GBP profile penalized, or in egregious cases, their listing suspended.
Review gating is the practice of filtering patients before the review request, asking them to rate their experience on an internal scale first, and only directing satisfied patients to Google. Google’s guidelines explicitly prohibit this: businesses must not “discourage or prohibit negative reviews or selectively solicit positive reviews from customers.” Any review request workflow that includes a pre-screening question, “How would you rate your experience today?” with only satisfied respondents being directed to Google, is a guideline violation.
Incentivized reviews are reviews solicited in exchange for a reward, a discount on a future service, entry into a prize drawing, or any form of compensation. Google’s guidelines state that businesses should not “offer or accept money or product to write reviews.” A practice that enters all review-writers into a monthly gift card drawing is offering implicit compensation, and the reviews accumulated under that system are in violation.
Bulk third-party solicitation using reputation management software that sends mass review requests to patient lists without individual communication context is a gray area that Google has increasingly scrutinized. The safest approach is individual, contextual communication rather than bulk automated blasts with no personalization beyond a name field.
What Google permits: asking patients directly to share their honest experience on Google, providing a direct link to the practice’s GBP review form, and asking at the point of service, via follow-up text or email, or through a card or handout. The request must be genuine, asking for an honest review, not a positive one, and must not filter or incentivize.
Framework 2: HIPAA’s Privacy Rule as applied to review requests
HIPAA’s Privacy Rule restricts how covered entities, which include dental practices, can use and disclose protected health information (PHI) in communications. A review request sent to a patient becomes a HIPAA compliance issue the moment it includes, implies, or could be used to infer any element of PHI.
PHI includes: the patient’s name in combination with any clinical information, appointment dates or types, procedures performed, diagnoses, treatment plans, or any other individually identifiable health information. A review request that says “Thank you for your visit today” does not disclose PHI; it contains no clinical information. A review request that says “Thank you for coming in for your cleaning and whitening consultation today” contains PHI — it discloses the specific services the patient received.
The distinction is clinical specificity. A generic thank-you message that could apply to any patient at any business is safe. A message that reveals anything specific about why the patient was at a dental practice, even something as seemingly innocuous as “your checkup,” introduces PHI into a marketing communication.
The safe communication formula: a HIPAA-safe review request contains the patient’s first name, a generic thank-you that contains no clinical specificity, a direct link to the Google review form, and a request for honest feedback. Nothing more.
Correct: “Hi [First Name], thank you for choosing [Practice Name]. We’d love to hear about your experience. Your feedback helps us serve our patients better and helps others find quality dental care. [Review link]”
Incorrect: “Hi [First Name], thank you for coming in for your cleaning today. We hope your smile is feeling fresh!
The second version discloses that the patient received a cleaning of PHI in a marketing context.
The three review request channels and their compliance profiles
In-person request at checkout
The in-person request is the most HIPAA-safe channel available because no PHI is transmitted in writing to any external system. The conversation happens between the clinical team member and the patient in a controlled environment.
The most effective in-person ask comes from the clinical team member who performed the treatment before the patient reaches the front desk, when the positive clinical experience is freshest and the patient’s attention is not divided.
“Before I walk you out, we really appreciate your trust in choosing our practice. If you’re willing to share your experience on Google, it would mean a lot to us. We’ll send you a quick link.”
That request, made chair-side by the treating provider, converts at meaningfully higher rates than a front desk ask at checkout because the relational context is stronger and the timing is better.
Text message follow-up
Text is the highest-converting review request channel for dental practices in the US market. According to BrightLocal’s 2024 Local Consumer Review Survey, patients are more likely to leave a review when asked via text than via email, 35% conversion versus 24% for email, and more likely to do so within the first 24 hours of the request.
Compliant text template: “Hi [First Name], thanks for visiting [Practice Name] today. If you have a moment, we’d love your feedback on Google: [direct link]. It really helps our team and future patients.”
Non-compliant text template: “Hi [First Name], hope your extraction went smoothly! We’d love a Google review when you have a moment: [link].”
The non-compliant version mentions the specific procedure for PHI in a written marketing communication.
Timing: send within two hours of the appointment. Review intent peaks immediately after a positive experience and decays rapidly over the following 24 to 48 hours.
Email follow-up
Email is the appropriate channel for patients who did not provide a mobile number or who prefer email communication. The compliance requirements are identical to text with no clinical specificity in the subject line or message body.
The subject line is the highest HIPAA risk point in email review requests. Subject lines are visible in notification previews on mobile devices and potentially to anyone with access to the patient’s device.
Compliant subject line: “Thank you for choosing [Practice Name]” Compliant subject line: “We’d love your feedback, [First Name]” Non-compliant subject line: “How was your cleaning today, [First Name]?” Non-compliant subject line: “Your root canal follow-up [Practice Name].”
The message body follows the same formula as a text generic thank-you, direct Google review link, and one sentence of context. Keep the email under 100 words. A review request email that reads like a newsletter will not convert. One that reads like a direct, personal thank-you note will.
What to say and what never to say: language that works and language that creates risk
Language that works
“We’d love to hear about your experience.” Generic, non-clinical, Google-guideline compliant. Invites honest feedback without filtering for positivity.
“Your feedback helps other patients find quality dental care in [city].” Provides a social motivation without implying that the feedback should be positive. Includes a geographic signal without clinical disclosure.
“We’d really appreciate your honest feedback.” The word “honest” signals to Google’s systems and to the patient that the request is for genuine experience-based content, not a manufactured positive review.
Language that creates risk
“If you had a great experience, we’d love a five-star review.” Explicit review gating a direct Google guideline violation. Any review acquired through this framing is at risk of removal.
“Leave us a review, and we’ll apply a discount to your next visit.” Explicit incentivization a Google guideline violation and potentially a violation of FTC endorsement disclosure guidelines.
“Hope you’re recovering well from your [procedure].” Clinical specificity in a marketing communication HIPAA exposure, regardless of how well-intentioned the follow-up is.
“Tell us what we did right today!” Framing that preemptively filters for positive content a softer version of review gating that still violates the honest feedback principle Google’s guidelines require.
The review request at scale: what changes when you have multiple patients per day
Patient communication platform integration
Most practice management software used by US dental practices, such as Dentrix, Eaglesoft, Open Dental, Carestream, integrates with patient communication platforms that can automate same-day text and email follow-ups triggered by appointment completion. Platforms including Birdeye, Podium, NexHealth, and Weave all offer dental-specific review request workflows.
The compliance responsibility does not transfer to the platform vendor. The practice is the HIPAA-covered entity. The message templates configured in the platform are the practice’s responsibility, and they must be reviewed against the HIPAA compliance criteria above before being activated. A platform’s default template may include clinical language that creates exposure. Configure your own templates using the compliant language framework above, not the vendor’s out-of-the-box defaults.
The opt-out requirement
Review request communications are marketing communications under HIPAA’s definition. Under HIPAA’s Marketing Rule, patients have the right to opt out. Your review request system must include an opt-out mechanism, typically an unsubscribe link in email or a “Reply STOP to opt out” text instruction, and must honor opt-out requests promptly.
Frequency limits
One request per visit, sent within two hours of the appointment completion, is the correct cadence. Configure your platform to suppress duplicate requests. A minimum interval of sixty to ninety days between requests to the same patient prevents the negative experience of repeated solicitation after a single visit.
Common mistakes dental practices make when asking for reviews
Using kiosk or tablet review stations
In-office review kiosks and tablets stationed at checkout, where patients can leave a Google review before leaving the practice, violate Google’s guidelines. Reviews should represent the genuine experience of the reviewer from their own device, in their own time. A review left on a practice-owned device on the practice’s premises does not meet this standard. Reviews collected this way are at high risk of detection and removal by Google’s systems.
Not providing the direct review link
A review request that asks patients to “find us on Google and leave a review” without providing a direct link creates unnecessary friction that dramatically reduces conversion. Most patients who receive a generic request without a link intend to leave a review, navigate to Google, search the practice name, find the listing, locate the review section, and abandon the process somewhere in that sequence. Generate your direct review link from your GBP dashboard and include it in every review request communication.
Sending requests from a generic sender identity
A review request sent from a generic “[email protected]” or an unrecognized platform number is less likely to be opened than one that appears to come from a recognized contact. Where your patient communication platform allows, configure the sender identity to match the practice name patients recognize from their appointment reminders.
For the complete automated review request system that eliminates front desk dependency and maintains HIPAA compliance at scale, the dental review request system guide covers the full platform selection, template configuration, and compliance verification process. And for the timing framework that identifies the highest-conversion moments in the patient visit sequence, the best time to ask for a dental Google review covers the specific triggers that produce the strongest results.
Key takeaways
- HIPAA compliance and Google guideline compliance are two distinct frameworks that must be satisfied simultaneously. A review request that is Google-compliant but contains clinical specificity violates HIPAA. A review request that is HIPAA-safe but includes incentivization or review gating violates Google’s policies. Both frameworks apply to every review request a dental practice sends.
- Clinical specificity is the primary HIPAA risk in review request communications. Any message that mentions a specific procedure, appointment type, diagnosis, or clinical detail discloses protected health information in a marketing context. The safe formula: patient first name, generic thank-you with no clinical reference, direct Google review link, honest feedback request.
- Review gating and incentivization are the primary Google guideline risks. Pre-screening patients before directing them to Google is explicit review gating. Offering any reward for leaving a review is explicit incentivization. Both produce reviews at risk of removal and profiles at risk of penalty.
- Text outperforms email for review request conversion. According to BrightLocal’s 2024 Local Consumer Review Survey, 35% of patients who receive a text review request leave a review, versus 24% for email. Send within two hours of appointment completion.
- The direct review link is non-negotiable. A request without a link converts at a fraction of the rate of one with a direct link to the review submission form. Generate your direct link from your GBP dashboard and include it in every request channel.
Your next action this week
Audit your current review request process against the two compliance frameworks in this article.
If you are currently asking patients for reviews, check three things. First: Does your request language contain any clinical specificity? If yes, rewrite the template using the compliant language framework above. Second: Does your request workflow include a pre-screening step that filters patients before directing them to Google? If yes, remove it. Third: Does your request include an opt-out mechanism? If not, add one before your next send.
If you have no review request process in place, configure a compliant text template this week using the formula above, patient first name, generic thank-you, direct review link, honest feedback request, and set it to send within two hours of appointment completion. That single change, consistently executed, is the highest-return review acquisition action available to any dental practice.
For the complete picture of how to ask patients for Google reviews, dental practices can deploy fits into your broader local search strategy, including how review velocity, recency, and response rate interact with your GBP ranking signals. The complete guide to getting more Google reviews for your dental practice is the reference document that connects every piece of this cluster.