Written Consent Requirements
Patient testimonials are one of the most powerful marketing tools for a dental or medical practice. Potential patients trust peer recommendations far more than marketing claims. However, HIPAA regulations create strict boundaries around what you can share and how you can share it. The Health Insurance Portability and Accountability Act explicitly prohibits sharing protected health information (PHI) without patient consent, including names, treatment details, and identifiable health conditions.
Written consent is the foundation of all testimonial marketing. Before publishing any patient statement, video, photo, or name, you must have documented, signed consent from the patient. This consent must be separate from the standard HIPAA authorization that patients sign at intake. A testimonial consent form should clearly specify:
- What information or media the practice can use (photo, name, written quote, video)
- Where it will be published (website, Google, social media, print ads)
- How long the consent is valid (indefinite, one year, revocable at any time)
- Patient signature and date
Generic consent is insufficient. The more specific your consent form, the better protected both you and the patient are. Oral permission is never acceptable in healthcare marketing. Keep all signed consent forms in a secure file, separate from the patient's medical record, for a minimum of seven years.
Pro tip
Create a simple one-page consent form and ask every new patient to sign it during their first visit. Make it routine, not an afterthought. This builds a library of testimonials over time without scrambling to get consent retroactively.
The consent should also address compensation. If you provide a discount, gift card, or free treatment in exchange for a testimonial, you must disclose this in the testimonial itself or in a disclaimer. The FTC requires that endorsements reflect honest opinions and that material connections (like compensation) be clearly disclosed.
Video Testimonials and Releases
Video testimonials are exceptionally powerful for websites and social media. A patient speaking directly to the camera about their experience builds trust in ways that written quotes cannot match. However, video testimonials introduce additional HIPAA and legal complexity because they capture not just words, but the patient's face and voice.
A video release must be separate from written testimonial consent. It should include:
- Permission to record the video on a specified date and time
- Permission to edit and publish the video in any format
- Permission to use the patient's likeness, name, and voice in perpetuity
- Acknowledgment that the patient has reviewed and approved the final video
Never publish a video without explicit written approval from the patient. Show them the final edit before posting. Some practices have patients review a proof on video conferencing, which documents their approval. Store the signed release with the video file for audit purposes.
When filming, keep the conversation focused on the patient's experience and results, not on protected health information. A patient can say "I was struggling with severe tooth decay" but should not disclose their specific diagnosis, treatment plan details, or health conditions beyond what directly relates to the cosmetic outcome.
Social Media and Review Sites
Publishing testimonials on social media and review sites adds another compliance layer. Google Reviews, Yelp, Healthgrades, and ZocDoc are public platforms where consent requirements still apply. You cannot take a patient testimonial from one channel and republish it on another without consent for that specific channel.
Many practices mistakenly assume that if a patient left a public review on Google, the practice owns the right to share that review elsewhere. This is incorrect. The patient wrote the review for Google, not for your social media marketing. Republishing it on Facebook, Instagram, or your website without explicit permission violates the spirit of consent and could expose you to legal liability.
The safest approach is to screenshot or quote Google reviews with a clear attribution to the platform ("Jane D. on Google Reviews") and to provide a link back to the original review. This respects the patient's original intent while leveraging social proof. If you want to use a review more prominently, reach out to the patient and ask for written permission to republish.
For testimonials you actively collect on your website or via email, be explicit about where you plan to use them. Your consent form should list all platforms: website, Google Business Profile, Facebook, Instagram, LinkedIn, print materials, email newsletters. If you add a new platform later, you may need fresh consent.
Building a HIPAA-Safe Testimonial Workflow
A sustainable testimonial program requires systems, not just one-off efforts. Design a workflow that captures consent at the right moment in the patient journey and stores everything securely.
Here is a repeatable framework:
- At appointment completion, the front desk offers patients a testimonial opportunity. Keep it simple: "Would you be willing to share your experience with us in a video or photo? We'd love to feature your story."
- If interested, provide the patient with a one-page consent form (digital or paper). Include options for written quote, photo, video, or all three.
- Store the signed form in a secure folder, separate from the medical record. Use Google Drive, Dropbox, or a HIPAA-compliant cloud service with access controls.
- Schedule the patient for a video shoot or photo session within a week, while they are most enthusiastic.
- Edit and send the patient a proof for approval. Document their approval in email or in writing.
- Publish to your website, Google Business Profile, and social channels according to the consent form.
- Maintain a log of published testimonials with dates and channel references.
This workflow ensures consistency and creates an audit trail. If you are ever questioned about a testimonial, you can produce the signed consent, the approval email, and the publication record.
Before and After Photos
Before and after photos are one of the most effective ways to demonstrate clinical results. However, they are also one of the highest-risk compliance areas. A before and after photo is, by definition, identifiable to the patient. Even if you crop out the person's eyes, the teeth alone are often distinctive enough for someone who knows the patient.
HIPAA does not explicitly ban before and after photos, but they are considered PHI because they document a patient's treatment. You must have written consent that specifically authorizes the use of photographs in marketing. Generic consent is not sufficient.
Best practices for before and after photos:
- Use a photo release form that clearly states you are collecting images for marketing purposes
- Specify which platforms you will use (website, social media, print ads, trade shows)
- Crop out identifiable features when possible (eyes, distinctive facial features)
- Use discreet labeling: "Patient results" instead of names when possible
- Provide an easy opt-out mechanism if the patient later wants their photos removed
Store before and after photos in a separate, password-protected folder with the signed release. Do not include patient names in the file names.
Avoiding Common HIPAA Pitfalls
Even well-intentioned practices make mistakes when handling testimonials. Here are the most common pitfalls and how to avoid them:
- Using old reviews without permission: A patient left a review three years ago. You cannot republish it on social media without asking first. The original review was written for a specific platform and purpose.
- Revealing medical conditions in testimonials: A patient says "My root canal pain is gone." The public now knows this patient had a root canal. While the patient chose to disclose this, you should help guide them away from overly specific clinical details.
- No documentation of consent: You have a verbal agreement, but no signed form. If there is a dispute, you have no proof of permission. Always get it in writing.
- Sharing testimonials across platforms without review: A video was approved for your website. You should not automatically republish it on TikTok without showing the patient where it will appear.
Consider working with your practice's compliance officer or legal counsel to review your testimonial consent forms and workflow at least annually. Regulations evolve, and reputation management practices should keep pace.
Frequently Asked Questions
How long does this typically take to implement?
For most practices, 2 to 6 weeks depending on current setup and resources available.
What if my practice is small?
These strategies work for all practice sizes. Start with the highest-priority item and build from there.
Do I need professional help?
Some tasks require professional expertise. Start with what you can do, and hire specialists for technical items.
What is the ROI?
Most practices see ROI within 3 to 6 months if done correctly. Patient acquisition cost drops and patient retention improves.
How do I measure if this is working?
Track metrics relevant to each strategy. Use Google Analytics, your PMS, and call tracking to measure impact.
What if I do not have budget for this?
Many of these strategies are free or low-cost. Start with free tools and tactics, then invest in paid solutions as revenue allows.
How often do I need to update this?
Most strategies require quarterly reviews. Some, like reviews and content, benefit from ongoing attention.