Let us start with why this matters enough to get right. When someone is choosing a doctor, a dentist, or a med spa, they are not buying a product they can return. They are deciding who to trust with their body, their face, or their kid. That is a scary call to make, and people make scary calls by looking at what other people did first. The numbers back it up: surveys collected by Shapo and others show that roughly 93 percent of consumers read reviews before they buy, and a majority now trust online reviews about as much as a recommendation from a friend. A real patient's words do something your own marketing never can: they vouch for you.
So testimonials are gold. The problem is that you work in one of the few industries where repeating what a happy customer told you can be illegal. Let us untangle that, because most of the fear around it comes from not knowing where the line actually sits.
First, know the difference between a review and a testimonial
These two words get used like they mean the same thing. For HIPAA, they are worlds apart.
A review is something a patient writes on their own, on a platform you do not control, like their personal Google or Yelp account. That is the patient's free speech. They can say they saw you, name their procedure, post their before and after, whatever they want. HIPAA does not gag a patient about their own care. It never has.
A testimonial is content you collect and publish: a quote on your homepage, a video on your Instagram, a patient story in a Facebook ad. The second you put it out under your practice's name, it stops being their speech and becomes your marketing. And the moment your marketing reveals that a specific person is your patient, or anything about their treatment, you are disclosing protected health information. That is what needs permission.
The one rule that keeps you safe: get it in writing
Here is the whole foundation, in one sentence. Before you publish any testimonial that identifies a patient, you need their signed written authorization. The HIPAA Privacy Rule (45 CFR 164.508) is clear on this: a valid, written authorization is required before a covered provider uses a patient's story, photo, or health details in marketing, on any channel.
A verbal "sure, you can use that" does not cut it. A thumbs up in a text message does not cut it. You want a real form on file. And the form is not a vague blanket waiver; it has to spell out the specifics. Pulling from guidance summarized by compliance advisors and the rule itself (the required elements are listed in 45 CFR 164.508(c)), a clean authorization includes:
- Who: the patient's name, your practice's name and contact info, and who is releasing the information and who may receive it (for a testimonial, your practice is the one using it, and the public is the audience).
- What: exactly what gets used, their words, first name, a photo, a video clip, a before and after.
- Where: the specific places it can appear, your website, Instagram, Facebook, Google, paid ads.
- Why: the purpose, stated plainly, such as "marketing the practice."
- How long: an expiration date or event, so it is not open ended forever.
- The off switch: a plain line telling the patient they can revoke permission in writing whenever they want, plus a line that signing is voluntary and that their treatment does not depend on it.
Then get the signature and the date, and keep the form. That is it. A patient signs once, and that testimonial is yours to use, cleanly, for as long as the authorization says or until they revoke it.
The 50,000 dollar mistake to never make
The fastest way practices get burned is not with testimonials at all. It is with review replies. An owner sees an unfair one star review, gets defensive, and fires back something like "You were actually a no show for two of your three appointments and we still treated your infection for free." Feels justified. It just confirmed the person was a patient and disclosed their treatment to the entire internet.
This is not hypothetical. A North Carolina dental practice paid a 50,000 dollar HIPAA penalty to federal regulators after a staff response to a negative online review revealed a patient's protected health information. The lesson is brutal and simple: you can respond to reviews, but you can never confirm or deny that someone was a patient, or reference a single detail of their care. That applies to glowing reviews too: "So glad your implants healed so well!" is the same disclosure as the defensive reply above. Keep it generic, invite them to call you privately, and move on.
Safe vs unsafe review reply
Unsafe: "We're sorry your crown felt loose, but you missed two follow ups where we could have fixed it." (Confirms patient + discloses treatment. This is the violation.)
Safe: "Thank you for the feedback. We take every concern seriously and would love the chance to make it right. Please give our office a call so we can talk it through." (Names nothing. Says nothing about care.)
We wrote a full playbook on this exact problem in how to respond to negative reviews without breaking HIPAA. If your team handles your Google profile, make it required reading.
Why video testimonials are worth the extra effort
If you are going to do the work of getting authorization, get the most powerful version of a testimonial while you are at it. That is video. A written quote is good. A 60 second clip of a real person looking into a camera and saying "I was terrified of dentists my whole life and this team made it easy" is on another level, because the viewer reads honesty in a face that they will never read in a paragraph.
The data leans this way too. Bazaarvoice's 2025 shopper report found testimonials and peer reviews are central to buyer trust, and consumers increasingly trust short video over text. For a nervous patient deciding between two practices, watching someone like them describe a good experience can be the thing that tips them into booking. One authentic clip, filmed on a phone in your waiting room, can outwork a month of polished ads.
You do not need a studio. You need a willing patient, a signed form, decent light, and one or two simple questions: "What were you worried about before you came in?" and "What would you tell someone thinking about booking?" Real beats fancy every time. The same way a real photo of your team beats stock, a real patient beats a paid actor reading a script.
A simple system for collecting testimonials
The reason most practices have a thin pile of testimonials is not HIPAA. It is that nobody asks. The happy patients walk out the door and never think to say anything publicly. You have to build the ask into the visit. Here is a routine that works and stays clean:
- Ask at the peak. The best moment is right after a great result or a warm goodbye, when the patient is genuinely happy. A simple "Would you be open to sharing your experience to help other patients?" gets a yes far more often than an email a week later.
- Make the form easy. Hand them a short, plain language authorization, or text them a link to a digital one. Less legal jargon, more "here is exactly what we'd use and where." People sign what they understand.
- Separate reviews from testimonials. For patients who just want to leave a Google review, send them a direct link and let them write whatever they want on their own profile. No form needed, because that is their speech. Save the authorization for content you will publish yourself.
- Store and track consent. Keep every signed form, and note the expiration. If someone revokes, pull their content down quickly. One organized folder saves you a world of trouble later.
Do this for a few months and you stop scrambling for proof. You build a library of real patient voices you can drop onto landing pages, into ads, and across social, all of it backed by paper.
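The "store and track consent" step, and the authorization elements listed earlier (what, where, how long, revocation), amount to an access-control rule: nothing identifying gets published unless a signed authorization on file covers that exact asset, on that exact channel, on that date, and has not been revoked. The following is an added example of such a consent register, not code from EtherealMinds or from any HIPAA guidance; the asset and channel names, the IDs, and the sample authorization are all constructed for illustration, and the check is a publishing gate, not legal advice.

```python
"""Consent register that gates testimonial publication on a scoped, dated,
revocable authorization. Illustrative example; names and data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    auth_id: str
    patient_id: str
    assets: frozenset       # what may be used: "quote", "first_name", "photo", "video"
    channels: frozenset     # where it may appear: "website", "instagram", "paid_ads", ...
    purpose: str            # the rule requires a stated purpose; here it is marketing
    signed_on: date
    expires_on: date        # expiration date, never open ended


@dataclass
class Placement:
    patient_id: str
    asset: str
    channel: str
    published_on: date
    auth_id: str            # which form backs this live item, so a revocation finds it


class ConsentRegister:
    def __init__(self):
        self._auths = {}        # auth_id -> Authorization
        self._revoked = {}      # auth_id -> date of written revocation
        self._placements = []   # everything currently live, for takedowns

    def record(self, auth: Authorization):
        if auth.expires_on <= auth.signed_on:
            raise ValueError("authorization needs an expiration after the signature date")
        self._auths[auth.auth_id] = auth

    def check(self, patient_id, asset, channel, on):
        """Return (authorization, None) if publishing is permitted, else (None, reason)."""
        candidates = [a for a in self._auths.values() if a.patient_id == patient_id]
        if not candidates:
            return None, "no signed authorization on file"
        reasons = []
        for a in candidates:
            revoked_on = self._revoked.get(a.auth_id)
            if revoked_on is not None and revoked_on <= on:
                reasons.append("authorization revoked in writing")
            elif not (a.signed_on <= on <= a.expires_on):
                reasons.append("outside the authorized period")
            elif asset not in a.assets:
                reasons.append(f"asset {asset!r} not listed")
            elif channel not in a.channels:
                reasons.append(f"channel {channel!r} not listed")
            else:
                return a, None      # every scope condition satisfied
        return None, "; ".join(reasons)

    def publish(self, patient_id, asset, channel, on):
        """Record a placement only if the gate passes; returns the backing auth_id."""
        auth, reason = self.check(patient_id, asset, channel, on)
        if auth is None:
            raise PermissionError(reason)
        self._placements.append(Placement(patient_id, asset, channel, on, auth.auth_id))
        return auth.auth_id

    def revoke(self, auth_id, on):
        """Record a written revocation and return the live placements to take down."""
        self._revoked[auth_id] = on
        affected = [p for p in self._placements if p.auth_id == auth_id]
        self._placements = [p for p in self._placements if p.auth_id != auth_id]
        return affected

    def expiring_within(self, on, days):
        """Live placements whose authorization lapses within `days` (or already has)."""
        horizon = on + timedelta(days=days)
        return [p for p in self._placements
                if self._auths[p.auth_id].expires_on <= horizon]


def demo():
    """Constructed walk-through: one form, scoped to two assets and two channels."""
    reg = ConsentRegister()
    reg.record(Authorization("A-001", "P-1042", frozenset({"quote", "first_name"}),
                             frozenset({"website", "instagram"}),
                             "marketing the practice", date(2025, 1, 15), date(2026, 1, 15)))
    when = date(2025, 3, 1)
    return {
        "quote_on_website": reg.check("P-1042", "quote", "website", when)[1],
        "photo_on_website": reg.check("P-1042", "photo", "website", when)[1],
        "quote_in_paid_ads": reg.check("P-1042", "quote", "paid_ads", when)[1],
        "after_expiry": reg.check("P-1042", "quote", "website", date(2026, 2, 1))[1],
        "no_form": reg.check("P-9999", "quote", "website", when)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'permitted' if outcome is None else outcome}")
```

Two design points carry the weight here. The gate is deny-by-default and checks every element of the authorization separately, so a form that covers a quote on the website never silently covers the same quote in a paid ad. And every published item is tied back to the form that backs it, so a written revocation or an approaching expiration produces the exact takedown list rather than a search through old posts.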
Where the testimonials actually go to work
A testimonial sitting in a folder helps nobody. The point is to put those voices exactly where prospects hesitate. On your website, that means real quotes and faces near your booking buttons and on your service pages, not buried on a lonely "reviews" tab. We build that trust layer into every website we design for practices, because a page that shows real patients converts the nervous visitor that a wall of self praise never will. It pairs directly with getting your Google reviews flowing; the two reinforce each other.
On social, patient stories are some of the highest performing content a healthcare brand can post, which is a big part of what we manage inside our social media service. And in paid ads, a real testimonial almost always beats a clever headline, though if you run them on Meta you have to be careful, because the platform now restricts a lot of health targeting. We broke that down in our guide to whether Facebook ads still work for medical practices.
How EtherealMinds keeps this clean for you
We only work with healthcare practices in the United States, so HIPAA is not an afterthought for us, it is the water we swim in. When we help a practice build out its reviews and testimonials, we set up the authorization process, train the front desk on the safe way to ask, and make sure every story you publish is backed by a signed form. Then we put those voices to work across your patient acquisition system, your site, your social, your ads, so the trust a happy patient hands you actually shows up where the next patient is deciding.
Patient testimonials are too valuable to skip out of fear, and too risky to wing. The middle path is a small amount of structure: ask at the right moment, get the signature, store it, and use it everywhere it counts. Do that, and the kindest thing a patient ever said about you stops being a nice memory and starts being the reason a stranger books.
Turn happy patients into your best marketing
Book a free strategy call. We will show you how to collect patient testimonials the HIPAA safe way and put them to work across your website, social, and ads, so the people who already love your practice help bring in the next ones.