How Dental Practices Get More Google Reviews (HIPAA-Safe Playbook)

Most conversations I have with dental practice owners about Google reviews start the same way. "We do good work, our patients love us, and we have forty-seven reviews, most of them from 2021." Then you can hear the part they've been dreading. They tried sending review request texts last year, and their compliance person shut it down within a week because somebody on the team wrote "thanks for your crown today" in the template, and that's PHI. The program died. The reviews stayed at forty-seven. And the practice down the street with a less-experienced associate dentist is now ranking above them on Google because their reviews aren't four years old.

Here's the playbook I've seen dental practices use to grow review velocity without crossing the HIPAA line. Crossing that line in a review-request text is much easier than most practice managers realize, which is why so many practices either run an unsafe program for a year or give up and run nothing at all. We'll walk through the wording that's safe, the wording that isn't, the operational handoff at the front desk, and the piece of the dental business model that makes review velocity unusually fragile here: the six-month recall cycle.

Why Dental Practices Get Stuck at the Same Review Count

Structurally, a dental practice should be one of the easier local businesses to get reviews for. Patients are booked weeks in advance, the front desk has every phone number on file, the appointment ends in a predictable handoff at the front, and the relationship is multi-year and high-trust, especially for general dentists with long-tenured patients. None of that is true for a coffee shop, which somehow has 800 reviews to your forty.

What holds practices back isn't the patient relationship. It's two specific constraints. The first is HIPAA, or more precisely, the very reasonable internal caution about HIPAA, which causes most practices to either send nothing or send something so generic and infrequent that it doesn't move the needle. The second is the recall cycle. Patients don't come in once a week. They come in every six months, sometimes every twelve. Whatever review-velocity engine you build has to work with a much slower input than the salon down the street. A salon can drive three reviews a week off a stylist's repeat clients alone. A dental practice can't, so every patient interaction has to count.

The good news is that within both constraints there's a clear safe path. It just has to be designed deliberately instead of cobbled together from whatever your practice management software ships by default.

The HIPAA Line in a Review-Request Text

The HIPAA rule that matters here is the one most dental teams already know in principle. Protected health information is anything that identifies a patient and discloses anything about their treatment, diagnosis, condition, or care. What catches practices off-guard is how easily an apparently friendly review-request text crosses that line. "Hi Sarah, thanks for your visit today, a quick Google review would mean a lot" is fine. "Hi Sarah, thanks for your root canal today" is, depending on how you read the rule and how cautious your compliance person is, a disclosure of treatment information by SMS to an unencrypted channel. Don't send that one.

The principle to give the team is simple. The review request can identify the patient by first name. It can thank them for visiting. It cannot describe what was done, why they came in, what the dentist found, what was prescribed, what the follow-up plan is, or anything else that would tell a third party (including the carrier handling the SMS) anything about the patient's health. Even apparently harmless additions like "thanks for bringing the kids in for their cleaning" can be argued either way, and they aren't worth the argument.

The text also can't name the procedure indirectly. "Thanks for letting us take care of that tooth today" is the kind of phrasing a friendly front-desk person might write, and it isn't safe. Neither is "hope you're feeling better." Neither is "we know that wasn't easy." All of these telegraph treatment information to anyone reading the message, including anyone who happens to pick up the patient's phone. Keep it bland on purpose. Honestly, bland is safe.

Safe Wording vs Unsafe Wording (With Examples)

The templates that actually work live in a pretty narrow band. They have to mention the patient by first name (or it converts terribly), thank them for the visit (or it sounds like a marketing blast), put the Google review link as the last thing in the message (or it buries the action), and say absolutely nothing about why they came in. There's still some room inside that band to vary tone by practice.

A safe general template:

Hi [first_name], thanks for coming in today, really appreciate you. If you have a minute, a quick Google review would mean a lot to our team: [review_link]

A safe practice-owner-signed variant:

Hi [first_name], it's Dr. Chen. Thanks for stopping by today. If you have a sec, a Google review would mean a lot: [review_link]

The unsafe versions that practice management vendors sometimes ship in their default templates library include phrases like "thanks for your appointment for [procedure_name]," "hope your [tooth/jaw/gums] are feeling better," "thanks for letting us help with [treatment]," and the worst offender, the auto-populated procedure field in the merge tag. If your software offers a "procedure" merge tag in the review-request template, leave that field empty. Always. There is no version of including procedure information in an unencrypted SMS that's worth the regulatory exposure.

A useful internal rule for the front desk and the marketing person: if you couldn't read the entire text out loud in the lobby without anyone learning anything about the patient's health, the text isn't safe. Rewrite until it passes.

The Front-Desk Handoff That Actually Asks

The other failure mode that pins dental practices at the same review count is the front-desk ask itself, even when it's been formally adopted in a team meeting. Checkout at a dental office is genuinely chaotic. A patient is checking out, the next patient is checking in, the hygienist is asking about the next opening for a specific code, and somebody's insurance just bounced. "Remember to ask for a review at checkout" is the first instruction to drop off the front desk's mental stack on a busy morning, and busy mornings are exactly when the patient volume is.

The fix is the same one that works in salons and restaurants: take the ask off the front desk entirely and put it on a schedule that fires automatically from the appointment-completed event in the practice management software. The front desk doesn't have to remember anything. The patient gets the HIPAA-safe text twenty to forty-five minutes after walking out the door. Conversion is meaningfully higher than the in-person ask anyway, because the patient is at home, the appointment is fresh, and the ask is asynchronous so it doesn't feel like social pressure.

What the front desk should do, optionally, is one short verbal pre-warm on the way out: "you might get a text from us later, totally fine to ignore if you're busy, but it really helps us if you have a sec." That isn't a review ask. It's giving the automated SMS social permission to land. The same softening is documented in our review-request automation guide, and I've seen it lift SMS conversion by another fifteen percent or so when practices run both versions side by side.

There's a separate operational question, which is who the review is "from." For solo practices, it's trivially the practice owner. For multi-provider practices, which are common in dentistry, there's a real question about whether the text is signed by the practice or by the specific provider the patient saw. Signing from the specific provider lifts conversion meaningfully because it feels personal, but it requires your practice management software to know which provider the patient saw and merge that into the template. If your software supports the merge tag, use it. If it doesn't, sign the text from the practice name. Just never blank-sign it, which reads as spam.

Cosmetic Patients: Your Highest-Conversion Cohort

Within a general dental practice's patient mix, there's one cohort that converts on review requests at roughly three times the rate of everyone else, and most practices don't separate them out. Cosmetic patients (veneers, Invisalign, whitening, bonding, full smile makeovers) are emotionally invested in a way that hygiene-cleaning patients just aren't. They saved up. They thought about it for months. They're looking at themselves in the mirror differently now, and the visible change is the kind of thing people talk about online.

The catch is that the HIPAA constraint applies to this cohort more strictly, not less, even though it's tempting to lean into the cosmetic angle in the text. You can't send "thanks for your veneers consultation today" or "hope you love your new smile." Both telegraph treatment information. What you can do is send the standard bland text and trust that the patient, on her own, will write a review that mentions the procedure. She almost always will. Cosmetic patients write specific, detailed, glowing reviews when prompted, because the procedure is the whole reason they came in and is naturally what they want to talk about.

A practice with even a small cosmetic case mix, say five cosmetic patients a month, shouldn't treat those five patients as part of the general flow. They're your highest-conversion review-target cohort. Make sure the text actually gets sent. A surprising number of practices have automation rules that exclude cosmetic patients because the records are flagged differently, and the reviews never go out. Get the timing right too: for veneers and bonding, same-day works; for Invisalign treatment closeouts, the day-after-debond morning is the highest-emotion moment and a great send window. Bland text, big result.

The Six-Month Recall Cycle Problem

Here's the part that makes dental fundamentally different from every other local services vertical, and the part most "get more Google reviews" advice completely ignores. Your average patient comes in twice a year. That means the universe of patients who could conceivably leave a review in any given month is something like one-sixth of your active patient base. A salon with 800 active clients can drive 100+ reviews a year off the same base because clients come in every six weeks. A dental practice with 800 active patients can drive maybe 30 a year off the same base if every single one of them leaves a review, which they won't.

Two things follow. First, review velocity in a dental practice decays much faster than people expect when the system isn't running. Stop sending requests for a month and your run-rate goes to zero for that month. There's no "catch up." The patients you didn't ask in September aren't going to leave a review in November because the visit is no longer fresh. The warm window we cover in the pillar post on getting more Google reviews is even less forgiving in dental, because the next interaction with the patient is six months away.

Second, hygiene appointments, which most practices treat as the lower-revenue, lower-priority side of the book, are actually the volume engine for the review program. They're the most frequent patient touch, they end on a predictable note, and the post-cleaning patient is in a genuinely good mood (clean teeth, no bad news, out in forty minutes). If your automation only fires on dentist-seen visits and not on hygiene visits, you're throwing away two-thirds of your possible review volume. Wire the hygiene chairs in.

The BAA Question (and Why Most Practices Get It Wrong)

One more topic worth covering directly, because it's the place where practice attorneys and SMS vendors most often talk past each other. The question is whether the SMS vendor handling your review-request text needs a Business Associate Agreement, or BAA, with the practice under HIPAA.

The conservative legal read is that any vendor handling messages that could contain PHI needs a BAA. The practical industry read is that a review-request text containing no procedure information, no diagnosis, no treatment plan, and just the patient's first name plus a thank-you plus a link is probably not PHI in itself, because identifying a patient as having visited a specific provider isn't really a disclosure of health information beyond what's already publicly inferable from anyone visiting that provider. But "probably not PHI" isn't the same as "definitely not PHI," and conservative compliance teams will want a BAA in place anyway as defense in depth. There's also a separate compliance overlay around SMS regulation generally, which we cover in our TCPA-compliance post. The consent requirements there apply on top of HIPAA, not instead of it.

The honest answer for a practice: ask your SMS vendor whether they sign BAAs, and ask your compliance counsel whether they want one. Some vendors will sign. Some won't. Practices that won't run an SMS program until they have a BAA in place are making a defensible choice. Practices that run an SMS program with no BAA and no compliance review of the template wording are taking a risk they probably don't fully see. The middle path of a bland template, no procedure information, and a vendor that will sign a BAA when asked is where most well-run practices land, and it's where this playbook lives.

What practices shouldn't do is conclude that the regulatory uncertainty means they shouldn't run a program at all. The practice across town is running one. Their reviews are accumulating. Yours aren't. The gap will keep growing for as long as you're idle. The right move is to run the safe version of the program.

Frequently Asked Questions

Frequently Asked Questions

Is sending a review request text to a dental patient a HIPAA violation?

+

Not by itself, as long as the message contains no procedure, diagnosis, or treatment information. A first-name thanks plus a Google link is generally considered safe. Anything referencing what was done is not.

Does a dental practice need a BAA with its SMS vendor?

+

Conservative compliance counsel will want one as defense in depth, even when the templates contain no PHI. Ask the vendor directly; many will sign, and the ones that won't are a signal you should pick a different vendor.

Should hygiene appointments trigger review request texts?

+

Yes. Hygiene visits are the highest-frequency patient touch and the primary volume engine for dental review programs. Automations wired only to dentist-seen visits leave roughly two-thirds of possible review volume on the table.

When should a dental practice send the review request text?

+

Within 30 to 60 minutes of the patient leaving the office for hygiene and standard appointments. For cosmetic closeouts like Invisalign debond, the morning after captures the highest-emotion mirror moment.

Can a dental practice mention the doctor by name in the review text?

+

Yes, and it lifts conversion meaningfully. Signing the text from the specific provider the patient saw is HIPAA-safe and feels personal. Never blank-sign, which reads as marketing spam.

How many reviews does a dental practice need to outrank competitors locally?

+

Recency matters more than absolute count. A practice posting 8 to 12 fresh reviews per month consistently will outrank competitors with larger but stale review bases inside a year.

A dental practice that gets the wording right, wires the automation to both dentist and hygiene appointment-completed events, and treats cosmetic patients as a separate higher-priority cohort can comfortably triple review velocity inside a quarter without crossing any HIPAA line or asking the front desk to remember anything new. If you want the SMS, the HIPAA-safe templates, and the automation running by the end of the week, that's what ThankYouReview does for practices in this exact situation. Otherwise, write one bland, first-name-only text, wire it to your appointment-completed event in your practice management software, and ship it Monday. The recall cycle is unforgiving, the warm window after a visit is short, and the practices that compound on Google are the ones that built the safe version of the system and left it running.