How Med Spas Get More Google Reviews (Without Crossing FDA or HIPAA Lines)

Almost every med-spa owner I talk to has the same complaint, phrased almost identically. Their clients love them, they book again, they refer their sisters, they come back every twelve weeks like clockwork, and yet the Google page has fifty-six reviews after six years and most are from 2021. Then comes the real problem. They don't even know what they're allowed to say in a text. The injector keeps reminding them they can't put "Botox" in writing because of HIPAA, the marketing person says they can't promise results because of the FDA, so they just don't ask. That's the med-spa review problem in two sentences. The retention is great. The ask is locked behind two regulatory walls nobody on the team has time to figure out.

Here's the playbook I've watched med-spas use to go from a trickle of reviews a year to a steady three or four a week, without an injector ever performing the ask in the treatment room, without a single text referencing a brand-name drug or a treatment outcome, and without crossing the FDA or HIPAA lines that make most owners freeze up the first time they try this. It's specific to how a med-spa actually runs (consultation, treatment, followup, the swollen-but-happy phase) because the generic "send a review request after every visit" advice falls apart the moment you remember that "every visit" includes a Botox patient who can barely smile and a consultation-only client who hasn't received any service yet.

Why Med Spas Underperform on Google Reviews

On paper, med-spas should be one of the highest-review-velocity verticals in local search. The treatments are expensive, the clients are emotionally invested, the result is visible in the mirror, and the rebook rate is exceptional. A satisfied filler client is going to look in the mirror every morning for the next nine months and remember exactly which clinic she went to.

And yet the typical independent med-spa runs years behind the dermatology practice down the street. The reason isn't service quality. It's that the post-visit communication flow is the most regulated piece of marketing comms in any local-services category. A salon can text "thanks for letting Tasha take care of your balayage today." A med-spa can't say "thanks for the Botox today, you're going to love it." The brand name, the implied outcome, and the disclosure of what procedure actually happened each bump into FDA marketing rules, HIPAA privacy rules, or both.

So most owners do what risk-averse operators do everywhere. They send nothing. They tell the front desk to "mention it on the way out," which fails the same way it always does. And the Google profile sits at fifty-six reviews for another year.

The FDA + HIPAA Layer Most Owners Don't Think About

Two separate regulatory frameworks land on a med-spa's review-request text at the same time, and most owners conflate them. They're worth pulling apart because the wording fixes are different.

The FDA piece is about how you market medical treatments. The agency takes a dim view of off-label promotion, before-and-after claims tied to specific drugs, and any messaging that implies a particular outcome from a particular product. A text that says "we know you're going to love your filler results, leave us a review!" is exactly the kind of thing a pharma compliance person would tell you to stop sending. You're pairing a brand-name product with an outcome claim, in writing, to a patient, from a medical practice. The fact that you didn't manufacture the filler doesn't matter. You're advertising a medical outcome.

The HIPAA piece is about whether the text itself, sitting on the patient's lock screen, discloses protected health information. "Thanks for your Botox appointment today" is technically a disclosure of a medical procedure to whoever happens to be looking at the patient's phone: her partner, her mother, the kid playing with her phone in the back seat. Most owners hear this and assume it's a theoretical concern. It isn't. I've seen complaints filed over exactly this kind of disclosure, and even if the complaint goes nowhere, the patient's trust in the practice is broken the day she realizes her husband saw a text referencing a procedure she didn't want to discuss.

The fix for both is the same. The post-visit text never references the procedure, never references the drug, and never implies a result. It thanks the patient for the visit, mentions the clinic by name, and asks for a Google review. That's the whole message. The lift in conversion from being specific about the procedure is real in other verticals, but it isn't real here, because the legal and trust cost outweighs it. There's a longer write-up of the SMS-compliance side in our TCPA compliance guide for review request SMS, and a lot of the same principles apply to HIPAA-adjacent messaging.

Safe Wording for the Post-Visit Text

The wording that works at a med-spa is almost aggressively generic, and that turns out to be a feature. Something like:

Hi Megan, thanks for visiting us at Lumen Aesthetics today. If you have a moment, a quick Google review would mean a lot to our team: [review_link]

That's it. No procedure, no drug, no promised outcome. Just the clinic name, the patient's first name, and the Google link.

Two subtle things matter in that text. "Thanks for visiting" is the broadest possible phrasing. It works for an injector appointment, a laser session, a follow-up, or a consultation, with no edit. One template handles every appointment type, so nobody at the front desk has to pick the right one under pressure. And "would mean a lot to our team" deflects the ask away from the individual provider, which matters in clinics where the injector is a nurse practitioner under a supervising physician. You don't want the text reading like an outcome endorsement from the nurse.

The patient knows exactly what she just did at your clinic. The text doesn't need to remind her. It just needs to give her a one-tap path to the Google review screen while she's still in the warm window.

The 48-72 Hour Window for Injectables

This is where med-spa timing diverges from almost every other vertical. The standard post-visit-SMS playbook is "send within an hour." For an injector appointment, that's the worst possible time.

A Botox patient at thirty minutes post-injection is sometimes mildly red, occasionally bruising, and almost always self-conscious about what she looks like in the rearview mirror on the drive home. A filler patient is worse. Lips, mid-face, and tear-trough work all swell visibly for twenty-four to forty-eight hours, and she's told everyone in her life she "didn't have anything done." Asking her for a review while she's looking at a swollen face produces no review at all, and sometimes a defensive three-star where she conflates the temporary swelling with the actual work.

The window for injectables is forty-eight to seventy-two hours after the appointment. Long enough for the bruising to fade and the filler to settle, short enough that the visit hasn't been buried by the rest of the week. The patient looks in the mirror on day three, sees the result she paid for, and the text arrives that afternoon. In my experience, conversion in this window runs three to four times higher than a same-day send.

This requires a system that knows what category of appointment just happened. Not the procedure (which the SMS isn't going to reference) but the type, so it can pick the right delay. Most EMR and booking systems tag appointment types internally. The automation reads that tag and picks a forty-eight-hour delay for injector visits where it would pick a one-hour delay for a facial. There's more on wiring this up in our review-request automation guide.

Same-Day vs Next-Day for Facials and Light Treatments

Not every med-spa appointment is an injector visit. Hydrafacials, chemical peels, dermaplaning, IPL, laser hair removal: these fill out the schedule between injector days, and they follow a different emotional arc.

A facial client walks out glowing. That isn't marketing copy. Her skin is literally flushed, the makeup is gone, and she's been told for ninety minutes that her cheekbones are great. The thirty-to-sixty-minute window after a facial is the highest-emotion review window of any med-spa appointment. Send same-day, ideally within an hour of checkout.

Light laser treatments like IPL, mild Clear + Brilliant, and hair removal sit in the middle. The patient is mildly red for a few hours, and the result isn't fully visible for two or three days. A next-day send, around eighteen to twenty-four hours later, catches her when the redness has resolved and the early result is starting to show. Body contouring follows a similar one-to-two-day delay because the visible effect builds over the first forty-eight hours.

The point isn't that every clinic has to build seven different flows. It's that one universal "send at 1pm the next day" leaves volume on the table from both ends. Too late for facials, too early for filler.

The Consultation Cohort You're Ignoring

This is the lever almost every med-spa owner misses, and honestly, it's the one I'd start with if I were rebuilding a clinic's program from scratch.

Med-spas run a high volume of consultation-only appointments. The patient comes in, meets the injector, gets a treatment plan and a quote, and leaves to think about it. Most clinics never ask this cohort for a review, on the theory that they haven't received the service yet.

That theory is wrong. A consultation visitor received a thorough, professional, in-person consultation from a licensed practitioner, in a clean facility, after being greeted by a friendly front desk and walked through her concerns at length. That's a service experience, and a lot of patients are willing to review it. Reviews from this cohort describe the staff, the cleanliness, the lack of pressure to book, and that mix is exactly what new prospects want to see. A Google page full of "the injector was patient and didn't push me into more than I wanted" reads as more trustworthy than a page full of pure result reviews.

There are no FDA or HIPAA issues with the consultation-cohort text either, because no procedure happened. "Thanks for coming in to chat with us today, if you have a moment, a quick Google review would mean a lot" is fully clean. Send it the same evening or the next morning.

Handling Clients Who Don't Want to Be Public

The med-spa version of the privacy question is sharper than in any other vertical. Some percentage of any client base genuinely doesn't want their name associated publicly with any aesthetic treatment, whether for professional reasons, family reasons, or just because the topic is personal. Asking that patient for a review, even with a generic text, can damage the relationship.

The fix isn't to suppress the entire cohort, because most clients don't fall into this group and you'll never know who does unless you give them a path to say so. The fix is the opt-out. The text has a one-tap "no thanks" option, and that opt-out is permanent. No follow-up, no second prompt, no marketing reactivation. The visible respect for the patient who said no is what builds trust here.

A second piece is the soft consult at intake. Some clinics include a simple line on the new-patient form: "We occasionally send a thank-you text after appointments, okay to include you?" with a checkbox. That's both a legal protection (an explicit opt-in on file) and a relationship signal. Clients who check no get flagged to never receive any post-visit messaging.

A version of this dynamic shows up in dental practices too. We unpack the parallel in our dental practice review post.

Why Med-Spa Reviews Compound Differently

The piece that takes most med-spa owners a year to internalize is that the Google page is the primary surface a prospective patient uses to decide whether your clinic is a serious medical practice or a dressed-up beauty bar. Aesthetic patients are an unusually research-driven cohort. They cross-reference your page with RealSelf, with Reddit threads, with the injector's Instagram, with how you respond to negative reviews. A clinic with two hundred recent, varied reviews (some about results, some about consultations, some about the front desk) reads as a real medical operation. A clinic with thirty stale reviews from 2022 reads as a side hustle.

The same dynamic that makes reviews so high-leverage for med-spas makes the regulatory care necessary. A patient who feels her privacy was respected leaves a review and refers her friends. A patient who got a text saying "thanks for your Botox today!" never comes back, and tells the group chat. The wording isn't a small detail. It's the whole thing.

Frequently Asked Questions

Frequently Asked Questions

Is it a HIPAA violation to text a med-spa patient about a Google review?

+

Not if the message contains no procedure, drug name, or treatment information. A first-name thanks plus a Google link is safe. Anything referencing what was done by name crosses the line.

When should a med-spa send the review request after a Botox or filler appointment?

+

Between 48 and 72 hours after the appointment. Earlier sends catch visible swelling and bruising and either produce no review or a defensive low-star rating. Day three is the conversion peak.

Should med-spas ask consultation-only visitors for Google reviews?

+

Yes. Consultation visitors received a real service experience and write the staff-and-trust reviews that prospective patients use to decide. There are no FDA or HIPAA constraints because no procedure was performed.

Can a med-spa offer a free treatment in exchange for a Google review?

+

No. Google explicitly prohibits incentivized reviews, and the FDA takes a dim view of any outcome-tied promotion. Both the platform penalty and the regulatory risk are severe.

Does the SMS vendor for a med-spa need to sign a BAA?

+

Conservative compliance counsel typically wants one even when the templates contain no PHI. Many vendors will sign; if yours will not, that is a meaningful signal.

How should a med-spa respond to a negative review claiming filler swelling was a bad result?

+

Respond publicly, briefly, with empathy and an offer to discuss privately. Never disclose treatment specifics in the public reply. The response is read by prospects more than the review itself.

None of this requires the injector or the laser tech to do anything different. Patients still book, the clinic still treats, the front desk still checks them out. What changes is that the warm window after the appointment, calibrated by visit type, scrubbed of procedure references, with a permanent opt-out for the patients who need it, stops getting wasted. If you want the HIPAA-safe SMS, the timing-by-visit-type delays, and the consultation-cohort flow running by end of week, that's the entire reason ThankYouReview exists. Otherwise, write one generic text that mentions only the clinic, pick the right delay for your highest-volume visit type, and ship it on Monday. The reviews don't come from the treatment room. They come from the mirror on day three.