As a Marketing for a medical professional, getting great reviews from patients is vital. Presenting those great reviews and making sure prospective new clients see them is also vital – you want new patients to be assured and comforted by word-of-mouth accounts of just how great your practice is. However (and it is a big however), when it comes to sharing reviews and patient information online to promote your practice, there are certain guidelines that you must adhere to Marketing For Medical, and be one-hundred-and-ten percent certain your practice doesn’t violate.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a piece of American legislation that provides data privacy and security provisions for safeguarding medical information. RiseMD has spoken to several top medical lawyers, some charging over $1,000 an hour, to gather the most important details of HIPAA compliance, and to tell you the things HIPAA forbids you from doing with patient reviews and medical information.

To adhere to HIPAA, you cannot: Marketing For Medical

       1.Take any existing patient lists and upload them anywhere on the internet. Not to Facebook to create a Custom Audience, not to Google, not anywhere online. In fact, you can’t even take patient lists out of the office. Patient lists and all patient-related data must stay secured in your office, and cannot be shared with anyone.

  1. Upload any patient lists to any email software. That means Mail Chimp, Constant Contact, Active Campaign, GetResponse and all of the other big email software.

Only HIPAA approved e-mail systems are allowed. You, nor your medical professional, can upload patient information to those email software.

  1. Give patient lists to a physical snail mail company to send postcards or physical materials to patients.


  1. Use call tracking software, such as CallRail. Now, this is a bit of a grey area –  you can use this software to record phone calls with individuals who are not yet patients, but the moment they become patients, this could get you in serious trouble, being that you have their information stored online and shared with CallRail. Let me take that back – it’s a very grey area, and every medical lawyer we spoke to advised to avoid doing this completely.


  1. Generate leads with existing clients, meaning Facebook pages or landing pages that collect people’s phones and emails. With the general public, this is totally fine, as long as your practice adheres to general public rules and regulations. However, you run into a huge problem when your leads become patients via your existing clients – that instant, you immediately start violating HIPAA regulations by having their info on the internet either in a funnel such as Unbounce or Clickfunnels or on Facebook. Again, this is a very gray area that is more dark than gray. So, it’s best for medical practices to stay away from opt-in lead generation.

       6. Answer or respond to any Google, Yelp or other online reviews on behalf of the practice. Not even:
“Thank you, for your 5-star rating!” And of course, do not answer or respond to any negative online reviews. 

The above guidelines are not an exhaustive list – there are much more ways a practice can violate HIPAA. Penalties for those violations are severe, for the medical professional AND for the marketer – up to a $250,000 fine for each infringement, and jail time. And yet, violations of HIPAA are too common. The HIPAA agency isn’t even close to the largest government regulatory agency, and they still hire more agents all the time to keep an eye on marketing for medical professionals and marketers.

Don’t put yourself in danger. If you’d like RiseMD to do an audit of your marketing for medical content to make sure it’s HIPAA-compliant.