The HIPAA-safe digital marketing operating manual for fertility clinic teams.

A1Handling patient reviews

Every review response is a published statement. Build the habit of writing as if your reply will be read by an OCR auditor, the patient's attorney, and a journalist on the same day — because eventually, on a long enough timeline, it will be.

Decision flowchart

A1.1 — Pre-cleared response templates

These templates do not acknowledge patient status, do not reference treatment, and direct any clinical conversation to a private channel. Use as-is or as a starting point for the response generator in your reputation management tool.

A2Responding to public Q&A

The Q&A panel on Google Business Profile is open to anyone — including non-patients — and any party can post an answer. If your clinic does not answer first, a third party may. Active management is the protocol.

Safe to answer

• Hours, parking, accessibility, and directions to either location
• Insurance plans accepted and self-pay options at a general level
• Service categories offered (IVF, IUI, fertility preservation, donor programs, third-party reproduction) — without endorsing one for the asker
• How to request an initial consultation and what to bring
• Languages spoken by the front-desk team
• General educational content with a link to the relevant resource page

Route to a private channel — never answer publicly

• "What is my chance of success with [my condition]?" — Always route to a consultation
• "Will [medication] interact with my prescriptions?" — This is medical advice; never answer publicly
• "Did Dr. [name] treat my friend?" — Never confirm or deny any patient relationship
• "How much will my treatment cost?" — Cost depends on individualized assessment; route to financial counselor
• "What protocol should I do for [diagnosis]?" — This is clinical recommendation; route to a consultation
• Any question naming a specific person, regardless of whether they are or were a patient

Safe vs unsafe answers — side by side

A3Using the GBP "Posts" feature

Posts on Google Business Profile show inside the local pack and on the clinic's profile card. They are indexed and surfaced for local-intent fertility queries. Use them for content that builds visibility without putting any patient at risk.

Safe-to-share post categories

• Staff introductions (physician, embryologist, nurse navigator) — credentials and clinical interests only, not patient anecdotes
• Educational content on conditions, treatments, and processes — at a general level, with a link to the relevant resource page
• Clinic hours, holiday closures, weather closures, and location-specific operational updates
• Event announcements: open houses, free educational webinars, support group meetings, awareness-month observances
• New service line announcements (e.g., genetic testing program, fertility preservation expansion)
• Awards, accreditations, and SART/CDC reporting milestones (without specific outcome claims)
• Community involvement: charity walks, conference participation, advocacy work
• Hiring announcements that do not reveal department-specific patient volume

Never share via Posts

• Patient testimonials or quotes — even with first name only, even with the patient's permission via DM rather than signed authorization
• Specific treatment outcomes, success rates tied to individual cases, or "success story" framing of any kind
• Photos of patients, partners, or families, even if they consented to a photo for a different purpose (intake, in-room imaging, etc.)
• Baby photos, pregnancy announcements, or birth announcements that patients send to the clinic — these require a signed Patient Authorization for Media and Testimonial Use to repost
• Before-and-after imagery of any kind, including ultrasound images
• Outcome guarantees, superlatives, or any of the blocked keywords ("100% success," "guaranteed," "best fertility clinic," "no risk," "we ensure pregnancy")
• Photos taken inside clinical areas, treatment rooms, embryology lab, or anywhere a patient or chart could be visible
• Internal staff photos taken in clinical areas without verifying no patient information is visible (whiteboards, screens, charts)

Pre-publish QA checklist

Before any GBP post goes live, run through this. The audit log should show this checklist was completed by a second reviewer.

• No patient names, photos, or identifying details appear anywhere in the post or in any image
• No outcome guarantees, superlatives, or blocked keywords appear in the copy
• If the post links externally, the destination is a clinic-owned property with HIPAA-compliant analytics
• If the post promotes an event, registration runs through a HIPAA-compliant intake form (not a marketing-list signup)
• Image alt text contains no patient information
• Post has been approved by the Practice Administrator or Privacy Officer
• Post is logged in the publishing calendar with publish date, approver, and category

B1Interacting with users — comments & DMs

Every public reply is permanent. Every DM creates a record. Treat the inbox as a regulated communication channel, not a customer-service window.

Engagement rules

• Move clinical conversations off-platform within one reply. The first response from the clinic should always direct the user to the secure portal, a known phone line, or a HIPAA-compliant intake form.
• Never confirm patient status in any thread, even if the user identifies themselves first. The clinic's silence on identity is itself part of the privacy posture.
• Never provide medical advice in comments or DMs. Educational content can be shared at a general level only, and only with a clear "this is not medical advice" framing.
• Document every escalated interaction. Screenshot, tag with date/time/platform, save to the social media moderation log.
• Personal accounts stay personal. Staff who post about the clinic from personal accounts must include the "views are my own" disclaimer and may not respond to clinic-related comments from those accounts.
• Run the blocked-keyword check on every public reply. "Guaranteed," "100% success," "we ensure pregnancy," and the rest of the list are forbidden anywhere — including in casual replies.
• Time-limit DM responses. Set a published response window ("we respond within one business day, Monday–Friday") so that delays are not perceived as evasions.

DM template — request for medical advice

DM template — request to confirm an appointment, billing, or chart detail

Comment template — public thread, user asks something private

B2Managing user-generated content (UGC)

UGC is content patients, partners, or community members publish about your clinic on their own accounts — tags, mentions, comments on your posts, stories that mention your handle, hashtag use, and replies. The clinic does not control what users post, but the clinic does control how it engages with that content. Engagement is regulated.

Protocol — patient shares their own PHI publicly

DM template — gently asking a patient to remove or edit a public PHI post

The reshare risk

This is the rule digital marketers most often get wrong: a patient publicly posting about their treatment does not give the clinic permission to repost, like, or share that content. The fact that something is publicly viewable on the patient's own account does not waive HIPAA. The clinic's amplification of a patient's PHI through a like, share, or repost can itself constitute an impermissible disclosure. To use any patient-shared content (photos, videos, testimonials, reviews) in clinic marketing — including as a "regram" with credit, including in a story shoutout, including as a screenshot in a future post — the clinic must have a signed HIPAA-compliant Patient Authorization for Media and Testimonial Use on file before publication.

Compliant content creation — photos, videos, testimonials

• Photo and video shoots involving patients require a signed authorization specifying intended use, platforms, and duration of use, signed before the shoot
• The authorization must specify that the patient may revoke at any time in writing, and the clinic must have a documented removal workflow when revocations come in
• Testimonials must be the patient's own words; the clinic may edit for length and clarity but may not script outcomes or insert clinical claims the patient did not make
• If a patient testifies to outcomes ("we got pregnant on our second cycle"), the clinic should not amplify that specific outcome claim — the testimonial may need editing to remove individualized success metrics
• Pair every testimonial with a "results not typical / individual results vary" disclosure compliant with FTC Endorsement Guides — placed prominently, not buried in fine print
• Retain the signed authorization for the longer of seven years or the duration the content is used
• Do not solicit testimonials from active patients during treatment; wait until the treatment cycle is complete and the patient has had time to reflect
• Never offer compensation, discounts, free services, or any incentive in exchange for a testimonial — this triggers FTC disclosure requirements and may constitute review gating

Embed-on-website considerations

If your website embeds a social media feed (Instagram, Facebook), the embed must be moderated, not live. An unmoderated live feed will surface tagged content the moment it's posted — a patient could tag the clinic in a post containing PHI and that PHI would appear on the clinic website automatically. Use a moderated tool such as Smash Balloon (with manual approval enabled) or a similar approval-required aggregator. Review the displayed feed weekly. Confirm the embed does not load third-party tracking pixels (Facebook Pixel, Instagram tracking) on a HIPAA-relevant page; cookie-less or server-side feed solutions are preferred.

// CORRECT — moderated, manual-approval feed
[smashballoon-instagram moderation="manual" cookies="none" approval-required="true"]

// INCORRECT — auto-display, third-party tracking
<script async src="//instagram.com/embed.js"></script>
<blockquote class="instagram-media" data-instgrm-permalink="..."></blockquote>

REF-01Blocked keywords list

Any of the following terms must never appear in published clinic content — including social posts, replies, ad copy, page metadata, blog content, video captions, email content, or any external-facing material. Pre-publish QA must screen every asset against this list.

• "Guaranteed results," "we guarantee," "guaranteed pregnancy," any guarantee language
• "100% success," "100% effective," any percentage success claim tied to individuals or small groups
• "Promised outcome," "we promise," "we'll get you pregnant"
• "Cure," "cures infertility" — fertility care does not cure
• "Best fertility clinic," "the best," any superlative ranking claim
• "We ensure pregnancy," "ensure success," any insurance-of-outcome language
• "No risk," "risk-free," "zero risk" — all medical procedures carry risk
• "Pain-free procedure," "no pain," any absolute pain claim
• "No complications possible," "complication-free"
• Gendered defaults that exclude valid family-building paths ("women trying to conceive," "moms-to-be") — use inclusive language
• Unexplained medical acronyms used without definition

REF-02Regulatory citations

If a question arises about the basis for a compliance decision, the following are the citations to reach for:

• HIPAA Privacy Rule: 45 CFR §164.502 (general rules), §164.508 (uses and disclosures requiring authorization), §164.514 (de-identification standard)
• HIPAA Reproductive Health Information Protections: Updates to the Privacy Rule providing additional safeguards for reproductive health information
• HITECH Act: Breach notification requirements, including the Breach Notification Rule under 45 CFR Part 164 Subpart D
• FTC Consumer Review Rule: 16 CFR Part 465 (effective October 21, 2024) — fake reviews, AI-generated testimonials, incentivized reviews, review gating, and undisclosed material connections. Civil penalties up to $53,088 per violation.
• FTC Endorsement Guides: 16 CFR Part 255 — disclosure of material connections in endorsements and testimonials
• State privacy laws: Confirm any state-specific requirements applicable to your locations (Ohio in this policy's case)

REF-03The 18 HIPAA identifiers

These are the elements that, alone or in combination, can identify an individual. Treat any social media reference to a patient that includes any of these as a potential PHI disclosure.

• Names
• Geographic subdivisions smaller than a state (street address, city, county, zip code with first three digits in some cases)
• All elements of dates (except year) — birth date, admission, discharge, death
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate or license numbers
• Vehicle identifiers and serial numbers including license plates
• Device identifiers and serial numbers
• Web URLs
• IP addresses
• Biometric identifiers including fingerprints and voiceprints
• Full-face photographs and any comparable images
• Any other unique identifying number, characteristic, or code

REF-04Escalation contacts

Fill these in for your clinic and post them visibly at the social media workstation. The "one business hour" notification window for suspected HIPAA incidents starts when the incident is discovered, not when the team gets to it.

# Internal Escalation Directory — Update Quarterly
privacy_officer:        "[Name] · [phone] · [email]"
practice_administrator: "[Name] · [phone] · [email]"
patient_advocate:       "[Name] · [phone] · [email]"
billing_manager:        "[Name] · [phone] · [email]"
communications_lead:    "[Name] · [phone] · [email]"
legal_counsel:          "[Firm] · [contact] · [phone]"
malpractice_carrier:    "[Carrier] · [policy #] · [claims line]"
it_security:            "[Provider] · [contact] · [phone]"

# Notification windows
phi_incident_window:    "1 business hour to Privacy Officer"
breach_assessment_sla:  "24 hours after notification"
hhs_notification:       "60 days from discovery (if breach confirmed)"

REF-05Pre-publish QA checklist

Every public-facing post — social, GBP, blog, ad — passes through this before publication. Check every box.

• No patient names, photos, or identifying details (including in image alt text and metadata)
• No outcome guarantees, superlatives, or blocked keywords in the copy
• If patient-identifying content is included, signed authorization is on file in patient record
• If reproductive health information is involved, additional safeguards review has been completed
• No clinical recommendations or medical advice in the post or accompanying graphics
• If the post contains an endorsement or testimonial, FTC disclosure language is present and prominent
• Approved by Practice Administrator or Privacy Officer with signature/timestamp logged
• Logged in the publishing calendar with publish date, approver, category, and platforms
• If embedded on website, confirmed not to load third-party tracking pixels on HIPAA-relevant pages
• Image alt text reviewed for any inadvertent PHI
• Hashtags reviewed — no hashtags that group the clinic with PHI-revealing community tags
• If video, captions/transcript reviewed for any clinical claims or PHI

REF-06Glossary

• PHI (Protected Health Information): Any individually identifiable health information held or transmitted by a covered entity, in any form. Includes the 18 identifiers above when combined with health information.
• Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically. Most fertility clinics qualify.
• Business Associate: A vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Social media management tools that handle DMs containing PHI are typically business associates and require a BAA.
• Authorization: A signed permission from a patient allowing the use or disclosure of their PHI for purposes not otherwise permitted by HIPAA — including marketing.
• Material Connection (FTC): Any relationship between an endorser and the brand they endorse that could affect the weight or credibility of the endorsement. Must be disclosed clearly and conspicuously.
• Review Gating: Selectively soliciting reviews only from patients believed to be satisfied. Prohibited under the FTC Consumer Review Rule.
• UGC (User-Generated Content): Content created and posted by users about the clinic — comments, mentions, tags, reviews, story shares, hashtag use.
• Breach (HIPAA): The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises its security or privacy. Triggers HITECH notification requirements.
• Privacy Officer: The person designated by the practice to be responsible for the development and implementation of HIPAA privacy policies and procedures, and for handling complaints and incident response.
• Notice of Privacy Practices (NPP): The legally required notice given to patients describing how their PHI may be used and disclosed and their rights regarding that information.