Med spas operate in one of the highest-friction review environments in the beauty/wellness industry. Patients are reluctant to publicly disclose cosmetic treatments. The medical-spa intersection means responses have to avoid outcome claims and PHI confirmation that would be routine in a hair salon. The result: most medspas run at 1-3 reviews per 100 treatments — far below what's possible with a deliberately-scoped flow.
The framework is the same as the cross-industry [`review-generation-engine`](/playbooks/review-generation-engine), with three medspa-specific adjustments that respect the regulatory and patient-privacy realities.
The medspa-specific timing window
The 24-hour ask that works for hair salons doesn't work for medical aesthetics. Results develop over days:
- **Neurotoxin (Botox, Dysport, Xeomin, Daxxify)**: ask day 5-7. Peak effect at days 7-14.
- **Hyaluronic acid filler**: ask day 5-7. Most initial swelling has settled.
- **Laser hair removal**: ask day 14-21. Results visible after the first regrowth-cycle skip.
- **Chemical peels**: ask day 30. Full healing complete; skin response visible.
- **Microneedling / RF microneedling**: ask day 14-21. Initial redness settled; skin texture visible.
- **CoolSculpting / body contouring**: ask 8-12 weeks post-treatment. Results take time.
The principle: ask when the patient can fairly evaluate the result, not when the procedure ended. Asking too early gets "too soon to tell" responses or a partial-result review that doesn't reflect your work fairly.
The PHI-safe SMS
The rating SMS adapts:
Step 1 — Generic visit framing, not treatment-specific
'Hey [first name] — how did your visit with us go? Reply 1-5 (5 = loved it).' Don't ask 'How was your Botox?' or 'How are your results?' The generic framing keeps the message PHI-safe while still getting the rating that routes to the public review flow.
Step 2 — Route the reply
- 4-5 → SMS back with the Google review link and a one-line ask: 'Glad to hear it. Would you share that with a quick Google review? [link]'
- 1-3 → SMS back with the owner-follow-up message: 'Thanks for the honest feedback — Dr. [name] would like to follow up directly. What's the best way to reach you?'
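A sketch of Steps 1 and 2 as code, added here as an illustration and not taken from any vendor's product: the treatment class selects the send date only and never reaches the message template. The dictionary keys, function names and the `manual_review` route for unparseable replies are assumptions.

```python
import re
from datetime import date, timedelta

# Earliest ask day per treatment class, from the timing list above
# (8 weeks for body contouring expressed as 56 days). Keys are hypothetical.
ASK_AFTER_DAYS = {
    "neurotoxin": 5, "ha_filler": 5, "laser_hair_removal": 14,
    "chemical_peel": 30, "microneedling": 14, "body_contouring": 56,
}

RATING_ASK = "Hey {first_name} — how did your visit with us go? Reply 1-5 (5 = loved it)."
REVIEW_ASK = "Glad to hear it. Would you share that with a quick Google review? {link}"
FOLLOW_UP = ("Thanks for the honest feedback — Dr. {doctor} would like to follow up "
             "directly. What's the best way to reach you?")


def schedule_ask(first_name, treatment_class, visit_date):
    """Return (send_date, sms_body). The treatment class picks the date only;
    it is never passed to the template, so it cannot leak into the text."""
    send_on = visit_date + timedelta(days=ASK_AFTER_DAYS[treatment_class])
    return send_on, RATING_ASK.format(first_name=first_name)


def parse_rating(reply):
    """Accept a reply only if it contains exactly one number and it is 1-5."""
    numbers = re.findall(r"\d+", reply)
    if len(numbers) != 1 or not 1 <= int(numbers[0]) <= 5:
        return None
    return int(numbers[0])


def route_reply(reply, link, doctor):
    """Return (route, sms_body) for an inbound reply."""
    rating = parse_rating(reply)
    if rating is None:
        # Assumption: ambiguous replies ("3 or 4", "10", free text) go to a human.
        return "manual_review", None
    if rating >= 4:
        return "public_review", REVIEW_ASK.format(link=link)
    return "owner_follow_up", FOLLOW_UP.format(doctor=doctor)
```
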
The medical-claim guardrails on response
Public responses to medspa reviews must avoid three categories of language:
Avoid: outcome confirmation
❌ "So glad your Botox treatment gave you the results you wanted."
✓ "Thanks for the kind words! Looking forward to your next visit."
The first response implicitly confirms the patient received Botox and that it produced specific results. Both are PHI-adjacent disclosures.
Avoid: diagnostic or therapeutic language
❌ "Glad we could help with your acne — your skin looks amazing."
✓ "Thanks for sharing — we love seeing happy patients."
The first response makes a medical claim about acne and skin appearance. Neither is appropriate in a public business response.
Avoid: identity confirmation in problem responses
❌ "Sarah, we're sorry your filler treatment on Tuesday didn't meet expectations."
✓ "We're sorry your experience didn't meet expectations. We hold every treatment to the same standards. Please reach out to discuss directly."
Even when context makes the patient's identity obvious, the response shouldn't confirm it publicly. The second version handles the reputational layer without crossing HIPAA lines.
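A pre-publish check for drafted public responses, added here as an example and not part of the original playbook: it flags the three categories above with heuristic patterns and is run over this page's own ❌/✓ pairs. Treatment names come from the timing list; the other word lists, the rule names and the function names are assumptions, and a flagged draft is meant to go to a human reviewer.

```python
import re

# Heuristic rules for the three guardrail categories. Only the treatment
# names are taken from this page; everything else is an assumed starter list.
RULES = {
    "treatment_named": re.compile(
        r"\b(botox|dysport|xeomin|daxxify|filler|laser|peel|"
        r"microneedling|coolsculpting|contouring)\b", re.I),
    "outcome_or_diagnostic": re.compile(
        r"\b(results?|acne|your skin|looks amazing)\b", re.I),
    "visit_detail": re.compile(
        r"\b(mon|tues|wednes|thurs|fri|satur|sun)day\b", re.I),
    # A capitalised word followed by a comma at the very start reads as a
    # greeting by name. Case-sensitive on purpose.
    "addressed_by_name": re.compile(
        r"^\s*(?:(?:Hi|Hello|Dear)\s+)?[A-Z][a-z]+,"),
}

# The page's own example responses, in order: bad, good, bad, good, bad, good.
SAMPLE = [
    "So glad your Botox treatment gave you the results you wanted.",
    "Thanks for the kind words! Looking forward to your next visit.",
    "Glad we could help with your acne — your skin looks amazing.",
    "Thanks for sharing — we love seeing happy patients.",
    "Sarah, we're sorry your filler treatment on Tuesday didn't meet expectations.",
    "We're sorry your experience didn't meet expectations. We hold every "
    "treatment to the same standards. Please reach out to discuss directly.",
]


def lint_response(text):
    """Return the sorted rule names a draft trips; an empty list means pass."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def pass_rate(drafts):
    """Share of drafts with no findings, the figure a PHI-compliance audit tracks."""
    return sum(1 for d in drafts if not lint_response(d)) / len(drafts)
```
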
The photo-consent layer
Med spa photos are gold for marketing — but photo consent is separate from review consent. A patient who leaves a glowing review hasn't consented to use of her treatment photos. The discipline:
Step 3 — Capture photo consent at the visit, separately
Photo consent for marketing requires its own form, specifying purposes (social media, website, advertising), duration (typically time-limited with renewal), and the patient's identifying choices (face visible, face concealed, body-only, etc.). The form lives in the patient chart, not in the booking record. HIPAA-grade authorization is the standard.
Step 4 — Don't conflate review consent with photo consent
The review SMS asks for a rating; the photo-consent process is separate. A patient can leave a 5-star review while declining photo use, and vice versa. Treat them as two separate decisions; capture each consent explicitly.
The owner-response cadence for negative reviews
When a 1-3 rating routes to the owner's inbox, the response protocol:
Step 5 — Personal owner outreach within 24 hours
The medical director (or designated provider) reaches out personally. Listen first. Don't promise specific medical outcomes. Offer a complimentary follow-up consultation to assess the result objectively. If the situation merits a touch-up under your policy, offer it. Most patients who feel heard become 5-star reviewers later; most who get a corporate response go public with the complaint.
For public 1-2 star reviews that have already been posted, the response is:
"We're sorry your experience didn't meet expectations. We hold every treatment to the same standards and we've documented your feedback to review with our team. Please reach out at [phone] so Dr. [name] can follow up directly."
No PHI confirmation. No outcome claims. No identity confirmation. The response is calm, professional, and moves the conversation off the public platform.
What to measure
- **Reviews per month** (target: 8-15 per 100 treatments)
- **Average rating across recent reviews** (target: 4.7+)
- **Response rate to public reviews** (target: 100% within 48 hours)
- **PHI-compliance audit** (target: 100% of responses pass the no-PHI, no-outcome-claim review)
- **Photo-consent capture rate** (target: 40-60% of patients consent to marketing use)
- **Local-pack ranking position** for "medspa near me" in your service area (track monthly; 90-180 day timeline)
What this looks like at 90 days
A med spa that runs this flow consistently typically sees:
- 25-50 new Google reviews accumulated in 90 days
- Average rating holding at 4.7+ because the 1-3 routing catches problems before they go public
- PHI-safe response posture that survives any regulatory audit
- A growing photo library (with proper consent) that powers social-media marketing
- Visible movement in local-pack ranking for medspa search terms over the 90-180 day window
The medspa review flow is the highest-leverage local-SEO investment, run with the regulatory caution the industry requires. The work is the same as other industries; the guardrails are the difference.
The medspa that wins local search isn't the one with the most aggressive review-collection strategy. It's the one whose review collection respects the patient privacy and medical-claim guardrails that the industry's regulators take seriously.