
Testimonials, Reviews and Privacy Law: What You Should Know

December 1, 2020 | Online Review Regulation

Table of Contents

  • Common Questions About Testimonials and Reviews
  • Federal Trade Commission Guide Concerning the Use of Endorsements and Testimonials in Advertising 
  • Google Terms of Service
  • The HIPAA Privacy & Security Law
  • Where Did HIPAA Come From?
  • Can I Take Testimonial Videos on My Cell Phone?
  • Do I Need to Comply with HIPAA Privacy and Security Data Standards?
  • What are all the Identifiers that are Considered PHI under HIPAA
  • Who Owns the Video?
  • Who is the Best Person to Collect a Client Video Testimonial?
  • The WOW Promoter hosts ALL Videos on the AWS S3 HIPAA-compliant Servers
  • Summary
  • Free Offer and Privacy Policy

Common Questions About Testimonials and Reviews

  1. A happy customer gives a Google Review to her doctor.  The doctor copies the review from Google Reviews and posts it to his Facebook page.  Is this legal?  Is this a violation of the Google Terms of Service?
  2. A customer posts an image of herself with her pet dog to Instagram and tags a local veterinarian.  The veterinarian ‘Likes’ the image and downloads it for use on their website or other social media sites as a testimonial.  Is this legal?  Do you need a Media Release to use the image?
  3. A patient gives a video testimonial to a chiropractor that is uploaded to YouTube.  The patient signs a Media Release that gives the chiropractor the ability (through HIPAA’s Marketing Safe Harbor) to use the patient’s image, likeness and name for marketing purposes.  Can the chiropractor re-purpose the video to another social media site?

What are the relevant laws governing the use and reuse of testimonials, reviews and customer images for your business’s marketing purposes?

We are going to discuss three relevant policies/laws/statutes that every social media marketer should be familiar with:

Federal Trade Commission Guide Concerning the Use of Endorsements and Testimonials in Advertising 

The FTC statute, as implied in the name, regulates advertisements.  Google Reviews are not advertisements.  

If the words, image, photo or video of a customer making an endorsement of a product or service is re-purposed into an advertisement then this statute does come into play.

To answer Question #1 from above, as soon as the physician places the text from the Google Review anywhere other than its original format, it becomes an advertisement and would be bound by the FTC statute.

A further inquiry into question #1 reveals that the Google TOS prohibits copying and pasting its Reviews which are, technically, Google property.  

So, while copying customer testimonials and reviews is generally legal and would not activate the FTC statute in this specific instance, it would seem to expose the physician to a violation of the Google Terms of Service.  This could lead to his Google Account being de-activated – including his Google My Business listing.

Here is an excellent resource on the FTC website set-up in a question and answer format.

The HIPAA Privacy & Security Law

The Health Insurance Portability and Accountability Act, or HIPAA, is the medical industry’s patient privacy and security law.  The Act is designed to protect consumers and patients from unauthorized use or disclosure of their health data, called Personal Health Information (PHI).

Here is how HIPAA defines ‘Marketing’:   

“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. 

With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. 

So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.”  

For most online and social media purposes, a Customer Release for Social Media is sufficient to protect the healthcare business from HIPAA breaches and associated liability.

Intentional violations of HIPAA, that is, those violations a health care provider could have or should have prevented, start at $50,000, per incident.

Question:  What if you have 100 unencrypted patient videos on the doctor’s cell phone?  HIPAA penalties could accumulate by the penalty amount ($50,000) multiplied by the number of incidents (100).

To protect yourself against HIPAA violations, you have probably asked your patient to sign a Media Release before you took their video.  The written Media Release typically gives you the ability to use the patient’s words, likeness, image and video for marketing purposes.

HIPAA provides hospitals and doctors a ‘Marketing Safe Harbor’ that allows them to use patient testimonials for marketing purposes when the video/media release is signed.  HIPAA specifically states that the patient gets to control how their video is used.  In other words, they may want to know if you will use their video on TV, Facebook, YouTube, etc.

The patient expects, of course, that their video will remain in your safe possession and control.  What you DON’T get to do is hold your patients’ video on an unencrypted or unprotected device, such as a doctor’s personal cell phone.  The risk that the unencrypted cell phone could be lost or stolen is what exposes most medical practices to a HIPAA violation.

Note:  The WOW video app automatically prompts the patient to sign an individualized photo/video/media release with patient signature, stored as a PDF within the app and hosted in the cloud.

Where Did HIPAA Come From?

With the growth of the web and increasing online data transfer, the Congress of the United States acted in 1996 to protect the privacy and security of American citizens:

“The Congress recognized that advances in electronic technology  could erode the privacy of health information. Consequently, Congress  incorporated into HIPAA provisions that mandated the adoption of Federal  privacy protections for individually identifiable health information…”

To comply with HIPAA, online data (video) storage can be encrypted in  HIPAA-secure databases. Fortunately, you have several choices when  selecting your HIPAA-compliant database:

“If you are collecting, storing or transmitting PHI to a covered entity then you definitely should be HIPAA compliant.”

“According to security guidelines established by HIPAA, anyone who develops mHealth, eHealth, or wearable applications that deal with Protected Health Information (PHI) — are required to meet national standards for Physical, Administrative, and Technical security of health information.”  Source:  Attorney’s web page

If you are not doing business in America, with Americans, or if you do not deal with Personal Health Information (PHI), then you may not need to worry about HIPAA compliance.  For instance, a plastic surgeon or a physical therapy clinic who charges all-cash for services, even medical services, may not be bound by HIPAA.  Check with your attorney to be 100% certain.

Be aware, however, that most states also have privacy laws protecting consumers and regulating personal health data and how it should be handled.

Can I Take Testimonial Videos on My Cell Phone?

Nevertheless, many of our customers still ask us “Can I shoot my client testimonial videos on my cell phone?”

To help answer our customers, we’ve tried to pose several questions you should ask yourself and answer so you can make your own decision.

  • Do I need to comply with HIPAA Privacy and Security data standards if my customers are in the United States?
  • Who owns the video of the client testimonial?
  • Who is the best person on my team to collect a client video testimonial?

Below are some factors to consider as you answer the following question: “Can I use my own cell phone to collect client video testimonials for my small business?”

Do I Need to Comply with HIPAA Privacy and Security Data Standards?

HIPAA applies to medical information, called Personal Health Information (PHI), that is transmitted electronically.  In most cases, this means medical data for services that are billed to patient insurance companies, including Medicare.

What Are All the Identifiers that Are Considered PHI under HIPAA?

  • Name
  • Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  • Any dates (except years) that are directly related to an individual,  including birthday, date of admission or discharge, date of death, or  the exact age of individuals older than 89
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voice prints
  • Full-face photos
  • Any other unique identifying numbers, characteristics, or codes 

HIPAA applies to almost all hospitals, physicians, physical therapists, dentists, chiropractors, medical laboratories and imaging facilities in the United States.  If a facility bills some patients cash but bills insurance to other patients, only the insurance-billed health data is considered PHI but, interestingly, HIPAA would apply to ALL of the facility’s data.

Who Owns the Video?

Obviously, the business entity should own ALL the business assets, including valuable patient video testimonials.  Placing video on a personal tablet or cell phone makes the provenance of the video difficult to establish.

It’s slightly creepy to think client testimonial video will reside on a business owner’s personal cell phone, because your kids may also use your phone, etc.

Proper accounting of business assets would demand that ALL the assets – phone AND videos – be owned and maintained by the business entity, not by an individual.  Even the owner of the business is typically ‘employed’, as a W2 wage employee, by the corporate entity they own.

Most states’ Articles of Incorporation require that business assets be properly managed, maintained and separated from personal assets in order to maintain the legal ‘corporate veil’ that shields business owners from the actions of the corporation.

The business entity should also own and control the cloud storage account.  Many cloud service providers offer upgraded hosting accounts that comply with various data privacy standards used in different industries (HIPAA is not the only one!).

Often, the monthly cost of these upgrades is just a fraction of the value of acquiring a new customer through your video testimonials on social media.

Who is the Best Person to Collect a Client Video Testimonial?

70% of small businesses are run by the Owner/Operator.  The ‘secret’ to successfully growing your business is delegating those tasks which some other member of your team can do at least 80% as well as you can do.  This is the young lady making $15 per hour from the beginning of this blogpost.

Collecting client testimonial videos via a kiosk at the point-of-sale is a task that should be delegated.  The logical next step is to help this young lady become as efficient as possible by using technology.

This was the example where her cost of labor to collect a video testimonial was about $4.20 while the app is free.  The cost of labor is insignificant compared to the cost of a HIPAA breach at $50,000 per incident.

Invest in technology and train your office manager to ask happy clients for their testimonial.  Even one testimonial for every ten ‘asks’ could result in a powerful new video every day – 20 per month on your business Facebook page or YouTube channel!  THAT level of content creation is sure to dominate the local internet in your business category!

The WOW Promoter hosts ALL Videos on the AWS S3 HIPAA-compliant Servers

With the app-based video testimonial solution, all the videos are safely hosted in the Amazon S3 cloud.  There is no risk of a lost cell phone or a lost tablet creating HIPAA liability with fines and penalties for Dr. Lopez’ office.  Everybody can sleep better at night.

Citation: AWS HIPAA Compliance blogpost – 3rd party reference

Even if your business is not a medical clinic, hosting your video in the cloud just makes sense.  Why would you keep business assets on personal mobile devices?  Why would you keep customer videos on employees’ mobile devices?

Of course you can take a client testimonial video on your personal cell phone.

The proper question, for a small business owner, is…“Should you take a customer testimonial video on your personal cell phone?”

Full Disclosure:  Our company creates and sells business software that runs on mobile tablets and phones.  We promote certain BEST PRACTICES small businesses should use in collecting client testimonial videos.

The latest upgrade of the WOW App uses Amazon Web Services (AWS) S3 hosting to ensure the cloud industry’s highest standard of patient data privacy and security for HIPAA compliance.

Summary

Hopefully, these questions and answers give you the full flavor of the potential and the challenges of client video testimonials for social media advertising.

Here is a summary of what we just covered:

  1. Do I need to comply with HIPAA Privacy and Security data standards?
     • It depends on who you are.  Whoever you are, you can be assured that no video is stored locally on WOW Promoter tablets – all video is hosted on HIPAA-compliant Amazon Web Services (AWS) upgraded cloud storage accounts.
  2. Who owns the video testimonial on the app?
     • You own the videos and you control them.
  3. Who is the best person to collect a client video testimonial?  This is the value of the free WOW Promoter app – you don’t need to pay an employee to do ANY of the following to collect a video:
     • Don’t need to take the video
     • Don’t need to upload the video
     • Don’t need to post the video – all of this happens in the app automatically (once you set it up).

Get Viral Videos and make NFTs with the WOW Promoter App

Promote your business online using the faces, the voices and the words of your BEST customers speaking directly to NEW customers in online video.

Some of these videos may go viral.

Gift the NFT to your customer for online sharing.

Get ALL the free tools to create Viral Videos

Make $$$ in perpetuity with NFT Smart Contracts when your customers trade your viral videos.

Set up your account by emailing

The app is free – go download at Apple App Store or the Google Play store.
