Google Local Services Ads for Medical Practices: Setup and Compliance

Google Local Services Ads occupy a unique position in healthcare advertising. They appear above standard search results, above paid search ads, and come with a "Google Guaranteed" or "Google Screened" badge that signals trust to potential patients. The pay-per-lead model means you only pay when a patient calls or messages you directly through the ad. For medical practices competing for local patient acquisition, LSAs can be the most efficient channel in the entire marketing budget.

They also create compliance challenges that no other Google Ads format shares. When a patient calls your practice through an LSA, Google records the call. When a patient sends a message, Google stores it on their servers. When a lead comes in, Google's system captures the patient's name, phone number, and often a description of the medical service they need. All of this data lives in Google's infrastructure, and Google does not sign a Business Associate Agreement.

Understanding how LSA policies and data handling intersect with HIPAA is essential before any medical practice activates this ad format.

How Google's LSA Screening Process Works for Healthcare

Google Local Services Ads require verification before healthcare providers can advertise. The screening process varies by specialty and location, but for medical practices, it typically includes:

License verification. Google verifies that your practice holds valid state licenses for the services you advertise. For physicians, this means confirming active medical licenses. For dental practices, dental licenses. For mental health providers, clinical licenses. Google uses third-party verification services to check license status against state databases.

Insurance verification. Google may require proof of professional liability insurance. The minimum coverage requirements vary by practice type and state.

Background checks. Business owners associated with the LSA profile may be required to pass background checks. This applies to the business owner, not necessarily every provider in a multi-provider practice.

Google Screened badge. Healthcare providers that pass verification receive a "Google Screened" badge (not "Google Guaranteed," which is reserved for home services). The badge appears in the LSA unit and signals to patients that Google has verified the provider's credentials.

This screening process is a platform requirement, not a compliance measure. Passing Google's verification does not mean your LSA setup is HIPAA compliant. It means Google has confirmed you are a licensed provider. The data handling questions remain.

Where LSA Lead Data Creates HIPAA Exposure

The compliance challenge with LSAs is structural. Unlike standard Google Ads, where you control your landing page and can choose what data reaches Google, LSAs route patient interactions through Google's own infrastructure.

Phone calls through LSAs. When a patient taps the call button on your LSA, the call routes through a Google-assigned tracking number. Google records these calls and uses the recordings for lead quality verification. The patient does not know they are being recorded by Google. If the patient describes their medical condition during the call ("I need to schedule a colonoscopy" or "I'm looking for a psychiatrist for my anxiety"), that health information is now recorded on Google's servers. Google is not a Business Associate. There is no BAA covering this data.

Message leads. Google's messaging feature lets patients send text messages directly through the LSA. These messages are stored on Google's platform. Patients frequently include health information in their initial message: "I have been having chest pains and need to see a cardiologist" or "My child needs an ADHD evaluation." This health data, combined with the patient's name and phone number, constitutes PHI sitting in Google's systems without a BAA.

Lead categorization. Google categorizes leads by service type. When your practice offers multiple specialties, the LSA system associates each lead with the specific service the patient requested. This creates a record in Google's system that connects an identifiable individual to a medical service.

Lead sharing across your team. The LSA dashboard makes lead information available to everyone in your practice who has access. If your front desk staff, billing team, or marketing team all access the same LSA dashboard, the patient's health-related inquiry is visible to users who may not need that information, potentially violating the HIPAA minimum necessary standard.

Managing LSA Compliance Within Platform Constraints

Because Google controls the LSA infrastructure, healthcare practices cannot implement the same server-side architecture used with standard Google Ads. The mitigation strategies are different.

Acknowledge the inherent limitation. LSAs route patient communications through Google's infrastructure. You cannot prevent Google from receiving patient-initiated health information during calls or messages. This is a risk your compliance team needs to evaluate and document.

Train front desk staff on call handling. When patients call through an LSA, your staff should be aware that Google records the call. Staff should avoid confirming specific diagnoses, discussing test results, or providing medical advice during the initial call. Keep LSA calls focused on scheduling: "I'd be happy to schedule you for a consultation. Let me get your preferred date and time."

Move conversations off Google's platform quickly. When a patient sends a message through LSAs, respond promptly with a request to continue the conversation through your practice's secure channels. "Thank you for reaching out. I'll have our scheduling team call you directly from our office line to get you set up." This minimizes the amount of health-related communication that lives on Google's servers.

Use LSA service categories carefully. Google lets you specify which services to advertise in your LSA. The services you select become part of Google's lead categorization system. Opt for broad service categories ("Family Medicine," "General Dentistry") rather than highly specific ones ("Erectile Dysfunction Treatment," "Eating Disorder Therapy") when possible. Narrow, sensitive service categories create a more specific health association for every lead that comes through.

Do not upload patient data back to Google. Some practices try to close the attribution loop by uploading conversion data (which leads became patients) back to Google. For LSAs, this means telling Google which patients who called through the ad actually booked appointments. In healthcare, this creates a confirmed association between an identified individual and a medical service in Google's systems. Avoid this.

Monitor your LSA reviews. Patient reviews on your LSA profile sometimes contain health information. A patient writes: "Dr. Smith performed my hip replacement and the recovery was excellent." That review associates an identifiable individual with a specific medical procedure on Google's platform. You cannot control what patients write, but you can monitor reviews and respond appropriately without confirming clinical details.

The Enforcement Landscape for Healthcare Advertising Data

The risk of routing patient communications through a third-party platform without a BAA is not theoretical.

NewYork-Presbyterian Hospital ($300K NY AG, 2023). NYP used third-party tracking pixels on its website for marketing from 2016 to 2022 with no internal policies or procedures for vetting tracking tools before deployment. The breach affected over 54,000 individuals. Enforcement came from the New York Attorney General.

The NYP case is relevant to LSAs because it established that healthcare organizations have a duty to vet the data handling practices of every marketing tool they use. Running LSAs without evaluating how Google handles patient data in the lead funnel demonstrates the same lack of vetting that generated NYP's enforcement action.

Aspen Dental ($18.4M class action, 2025). Aspen Dental used Meta Pixel and Google tracking tools on aspendental.com that transmitted appointment booking information to Meta and Google without consent.

Aspen Dental's case shows that dental and multi-location practices face the same tracking liability as hospital systems. LSAs are particularly popular with dental practices and multi-location medical groups. The data flows are different from pixel tracking, but the fundamental issue is the same: patient health information reaching Google's servers without a BAA.

Should Your Practice Use LSAs? A Decision Framework

LSAs are not inherently non-compliant. They are a platform where compliance requires accepting certain limitations and implementing mitigations rather than engineering a fully controlled data pipeline.

Use LSAs when:

  • Your practice offers general services where lead inquiries are unlikely to involve sensitive health disclosures (general practice, dentistry, optometry, physical therapy)

  • You can train staff to handle LSA calls appropriately

  • You have processes to move patient conversations off Google's platform quickly

  • Your compliance team has documented the risk assessment and accepted the residual risk

Avoid or limit LSAs when:

  • Your practice specializes in sensitive health categories (mental health, addiction treatment, HIV care, reproductive health)

  • Your patient population is likely to disclose sensitive information during initial contact

  • Your compliance framework requires a BAA with every vendor that handles patient-identifying information

  • You cannot control which team members access the LSA lead dashboard

Supplement LSAs with compliant infrastructure. Even if you use LSAs for lead generation, your website still needs compliant tracking. When patients click through from your Google Business Profile (which is linked to LSAs) to your website, every script on that site becomes part of the data flow. Use server-side tracking on your website, implement a web scanner to monitor for unauthorized scripts, and ensure consent is managed server-side for any data collection that occurs after the patient leaves Google's platform.
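A minimal version of the script monitoring described above, as an added example that is not Ours Privacy's scanner or any other product's code: it parses the HTML of one page on the practice's own site, lists every remote `<script>`, `<iframe>`, `<img>` and `<link>` whose host is not on an explicit allowlist, and counts inline scripts for manual review (an inline script can load anything at runtime, so it cannot be cleared by host alone). The allowlist hosts, the page host and the sample page are constructed for the example; the tag and pixel ids in the sample are placeholders.

```python
"""Allowlist scan of a page's HTML for unauthorized third-party resources."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the practice has reviewed and approved. Constructed for this example;
# a real practice would keep this list with its compliance documentation.
ALLOWED_HOSTS = {"www.example-practice.test", "static.example-practice.test"}

# Tag/attribute pairs through which a page pulls in a remote resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Records every remote resource reference and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) in document order
        self.inline_scripts = 0    # flagged for manual review, not cleared by host

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.resources.append((tag, url))
        elif tag == "script":
            self.inline_scripts += 1


def host_of(url, page_host):
    """Host a URL loads from; relative URLs load from the page's own host."""
    netloc = urlparse(url).netloc   # also handles protocol-relative "//host/path"
    return netloc.lower() if netloc else page_host


def scan_page(html, page_host, allowed_hosts):
    """Return remote resources whose host is not allowlisted, plus the inline script count."""
    collector = ResourceCollector()
    collector.feed(html)
    unauthorized = []
    for tag, url in collector.resources:
        host = host_of(url, page_host)
        if host not in allowed_hosts:
            unauthorized.append({"tag": tag, "host": host, "url": url})
    return {"unauthorized": unauthorized, "inline_scripts": collector.inline_scripts}


# Constructed sample page: the practice's own assets plus a Google tag script,
# a Meta Pixel image and a third-party map embed. Ids are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head>
  <script src="/js/app.js"></script>
  <script src="https://static.example-practice.test/scheduler.js"></script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=TAG-PLACEHOLDER"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
  <img src="/img/logo.png" alt="logo">
  <img src="https://www.facebook.com/tr?id=PIXEL-PLACEHOLDER&ev=PageView" width="1" height="1">
  <iframe src="https://maps.example-maps.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE, "www.example-practice.test", ALLOWED_HOSTS)
    for finding in report["unauthorized"]:
        print(f"UNAUTHORIZED <{finding['tag']}> from {finding['host']}: {finding['url']}")
    print(f"{report['inline_scripts']} inline script(s) to review manually")
```

Run against a page fetched from the practice's site (or a saved copy), the scan reports the Google tag script, the Meta Pixel image and the map iframe as unauthorized and flags one inline script for review; the practice's own scripts and logo pass because their hosts are allowlisted. Scheduling this over every page that receives traffic from LSAs gives the continuous check the passage recommends, and any new host in the output is a tracking tool that has not been vetted.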

FAQ

Does Google sign a BAA for Local Services Ads?

No. Google does not sign Business Associate Agreements for any of its advertising products, including Local Services Ads. This means healthcare practices using LSAs must accept that patient data shared through the LSA platform (calls, messages, lead information) is not covered by HIPAA's Business Associate requirements. Your practice should document this risk in your compliance assessment and implement mitigations to minimize the health information that flows through Google's platform.

Are LSA phone call recordings a HIPAA violation?

Google records LSA phone calls for lead quality purposes. If a patient discloses health information during the call, that health data is recorded on Google's servers without a BAA. Whether this constitutes a HIPAA violation depends on your compliance framework's interpretation. The conservative approach is to assume it creates risk and train staff accordingly. Many practices instruct front desk staff to redirect callers to a direct practice line for any clinical discussions: "Let me transfer you to our scheduling line so we can discuss your needs in detail."

Can I use LSAs for mental health or addiction treatment practices?

Google has specific policies around advertising mental health and addiction treatment services. LegitScript certification may be required for addiction treatment advertising. Beyond Google's policies, the sensitivity of these specialties makes LSAs particularly risky from a HIPAA perspective. Patients seeking mental health or addiction treatment are likely to disclose sensitive information during their first contact, and that information flowing through Google's infrastructure creates significant compliance exposure. Many practices in these specialties choose standard Google Ads with server-side tracking instead.

How do I handle LSA patient reviews that contain health information?

You cannot prevent patients from including health details in reviews. You can respond to reviews without confirming or expanding on clinical details. A compliant response to "Dr. Smith did my knee surgery and it was great" would be: "Thank you for your kind words. We're glad you had a positive experience." A non-compliant response would be: "We're happy your knee replacement recovery went well." Monitor reviews regularly and consult your compliance team about any reviews that disclose sensitive information.

Can I track which LSA leads become patients?

You can track this internally within your own systems. You should not upload this data back to Google's platform. Telling Google that a specific person who called through an LSA became a patient for a specific service creates a confirmed health data association in Google's systems. Keep attribution data in your own HIPAA-compliant analytics infrastructure and use it internally for ROI calculations without sending it to Google.

Google Local Services Ads offer a compelling lead generation channel for medical practices, but they require a different compliance approach than standard digital advertising. The key is understanding what you can control, what you cannot, and how to minimize the health information that flows through a platform that will not sign a BAA.

Ours Privacy helps medical practices build the compliant infrastructure around their advertising channels, including server-side tracking, consent management, and continuous web scanning for every page that receives traffic from LSAs or any other source.

Related reading:

  • Google Ads for Healthcare: The Complete Setup Guide

  • Dental Group Advertising: Scaling Paid Media Across Locations

  • What Is a Business Associate Agreement?

  • Healthcare Marketing Compliance Audit Checklist