DCI rules on online patient communication: what dental clinics in India can (and can't) say

Most Indian dental clinics under-communicate online out of fear. They've heard "you can't talk about patients on social media" and they've chosen the safe route: say nothing at all. That's a costly read.

The rules are narrower than the fear suggests. You can run an active Google Business Profile, post weekly, respond to every review, run WhatsApp follow-up flows, and publish patient stories — without violating Dental Council of India (DCI) regulations, the National Medical Commission's 2022 online communication guidelines, the IT Rules 2021, or the Digital Personal Data Protection Act 2023 (DPDPA).

This page is the short version of what you can and can't do, with the specific clauses that govern each one. It's not legal advice — talk to a healthcare compliance lawyer for edge cases — but it's the working understanding we've built with the clinics on GrowthPilot.

The four sources that actually matter

1. DCI Regulations on Professional Conduct, Etiquette & Code of Ethics (2014, amended). Sets the advertising and confidentiality rules for dental practitioners.
2. NMC Telemedicine Guidelines (2020) + Registered Medical Practitioner Regulations (2022). Apply to dentists by extension when communication crosses into clinical advice.
3. IT (Intermediary Guidelines and Digital Media Ethics) Rules, 2021. Governs anything you publish on social media or your website.
4. Digital Personal Data Protection Act, 2023 (DPDPA). Governs how you collect, store, and use patient personal data — including names, photos, and contact details.

What you CANNOT do

1. Confirm or deny that someone is/was your patient in public

This is the single rule that catches most clinics off-guard. The DCI Code of Ethics treats the existence of a doctor-patient relationship as confidential information. If a reviewer posts "I came for an RCT" and you reply "Yes, your RCT on the 14th", you've confirmed the relationship and breached confidentiality — even though they outed themselves first.

Stick to general, experience-level language: "We're sorry your experience wasn't what you expected". Never confirm clinical detail.

2. Reference specific clinical details, diagnoses, or treatments by patient name

Even with consent, posting "Dr Patel completed a 6-veneer smile makeover on Ms X" without explicit, written, treatment-specific DPDPA consent is risky. Before/after photos in particular need: written consent referencing the specific images and channels, no identifying facial features, and a revocable opt-out mechanism.

3. Solicit reviews via incentives

DCI's anti-incentive provisions and Google's own policies both prohibit "leave us a review and get 10% off your next cleaning". You can ask. You cannot pay (in cash, discount, or kind).

4. Make superlative claims ("best dentist in Mumbai")

The DCI advertising clauses prohibit superlative self-promotion. "Best", "most experienced", "number one" — these draw warnings from the state council. "Experienced", "qualified", "trusted by [N] families" — fine.

5. Provide clinical advice in DM/comments without a formal consultation

The 2020 NMC telemedicine guidelines apply to dentists when the advice crosses into diagnosis or prescription. A patient WhatsApping "my gum is bleeding, should I take this medicine?" needs a proper consult before you advise. "That sounds like something to come in for — book here" is always safe.

What you CAN do

1. Respond to every Google review

Provided you don't confirm clinical detail (see above), public responses are not just allowed — they're encouraged by Google's local search ranking. Our complete playbook for negative-review responses is here.

2. Post on Google Business Profile / Instagram / Facebook weekly

Education-first content (tips, FAQs, awareness day posts), clinic news (new equipment, staff intros), and general health content is unambiguously fine. Treatment offers and promotions need careful framing — see the advertising section below.

3. Run a patient referral program — without incentivising the review itself

DCI allows referral schemes that reward patients for introducing new patients. The line is: you can reward the introduction, not the review. "Refer a friend, get ₹500 off your next cleaning" — fine. "Leave us a 5-star review, get ₹500 off" — not fine.

4. Use WhatsApp Business for appointment confirmations, reminders, and follow-ups

These are administrative communications, not clinical advice. WhatsApp Business's template messaging system is well-suited for this. DPDPA-wise, get explicit consent at registration covering "administrative communications including reminders and follow-ups via SMS, WhatsApp, and email".

5. Publish patient testimonials with proper consent

Written, dated, treatment-specific, revocable consent is the bar. Keep the signed forms — physical or digital — for at least 7 years. DPDPA-aligned consent language should reference the specific platforms (your website, Google, Instagram, etc.) and the specific use (testimonial, not advertisement).

6. Run paid Google / Meta ads with disclaimers

Ads are allowed if they: avoid superlative claims, don't guarantee outcomes, identify the registered practitioner's name + registration number, and follow Google's health vertical policies (which require a certificate for some categories like cosmetic surgery; dental cleaning is unrestricted).

The DPDPA layer (new, 2023)

DPDPA changed what consent looks like for patient data. The practical implications for an Indian dental clinic:

• Consent must be specific, informed, and freely given.A blanket "we may contact you" clause buried in a registration form does not meet the bar.
• Patients can withdraw consent at any time, and your systems must support that.If a patient says "stop messaging me", you need a workflow to honour it within a reasonable time.
• Children's data (under 18) needs verified parental consent.Material for paediatric practice content.
• Data fiduciary obligations.You're responsible for what your software vendors do with patient data. Ask vendors for their DPDPA compliance posture and DPA agreements.

Where GrowthPilot fits

We built our review-response AI to refuse to reference clinical details even when the reviewer mentions them — exactly because of the DCI confidentiality rule. We never store patient identifiers, never include them in prompts to model providers, and our consent flows for testimonial and patient-story content are DPDPA-aligned out of the box.

This is a working summary, not legal advice. The DCI Code of Ethics and DPDPA are interpreted in evolving ways by state councils and the courts. For specific situations — defamation by a reviewer, employee data, paediatric consent edge cases — consult a healthcare-specialised lawyer in your state.