SEO & AI Engine Optimization Framework · May 2026

Healthcare SEO: YMYL medical content, HIPAA, provider directories

The YMYL Strict Vertical, HIPAA-Aware Patterns, MedicalEntity Schema, Medical Reviewer Credentialing, Multi-Location Provider Operations, Mental Health Sensitivity, and the Full Healthcare Audit Rubric

A comprehensive installation and audit reference for organic search strategy specific to medical practices, hospitals, dental practices, mental health practices, telehealth platforms, healthcare information sites, and any site publishing medical YMYL content. Healthcare SEO is the strictest vertical operating under the YMYL framework. The conversion event is an appointment booking, a new patient inquiry, an insurance verification, a telehealth signup, or a clinical referral. The trust bar is set by regulators (the Office for Civil Rights, the Federal Trade Commission, state medical boards, state attorney general consumer protection units), by Google's Search Quality Raters under the September 2025 medical YMYL clarifications, and by the lived consequences of bad medical information reaching patients in distress. Dual-purpose: installation manual and audit document.

Cross-stack implementation note: the code samples in this framework are written in plain HTML for clarity. For React, Vue, Svelte, Next.js, Nuxt, SvelteKit, Astro, Hugo, 11ty, Remix, WordPress, Shopify, and Webflow equivalents of every pattern below, see framework-cross-stack-implementation.md. For pure client-rendered SPAs (no SSR/SSG) see framework-react.md. For Tailwind-specific concerns (purge, dynamic classes, dark-mode CLS, focus accessibility) see framework-tailwind.md.


1. Document Purpose

1.1 What This Document Is

Canonical reference for healthcare SEO across every healthcare site type: solo physician, multi-physician group, multi-location health system, hospital, dental practice, mental health practice, telehealth platform, addiction treatment, durable medical equipment, supplement brand with medical claims, health publisher. The per-vertical operational playbook translating the YMYL principles in framework-ymyl.md into specific clinical-context patterns.

Healthcare YMYL is the strictest in the YMYL universe (Stan Ventures December 2025 Core Update analysis, sample of approximately 4,200 health domains): approximately 67 percent of YMYL sites without clear physician authorship saw ranking declines; well-credentialed sites gained visibility. AI Overview presence is uniquely high (SE Ranking 2026 AI Overview citation study, approximately 100,000 health and medical queries): AI Overviews on 82.4 percent of health-related searches and 44.1 percent of medical YMYL queries; 34 percent of citations from reliable medical sources; YouTube cited approximately 20,621 times versus 5,464 organic appearances; academic and medical journals at just 0.48 percent. Strategic asymmetry: AI Overviews are highly likely to appear, the AI is somewhat conservative about which sources to cite, and sites installing the credibility scaffolding here benefit disproportionately because the AI is actively looking for sources it can trust.

1.2 Three Operating Modes

  Mode A, Install Mode: Build healthcare SEO infrastructure. Follow Sections 2 through 13.
  Mode B, Audit Mode: Evaluate an existing site. Skip to Section 13.
  Mode C, Hybrid Mode: Audit first, install for failing items. Most healthcare engagements run as Mode C.

1.3 How Claude Code CLI Should Consume This Document

  1. Read Section 2 for client variables (practice type, specialty, locations, HIPAA posture, reviewer status).
  2. Read Section 3 for what healthcare SEO is as a vertical of YMYL.
  3. Apply Section 4 for HIPAA-aware patterns before touching forms, tracking, or reviews.
  4. Apply Section 5 for MedicalEntity schema.
  5. Apply Section 6 for medical reviewer credentialing.
  6. Apply Section 7 for healthcare local SEO including multi-location.
  7. Apply Sections 8 through 10 for canonical page types: condition, treatment, provider.
  8. Apply Section 11 for reviews management.
  9. Validate using Section 13 audit rubric.
  10. Operate Section 14 maintenance cadence.

1.4 Conflict Resolution Rules

  1. Tracking captures appointment booking pages: audit immediately, remove if it captures PHI, replace with HIPAA-aware setup before new SEO work.
  2. Patient testimonials without written authorization: remove pending verification (OCR September 2025 Cadia Healthcare enforcement noted 150 patient stories shared without valid written permission).
  3. Medical content without credentialed reviewer: pull from index (noindex then 410) or assign credentialed reviewer before next core update.
  4. Reviews mentioning PHI in response: edit responses to remove provider acknowledgement, condition, visit date.
  5. Telehealth marketing not gated by state: audit per Section 7.4 (the IMLC covers 43 states plus DC and Guam per American Medical Association 2026 IMLC Issue Brief).
  6. Outcome claims without per-patient disclaimer: add "results may vary"; FTC enforcement priority since the August 2024 fake-reviews rule.
  7. HIPAA Notice of Privacy Practices missing or outdated: replace before any digital marketing push (45 CFR 164.520).

1.5 Required Tools and Validators

NPPES NPI Registry (npiregistry.cms.hhs.gov), Federation of State Medical Boards Physician Data Center (fsmb.org/PDC), state medical board directories per state, PubMed (pubmed.ncbi.nlm.nih.gov), MedlinePlus (medlineplus.gov), the September 11 2025 Search Quality Rater Guidelines (services.google.com/fh/files/misc/hsw-sqrg.pdf), Google Business Profile Manager, validator.schema.org and Rich Results Test, BrightLocal or Whitespark for healthcare-vertical citation audit, HIPAA-aware GA4 per Section 4.3, HIPAA-compliant CRM or EHR integration.

1.6 Scope and Boundaries

Covers organic search strategy for medical, dental, mental health, and adjacent licensed healthcare practices; YMYL operational layer specific to healthcare; HIPAA-aware SEO patterns; MedicalEntity schema; healthcare local SEO; reviews management in HIPAA context. Does not cover paid search compliance beyond inline mention (see Google Ads Healthcare and Medicines Policy, last updated April 2026), telehealth platform engineering, EHR integration, insurance contracting, or LegitScript certification process (see Section 12.10). General YMYL principles live in framework-ymyl.md.


2. Client Variables Intake

# HEALTHCARE SEO CLIENT VARIABLES

# Practice classification
business_name: ""
primary_domain: ""
practice_type: ""                # solo_physician | group_practice | multi_location | hospital | dental | mental_health | telehealth | dme | supplement_brand | health_publisher
specialty_primary: ""
specialties_secondary: []
ownership_model: ""              # physician_owned | health_system | private_equity | nonprofit | public_hospital

# Provider roster and locations
total_providers: 0
physicians_count: 0
nurse_practitioners_count: 0
physician_assistants_count: 0
psychologists_count: 0
lcsws_count: 0
dentists_count: 0
location_count: 0
location_model: ""               # single | multi_storefront | hybrid | telehealth_only | service_area
locations: []                    # per framework-localseo.md Section 2

# Insurance
insurance_plans_accepted: []
medicare_accepted: false
medicaid_accepted: false
medicaid_states: []
out_of_network_billing_supported: false

# HIPAA posture (CRITICAL)
is_hipaa_covered_entity: false   # 45 CFR 160.103
is_hipaa_business_associate: false
notice_of_privacy_practices_current: false
hipaa_privacy_officer_assigned: false
hipaa_security_officer_assigned: false
last_hipaa_risk_assessment_date: ""
business_associate_agreements_with_vendors: false

# PHI in digital surfaces (CRITICAL)
forms_collect_phi: false
forms_route_phi_to_hipaa_compliant_destination: false
analytics_strips_phi_before_capture: false
ad_pixels_present_on_phi_pages: false
chat_widget_is_hipaa_compliant: false

# Telehealth
offers_telehealth: false
telehealth_states: []
interstate_medical_licensure_compact_member: false
psychology_interjurisdictional_compact_member: false
nurse_licensure_compact_member: false
provides_controlled_substance_telemedicine: false

# Medical reviewer status (CRITICAL)
has_medical_reviewer_program: false
medical_reviewers_count: 0
medical_reviewers:
  - name: ""
    credentials: []              # MD, DO, NP, PA, RN, PhD, DDS, DMD, PsyD, LCSW, etc.
    license_state: ""
    license_number: ""
    npi_number: ""
    specialty: ""
    board_certifications: []
reviewer_assignment_method: ""   # specialty_match | rotation | single_all | manual

# Counts and schema and trust booleans
medical_condition_pages_count: 0
treatment_procedure_pages_count: 0
provider_pages_count: 0
location_pages_count: 0
mental_health_pages_count: 0
mental_health_pages_with_crisis_banner_at_top: 0
google_business_profile_review_count: 0
healthgrades_review_count: 0
zocdoc_review_count: 0
doximity_profile_claimed: false
aggregate_rating_average: 0.0
reviews_response_rate: 0.0
has_medicalorganization_schema: false
has_physician_schema_per_provider: false
has_medicalcondition_schema_per_page: false
has_medicalprocedure_schema_per_page: false
has_aggregaterating_schema: false
has_healthinsuranceplan_schema: false
schema_validated: false
has_editorial_policy_page: false
has_corrections_policy_page: false
has_medical_disclaimer_page: false
has_mental_health_crisis_resource_pattern: false
has_hipaa_notice_of_privacy_practices_page: false
nap_consistency_score: 0.0
last_clinical_content_review_date: ""

Save as healthcare-seo-variables.yml in the project root.


3. What Healthcare SEO Is

Healthcare SEO is organic search optimization for licensed clinical care delivery and medical information sites. Three stacked constraints no other SEO vertical faces simultaneously:

Constraint one, YMYL strict. Medical content is the original YMYL category and the strictest expression of the bar. The September 11 2025 Search Quality Rater Guidelines retain medical YMYL as canonical full-YMYL and emphasize that for health and safety topics, "consistency with well-established expert consensus is important for medical advice" (Google LLC Search Quality Rater Guidelines, September 11 2025 release, 182 pages). The December 2025 core update post-rollout analysis (Stan Ventures, approximately 4,200 health domains) found approximately 67 percent of YMYL sites without clear credentialed authorship saw ranking declines while well-credentialed sites gained share. Trust infrastructure is the primary ranking lever post-December 2025.

Constraint two, regulatory. Healthcare SEO sits inside a regulatory envelope drawn primarily by HIPAA (1996), implemented through 45 CFR Parts 160 and 164 (Privacy Rule at Subpart E, Security Rule at Subpart C, Breach Notification Rule at Subpart D), overseen by OCR. The Privacy Rule restricts use and disclosure of PHI (45 CFR 160.103). The marketing provision at 45 CFR 164.508(a)(3) requires written authorization before PHI is used for marketing, with limited exceptions for face-to-face communication, nominal-value gifts, and treatment-related communications. Beyond HIPAA: the FTC's truth-in-advertising authority including the August 14 2024 fake-reviews rule (civil penalties up to 50,120 dollars per violation as of 2026), state medical board advertising rules, state attorney general consumer protection, and state-level consumer health data privacy laws (Washington My Health My Data Act, Connecticut Data Privacy Act, analogous statutes in California, Texas, Nevada).

Constraint three, operational care delivery. Unlike e-commerce or SaaS, the conversion event in healthcare SEO is a relationship with clinical risk attached. SEO that drives bookings to providers who cannot safely deliver care, or that drives crisis-state mental health seekers to pages without crisis resources, produces harm.

The four pillars apply with healthcare distinctions. SEO drives high-intent queries: "[specialty] near me," "[condition] symptoms," "[treatment] cost." AEO drives answer-engine extraction; sites with MedicalEntity schema, credentialed reviewer markup, and primary-source citations get cited more often even at lower organic position. AIO drives Google AI Overview visibility on 82.4 percent of health-related searches per the 2026 SE Ranking study; the citation surface is partially decoupled from organic rank. GEO is the unifying generative engine optimization frame across Google AI Overview, ChatGPT, Perplexity, Claude Search, and emerging health-specific AI assistants.


4. HIPAA-Aware SEO Patterns

The intersection of HIPAA and SEO is where most healthcare engagements fail their first audit. Standard SEO instrumentation (Google Analytics on appointment pages, Meta Pixel on booking confirmations, third-party chat widgets) captures data that becomes PHI in a covered-entity context.

4.1 The PHI Boundary

PHI is individually identifiable health information held or transmitted by a covered entity or business associate (45 CFR 160.103). The 18 HIPAA identifiers at 45 CFR 164.514(b)(2)(i) include names, geographic subdivisions smaller than state, dates other than year, telephone, fax, email, SSN, medical record number, health plan beneficiary number, account numbers, certificate or license numbers, vehicle and device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or characteristic.

In digital marketing context, an IP address sent to Google Analytics by a visitor on /depression-treatment/ is PHI in the hands of a covered entity, because the URL plus the IP creates an individually identifiable health datum. The OCR December 2022 bulletin on online tracking technologies (revised guidance March 2024) clarified that tracking technologies on sites accessible by individuals seeking information about medical conditions constitute a disclosure of PHI when transmitting to a third party without a BAA.

4.2 No PHI in URLs

URLs are visible in browser histories, referrer headers, search query strings, analytics records, server logs, and shared links. A URL revealing condition, provider relationship, or treatment selection is itself a disclosure if it travels to non-BAA destinations.

Acceptable patterns: /conditions/depression/ (generic), /providers/dr-jane-smith/ (directory), /services/telehealth/, /locations/bentonville/, /book-appointment/ (intent, no condition revealed). Unacceptable: /patient-portal/jane-doe/appointments/depression-followup/, /appointment-confirmation/?id=12345&condition=anxiety&provider=jsmith, /forms/intake/?condition=hypertension&insurance=bluecross, /lab-results/12345.pdf.

When booking flows must pass patient-specific state, route through HIPAA-compliant infrastructure (EHR portal, HIPAA-compliant scheduler like NexHealth, Klara, or Tebra) rather than URL parameters consumed by general web infrastructure.

4.3 No PHI in Tracking

Standard Google Analytics 4 captures IP, user agent, page URL, referrer, and event parameters. Each can become PHI in healthcare context. HIPAA-aware GA4 configuration:

  1. Sign a BAA with the tracking vendor, or use a HIPAA-compliant proxy (Google does not sign BAAs for standard GA4; HIPAA-compliant alternatives include Freshpaint, Aloware, Heap with HIPAA configuration, self-hosted Plausible on covered-entity infrastructure).
  2. Configure IP anonymization (anonymize_ip true for server-side IP truncation).
  3. Strip query strings on PHI-adjacent pages (use a GTM custom variable returning location.pathname for page_location on /book-appointment/, /contact/, /telehealth/, condition and treatment pages).
  4. Disable cross-domain remarketing on PHI-adjacent pages (block Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel).
  5. Use a HIPAA-aware tag management approach (Freshpaint and Aloware act as proxies stripping identifiers; self-hosted server-side GTM offers strongest control).

Audit pattern: visit each PHI-adjacent page in a clean browser with devtools network panel open. Flag outbound calls to non-BAA destinations (googleadservices.com, connect.facebook.net, linkedin.com/li/track, tiktok.com, hotjar.com).
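The audit pattern above can be run over a saved HAR export of each PHI-adjacent page instead of by eye. The following is an added example, not code from the original framework: it flags third-party requests that hit the destinations listed above or that carry the page's query string. The clinic.example host, the /treatments/ prefix, the analytics-vendor host and the sample capture are constructed, and it assumes the page URL is stored in pages[].title, as in a Chrome HAR export.

```python
"""Flag PHI-adjacent page loads in a HAR capture that reach non-BAA third parties."""
import json
from urllib.parse import parse_qsl, unquote, urlsplit

# Destinations named in the audit pattern above; add every vendor without a signed BAA.
NON_BAA_DESTINATIONS = (
    "googleadservices.com",
    "connect.facebook.net",
    "linkedin.com/li/track",
    "tiktok.com",
    "hotjar.com",
)
# PHI-adjacent paths from Section 4.3; "/treatments/" is an assumed URL prefix.
PHI_ADJACENT_PREFIXES = (
    "/book-appointment/", "/contact/", "/telehealth/", "/conditions/", "/treatments/",
)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def matches_destination(url, entry):
    """True if url is on entry's host (or a subdomain) and under entry's path, if any."""
    entry_host, _, entry_path = entry.partition("/")
    host = _host(url)
    on_host = host == entry_host or host.endswith("." + entry_host)
    return on_host and (urlsplit(url).path or "/").startswith("/" + entry_path)


def leaked_params(page_url, request):
    """Names of page query parameters whose key=value pair travels with the request."""
    headers = {h["name"].lower(): h["value"] for h in request.get("headers", [])}
    carried = unquote(" ".join([
        request["url"],
        headers.get("referer", ""),
        (request.get("postData") or {}).get("text") or "",
    ]))
    pairs = parse_qsl(urlsplit(page_url).query)
    return sorted({key for key, value in pairs if f"{key}={value}" in carried})


def audit_har(har, first_party_host):
    """Return one finding per third-party request that fails the Section 4.3 audit."""
    pages = {p["id"]: p["title"] for p in har["log"]["pages"]}  # assumption: title = URL
    findings = []
    for entry in har["log"]["entries"]:
        page_url = pages.get(entry.get("pageref"), "")
        if not urlsplit(page_url).path.startswith(PHI_ADJACENT_PREFIXES):
            continue
        request = entry["request"]
        host = _host(request["url"])
        if host == first_party_host or host.endswith("." + first_party_host):
            continue  # first-party request, out of scope for this check
        reasons = [
            f"non-BAA destination: {dest}"
            for dest in NON_BAA_DESTINATIONS
            if matches_destination(request["url"], dest)
        ]
        leaked = leaked_params(page_url, request)
        if leaked:
            reasons.append("page query string forwarded: " + ", ".join(leaked))
        if reasons:
            findings.append(
                {"page": urlsplit(page_url).path, "host": host, "reasons": reasons}
            )
    return findings


def _entry(pageref, url, referer="https://clinic.example/"):
    return {"pageref": pageref, "request": {
        "url": url, "headers": [{"name": "Referer", "value": referer}]}}


_BOOKING = "https://clinic.example/book-appointment/?condition=anxiety&provider=jsmith"
_ENCODED = ("https%3A%2F%2Fclinic.example%2Fbook-appointment%2F"
            "%3Fcondition%3Danxiety")
# Constructed capture, not real traffic.
SAMPLE_HAR = {"log": {
    "pages": [
        {"id": "page_1", "title": _BOOKING},
        {"id": "page_2", "title": "https://clinic.example/locations/bentonville/"},
    ],
    "entries": [
        _entry("page_1", "https://clinic.example/assets/site.css"),
        _entry("page_1", "https://connect.facebook.net/en_US/fbevents.js"),
        _entry("page_1", "https://www.googleadservices.com/pagead/conversion/0/?url="
               + _ENCODED + "%26provider%3Djsmith"),
        _entry("page_1", "https://collect.analytics-vendor.example/e?dl=" + _ENCODED),
        _entry("page_2", "https://www.tiktok.com/pixel.js"),
    ],
}}

if __name__ == "__main__":
    print(json.dumps(audit_har(SAMPLE_HAR, "clinic.example"), indent=2))
```

The third finding in the sample comes from a host that is not on the list: a vendor can be absent from any blocklist and still receive the booking URL's query string, which is why the check looks at what is forwarded as well as where it goes.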

4.4 No PHI in Reviews

Reviews are public. Any response acknowledging a clinical relationship, confirming a visit, referencing a condition, or addressing specific care delivered is a HIPAA disclosure. The HIPAA-safe review response template thanks the reviewer (acceptable, non-PHI) and invites private dialogue to a compliant channel (phone or email), explicitly citing HIPAA as the reason for restraint in the public response. The template avoids confirming the reviewer is or was a patient, referencing the visit, mentioning the provider, addressing the specific complaint, or apologizing for specific care.

Thank you for taking the time to share feedback about your experience with our practice.
We value all input. Our team is committed to delivering quality care, and we welcome
the opportunity to discuss specific concerns directly. Please contact our patient experience
team at [phone] or [email] so we can speak with you privately. We are unable to discuss
specific care details in this public forum to protect patient privacy in accordance with HIPAA.

Negative review responses get the same template. The reflex to defend the practice by explaining clinical reasoning is the most common HIPAA violation in review response. Train all review-response staff on this restriction.

4.5 Forms That Route PHI Separately

Public healthcare forms collect non-PHI fields (name, preferred contact, general intent) and PHI fields (date of birth, insurance member ID, medical record number, symptoms). Pattern: a single form with two <fieldset> regions (non-PHI contact data and clearly labeled PHI region with explicit encryption disclosure), posting to a server-side router (e.g., /api/intake-router) that splits the payload: non-PHI to a standard CRM (HubSpot, Mailchimp, email); PHI exclusively to a HIPAA-compliant destination (EHR, HIPAA-compliant patient management, encrypted email with BAA-covered transit). The two payloads share a non-PHI correlation token, never a PHI identifier. Self-hosted pattern: nginx on Bubbles or Debian fronting a form handler service that splits and routes, signed BAA with EHR or scheduler, no inline pixels on the form page. Document the routing logic in the Notice of Privacy Practices (45 CFR 164.520(b)).
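The split performed by the server-side router described above, as an added example that is not part of the original framework. The field names, the echo check on free-text fields, and the two injected sender callables are assumptions; the grouping of fields and the shared non-PHI correlation token follow the pattern in this section.

```python
"""Split one intake submission into a CRM payload and a PHI payload (Section 4.5)."""
import secrets

# Field names are assumed; the grouping follows the non-PHI/PHI split described above.
NON_PHI_FIELDS = frozenset({"name", "preferred_contact", "general_intent"})
PHI_FIELDS = frozenset(
    {"date_of_birth", "insurance_member_id", "medical_record_number", "symptoms"}
)
MIN_ECHO_LEN = 4  # ignore very short PHI values when looking for echoes in free text


def split_intake(form):
    """Return (crm_payload, phi_payload) joined only by a random correlation token."""
    token = secrets.token_urlsafe(16)  # random, never derived from a submitted field
    crm = {"correlation_token": token}
    phi = {"correlation_token": token}
    for field, value in form.items():
        if field in NON_PHI_FIELDS:
            crm[field] = value
        else:
            # Fail closed: declared PHI fields and any field the router does not
            # recognise go to the HIPAA-compliant destination only.
            phi[field] = value
    # A visitor may repeat a PHI value in a free-text contact field; move any such
    # field to the PHI side instead of letting it reach the CRM.
    phi_values = [
        str(phi[f]) for f in PHI_FIELDS
        if len(str(phi.get(f, ""))) >= MIN_ECHO_LEN
    ]
    for field in [f for f in crm if f != "correlation_token"]:
        if any(value in str(crm[field]) for value in phi_values):
            phi[field] = crm.pop(field)
    return crm, phi


def route_intake(form, send_to_crm, send_to_phi_store):
    """Deliver both payloads; the two senders are injected, hypothetical callables."""
    crm, phi = split_intake(form)
    if len(phi) > 1:
        # PHI is delivered first, so a failure at the compliant destination raises
        # before any CRM record exists for this submission.
        send_to_phi_store(phi)
    send_to_crm(crm)
    return crm["correlation_token"]


# Constructed submission; "referral_note" is a field the router does not know.
SAMPLE_FORM = {
    "name": "Pat Example",
    "preferred_contact": "email",
    "general_intent": "new patient visit",
    "date_of_birth": "1980-01-01",
    "insurance_member_id": "ZZZ000111",
    "symptoms": "constructed sample text",
    "referral_note": "unrecognised field",
}

if __name__ == "__main__":
    crm_payload, phi_payload = split_intake(SAMPLE_FORM)
    print("CRM:", sorted(crm_payload))
    print("PHI:", sorted(phi_payload))
```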

4.6 Page-Level HIPAA Audit Checklist

Apply to every page, with PHI-adjacent pages (book-appointment, contact, condition, treatment, telehealth) held to the strictest interpretation.

  H1: URL contains no PHI identifier.
  H2: no inline ad-platform tracking pixels without BAA (no Meta, LinkedIn, TikTok, Google Ads remarketing on PHI-adjacent pages).
  H3: analytics anonymizes IP and strips query strings per Section 4.3.
  H4: chat widget, if present, is from a HIPAA-compliant vendor with signed BAA (Klara, Tebra, NexHealth, Doxy.me, or equivalent).
  H5: forms collecting PHI route PHI separately per Section 4.5.
  H6: page links to current HIPAA Notice of Privacy Practices via footer.
  H7: review responses on page are HIPAA-safe.
  H8: third-party embeds (Vimeo, YouTube, Instagram, TikTok) on PHI-adjacent surfaces use privacy-enhanced or self-hosted equivalents.

A page fails the HIPAA audit if any check fails on a PHI-adjacent surface.


5. MedicalEntity and Related Schema

The MedicalEntity branch of schema.org is the schema graph layer specific to healthcare. As of schema.org V30.0 (March 19 2026), MedicalEntity remains the canonical superclass of MedicalCondition, MedicalProcedure, MedicalGuideline, Drug, Substance, MedicalStudy, and MedicalTherapy. MedicalEntity coexists with MedicalOrganization, Physician (with the 2025 split into IndividualPhysician and PhysiciansOffice), Hospital, MedicalClinic, DentalClinic, MedicalWebPage, and Person with hasCredential. Pattern: every medical entity gets an @id, related entities cross-reference by @id, and the graph is internally consistent across pages.

5.1 The MedicalOrganization Anchor

Every practice needs a root MedicalOrganization entity. Multi-location: root is parent organization; each location is a sub-entity via branchOf. For hospitals swap MedicalOrganization for Hospital. For dental practices use Dentist or MedicalClinic with medicalSpecialty Dentistry. For mental health use MedicalClinic with medicalSpecialty Psychiatric.

Required fields on the root entity: @type: MedicalOrganization, stable @id, name, url, logo, telephone, address: PostalAddress, geo: GeoCoordinates, openingHoursSpecification, medicalSpecialty, availableService (array of @id refs to Service entities), employee (array of @id refs to Physician entities), healthPlanNetworkTier (array of @id refs to HealthInsurancePlan entities), areaServed, sameAs network with seven or more authoritative sources (NPI Registry, state medical board, Healthgrades, Zocdoc, Vitals, WebMD Doctors, Doximity, Facebook, LinkedIn), aggregateRating: AggregateRating with ratingValue, reviewCount, bestRating: 5, worstRating: 1.

5.2 The Physician Entity Per Provider

Each provider gets a dedicated Physician entity. The 2025 split between IndividualPhysician and PhysiciansOffice resolves longstanding ambiguity; use IndividualPhysician for the practitioner.

Required fields: @type: ["Physician","Person"], stable @id, name, honorificPrefix ("Dr."), honorificSuffix (MD, DO, DDS, MD MPH, etc.), image, url, knowsLanguage, medicalSpecialty array (schema.org MedicalSpecialty enumeration values), hasCredential array of EducationalOccupationalCredential entries with credentialCategory "degree", "certification", or "license" (license entries include identifier, recognizedBy GovernmentOrganization, and url to state medical board verification), memberOf/worksFor @id refs to MedicalOrganization root, knowsAbout (@id refs to MedicalCondition entities), availableService (@id refs), identifier array with NPI as PropertyValue (propertyID: NPI, 10-digit value, url to NPPES Registry), sameAs network of seven or more authoritative sources (Healthgrades, Zocdoc, Vitals, WebMD Doctors, Doximity, state medical board verify URL, NPPES Registry, LinkedIn).

The sameAs network is load-bearing for entity reconciliation. Healthcare entities with sameAs networks of seven or more authoritative sources show meaningfully stronger Knowledge Graph presence than those with three or fewer (Hill Web Creations 2026 physician schema markup analysis, observational sample).

5.3 The MedicalCondition Entity

Each condition page gets a MedicalCondition entity. Required fields: @type: MedicalCondition, stable @id, name, alternateName (common and clinical synonyms), code array with ICD-10-CM and SNOMED CT codings, signOrSymptom array of MedicalSignOrSymptom, cause array of MedicalCause, riskFactor array of MedicalRiskFactor, possibleTreatment (array of @id refs to MedicalProcedure entities), associatedAnatomy: AnatomicalStructure, typicalTest, epidemiology, expectedPrognosis, guideline array of MedicalGuideline with guidelineDate, evidenceLevel, evidenceOrigin.

code linking to ICD-10-CM and SNOMED CT lets AI Overview confirm clinical identity. possibleTreatment cross-references procedure pages. guideline references the underlying practice guideline (ADA Standards of Care, AHA Hypertension Guidelines, APA DSM-5-TR, analogous body-issued guidance) and assigns evidence level via schema.org MedicalEvidenceLevel enumeration (EvidenceLevelA for high-quality RCTs and meta-analyses, EvidenceLevelB for well-designed observational studies, EvidenceLevelC for consensus expert opinion).

5.4 MedicalProcedure, MedicalWebPage, HealthInsurancePlan, Drug, MedicalGuideline

Five remaining schema types emitted on the appropriate page and cross-referenced into the graph via @id.

MedicalProcedure (treatment page): @type: MedicalProcedure, code with CPT, procedureType, bodyLocation, preparation, followup, howPerformed, indication, contraindication, expectedOutcome, performedBy (@id refs to Physician entities), guideline with evidenceLevel.

MedicalWebPage (wraps every YMYL medical article): @type: MedicalWebPage with stable @id, url, headline, datePublished, dateModified, lastReviewed (credentialed reviewer's verification date, distinct from dateModified), reviewedBy (@id ref to reviewing Physician), author (@id ref to Person), publisher (@id ref to MedicalOrganization root), mainEntity (@id ref to MedicalCondition or MedicalProcedure), specialty: MedicalSpecialty, audience: MedicalAudience with audienceType: Patient, aspect: ConditionDescription. The Search Quality Rater Guidelines treat lastReviewed and dateModified as separate signals; the gap between them signals whether content is being actively maintained.

HealthInsurancePlan (per accepted plan, referenced by MedicalOrganization's healthPlanNetworkTier): @type, name, url, healthPlanCoverageArea.

Drug with DrugLegalStatus for substance use disorder treatment programs: @type: Drug, name, alternateName, legalStatus: DrugLegalStatus with applicableLocation: US and Schedule III/IV/V name, prescriptionStatus: PrescriptionOnly, drugClass. SUD telemedicine has specific DEA considerations under the Ryan Haight Act and the 2023 telemedicine flexibilities extension.

MedicalGuideline standalone for standards of care (high-signal for SQRG "consistency with well-established expert consensus"): @type: MedicalGuideline, name, guidelineDate, evidenceLevel, evidenceOrigin, recognizingAuthority.


6. Medical Reviewer Credentialing

The medical reviewer is the single highest-leverage trust signal in healthcare SEO. The December 2025 core update post-rollout analysis (Stan Ventures, approximately 4,200 health domains) found medical sites without clear physician authorship saw rankings collapse; specialty-matched reviewers outperform general reviewers on specialty content (RankVed 2026 healthcare YMYL 20-point compliance analysis, observational sample).

6.1 Credentialing Matrix

Credentials and verification sources, by use case: MD and DO for internal/surgery/specialty (NPPES plus state medical board); NP and PA for primary care and specialty per certification (NPPES plus state board); RN and LPN for nursing content (state nursing board); DDS and DMD for dental content (NPPES plus state dental board); DPM (state podiatry board); DPT (state PT board); OD (state optometry board); RD and RDN for nutrition with health claims (Commission on Dietetic Registration); PsyD and PhD clinical for mental health (state psychology board); LCSW (state social work board); LPC, LMHC, LMFT for counseling and family therapy (state board); CNM (American Midwifery Certification Board); Pharm.D (state board of pharmacy); AuD (state audiology board).

Specialty content needs reviewers holding board certification from the corresponding board recognized by ABMS for MDs and DOs (with allied bodies for DOs through the American Osteopathic Association Bureau of Osteopathic Specialists), the American Board of Dental Specialties, the American Board of Professional Psychology, or the relevant specialty board.

6.2 Verification Protocol

Before publishing the reviewer's name on the site, the editorial team verifies credentials in five steps:

  1. NPI at NPPES Registry npiregistry.cms.hhs.gov/provider-view/{NPI}.
  2. License at the FSMB Physician Data Center fsmb.org/PDC/ or state medical board direct site.
  3. Board certification at ABMS Certification Matters certificationmatters.org.
  4. Disciplinary search at DocInfo (FSMB consumer portal) docinfo.org.
  5. Log to /var/www/sites/[domain]/admin/reviewer-verification.log with ISO 8601 timestamp, reviewer name, NPI, and active status confirmation.

The log establishes a paper trail. Re-verify annually. Suspended or sanctioned reviewers must be removed from the site and their pages re-reviewed by an active reviewer at the same or higher credential level.
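One way to keep the verification log machine-checkable, as an added example that is not part of the original framework. It validates the NPI check digit before a record is written (a cheap guard against transcription errors, not a substitute for the NPPES lookup), appends the fields named in step five, and reads the log back to list reviewers who are due for annual re-verification or were not active at their last check. The JSON-lines layout, function names, reviewer names and NPI values are constructed for illustration.

```python
"""Reviewer verification log (Section 6.2): NPI check digit, append, annual re-check."""
import json
from datetime import datetime, timedelta, timezone


def npi_is_valid(npi):
    """Luhn check over the 10-digit NPI prefixed with 80840, per the NPI standard."""
    if len(npi) != 10 or not (npi.isascii() and npi.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def log_record(reviewer, npi, active, when=None):
    """One JSON line; the layout is an assumption, the fields are from step five."""
    if not npi_is_valid(npi):
        raise ValueError(f"NPI {npi!r} fails the check digit; re-read it from NPPES")
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "ts": when.isoformat(timespec="seconds"),  # ISO 8601 with UTC offset
        "reviewer": reviewer,
        "npi": npi,
        "active": bool(active),
    })


def append_verification(log_path, reviewer, npi, active, when=None):
    """Append one verification result to the log file at log_path."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(log_record(reviewer, npi, active, when) + "\n")


def reviewers_needing_action(log_lines, today, max_age_days=365):
    """Map NPI -> action, judged on each reviewer's most recent log entry."""
    latest = {}
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if rec["npi"] not in latest or ts > latest[rec["npi"]][0]:
            latest[rec["npi"]] = (ts, rec)
    actions = {}
    for npi, (ts, rec) in latest.items():
        if not rec["active"]:
            actions[npi] = "remove from site and re-review pages"
        elif today - ts > timedelta(days=max_age_days):
            actions[npi] = "re-verify"
    return actions


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed log lines; names and NPIs are test values, not real reviewers.
SAMPLE_LOG = [
    log_record("Reviewer A", "1234567893", True, _utc(2025, 1, 10)),
    log_record("Reviewer B", "1000000004", True, _utc(2025, 3, 1)),
    log_record("Reviewer B", "1000000004", False, _utc(2026, 4, 1)),
    log_record("Reviewer C", "2000000002", True, _utc(2026, 2, 1)),
]

if __name__ == "__main__":
    for npi, action in reviewers_needing_action(SAMPLE_LOG, _utc(2026, 5, 1)).items():
        print(npi, action)
```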

6.3 The Reviewer Credit Pattern

Every YMYL medical page reviewed by a credentialed clinician renders the reviewer credit prominently. Extends the standard YMYL Phase 5 credit block from framework-ymyl.md Section 5.5.2 with four healthcare-specific additions: specialty mention when content is specialty-specific (cardiology content reviewed by a board-certified cardiologist, not a general internist); state medical license number with Verify link to the state medical board verification URL confirming active status; NPI number with link to the NPPES Registry public listing; "medically reviewed" verb (matches what Search Quality Raters look for under the September 2025 SQRG). The full byline pattern: author with rel="author" link, "Medically reviewed by [Name], [post-nominal]" with rel="reviewer", clinical title plus specialty, license number with Verify link, NPI with NPPES link, and a date strip showing published, last updated, and last medically reviewed dates each as <time datetime>.

6.4 Specialty Matching Discipline

General health content relies on internal medicine reviewers. Specialty content requires specialty-matched reviewers. Topic-to-specialty pairing: diabetes to endocrinology; hypertension to cardiology, nephrology, or internal medicine; cancer to oncology subspecialty match (medical, surgical, radiation, hematologic); cardiovascular surgery to cardiothoracic surgery; dermatology to dermatology; dental procedures to specialty dentistry (oral surgery, endodontics, periodontics, orthodontics, prosthodontics); mental health (depression, anxiety, PTSD) to psychiatry, clinical psychology, or LCSW for non-medication content; substance use disorder to addiction medicine; pediatrics with subspecialty match; OB/GYN; geriatrics; sports medicine subspecialty; pharmacology to Pharm.D; nutrition with clinical claims to RD or RDN. Maintain /admin/reviewer-assignment-matrix.csv mapping topics to required credentials; editorial workflow checks the matrix before assigning a reviewer.

6.5 Reviewer Profile Page And Audit Trail

Each reviewer gets a dedicated profile at /providers/{{slug}}/ surfacing: full name with post-nominal letters, professional headshot, job title and primary location, educational history (medical school, residency, fellowship with dates), board certifications, state licenses, NPI with NPPES Registry link, hospital and clinical affiliations, professional memberships, specialty interests, publications, languages spoken, insurance accepted, conditions and procedures with expertise, articles reviewed on the site, last credential verification date. Profile renders Person plus Physician schema per Section 5.2.

A real reviewer program tracks who reviewed what and when. The private admin interface (behind authentication, not crawlable) records per article: URL, author, reviewer, reviewer assigned and return dates, reviewer comments, editorial sign-off date, published date, next review due date (six-month cadence for treatment guideline content), last credential verification of reviewer. Public-facing pages render only lastReviewed, reviewer name, and link to the reviewer's profile.


7. Healthcare Local SEO

Healthcare local SEO compounds general local SEO with specialty constraints. 77 percent of patients begin healthcare provider searches on Google (Tebra The Intake 2025 patient search analysis, sample of approximately 1,800 patients); the local pack is the highest-converting placement for "[specialty] near me" queries (NovaAdvertising local SEO for dentists 2026 analysis, observational sample of approximately 600 single-location dental practices). This section is a healthcare extension to framework-localseo.md. Read that framework's Sections 4 through 7 first; the patterns below add the healthcare layer.

7.1 GBP Healthcare Attributes

Configure healthcare attributes in the Business Profile Manager: accessibility (wheelchair-accessible entrance, restroom, parking) per accessibility audit; languages spoken; insurance accepted (mention top 5 in description); accepting new patients; telehealth available; online appointments; same-day appointments; Black-owned, Women-owned, LGBTQ+ friendly, Veteran-owned per accurate self-identification; walk-ins welcome (urgent care); appointment required (specialty).

GBP primary category matches the actual specialty. Common categories: Family Practice Physician, Internist, General Practitioner (solo); Medical Clinic, Medical Group (multi-physician); Hospital; specialty-specific (Cardiologist, Dermatologist); Dentist with secondary Cosmetic Dentist, Pediatric Dentist, Orthodontist per specialty; Psychiatrist (MDs), Psychologist (PsyD/PhD), Mental Health Clinic, Counselor (LPC); Telehealth Service; Urgent Care Center; Surgical Center, Plastic Surgeon per specialty.

7.2 Provider Pages As The Local Layer

Each provider gets a dedicated page; each location gets a dedicated page; provider pages link to the locations where the provider practices and location pages link to providers there. URL pattern: /providers/dr-jane-smith/, /locations/bentonville/, optionally /providers/dr-jane-smith/at-bentonville/ for the provider-at-location pivot where patient acquisition data supports it. A multi-location system with N locations and M providers builds N location pages, M provider pages, and a curated subset of provider-at-location pivots where genuinely distinct content exists. Pure programmatic N times M pivot generation without genuine per-pivot content reverts to doorway page territory per framework-localseo.md Section 8.

7.3 Insurance Acceptance Pages

A patient searching "[practice name] accepts BlueCross" is at the bottom of the funnel. The pattern: /insurance/ index page plus a per-plan page at /insurance/aetna/, /insurance/blue-cross-blue-shield/, /insurance/cigna/, /insurance/humana/, /insurance/medicare/, /insurance/medicaid/, /insurance/united-healthcare/, /insurance/tricare/. Each plan page covers: acceptance status (in-network, out-of-network with billing support, not accepted), specific plan variants (Aetna PPO, HMO, Open Choice), which providers accept this plan (cross-reference provider pages), which locations honor it, verification process, copay and deductible expectations, out-of-network billing options, direct contact for verification. The HealthInsurancePlan schema per Section 5.6 marks up the plan entity.

7.4 Telehealth State Eligibility

Telehealth providers face a state-by-state regulatory layer. General rule: a physician practicing telemedicine must be licensed in the state where the patient is located at the time of the encounter. The Interstate Medical Licensure Compact provides an expedited pathway in 43 states plus DC and Guam (American Medical Association 2026 Licensure and Telehealth Issue Brief). Multi-state services must publish which states they serve and gate eligibility.

URL pattern: /telehealth/states/ index plus per-state pages at /telehealth/states/[state-slug]/. Each state page covers: whether the practice is licensed in this state, which providers hold this state's license, state-specific requirements (controlled substance restrictions, initial in-person visit requirements), state Medicaid telehealth coverage, state commercial insurance telehealth parity status.

The eligibility logic must gate the booking flow. A patient whose state of residence is not on the eligible list cannot complete a telehealth booking. Surface this gating in the booking flow with a clear explanation, not an error.

Mental health telehealth has the Psychology Interjurisdictional Compact (PSYPACT), in effect in 43 jurisdictions in 2026 (Telehealth.org 2025-2026 cross-state practice analysis). Psychologists practicing telepsychology under PSYPACT must hold an Authority to Practice Interjurisdictional Telepsychology credential. The Nurse Licensure Compact provides a multistate RN license in 43 jurisdictions. The DEA's 2023 telemedicine extension and subsequent rules govern controlled substance prescribing via telehealth; as of 2026 Schedule II prescriptions via telemedicine typically require an in-person visit prior to telemedicine initiation, with specific exceptions; substance use disorder treatment with buprenorphine has separate flexibilities.
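The booking gate from this section, together with a cross-check of published state pages against provider licenses, as an added example that is not the framework's own code. The roster CSV layout, its status values, the www/ and roster.csv locations, dr-alex-lee, and the 2026-05-14 audit date are constructed assumptions.

```bash
#!/bin/sh
# Added example: telehealth state gate plus state-page audit.
# The roster layout (provider,state,status,expires) is an assumption.

# licensed_providers ROSTER STATE_SLUG TODAY(YYYY-MM-DD)
# Prints each provider whose license in the state is active and not expired.
licensed_providers() {
    awk -F, -v state="$2" -v today="$3" '
        NR > 1 && $2 == state && $3 == "active" && ($4 "") >= (today "") { print $1 }
    ' "$1"
}

# booking_gate ROSTER STATE_SLUG TODAY
# Returns 0 and lists providers when the state is eligible. Otherwise returns 1
# with a plain-language explanation the booking flow can show to the patient.
booking_gate() {
    providers=$(licensed_providers "$1" "$2" "$3" | paste -sd, -)
    if [ -n "$providers" ]; then
        echo "ELIGIBLE $2: $providers"
        return 0
    fi
    echo "INELIGIBLE $2: no provider currently holds a license in this state, so a telehealth visit cannot be booked"
    return 1
}

# audit_state_pages WEB_ROOT ROSTER TODAY
# Every published /telehealth/states/<slug>/ page must be backed by a license.
audit_state_pages() {
    rc=0
    for dir in "$1"/telehealth/states/*/; do
        [ -d "$dir" ] || continue
        slug=$(basename "$dir")
        if [ -z "$(licensed_providers "$2" "$slug" "$3")" ]; then
            echo "FAIL $slug: state page published but no current license on the roster"
            rc=1
        fi
    done
    return "$rc"
}

# make_telehealth_site: constructed sample data. The roster sits outside www/.
make_telehealth_site() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/www/telehealth/states/arkansas" \
             "$base/www/telehealth/states/missouri" \
             "$base/www/telehealth/states/oklahoma"
    cat > "$base/roster.csv" <<'EOF'
provider,state,status,expires
dr-jane-smith,arkansas,active,2027-03-31
dr-alex-lee,arkansas,active,2026-12-31
dr-jane-smith,missouri,active,2026-01-31
dr-alex-lee,oklahoma,suspended,2027-06-30
EOF
    echo "$base"
}

# Demo: missouri has an expired license, oklahoma a suspended one, kansas none.
demo=$(make_telehealth_site)
booking_gate "$demo/roster.csv" arkansas 2026-05-14 || true
booking_gate "$demo/roster.csv" kansas 2026-05-14 || true
audit_state_pages "$demo/www" "$demo/roster.csv" 2026-05-14 || echo "state pages out of sync with licenses"
rm -rf "$demo"
```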

7.5 Healthcare-Vertical Citation Network

Beyond general local SEO citations: NPPES NPI Registry, FSMB Physician Data Center, Healthgrades, Zocdoc, Vitals, WebMD Doctors, Doximity, Sharecare, RateMDs, Yelp Health, Apple Maps Health, insurance plan provider directories (Aetna, BCBS, Cigna, Humana, UnitedHealthcare), state medical society directories, specialty society directories (AAFP, ACP, others), hospital affiliation pages. NAP consistency tooling: Whitespark, BrightLocal, Moz Local, Yext.

7.6 Multi-Location Operational Pattern

A health system with multiple locations runs each location's GBP profile as a distinct entity with distinct local content. Each location's /var/www/sites/[domain]/locations/[city]/index.html must pass a complete checklist: business name, PostalAddress schema, business phone, OpeningHoursSpecification, providers-at-location list, services-at-location list. A bash audit loop walks the locations array, greps each file for the markers, and prints FAIL lines for any missing element.
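One way to write the audit loop described above, as an added example rather than the framework's own script. The location list is passed as arguments so it also runs under plain sh, SITE_ROOT stands for /var/www/sites/[domain], and the marker regexes, the two list ids, the sample pages, and the rogers and springdale locations are constructed assumptions.

```bash
#!/bin/sh
# Added example: per-location checklist audit. Not the framework's own script.
# Marker regexes and the two list ids are assumptions; match them to your templates.

# check_marker PAGE CITY LABEL REGEX
# Prints a FAIL line and returns 1 when REGEX does not occur in PAGE.
check_marker() {
    if grep -Eq -- "$4" "$1"; then
        return 0
    fi
    echo "FAIL $2: missing $3"
    return 1
}

# audit_locations SITE_ROOT CITY...
# Returns 0 only when every listed location page exists and carries all six
# checklist elements. Prints one FAIL line per gap.
audit_locations() {
    root=$1
    shift
    fails=0
    for city in "$@"; do
        page="$root/locations/$city/index.html"
        if [ ! -f "$page" ]; then
            echo "FAIL $city: page not found"
            fails=$((fails + 1))
            continue
        fi
        check_marker "$page" "$city" "business name" \
            '"name"[[:space:]]*:[[:space:]]*"[^"]+"' || fails=$((fails + 1))
        check_marker "$page" "$city" "PostalAddress schema" \
            '"@type"[[:space:]]*:[[:space:]]*"PostalAddress"' || fails=$((fails + 1))
        check_marker "$page" "$city" "business phone" \
            '"telephone"[[:space:]]*:[[:space:]]*"[^"]+"' || fails=$((fails + 1))
        check_marker "$page" "$city" "OpeningHoursSpecification" \
            '"@type"[[:space:]]*:[[:space:]]*"OpeningHoursSpecification"' || fails=$((fails + 1))
        check_marker "$page" "$city" "providers-at-location list" \
            'id="providers-at-location"' || fails=$((fails + 1))
        check_marker "$page" "$city" "services-at-location list" \
            'id="services-at-location"' || fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]
}

# make_location_site: builds constructed sample pages in a temp dir, prints its path.
make_location_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/locations/bentonville" "$site/locations/rogers"
    cat > "$site/locations/bentonville/index.html" <<'EOF'
<script type="application/ld+json">
{"@type": "MedicalClinic", "name": "Example Health Bentonville",
 "telephone": "+1-555-0100",
 "address": {"@type": "PostalAddress", "addressLocality": "Bentonville"},
 "openingHoursSpecification": [{"@type": "OpeningHoursSpecification", "dayOfWeek": "Monday"}]}
</script>
<ul id="providers-at-location"><li>Dr. Jane Smith</li></ul>
<ul id="services-at-location"><li>Family medicine</li></ul>
EOF
    cat > "$site/locations/rogers/index.html" <<'EOF'
<script type="application/ld+json">
{"@type": "MedicalClinic", "name": "Example Health Rogers",
 "telephone": "+1-555-0101",
 "address": {"@type": "PostalAddress", "addressLocality": "Rogers"}}
</script>
<ul id="providers-at-location"><li>Dr. Jane Smith</li></ul>
EOF
    echo "$site"
}

# Demo: rogers lacks hours and the services list, springdale has no page at all.
demo_site=$(make_location_site)
audit_locations "$demo_site" bentonville rogers springdale || echo "audit found gaps"
rm -rf "$demo_site"
```

A grep-level check confirms only that each marker is present; it does not validate that the phone number, address, or hours are correct for that location.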


8. Medical Condition Pages

Medical condition pages are the highest-traffic, highest-stakes content surface on most healthcare sites. They serve symptom and diagnosis seekers, often arriving in distress and frequently making care decisions based on what they read. The September 2025 SQRG holds condition pages to the strictest YMYL standard; the December 2025 core update identified uncredentialed condition content as the primary failure mode.

8.1 The Canonical Structure

Every condition page follows the same structural pattern. Consistency lets the credentialed reviewer audit faster, lets AI Overview extract reliably, and lets audit tooling validate at scale.

Top: mental health crisis banner (if applicable; Section 8.2), top-of-article medical YMYL disclaimer, H1 (condition name), author and reviewer credit block per Section 6.3, published/updated/medically reviewed dates, quick-answer summary, table of contents. Main content: What is [condition], Symptoms with severity calibration (Section 8.4), Causes and risk factors, When to seek care (Section 8.5), Diagnosis, Treatment options (cross-link to MedicalProcedure pages), Lifestyle and self-care, Outlook (prognosis with realistic ranges), When to contact your provider, FAQ, References (primary literature, MedlinePlus, CDC, NIH, specialty society guidelines). Bottom: related conditions cross-link, related treatments cross-link, find a provider with this expertise, find a location with this specialty, full medical disclaimer reference, last review and update timestamps.

The pattern lives in a server-rendered template, not in a CMS WYSIWYG that lets authors deviate per article. Consistency across the library is itself a credibility signal.

8.2 Crisis Resources At The Top For Mental Health

For any condition page touching suicide, self-harm, psychiatric emergencies, severe depression, or substance use disorder crisis, 988 Suicide and Crisis Lifeline resources go at the very top, before any other content. The 988 service launched July 16 2022; a 2026 Harvard study found suicide mortality among adolescents and young adults declined following 988 launch, with the Lifeline reporting approximately 4,400 fewer suicide deaths than projected in its first two and a half years.

<aside class="crisis-resources" role="alert" aria-labelledby="crisis-heading">
  <h2 id="crisis-heading">If You Need Immediate Help</h2>
  <p><strong>If you are in crisis or thinking about suicide or self-harm, reach out now:</strong></p>
  <ul>
    <li><strong>988 Suicide and Crisis Lifeline (US):</strong> Call or text <a href="tel:988">988</a>. 24/7.</li>
    <li><strong>Crisis Text Line:</strong> Text HOME to <a href="sms:741741">741741</a></li>
    <li><strong>Veterans Crisis Line:</strong> Call <a href="tel:988">988</a> and press 1, or text 838255.</li>
    <li><strong>Immediate physical danger:</strong> Call <a href="tel:911">911</a> or nearest ER.</li>
    <li><strong>International:</strong> <a href="https://findahelpline.com/" rel="noopener external">findahelpline.com</a></li>
  </ul>
</aside>

The banner is the first content in the article, immediately after the H1. Bottom-of-page placement fails the September 2025 SQRG sensitivity bar for mental health YMYL. The banner appears on every page covering major depressive disorder, suicidal ideation, self-harm, bipolar disorder during depressive episode content, PTSD with suicidal ideation discussion, substance use disorder, eating disorders with severe psychiatric risk, perinatal mood and anxiety disorders, and any psychiatric emergency content. When in doubt, include the banner.

8.3 Evidence Sourcing And Citation Hierarchy

Citation hierarchy: (1) primary literature in peer-reviewed PubMed-indexed journals (RCTs, systematic reviews, meta-analyses); (2) clinical practice guidelines from specialty societies (ADA Standards of Care, AHA, USPSTF, ACOG, AAP, APA, AAFP); (3) MedlinePlus (NLM/NIH patient-facing reference); (4) CDC, FDA, NIH, WHO; (5) Cochrane Reviews; (6) Merck Manual, UpToDate; (7) university hospital and academic medical center publications (Mayo Clinic, Cleveland Clinic, Johns Hopkins, Stanford, Mass General Brigham, NYU Langone, Penn Medicine, UCSF); (8) specialty society patient education (American Cancer Society, AHA, Alzheimer's Association).

Tier 8 and below are acceptable for low-stakes claims. Tiers 1 through 4 are required for treatment recommendations, prognosis, and directive content. Tier 1 is required for any claim of efficacy, effectiveness, or outcome.

Inline citations render as superscript anchors following each factual claim. The references section is an ordered list, each entry with anchor id, full author list, year, title, journal name in <em>, volume(issue), pages, PMID linked to pubmed.ncbi.nlm.nih.gov/{PMID}/, DOI linked to doi.org/{DOI}. For guideline references, include the issuing body, year, full title, journal or web source. Every factual claim above the basic-anatomy level gets a citation. The reviewer reads each cited source and verifies the claim before signing off.

8.4 Symptom Section With Severity Calibration

The symptoms section is one of the most extracted surfaces by AI Overviews. Structure as labeled lists with severity calibration: an H2 Symptoms, then H3 subsections for Common symptoms, Less common but possible symptoms, and Symptoms that need urgent medical attention. Each symptom row gets a bolded name and a one-sentence description. The urgent-symptoms section is wrapped in a role="note" callout with the explicit instruction "Call 911 or go to the nearest emergency room if you experience:". Urgent-symptoms callout is standard; patients in distress scan for urgency signals, and AI Overviews frequently surface emergency-signs lists.

8.5 When-To-Seek-Care Decision Tree

A short scannable decision tree replaces ambiguous prose. The pattern is a two-column table with rows for urgent (call 911 or nearest emergency room), same-day (contact provider same day, if unavailable urgent care or ED), routine (schedule within 1 to 2 weeks), and monitoring (discuss at next scheduled visit) presentations. The treatment section on a condition page is a navigation hub; full treatment detail lives on the dedicated MedicalProcedure page.


9. Treatment And Procedure Pages

Treatment pages serve the advanced funnel stage: a patient who knows their condition and is researching options. Conversion intent is higher: book a consultation, request a procedure quote, contact a specific provider.

9.1 Canonical Treatment Page Structure

Top-of-article medical disclaimer; H1 with treatment or procedure name; author and credentialed reviewer credit per Section 6.3 (specialty-matched per Section 6.4); published, updated, medically reviewed dates; quick-answer summary. Sections: What is, Who is a candidate, How it works, Before the procedure (preparation), During, After (recovery), Outcomes (Section 9.2), Risks (Section 9.4), Cost and insurance coverage (Section 9.3), Alternatives, FAQ, References. Cross-link to providers offering this, location pages, related conditions. Full medical disclaimer reference at the bottom.

9.2 Outcomes Reporting Discipline

Outcome statements attract the most scrutiny from regulators and Search Quality Raters. Discipline: use ranges not single numbers for outcomes that vary across populations; cite the underlying study for each outcome statement; identify the patient population in which the outcome was observed; mark contraindications and exclusion criteria; add the "results may vary" individual-variation disclaimer per FTC guidance. The pattern: an Outcomes section with an opening paragraph noting outcomes depend on individual factors, then a bulleted list of "approximately X percent experience [OUTCOME] within [TIME_RANGE]" entries each with citation superscript, followed by a role="note" aside with the explicit "Individual results vary" disclaimer.

9.3 Cost Transparency Where Applicable

The Hospital Price Transparency Rule (45 CFR 180) requires hospitals to post standard charges online. Outpatient surgery centers and ambulatory practices have related requirements under the Transparency in Coverage Rule and the No Surprises Act for self-pay good faith estimates. For SEO, treatment pages benefit from genuine cost transparency; patients searching "[procedure] cost" are bottom-funnel.

The cost section covers self-pay ranges (with No Surprises Act good faith estimate disclosure), insurance coverage (which plans cover the procedure when medically necessary, prior authorization expectations, link to /insurance/), and financing options for amounts not covered. Vague or misleading cost language fails FTC truth-in-advertising review and patient trust.

9.4 Risks And Complications Section

The risks section serves both informed consent and SEO. Patients searching "[procedure] risks" are evaluating; pages addressing risks credibly convert better than pages downplaying them. Frame each risk with frequency context across three buckets: common risks (more than 1 in 100 patients), less common risks (1 in 100 to 1 in 1,000 patients), rare but serious risks (less than 1 in 1,000 patients). Each risk gets a bolded name and a one-sentence description with the specific frequency. Pair with a closing statement that the provider discusses risks specific to the patient's situation during consultation.


10. Provider Pages

Provider pages serve patient acquisition directly. 76 percent of patients report going online to research individual providers before booking (Tebra The Intake 2025 patient search behavior analysis, sample of approximately 1,800 patients). Provider pages are also where credentialing and the schema entity graph compound most: a single page hosts the Physician schema entity, sameAs network, hasCredential array, and link surface that anchors the local SEO graph.

10.1 Canonical Provider Page Structure

Top: provider photo (professional headshot, warm not stock), H1 with credentials post-nominal, title and practice affiliation, specialty and subspecialty, languages spoken, telehealth availability and licensed states, insurance accepted (cross-link to insurance pages), new-patient acceptance status, office locations (cross-link), book appointment CTA (routes to HIPAA-compliant scheduler), telephone.

Middle: about this provider (two-to-four-paragraph bio in third person), education and training, board certifications, hospital privileges and affiliations, professional memberships, conditions treated (cross-link to MedicalCondition pages), treatments and procedures offered (cross-link to MedicalProcedure pages), publications, awards and recognition (verifiable not vanity), patient testimonials (HIPAA-compliant per Section 11), aggregate rating (honest and verifiable), articles reviewed on this site (if provider serves as medical reviewer).

Schema: Physician entity per Section 5.2, NPI verification link, state medical board license verification link, MedicalWebPage wrapper, BreadcrumbList. Cross-references via @id back to MedicalOrganization root and forward to MedicalCondition and MedicalProcedure entities the provider is associated with.

10.2 Provider Photo Standard

Professional headshot, neutral background, recent (within two years). Clinical attire appropriate to specialty. Eye contact, warm expression. Resolution at least 800 by 800; serve via responsive image with srcset. No filters, no stock substitutions. Alt text plain: "Dr. Jane Smith, board-certified family medicine physician". Same image file as referenced in the Physician schema entity.

10.3 Bio That Converts

Two to four paragraphs in third person. Paragraph 1: specialty, training summary, years in practice, primary clinical interest. Paragraph 2: practice philosophy or approach; what makes this provider's care distinctive. Paragraph 3 (optional): notable affiliations, research, community involvement. Paragraph 4 (optional): brief personal note if practice culture supports it. Avoid: superlative claims without verification ("best in town", "top doctor"), credentials inflation (listing short courses as certifications), stock language that could describe any provider in the specialty.

10.4 Conditions, Treatments, Insurance, Telehealth Blocks

Each provider lists conditions treated and procedures performed (cross-linked to MedicalCondition and MedicalProcedure pages), serving three purposes: patient-facing self-selection, SEO topic-cluster cross-link mesh, and schema feeding the Physician entity's knowsAbout and availableService. Insurance block lists accepted plans with link to /insurance/. Telehealth block lists licensed states with link to /telehealth/states/[state]/ per Section 7.4. Render as plain <ul> lists under labeled subheadings (Conditions treated, Procedures and treatments offered, Insurance Accepted, Telehealth Visits).


11. Healthcare Reviews Management

Reviews drive healthcare conversion. 94 percent of healthcare patients use online reviews to evaluate providers (rater8 2025 Next Evolution of Patient Choice report, sample of approximately 1,400 patients); 46 percent use reviews to choose a provider (Tebra The Intake 2025 analysis); review velocity is a local pack ranking signal (BrightLocal 2026 Local Consumer Review Survey, representative sample of approximately 1,100 U.S. consumers). Reviews are also the surface where HIPAA violations most commonly occur in healthcare marketing.

11.1 Acquiring Reviews HIPAA-Safely

Workflow: patient receives a generic non-PHI post-visit communication inviting feedback; invitation routes to a public review platform (GBP, Healthgrades, Zocdoc) directly; patient writes on the platform; the practice's internal patient experience platform separately collects PHI-bearing feedback under HIPAA-compliant channels for clinical quality purposes and never crosses into the public review surface. The invitation can mention the visit date in the patient's own private email but cannot include condition or diagnostic information. The acceptable invitation thanks the patient by name, lists the public review platform URLs (Google, Healthgrades, Zocdoc), explicitly asks the patient not to include specific medical details in the public review, redirects clinical feedback to the practice's private patient experience contact, and signs off with a generic practice signature.

Do not pay for reviews, do not require reviews as a condition of care or discount, do not write reviews under fake identities. The FTC final rule on fake reviews (effective October 21 2024) imposes civil penalties up to 50,120 dollars per violation in 2026; Google's review policies separately prohibit incentivized reviews.

11.2 Responding To Reviews

The HIPAA-safe response template per Section 4.4 is the default. Practice it across the entire response staff. Customize only the practice name and contact information, never the body about specific care.

Negative review responses use the same template. The reflex to defend by explaining clinical reasoning is the most common HIPAA disclosure error. If a patient publicly criticizes a provider for "missing my diagnosis", the safest response is the standard template; explaining what was or was not in the clinical record is a PHI disclosure even if the goal is to defend the provider.

11.3 Patient Testimonials On Site

Patient testimonials require explicit, current HIPAA authorization per testimonial. Authorization elements: patient name on file; identified content to be used (full name or first name only, photograph, video, quoted statements, specific condition or treatment); enumerated channels (website, Facebook, Instagram, GBP, YouTube, paid advertising, print materials each checked specifically); duration with start and end date; patient acknowledgements (right to revoke via written notice, information already shared cannot be retrieved, not required for treatment payment or enrollment, possible re-disclosure no longer protected by HIPAA, copy provided to patient); signature and date. Authorization is reviewed by the practice's HIPAA Privacy Officer or legal counsel. Authorizations are filed in the patient's record with a separate index for marketing-purposes uses to support audit.

11.4 Aggregate Review Schema

AggregateRating per Section 5.1 surfaces star ratings in rich results and AI Overview citations. Rules: rating honest and verifiable from real reviews; reviewCount is the actual count; bestRating and worstRating define the scale (5 to 1); schema attaches to MedicalOrganization root or specific MedicalClinic location entities, not fabricated subsidiary entities; if aggregated across platforms, document the methodology and disclose on a /reviews/ page explaining which platforms are counted, how the average is computed, when the count was last refreshed, and links to each underlying platform. The FTC fake review rule prohibits fabricated reviews, undisclosed insider reviews, and AI-generated review content presented as authentic.


12. Common Healthcare SEO Mistakes

Ten anti-patterns. Each fails on at least one of: HIPAA compliance, SQRG quality bar, Google Ads policy, FTC truth-in-advertising, state medical board advertising rules, AI engine extraction reliability.

12.1 Tracking pixels on appointment and condition pages. Most common mistake. Meta Pixel, Google Ads remarketing, LinkedIn Insight, TikTok Pixel fire on PHI-adjacent pages and disclose PHI to a non-business-associate vendor. OCR December 2022 tracking technologies bulletin and subsequent enforcement made this a regulatory liability. Fix: implement Section 4.3.

12.2 Patient testimonials without written authorization. Posting before-and-after photos, video testimonials, or quoted reviews without specific current HIPAA authorization. OCR September 2025 Cadia Healthcare enforcement (150 patient stories without valid written permission) is the canonical example. Fix: pull testimonials pending audit, republish only with current authorization per Section 11.3.

12.3 Uncredentialed or generic reviewer stamp. A single "medical reviewer" name on hundreds of articles with no audit trail. December 2025 core update analysis (Stan Ventures, approximately 4,200 health domains) identified this as the primary ranking-loss pattern. Fix: implement Section 6 in full with specialty matching (Section 6.4) and verification (Section 6.2).

12.4 Disclaimer without substance. Boilerplate "consult a professional" disclaimer at the bottom of an article that explicitly prescribes treatment. Disclaimers do not immunize directive content. Both Google's raters and FTC review the substantive content. Fix: align disclaimer tone to content tone; directive content must be authored by a credentialed practitioner.

12.5 Telehealth marketing without state eligibility gating. Site lets any visitor book a telehealth appointment regardless of state of residence. Provider is not licensed in the patient's state. The encounter is an unlicensed-practice violation. Fix: implement Section 7.4 gating.

12.6 988 resources buried or absent on mental health pages. A depression or suicide content page with footer link but no top-of-page banner. Fails the September 2025 SQRG sensitivity bar. Fix: implement Section 8.2 banner at the top of every applicable page.

12.7 Specific outcome claims without per-patient context. "Most patients see a 50 percent improvement in symptoms within two weeks." The FTC treats this as misleading; state medical board advertising rules in many states prohibit guarantees. Fix: implement Section 9.2 outcome reporting discipline.

12.8 Insurance acceptance listed but not current. Page lists plans not updated in two years; patients arrive expecting coverage. Fix: insurance acceptance updates are quarterly minimum, monthly during plan-relationship change.

12.9 NPI or license number listed but not verified. Provider page shows an NPI that does not match NPPES, or a license that is suspended. Fix: Section 6.2 verification with annual re-verification logged.

12.10 LegitScript certification missing for SUD treatment or telemedicine pharmacy. Practices offering SUD treatment or telemedicine pharmacy require LegitScript certification to advertise on Google Ads (Google Ads Healthcare and Medicines Policy, last updated April 2026). For organic SEO, lack of certification can correlate with the AI Overview's tendency to surface certified competitors. Fix: pursue LegitScript certification through addiction treatment, telemedicine, or pharmacy programs as applicable.
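For anti-pattern 12.1, a static scan of PHI-adjacent page source for the four pixels named there, as an added example that is not the framework's Section 4.3 tooling. The directory names and sample pages are constructed assumptions, and the hostname patterns are the vendors' usual script origins, to be checked against your own tag inventory.

```bash
#!/bin/sh
# Added example: static scan of PHI-adjacent pages for third-party ad pixels.
# Not the framework's own tooling. Directory names are assumptions.

# vendor=regex, one pair per line (hostnames the vendor tags load from).
TRACKERS='Meta Pixel=connect\.facebook\.net
Google Ads remarketing=googleadservices\.com|googleads\.g\.doubleclick\.net
LinkedIn Insight=snap\.licdn\.com
TikTok Pixel=analytics\.tiktok\.com'

# scan_trackers SITE_ROOT PHI_DIR...
# Prints "FAIL <page>: <vendor>" for each hit under the listed PHI-adjacent
# directories. Returns 1 when any page references a listed tracker, else 0.
scan_trackers() {
    root=$1
    shift
    findings=$(
        for dir in "$@"; do
            [ -d "$root/$dir" ] || continue
            find "$root/$dir" -type f -name '*.html' | sort |
            while IFS= read -r page; do
                printf '%s\n' "$TRACKERS" |
                while IFS='=' read -r vendor regex; do
                    if grep -Eq -- "$regex" "$page"; then
                        echo "FAIL ${page#"$root"}: $vendor"
                    fi
                done
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_tracker_site: builds constructed sample pages in a temp dir, prints its path.
make_tracker_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/appointments" "$site/conditions/asthma" "$site/conditions/depression"
    cat > "$site/appointments/index.html" <<'EOF'
<h1>Book an appointment</h1>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
EOF
    cat > "$site/conditions/asthma/index.html" <<'EOF'
<h1>Asthma</h1>
<script src="/js/first-party-analytics.js"></script>
EOF
    cat > "$site/conditions/depression/index.html" <<'EOF'
<h1>Depression</h1>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
EOF
    echo "$site"
}

# Demo: two pixels on the booking page, one on a condition page, asthma is clean.
demo_site=$(make_tracker_site)
scan_trackers "$demo_site" appointments conditions || echo "trackers found on PHI-adjacent pages"
rm -rf "$demo_site"
```

A source scan cannot see tags injected at runtime by a tag manager, so pair it with a review of the network requests the rendered page actually makes.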


13. Audit Rubric

The healthcare SEO audit runs in three layers: per-page, site-wide, and a first-90-days subset that gates the rest of the audit.

13.1 Per-Page Healthcare Audit

Apply to every YMYL medical page. Pass criteria are absolute, not graded.

Critical (HP1-HP5, HP9, HP12, HP14, HP17): passes HIPAA per-page checklist (Section 4.6); top-of-article medical disclaimer banner; mental health crisis banner at top if topic touches psychiatric crisis; credentialed author byline with specialty match (Section 6.4); credentialed medical reviewer byline with license, NPI, specialty match; primary literature citations for every factual claim with PubMed PMID or DOI; outcomes section with ranges/citations/population/results-may-vary disclaimer for treatment pages; telehealth state eligibility surfaced for telehealth-relevant pages; AI use disclosed if AI involved in drafting.

High (HP6-HP8, HP10, HP11, HP13): published, last updated, last medically reviewed dates displayed; MedicalWebPage schema with reviewedBy/lastReviewed/datePublished/dateModified; MedicalCondition or MedicalProcedure schema entity attached per page type; references section with full citations; symptoms section with severity calibration for condition pages; cost section with honest range for treatment pages.

Medium (HP15-HP16): cross-link to provider pages with this expertise; cross-link to location pages offering this care.

Score: 34 max. World-class healthcare YMYL page: 30 or higher with zero Critical fails.

13.2 Site-Wide Healthcare Audit

Critical (HS1-HS8, HS14-HS17, HS19-HS20, HS22, HS24): HIPAA Notice of Privacy Practices current and linked from footer; forms collecting PHI route PHI separately (Section 4.5); analytics HIPAA-aware (Section 4.3); no third-party advertising pixels on PHI-adjacent pages; chat widget HIPAA-compliant with BAA; editorial policy per framework-ymyl Section 5.2 with healthcare additions; corrections policy and log present; medical disclaimer page exists; telehealth state eligibility pages exist per state (Section 7.4); review acquisition workflow HIPAA-compliant (Section 11.1); review response templates HIPAA-safe (Section 11.2); patient testimonials with current HIPAA authorization (Section 11.3); specialty-matched medical reviewer program with verification log (Section 6.2); LegitScript certification if practice offers SUD treatment or telemedicine pharmacy; mental health pages all have 988 crisis banner at top (Section 8.2); annual HIPAA risk assessment current.

High (HS9-HS12, HS18, HS21): all providers have dedicated pages with Physician schema (Section 5.2); NPI and license verification links on every provider page; MedicalOrganization schema with sameAs network of 7+ authoritative sources; multi-location practices have dedicated page per location (Section 7.6); AggregateRating honest and verifiable; GBP profile complete with healthcare attributes (Section 7.1).

Medium (HS13, HS23): insurance acceptance pages exist per plan (Section 7.3); quarterly internal audit documented.

Score: 48 max. World-class healthcare site: 44 or higher with zero Critical fails.

13.3 First 90 Days Subset

For new engagements, the first 90 days focus on the highest-impact, highest-risk subset. Failure to clear this within 90 days means new content creation is paused until the gap closes. Ten binary items, all required: F1 HIPAA audit per Section 4.6 across PHI-adjacent pages with remediation; F2 provider pages built with Physician schema and credential verification (Sections 6, 10); F3 medical reviewer program established with credentialed reviewer per specialty (Section 6); F4 editorial, corrections, and medical disclaimer pages live (YMYL Section 5); F5 Notice of Privacy Practices current and linked from footer (Section 4); F6 GBP profile complete and verified with healthcare attributes (Section 7); F7 patient testimonial authorization audit completed (Section 11); F8 mental health crisis banner installed (Section 8.2); F9 tracking pixel audit completed (Section 4.3); F10 top 20 condition or treatment pages audited per Section 13.1 with critical failures remediated.


14. Maintenance Schedule And Report Templates

14.1 Daily, Weekly, Monthly

Daily: monitor 988 and crisis resource pages; verify external resources are responsive; respond to new reviews within 48 hours using HIPAA-safe template; respond to corrections requests within 48 hours. Weekly: review one condition page from refresh queue, verifying reviewer alignment and citation currency; update GBP posts; scan new reviews for HIPAA disclosure risk. Monthly: generate compliance status report (Section 14.4); update corrections log; refresh time-sensitive content (drug dosing, vaccination schedules, season-specific conditions); run automated HIPAA per-page audit; audit new content for reviewer match per Section 6.4.

14.2 Quarterly

Full audit against Section 13.1 rubric on randomly sampled 10 percent of medical content; reviewer credential re-verification per Section 6.2; editorial policy review; HIPAA risk assessment review with Privacy and Security Officers; update refresh calendar; insurance plan acceptance verification (call each plan or check provider portal); cross-reference GBP attributes with current practice reality; audit telehealth state eligibility against actual provider licenses.

14.3 Annually And On Regulatory Change

Annually: comprehensive site-wide audit against Section 13.2 rubric; HIPAA risk assessment per OCR-required cadence (45 CFR 164.308); disclaimer language legal review; AI use policy review; reviewer team review; provider page accuracy audit; state medical board license re-verification for every reviewer and provider; LegitScript certification renewal where applicable.

On regulatory change: new CDC, FDA, or NIH guidance reviewed within 60 days for affected pages; new specialty society guideline (ADA, AHA, ACOG, AAP) related pages reviewed within 90 days; new state telehealth or licensing regulation reviewed within 30 days; new HIPAA or OCR guidance triggers site-wide policy and notice review within 60 days; new FTC or state AG healthcare marketing enforcement triggers review of similar surfaces within 30 days.

14.4 Healthcare SEO Audit Report Template

The report template covers: header (practice, domain, audit date, type, specialties, locations); executive summary with overall score {{X}}/82, percentage, critical failures count; HIPAA compliance status; provider roster compliance counts (complete pages, NPI verified, license verified, specialty-matched reviewers); content compliance (condition pages, credentialed reviewer count, crisis banner coverage, outcome-discipline treatment pages, primary-citation pages); schema implementation (MedicalOrganization root, Physician per provider, MedicalCondition, MedicalProcedure coverage, AggregateRating honesty); local SEO (GBP profiles, NAP consistency, insurance pages live, telehealth state pages live); reviews (total, response rate, HIPAA-safe responses, testimonials with authorization); critical failures list; first 90 days F1 through F10 status; remediation order; sign-off with auditor name and review-with line citing HIPAA Privacy Officer, HIPAA Security Officer, Medical Director.


End of Framework Document

Version: 1.0 Updated: 2026-05-14 Maintained by: ThatDeveloperGuy

Healthcare SEO is the strictest expression of the YMYL framework. The trust signals here are not cosmetic; they correspond to clinical, legal, and ethical responsibility. A healthcare site that ranks because it satisfies the patterns here is also genuinely safer for patients to encounter, more credible to reviewers, more reliable for AI extraction, and more defensible under regulatory scrutiny. When in doubt, err toward more rigor: more credential verification, more conservative outcome claims, more honest cost disclosure, more careful HIPAA boundary-keeping, more frequent specialty-matched review.

Companion documents: framework-contentfirst.md, framework-ymyl.md, framework-eeat.md, framework-sqrg.md, framework-hcs.md, framework-infogain.md, framework-schema.md, framework-entitysalience.md, framework-knowledgegraph.md, framework-localseo.md, framework-internallinking.md, framework-aicitations.md, framework-aioverviews.md, framework-cross-stack-implementation.md, framework-react.md, framework-tailwind.md, SEO-Search-Appearance.md, SERP-Optimization.md.

Scheduled per-vertical batch: framework-legal-seo.md, framework-finance-seo.md, framework-realestate-seo.md.
