Email Marketing for Health & Wellbeing — The Practitioner’s Playbook.

SectionHonest reframe

Generic email agencies sell dental practices, private GPs, opticians, physios and aesthetic clinics a single Mailchimp list, a monthly newsletter blast, and a "subscribers" report that nobody reads. The list mixes patients who consented to clinical communications with people who once downloaded a teeth-whitening guide three years ago. The send goes to everyone. The copy carries the same "best results in the area" claim that the ASA rules against. The whitening promo runs alongside the dental-recall reminder. Open rates drift below 12%, the inbox provider quietly routes most of it to Promotions or Spam, and the Practice Manager is the one fielding the angry "stop emailing me" replies.

Health and wellbeing email is not a marketing newsletter pillar. It is a regulated, special-category, lifecycle discipline. Patient health data is special-category under UK GDPR Article 9, which means the consent you captured for "marketing" does not cover clinical communications, and the consent you captured for clinical reminders does not cover the Botox promo. ASA, CAP and MHRA regulate what you can claim in an email, particularly on aesthetic, weight-management, telehealth and supplement creative. Deliverability — SPF, DKIM, DMARC, BIMI — separates the clinic whose appointment reminder lands in the inbox from the clinic whose reminder lands in Spam and produces a no-show. Generic agencies don't ship this stack because they don't understand the regulators, can't be bothered to segment by treatment, and have never built a clinical-recall lifecycle in their lives.

This playbook fixes the structure. Deliverability is the ground floor. Special-category consent is the legal floor. Per-treatment segmentation is the conversion lever. The clinical-recall lifecycle is the compounding asset. Read it, run it yourself, or have us ship it on retainer — the canon is the same.

SectionEight-point audit

Score your own email programme red / amber / green this week. Three or more reds means the foundation is broken — fix that before any new campaign.

1. SPF + DKIM + DMARC + BIMI deliverability hardening — A clinic emailing patients without aligned SPF, DKIM and a DMARC policy at p=quarantine minimum is shipping appointment reminders into the Spam folder and inviting spoofing. BIMI is the verified-logo layer that surfaces the practice's mark in Gmail and Apple Mail. Most clinics we audit are running p=none with no DMARC reporting and no BIMI record at all. Forty-five-minute fix at the DNS level, with measurable inbox-placement lift inside two weeks.
2. GDPR special-category consent capture and audit log — Health is special-category data under UK GDPR Article 9. The marketing checkbox does not cover it. You need explicit, granular, separately-logged consent for clinical communications (appointment reminders, recall, after-care), for marketing communications (newsletters, promotions, treatment offers), and for research participation if relevant. Each opt-in date-stamped, source-recorded, and retained for the statutory period. Without this, every send is a regulatory exposure.
3. ASA / CAP / MHRA copy review per send — Aesthetics, supplements, telehealth and weight-management creative draws the most upheld complaints. Misleading "best results in the area" superlatives, before/after photography without controls or timeframes, prescription-only-medicine references (botulinum toxin, semaglutide) by trade name, undisclosed influencer testimonials — all of it ASA-upheld and Google-flagged. Every send passes a written compliance review before queue, with a dated sign-off log retained for two years.
4. Per-treatment segmentation (dental / aesthetic / private GP / physio) — A single list mixing dental patients, aesthetic patients, private-GP members and physio referrals is producing low engagement on every send and inbox-provider penalty on the next. Segment by service line, by clinician, by treatment history, by appointment recency. The whitening promo goes to whitening patients; the implant after-care goes to implant patients; the recall reminder goes to the patient whose six-month window has opened.
5. Appointment-reminder + after-care lifecycle automation — Confirmation on booking, reminder 48 hours before, reminder 2 hours before, after-care instructions same day, follow-up at 7 days, review request at 14 days. Personalised by clinician, treatment, and clinic location. Cuts no-shows by 30–50%, lifts review velocity, and is the single highest-revenue automation in the category. Most clinics still run a manual reminder process or rely on the booking platform's default text.
6. Review-request + recall lifecycle (clinical recall by treatment cycle, e.g. dental 6-monthly, optical 2-yearly) — A patient seen for routine dental hygiene goes into a 6-month recall queue. An optical patient goes into a 2-year queue. A physio discharge goes into a 90-day check-in. A private-GP annual health-check patient goes into a 12-month queue. Each queue fires the right message at the right cadence, addressed by name, signed by the clinician, with a one-tap booking link. Compounds for years and is the most under-built asset in the category.
7. Transactional vs marketing separation at the sending-domain level — Appointment reminders, password resets and clinical communications must not share an IP or sender reputation with promotional newsletters. A single ASA-flagged aesthetic promo can pull the whole sender into Spam and the next appointment reminder lands in junk. Separate sending domains (e.g. notifications.clinic.co.uk vs news.clinic.co.uk), separate IPs, separate authentication. Most clinics run everything off one Mailchimp account on a shared IP and discover the consequence the first time a campaign gets reported.
8. Suppression and right-to-erasure handling — When a patient opts out, withdraws consent, requests erasure under UK GDPR Article 17, or moves to a different practice, every list, every automation, every backup must remove them within the statutory window. Most clinics have a manual unsubscribe process that misses one of three lists, then keeps emailing the patient who has formally requested erasure. That is an ICO complaint waiting to happen, and the £8,750 fine is the cheap outcome.

Three or more reds — fix the foundation before commissioning new campaigns.

SectionSix deliverables

On a Foundation, Compound or Architect retainer, the same six outputs land in your portal each cycle. Industry-tuned, fixed scope, dated.

Deliverability and GDPR special-category hardening. SPF, DKIM, DMARC at p=quarantine then p=reject, BIMI with a verified VMC-or-CMC logo, separate sending domains for transactional vs marketing, and DMARC aggregate-reporting dashboard. Plus the special-category consent flow — explicit, granular, separately-logged opt-ins for clinical, marketing and research, with an audit log retained for the statutory period. ICO-defensible architecture, written in a one-page brief your DPO signs off. Time to first signal: 14 days.

ASA / CAP / MHRA copy review process. Written compliance review on every send before queue — claim register, before/after photo conventions with timeframes and controls, testimonial disclosure rules, prescription-medicine handling, supplement claim limits. Dated sign-off log per send, retained for two years. Catalogued register of approved claims so the writer doesn't re-litigate the same compliance question every cycle. The first time a CAP complaint is upheld against a clinic costs four figures in fines plus a six-figure trust hit; the review process pays for itself the first time it catches a problem.

Per-treatment segmentation. Segmented lists by service line (dental, aesthetic, private GP, physio, optical), by named clinician, by treatment history, by appointment recency, by membership tier where relevant. Each segment receives only the creative that applies to it. Built in your existing ESP (Mailchimp, Klaviyo, ActiveCampaign, HubSpot) without a platform migration, mapped against your booking platform (Cliniko, Heallo, SimplyBook, Dentally, IRIS Maximiser) so segmentation tracks the clinical record automatically.

Appointment + after-care lifecycle. A dated, automated lifecycle: confirmation on booking, reminder at 48 hours, reminder at 2 hours, after-care instructions same day, follow-up at 7 days, review request at 14 days. Personalised by clinician name, treatment type, clinic location. Built on your booking platform's API into your ESP. Cuts no-shows by 30–50%, lifts review velocity, and is the single highest-revenue automation we ship in healthcare. Time to first signal: 30 days.

Clinical-recall lifecycle automation. Per-treatment recall queues — dental hygiene 6-monthly, optical eye-test 2-yearly, physio post-discharge 90-day check-in, private-GP annual health-check 12-monthly, aesthetic top-up cycle by product. Each queue fires the right message at the right cadence, addressed by name, signed by the clinician, with a one-tap rebooking link that maps to live availability. Compounds for years. The single most under-built asset in healthcare email and typically the highest-ROI workstream we ship after the deliverability fix.

Right-to-erasure and suppression handling. A documented suppression pipeline that propagates an opt-out, consent withdrawal or Article 17 erasure request across every list, every automation, every backup, every connected platform within the statutory window. Audit log per request, response template aligned with ICO guidance, escalation path for ambiguous cases. The boring deliverable that keeps the practice off the ICO complaint register.

SectionWhat to do this week

Three actions, ranked by leverage. Same first three steps we ship in week one of a Foundation retainer for a clinic or practice operator.

1. Audit your DMARC, SPF and DKIM right now. Owner: founder or marketing manager. Time: 30 minutes. Run your sending domain through any free DMARC inspector. If your DMARC is p=none or absent, if your SPF is missing your ESP, or if your DKIM is unaligned, the appointment reminders going out today are already losing inbox placement. Most clinics we audit are running at least one of these three reds.
2. Pull a 12-month list of patients seen and never re-contacted. Owner: practice manager. Time: 60 minutes. Export from your booking platform every patient seen in the last 12 months whose treatment cycle has triggered a recall (dental 6-monthly, optical 2-yearly, physio 90-day, GP annual). Count how many have not received a recall communication. The answer is normally hundreds, sometimes thousands. That list, properly sequenced, is six figures of recoverable revenue.
3. Decide DIY, DWY or DFY for the next 90 days. Owner: founder. Time: 30-min discovery call. We'll confirm the right way in writing within two business days. See the three ways.

SectionFive questions clinic / practice operators ask us about email

What's the actual ROI on a clinical-recall lifecycle? The most under-built asset in healthcare email and typically the highest-ROI workstream we ship. A general-dental practice with 4,000 active patients and a 6-month recall, where 35% of recalls currently slip into a manual call-back queue and 15% never get re-contacted at all, is leaking around £180,000 a year in routine-treatment revenue. A properly-built recall lifecycle recovers 60–75% of that within 90 days of launch. Optical 2-yearly is a longer feedback loop but a higher-margin recovery. Physio post-discharge converts at 25–35% to a follow-up appointment. The lifecycle pays for itself before the second send.

What's our actual ASA risk on aesthetic email creative right now? More than most clinics realise. ASA upheld rulings on aesthetics have climbed sharply 2023–2026, with non-surgical injectables, weight-management injectables and laser-treatment creative drawing the most complaints. Email is treated as advertising under the CAP code. The line: factual descriptions are fine, named superlatives are not, before/after photos need controls and lighting and timeframe disclosed, testimonials need disclosed conflicts, prescription-only medicines (botulinum toxin, semaglutide) cannot be advertised by trade name. We refuse to ship copy that crosses the line, and we've never had a CAP complaint upheld on work we've shipped.

How does special-category GDPR change what we can do with our list? Health data is special-category under UK GDPR Article 9, and the consent threshold is higher than standard marketing consent — it must be explicit, granular, freely given, informed, and separately-logged for each purpose. The marketing-checkbox you collected at form-fill three years ago does not cover clinical communications, and the clinical-reminder consent does not cover the Botox promo. The fix is a granular consent capture going forward, plus a re-permission campaign on the legacy list for any send that requires explicit special-category consent. Done properly, you lose 10–25% of the legacy list and gain a defensible, ICO-clean book of permission that actually engages.

What's the deliverability lift from proper authentication? Measurable and compounding. A clinic running p=none DMARC, unaligned SPF, no BIMI, and shared transactional-and-marketing infrastructure typically sits at 65–75% inbox placement. Hardening to p=quarantine with aligned SPF and DKIM, separate sending domains, BIMI with a VMC and reputation-warmed dedicated IP for transactional traffic, lifts inbox placement to 92–96% within 30–60 days. On appointment reminders alone — where a Spam-foldered reminder produces a no-show — the revenue lift typically pays for the entire engineering work inside one quarter.

Can we run this ourselves with the playbook + £750 audit? Most of the deliverability fix is achievable in-house in a half-day if you have a developer or someone with DNS access. Special-category consent and the suppression pipeline benefit from external eyes — ICO defensibility is hard to self-audit. The clinical-recall lifecycle requires sustained discipline over 90+ days and most practices fail because nobody owns the build past week three. The £750 audit gets you a written red / amber / green of all eight points, a DMARC inspector report, a DPO-signable consent brief, and a 90-day named-owner roadmap. If you sign for DWY or DFY within 30 days, the audit fee credits against the first cycle.

SectionWhere to go from here

If you want this shipped end-to-end on a productised retainer, book a 30-minute discovery call. Tailored proposal in writing within two business days.

If you'd rather have a senior practitioner reviewing your team's email work each week — deliverability hardening, consent architecture, lifecycle build, ASA review discipline — the coaching plans start at £750/month with rolling cycles and walk-away rights. If you have a hard deadline — a new-clinic launch where the lifecycle stack must be live on day one, a pre-CQC-inspection consent and suppression rebuild, a re-permission campaign on a legacy list before the next ICO sweep — the two-week embedded sprint lands a senior practitioner inside your tools for ten working days at £3,000 fixed.

Or run it yourself. Eight-point audit + one deliverable a month + twice-quarterly office hours.