© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

Compliance

What HIPAA Actually Requires for Dental Marketing (And What It Doesn't)

Clear guidance on patient testimonials, before/after photos, review responses, and website compliance — without the legal jargon or excessive caution that kills your marketing.


Quick answer

What are the HIPAA requirements for dental marketing?

HIPAA requires written patient authorization (45 CFR 164.508) before any protected health information is used in marketing, including testimonials, before/after photos, and case studies. Review responses must never confirm that someone is a patient. Website forms need encryption and business associate agreements with the providers that handle them. State dental boards add advertising restrictions of their own. This is educational guidance; consult healthcare counsel for your specific situation.

Key Takeaways

  1. Patient testimonials and before/after photos require specific HIPAA authorization forms—generic consent isn't sufficient
  2. Responding to online reviews has strict limits: you cannot confirm or deny someone is a patient
  3. Website contact forms collecting health information need encryption and BAAs with your form provider
  4. ADA Principles of Ethics Section 5 adds advertising restrictions beyond HIPAA requirements
  5. State dental board rules vary significantly—California and Texas have notably strict advertising guidelines
  6. Violations can trigger OCR investigations, state board complaints, and malpractice exposure simultaneously
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

HIPAA Marketing Rules: What Actually Applies to Dental Practices

HIPAA's Privacy Rule (45 CFR 164.508) governs when and how dental practices can use protected health information for marketing purposes. The confusion most practices face is that not all promotional content triggers HIPAA requirements, and the boundary between what does and what doesn't isn't always intuitive.

What constitutes PHI in dental marketing:

  • Patient names combined with any treatment information
  • Before/after photos showing dental work (identifiable or not—facial images are inherently identifying)
  • Testimonials mentioning specific procedures received
  • Case studies describing patient treatment details
  • Any acknowledgment that someone is or was a patient

What generally doesn't require HIPAA authorization:

  • General educational content about procedures
  • Stock photography (obviously not your patients)
  • Marketing that doesn't reference specific patient information
  • Appointment reminders for existing patients (falls under treatment operations)

The critical distinction: HIPAA authorization for marketing purposes requires specific elements beyond general consent forms. A signature on your intake paperwork doesn't authorize marketing use. You need a separate authorization that clearly states the PHI being disclosed, the purpose (marketing), the recipient, expiration date, and right to revoke.

Note: This is educational content about HIPAA compliance, not legal advice. Consult healthcare counsel for your practice's specific situation.

Patient Testimonials and Before/After Photos: Getting Authorization Right

Before/after photos and video testimonials drive dental marketing results—but they're also the highest-risk compliance area. Here's what proper authorization looks like:

Required authorization elements (45 CFR 164.508(c)):

  1. Specific description of PHI being disclosed ("before and after photographs of dental veneers placed on [date]")
  2. Name of the practice disclosing the information
  3. Where it will be used ("practice website, social media accounts, and printed materials")
  4. Purpose of disclosure ("marketing and promotion of dental services")
  5. Expiration date or event ("until revoked in writing" is acceptable)
  6. Statement of right to revoke
  7. Signature and date

Common mistakes that invalidate authorization:

  • Bundling marketing consent with treatment consent forms
  • Using "blanket" authorizations without specifying the content
  • Missing the required revocation language
  • Verbal consent without written documentation

For before/after photos specifically, consider whether the images alone could identify the patient. Full-face photos are inherently identifiable. Even cropped smile photos combined with other information (procedure dates, demographic details in testimonials) can create identification risk.

Practical approach: Create a standalone marketing authorization form. Review it with healthcare counsel once. Use it every time—no exceptions for "quick" social media posts.

Responding to Online Reviews Without HIPAA Violations

Online reviews create a compliance trap: patients can say whatever they want about their care, but your response options are severely limited. Even a well-intentioned response can constitute a HIPAA violation.

What you cannot do—even if the reviewer identifies themselves:

  • Confirm they are or were a patient
  • Reference any treatment details
  • Correct inaccuracies about their care
  • Mention appointment dates or interactions

What you can do:

  • Thank them generally for feedback (without confirming the relationship)
  • State your practice's general policies
  • Invite them to contact you directly to discuss concerns
  • Respond to completely non-PHI aspects of the review

Sample compliant response to a negative review:

"We take all feedback seriously and are committed to providing excellent care. If you'd like to discuss your concerns, please contact our office directly at [phone]. We value the opportunity to address any issues."

Notice: no confirmation of patient status, no reference to any care provided, no acknowledgment that the described events occurred.

The frustration is real—watching an unfair review stand without correction feels wrong. But the OCR has made clear that responding to reviews doesn't create a "patient waiver" of privacy rights, even when the patient initiated the public disclosure.

For review management strategies that work within these constraints, see our dental reputation management guide.

Website Forms, Analytics, and Technical HIPAA Requirements

Your dental website likely collects protected health information through contact forms, appointment requests, and patient intake systems. This creates technical compliance obligations many practices overlook.

Contact forms collecting health information:

  • Require SSL/TLS encryption (HTTPS) at minimum
  • Form submission handlers need Business Associate Agreements
  • Email notifications containing form data must be encrypted
  • Form data storage must meet HIPAA security requirements

Common form platforms and BAA availability: Most general-purpose form tools (Google Forms, basic WordPress plugins) don't offer BAAs and aren't appropriate for health information collection. HIPAA-compliant form services exist but require specific configuration.

Analytics and tracking considerations:

Standard Google Analytics implementation on pages collecting health information raises compliance questions. While the guidance isn't absolute, best practice includes:

  • Anonymizing IP addresses
  • Not tracking users on patient portal pages
  • Reviewing what page URLs might reveal ("/request-appointment-for-dental-implants" exposes potential PHI)
  • Ensuring remarketing pixels don't create health-condition targeting

Patient portal vs. marketing website: Many practices benefit from separating their marketing website (standard hosting, standard analytics) from their patient portal (HIPAA-compliant hosting, restricted tracking). This simplifies compliance without eliminating marketing capabilities.

Technical implementation should be reviewed by someone familiar with both HIPAA Security Rule requirements and web development.
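The analytics and form points above can be turned into a repeatable audit of a site's URL list. The script below is an added example written for this page, not code from the original article or from any vendor; the portal path prefixes, the list of procedure terms, and the sample sitemap are constructed assumptions. It flags pages that are not served over HTTPS, patient-portal pages where analytics should not load, and transactional URLs (appointment, contact, booking) whose slug discloses a procedure, while leaving general educational service pages alone.

```python
"""Audit a dental site's URL list for the analytics/form hygiene issues
discussed above. Added example; all lists below are constructed assumptions."""
from urllib.parse import urlparse

# Constructed: path prefixes that belong to the patient portal (no analytics there).
PORTAL_PREFIXES = ("/portal", "/patient-login", "/intake")

# Constructed: slug words that would reveal a procedure or condition in a URL.
SENSITIVE_TERMS = ("implant", "veneer", "root-canal", "denture", "braces", "whitening")

# Constructed: words marking a transactional page tied to an individual visitor.
TRANSACTIONAL_TERMS = ("appointment", "request", "contact", "book")

# Constructed sample sitemap (the .test TLD is reserved for examples).
SAMPLE_URLS = [
    "https://example-dental.test/",
    "https://example-dental.test/services/dental-implants",
    "https://example-dental.test/request-appointment-for-dental-implants",
    "http://example-dental.test/contact",
    "https://example-dental.test/portal/messages",
]


def audit_url(url, portal_prefixes=PORTAL_PREFIXES, sensitive=SENSITIVE_TERMS):
    """Return the findings for one URL; an empty list means nothing was flagged."""
    parts = urlparse(url)
    path = (parts.path or "/").lower()
    findings = []
    # Forms and portal pages must be encrypted in transit.
    if parts.scheme != "https":
        findings.append("not-https")
    # Portal pages: standard analytics/remarketing tags should not fire here.
    if path.startswith(portal_prefixes):
        findings.append("portal-page:no-analytics")
    # A visitor requesting an appointment for a named procedure, logged with
    # their IP, is potential PHI; an educational page about the procedure is not.
    transactional = any(word in path for word in TRANSACTIONAL_TERMS)
    if transactional and any(term in path for term in sensitive):
        findings.append("phi-revealing-slug")
    return findings


def audit_site(urls):
    """Map each URL to its findings so the flagged pages can be reviewed."""
    return {url: audit_url(url) for url in urls}


if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_URLS).items():
        print(url, "->", ", ".join(findings) or "ok")
```

Treat a "phi-revealing-slug" hit as a prompt to rename the page or to strip the procedure from the path reported to analytics, not as a finding to suppress.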

Beyond HIPAA: ADA Ethics and State Dental Board Advertising Rules

HIPAA compliance is necessary but not sufficient. The ADA Principles of Ethics and Code of Professional Conduct (Section 5) plus your state dental board's advertising regulations add additional layers.

ADA Principles of Ethics—Section 5 highlights:

  • Advertising must not be false or misleading in any material respect
  • Statements of opinion must be clearly identified as such
  • Advertising cannot create unjustified expectations of favorable results
  • Testimonials cannot be used if they "create unjustified expectations"

That last point matters: even with perfect HIPAA authorization, testimonials promising specific outcomes can violate ADA ethics guidelines.

State board variations (verify current rules with your licensing authority):

  • California: Particularly detailed advertising disclosure requirements; restrictions on before/after photo usage
  • Texas: Specific rules around specialty advertising and credentials display
  • Florida: Detailed requirements for advertising claims substantiation
  • New York: Fee advertising restrictions and disclosure requirements

Common state board red flags:

  • Advertising yourself as a "specialist" in non-recognized specialties
  • Guaranteeing outcomes
  • Disparaging other practitioners
  • Misleading credentials or training claims
  • Before/after photos without appropriate context or disclaimers

State board complaints often originate from competitors, not patients. Your website and advertising are visible to every dentist in your market—someone is paying attention.

Dental Marketing Compliance Checklist: Priority Actions

Use this checklist to audit your current marketing compliance. Address highest-risk items first.

Immediate priority (highest violation risk):

  • ☐ Review all published patient testimonials—verify written HIPAA authorization exists for each
  • ☐ Audit before/after photos for proper authorization documentation
  • ☐ Review last 6 months of online review responses for PHI disclosure
  • ☐ Check website contact forms—do they collect health information without proper safeguards?

High priority (common compliance gaps):

  • ☐ Create standalone marketing authorization form (not bundled with treatment consent)
  • ☐ Establish review response policy and train front office staff
  • ☐ Verify BAA exists with website hosting provider if PHI is stored
  • ☐ Review social media posts for inadvertent PHI disclosure

Ongoing compliance:

  • ☐ Document authorization process for all new testimonials/photos
  • ☐ Regular review response audits (quarterly minimum)
  • ☐ State dental board newsletter monitoring for rule changes
  • ☐ Annual marketing material review with healthcare counsel

For practices working with marketing agencies or SEO providers, ensure they understand these constraints. Request documentation of their HIPAA awareness in contracts. See our guide to HIPAA-compliant SEO services for dental practices for what to look for in compliant marketing partners.

This checklist is educational. Have healthcare counsel review your specific compliance program.


Frequently Asked Questions

Can I use patient testimonials without HIPAA authorization?

No. Patient testimonials that identify someone as a patient and describe their treatment constitute protected health information requiring written HIPAA authorization (45 CFR 164.508). This applies even if the patient voluntarily offered the testimonial. The authorization must include specific elements: description of PHI disclosed, purpose, expiration, and revocation rights. General consent forms signed at intake don't satisfy this requirement — you need a separate marketing-specific authorization.

How can I respond to online reviews without violating HIPAA?

You cannot confirm or deny someone is a patient, reference any treatment details, or correct inaccuracies about care they received — even if the reviewer publicly identified themselves. Compliant responses thank them generally for feedback, state your practice's general commitment to care quality, and invite offline discussion. You cannot say "When you visited us..." or "Your treatment plan included..." even to defend against unfair criticism.

Are before/after photos prohibited under HIPAA?

Not automatically, but they require proper authorization. Before/after photos showing dental work are inherently identifiable (facial images), making them PHI requiring patient authorization for marketing use. The authorization must specifically describe the images being used, state the marketing purpose, include expiration and revocation terms, and be signed separately from treatment consent. Some state dental boards add additional disclosure requirements for before/after advertising.

Do state dental board rules add requirements beyond HIPAA?

Yes, significantly. State boards add advertising restrictions beyond HIPAA: rules on specialty claims, outcome guarantees, before/after photo disclaimers, and credentials display. California, Texas, and Florida have particularly detailed requirements. ADA Principles of Ethics Section 5 adds another layer. Practices must comply with all three: HIPAA, state board rules, and ADA ethics. Verify current rules with your state licensing authority.

Does my website hosting provider need to sign a BAA?

If your website stores, processes, or transmits protected health information — including contact forms that collect health details, patient portal pages, or intake forms — the hosting provider may need to sign a BAA. Many general web hosts don't offer BAAs and aren't appropriate for PHI handling. Separating your marketing site (standard hosting) from patient-facing applications (HIPAA-compliant hosting) can simplify compliance.
