What HIPAA, ADA, and State Dental Boards Actually Require From Your Orthodontic Website

HIPAA (45 CFR §164.502) governs how you handle Protected Health Information (PHI) — and yes, your website can create PHI obligations even if you don't intend it to.

What triggers HIPAA on your website:

• Appointment request forms that collect health information (chief complaint, insurance details, medical history)
• Patient portals or secure messaging features
• Online intake forms
• Any form that asks about current dental conditions or treatment history

What doesn't trigger HIPAA:

• General contact forms asking only for name, phone, and "I'm interested in braces"
• Newsletter signups
• General information pages with no data collection

Minimum technical requirements when PHI is involved:

• SSL/TLS encryption (HTTPS) for all pages with forms
• Business Associate Agreement (BAA) with your web host and any form processing services
• Access controls for any stored form submissions
• Audit logging if you store submissions on your server

A common mistake: using standard contact form plugins that email PHI in plain text. If your form collects health information and sends it via unencrypted email, you have a HIPAA gap. services include HIPAA-compliant form services or patient portal integrations that maintain encryption throughout.

This is educational guidance, not legal advice. Consult a healthcare compliance attorney for your specific situation.

The Americans with Disabilities Act requires places of public accommodation to be accessible — and courts have increasingly ruled that websites fall under this requirement. For orthodontic practices, this means your website needs to work for users with visual, auditory, motor, and cognitive disabilities.

WCAG 2.2 Level AA — the practical standard:

• Perceivable: Alt text for all images (including before/after photos), captions for videos, sufficient color contrast (4.5:1 minimum for text)
• Operable: Full keyboard navigation, no content that flashes more than 3 times per second, skip navigation links
• Understandable: Consistent navigation, clear form labels, error messages that explain what went wrong
• Robust: Valid HTML, proper heading hierarchy (H1→H2→H3), ARIA labels where needed

Common violations on orthodontic websites:

• Before/after slider galleries without alt text or keyboard controls
• Smile assessment tools that require mouse-only interaction
• Videos showcasing treatment with no captions
• Low-contrast text on image backgrounds

Beyond avoiding lawsuits, accessibility compliance improves SEO. Proper heading structure, alt text, and clean HTML are all factors search engines reward. You're not choosing between accessibility and rankings — they align.

Accessibility audits should happen annually at minimum, and after any significant website redesign.

Every state dental board has advertising rules, and they're not uniform. What's acceptable in one state can trigger disciplinary action in another. As of 2024, here's where the key variations occur:

Specialty claims:

• Most states only allow "specialist" or "specialty" claims for ADA-recognized specialties (orthodontics qualifies)
• Some states require specific disclaimer language if you offer orthodontic services without being a board-certified orthodontist
• California, Texas, and Florida have particularly detailed specialty advertising rules

Testimonials and reviews:

• Some states prohibit testimonials entirely on practice-controlled media
• Others require disclaimers stating results may vary
• Third-party review platforms (Google, Yelp) generally don't fall under practice control

Fee advertising:

• Most states allow fee advertising but require you to honor advertised prices
• "Free consultation" claims may need specific disclosure about what's included
• Financing promotions must comply with both dental board and FTC credit advertising rules

Before/after photos:

• Nearly all states require patient consent
• Some require you retain consent documentation for a specified period
• A few states restrict before/after use if the images could be considered misleading about typical results

Verify current requirements with your state dental board — these rules change. This overview reflects common patterns as of 2024, not state-specific legal advice.

Use this as a starting point for compliance conversations with your legal counsel and web team:

HIPAA Privacy Rule (45 CFR §164.502)

• Applies to: Any collection, transmission, or storage of Protected Health Information
• Key requirement: Appropriate safeguards for PHI, including encryption and access controls
• Enforced by: HHS Office for Civil Rights (OCR)
• Risk: Penalties range from $100 to $50,000+ per violation depending on negligence level

ADA Title III / WCAG 2.2

• Applies to: Websites of places of public accommodation
• Key requirement: Equal access for users with disabilities
• Enforced by: Private lawsuits, DOJ
• Risk: Lawsuits typically settle in the $10,000-$50,000 range plus required remediation

FTC Endorsement Guides (16 CFR Part 255)

• Applies to: Testimonials, reviews, influencer relationships
• Key requirement: Material connections must be disclosed; claims must be truthful
• Enforced by: Federal Trade Commission
• Risk: Civil penalties, required corrective advertising

State Dental Board Advertising Rules

• Applies to: All marketing by dental professionals
• Key requirement: Varies by state — specialty claims, testimonial restrictions, fee advertising rules
• Enforced by: State dental licensing boards
• Risk: License suspension or revocation, fines, required corrective action

Compliance isn't a single project — it's ongoing maintenance. Here's where to focus:

Immediate priorities:

1. Audit your forms: List every form on your site. For each one that collects health information, verify HTTPS encryption and check how submissions are transmitted and stored.
2. Run an accessibility scan: Tools like WAVE or axe DevTools catch obvious violations. They won't find everything, but they identify low-hanging fruit.
3. Review your state's dental board rules: Search "[your state] dental board advertising rules" and read the current guidance. Note any requirements for disclaimers or restrictions.

Ongoing maintenance:

• Annual accessibility audit (automated + manual review)
• Review consent documentation process for any new before/after photos
• Update privacy policy when you add new forms or third-party tools
• Monitor state dental board announcements for rule changes

When to involve specialists:

• Healthcare compliance attorney: Before launching patient portals, when you receive any regulatory inquiry, for state-specific advertising guidance
• Accessibility consultant: After website redesigns, if you receive an ADA demand letter
• HIPAA security professional: When implementing new technology that handles PHI

The goal isn't perfect compliance documentation — it's reasonable, documented efforts to meet your obligations. Regulators and courts look for good faith effort, not perfection.

For SEO strategies that work within these compliance frameworks, see our compliant SEO strategies for orthodontic practices.