
What HIPAA, the FTC, and State Medical Boards Actually Require for Your Plastic Surgery Website

A clear breakdown of the regulations that matter — and practical guidance for staying compliant while attracting new patients through search.


Quick answer

What compliance rules apply to plastic surgeon website marketing?

Plastic surgery websites must follow HIPAA's Privacy Rule for patient information, FTC Endorsement Guides for testimonials and before-after photos, and state medical board advertising rules that vary by jurisdiction. Violations can trigger OCR investigations, FTC enforcement actions, and medical board disciplinary proceedings — making compliance foundational to any marketing strategy.

Key Takeaways

  • HIPAA requires written patient authorization before using any identifiable patient information in marketing, including photos
  • FTC Endorsement Guides mandate that testimonials reflect typical results and disclose material connections
  • State medical board rules vary significantly: some prohibit superlatives like 'best' while others restrict before-after photo usage
  • Website forms collecting health information may trigger HIPAA Security Rule requirements
  • Violations can result in civil penalties ranging from $100 to $50,000+ per violation depending on severity
  • Compliance isn't optional; it's the foundation that makes sustainable SEO possible for medical practices
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

TL;DR: The Three Regulatory Frameworks You Must Follow

Every plastic surgeon's website sits at the intersection of three regulatory frameworks. Understanding where each applies prevents the kind of violations that can derail both your marketing and your medical license.

HIPAA (Health Insurance Portability and Accountability Act) governs how you handle patient health information. If your website collects, stores, or displays anything that could identify a patient and their health condition, HIPAA applies. This includes contact forms asking about procedures, before-after photos, and patient testimonials.

FTC Endorsement Guides regulate how you present patient results and testimonials. The Federal Trade Commission cares about truthfulness and typicality—claims must be substantiated, and endorsements must reflect what most patients can expect.

[State medical board rules](/resources/attorney/law-firm-seo-compliance) add another layer that varies dramatically by jurisdiction. Some states prohibit superlatives like 'best' or other claims of superiority, some restrict before-after photo usage or how you can display credentials, and some have specific rules about advertising surgical procedures.

Note: This content provides general educational information about regulatory frameworks. It does not constitute legal advice. Consult with a healthcare attorney familiar with your state's specific requirements before implementing any marketing strategy.

Who These Rules Apply To

If you're a plastic surgeon with a website, these rules apply to you. There's no exception for small practices, no threshold for marketing spend, and no grace period for new websites.

Your practice website—including all pages, blog posts, galleries, and forms—falls under these regulations. This applies whether you built it yourself, hired a web designer, or work with an SEO agency.

Third-party platforms where you maintain a presence (Google Business Profile, RealSelf, social media) also require compliance. You're responsible for content you post or approve on these platforms.

Your marketing partners don't absorb your compliance obligations. If an SEO agency or marketing firm creates content that violates HIPAA, the FTC Act, or state medical board rules, you remain liable. Many practices discover this only after receiving a complaint or investigation notice.

The regulatory landscape doesn't distinguish between intentional violations and innocent mistakes. A well-meaning testimonial request that doesn't include proper disclosures, or a before-after photo posted without adequate authorization, creates the same compliance exposure as deliberate misconduct.

HIPAA Requirements for Plastic Surgery Websites

HIPAA's Privacy Rule (45 CFR § 164.502) establishes when and how you can use patient information for marketing purposes. For plastic surgery websites, three areas demand attention.

Before-after photos require valid written authorization under 45 CFR § 164.508. This authorization must be specific—it should describe what photos will be used, where they'll appear, and how long the authorization lasts. Generic consent forms buried in intake paperwork typically don't meet HIPAA's requirements for marketing authorization.

Patient testimonials that identify the patient (by name, photo, or sufficient detail to be identifiable) require the same level of authorization. Even if a patient voluntarily submits a Google review, using that review on your website with their photo or full name requires separate marketing authorization.

Website forms collecting protected health information trigger Security Rule requirements. If your contact form asks about medical history, current medications, or specific procedures of interest, that data must be encrypted in transit and stored securely. Many practices unknowingly collect PHI through forms that route to unsecured email addresses.

The Office for Civil Rights (OCR) enforces HIPAA through complaint investigations and periodic audits. Penalties under the current enforcement framework range from $100 per violation for unknowing violations to $50,000+ per violation for willful neglect, with annual caps up to $1.5 million per violation category.

FTC Endorsement Guidelines: What Your Testimonials Must Include

The FTC's Endorsement Guides (16 CFR Part 255) govern how businesses can use customer testimonials and endorsements. For plastic surgeons, these rules intersect with before-after photos and patient reviews in ways many practices overlook.

Typicality requirement: Testimonials must reflect what typical patients experience. If you showcase your most dramatic rhinoplasty transformation but most patients see more modest results, you need a clear disclosure that results vary and are not guaranteed. The FTC specifically addresses this in its Health Products Compliance Guidance.

Material connection disclosure: If you provided any incentive for a testimonial—discounts on future procedures, gift cards, entry into a contest—that relationship must be disclosed clearly. This applies even to reviews on third-party platforms when you've solicited them with incentives.

Substantiation requirement: Claims in testimonials must be substantiated. If a patient says your procedure "took ten years off my appearance," you need reasonable evidence supporting that characterization. Vague, subjective statements carry less risk than specific claims about outcomes.

The FTC doesn't require pre-clearance of marketing materials, but they do investigate complaints and can bring enforcement actions. Recent FTC enforcement trends show increased attention to healthcare and wellness marketing claims, making proactive compliance essential.

State Medical Board Advertising Rules: The Jurisdiction-Specific Layer

State medical board advertising rules add complexity because they vary significantly by jurisdiction. What's permissible in California may violate Texas rules, and vice versa.

Common restrictions across many states include:

  • Prohibitions on claims of superiority ("best plastic surgeon," "top-rated")
  • Requirements to include specific disclosures about board certification
  • Restrictions on guaranteeing outcomes or using language implying guaranteed results
  • Rules about how "before-after" photos must be presented (same lighting, angles, timeframes)
  • Limitations on using patient photos in certain contexts

States with notably detailed advertising regulations include California, Texas, Florida, and New York—though this shouldn't suggest other states are permissive. Many state boards have adopted the Federation of State Medical Boards' model guidelines, but implementation varies.

Practical guidance: Before implementing any marketing strategy, obtain a copy of your state medical board's advertising guidelines. These are typically available on the board's website. If you practice in multiple states or market to patients who might travel for procedures, you may need to comply with multiple jurisdictions' requirements.

State regulations change periodically. Verify current rules with your licensing authority before implementing marketing strategies based on this general overview.

Before-After Photo Compliance: A Practical Framework

Before-after photos are among the most effective marketing assets for plastic surgeons—and among the most regulated. Here's a framework for using them compliantly.

Authorization requirements:

  • Obtain HIPAA-compliant written authorization specifically for marketing use (not just medical record consent)
  • Specify where photos will appear (website, social media, print materials)
  • Include expiration date or process for revoking authorization
  • Keep signed authorizations on file and accessible for potential audits

Photo presentation standards (drawn from various state board guidelines):

  • Use consistent lighting, angles, and background between before and after images
  • Disclose timeframe between photos (immediately post-procedure vs. fully healed)
  • Avoid digital alteration beyond standard color correction
  • Include disclosure that individual results vary

Caption and context requirements:

  • Don't imply results are guaranteed or typical unless you have substantiation
  • Avoid superlatives ("amazing transformation," "dramatic results") that could be interpreted as outcome guarantees
  • Consider adding context about the specific procedure and patient's starting point

Many practices create a standardized photo release process integrated into their patient intake workflow. This ensures consistent authorization while the compliance requirements are fresh in staff members' minds.

Frequently Asked Questions

You can generally display reviews as they appear publicly. However, if you add patient photos to the review, use the patient's full name beyond what they chose to display, or modify the review content, you may trigger HIPAA authorization requirements. Verify that your state medical board doesn't have additional restrictions on republishing patient testimonials.

HIPAA violations can trigger OCR investigations, typically initiated by patient complaints. Penalties range from $100 to $50,000+ per violation based on severity and whether the violation resulted from willful neglect. Beyond financial penalties, violations can damage your practice's reputation and patient trust. Most investigations begin with a complaint, making patient authorization processes your first line of defense.

Yes. The FTC Endorsement Guides apply to all testimonials regardless of payment. Any material connection (discounts, free services, gifts, contest entries) requires disclosure. Even without incentives, testimonials must reflect typical results and cannot make unsubstantiated claims about outcomes.

At minimum, comply with the rules in every state where you hold a medical license. If you actively market to patients in other states (for example, targeting 'medical tourism' keywords), consult with a healthcare attorney about whether those states' rules might also apply. When in doubt, follow the most restrictive applicable standard.

No. Marketing agencies can help implement compliant strategies, but regulatory responsibility remains with you as the licensed practitioner. Ensure any agency you work with understands healthcare marketing regulations, but don't assume their work product is automatically compliant. Review all content before publication and maintain your own authorization records.