
What HIPAA and COPPA Actually Require for Your Pediatric Dental Website — And What They Don't

Pediatric dentistry sits at the intersection of two federal privacy frameworks. Here's how to build a website that serves families, ranks well, and stays compliant.


Quick answer

What compliance requirements apply to pediatric dental websites?

Pediatric dental websites must comply with HIPAA when handling protected health information and COPPA when collecting data from children under thirteen. This means secure contact forms, proper privacy policies, parental consent mechanisms for child-directed features, and business associate agreements with any third-party tools processing patient data. State dental board advertising rules add another compliance layer.

Key Takeaways

  • HIPAA applies to any website feature that collects, transmits, or stores protected health information — including appointment request forms
  • COPPA triggers when your website collects personal information from children under 13, requiring verifiable parental consent
  • Standard website analytics and marketing tools may create compliance gaps without proper configuration
  • Business Associate Agreements are required for any third-party service handling PHI on your behalf
  • Privacy policies must address both frameworks separately and be written in plain language parents can understand
  • State dental board advertising rules impose additional requirements that vary by jurisdiction
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

Why Pediatric Dental Practices Face Unique Compliance Obligations

Most healthcare websites worry about HIPAA. Most child-focused websites worry about COPPA. Pediatric dental practices need to address both — and the overlap creates complexity that general compliance guides miss.

HIPAA's scope on your website: The moment your website collects health information — appointment requests mentioning symptoms, new patient forms asking about medical history, even a contact form where parents describe their child's dental concerns — you're handling Protected Health Information (PHI). This triggers requirements for encryption, access controls, and business associate agreements with every vendor touching that data.

COPPA's scope on your website: If children under 13 can submit information directly through your site — filling out a "tell us about yourself" form, entering a contest, or interacting with gamified features — COPPA's parental consent requirements apply. Many pediatric dental websites inadvertently trigger COPPA through well-intentioned "kid-friendly" interactive elements.

Where they intersect: A child filling out a pre-appointment questionnaire on your website triggers both frameworks simultaneously. The information is PHI under HIPAA and personal information from a child under COPPA. Your compliance approach must satisfy both standards, which sometimes have different requirements for the same data.

This content is educational and does not constitute legal advice. Consult with a healthcare compliance attorney and your state dental board for guidance specific to your practice.

HIPAA Requirements That Apply to Your Practice Website

HIPAA doesn't specifically regulate websites — it regulates how covered entities handle PHI. But your website becomes subject to HIPAA the moment it touches patient health information. Here's what that means practically:

Contact and appointment forms: Any form collecting health-related information must transmit data via encrypted connection (HTTPS with TLS 1.2 or higher). The receiving system — your email, CRM, or practice management software — must also meet HIPAA security requirements. A standard Gmail inbox receiving form submissions creates a compliance gap.

Business Associate Agreements (BAAs): Every third-party service processing PHI on your behalf requires a signed BAA. This includes:

  • Website hosting providers
  • Form processing services
  • Email marketing platforms (if sending appointment reminders)
  • Live chat tools
  • Analytics platforms with access to form data

Access controls: Limit who can access PHI collected through your website. Document who has access, why, and review permissions regularly.

Breach notification procedures: Have a documented plan for what happens if your website or a connected service is compromised. HIPAA requires notification within specific timeframes.

Privacy practices notice: Your website should link to your Notice of Privacy Practices, though the full HIPAA-compliant notice requirements apply to your practice overall, not just the website.

When COPPA Applies to Pediatric Dental Websites — And What It Requires

COPPA (Children's Online Privacy Protection Act) applies when a website or online service is directed to children under 13 or has actual knowledge that it's collecting personal information from children under 13. Pediatric dental websites often fall into gray areas.

What triggers COPPA:

  • Interactive features designed for children (games, quizzes, virtual tours "for kids")
  • Forms that children fill out directly (rather than parents filling out on their behalf)
  • Content and design clearly targeting child users
  • Collecting information like names, email addresses, or photos from children

What COPPA requires when triggered:

  • Verifiable parental consent before collecting any personal information from children
  • A clear, comprehensive privacy policy describing what information you collect from children and how it's used
  • Parental access to review and delete their child's information
  • Data minimization — collect only what's necessary
  • Reasonable security measures for children's data

The practical solution for most practices: Design your website so that parents — not children — submit all forms and interact with all data-collecting features. Make intake forms clearly addressed to parents/guardians. Avoid gamified elements that invite direct child interaction. This approach typically avoids triggering COPPA's consent requirements while still creating a welcoming, family-friendly site.

FTC enforcement of COPPA has resulted in significant penalties. When in doubt, consult with a privacy attorney familiar with children's online privacy requirements.

Hidden Compliance Gaps on Pediatric Dental Websites

Most compliance violations aren't obvious. They hide in third-party integrations, default settings, and features added without evaluating regulatory implications.

Analytics and tracking pixels: Google Analytics, Facebook Pixel, and similar tools collect data that may include PHI when a visitor arrives from a health-related search query. Many practices don't have BAAs in place (Google offers one for Analytics; Facebook does not for standard Pixel implementations). Configure these tools to anonymize IP addresses and avoid collecting PHI where possible.

Live chat and chatbots: If parents — or children — can describe health concerns through a chat widget, you're collecting PHI. Does your chat provider offer a BAA? Is the data encrypted in transit and at rest? Many popular chat tools aren't HIPAA-compliant out of the box.

Third-party review widgets: Embedding Google Reviews or Yelp widgets can inadvertently display patient names alongside your practice, creating an implicit disclosure that the person is your patient — which is technically PHI.

Photo galleries and testimonials: Patient photos require HIPAA authorization. Photos of child patients require both HIPAA authorization and, ideally, documentation that a parent/guardian provided permission.

Email marketing integration: If your website signup form feeds into Mailchimp or a similar platform, and those emails discuss health topics, you need a BAA. Not all email platforms offer HIPAA-compliant tiers.

Social media login: Avoid "login with Facebook" or similar features for any patient-facing functionality. These create unnecessary data sharing with third parties.

Compliance Checklist for Your Pediatric Dental Website

Use this framework to evaluate your current website. Each item represents a potential compliance gap:

Technical security:

  • SSL certificate installed and forcing HTTPS on all pages
  • TLS 1.2 or higher for all encrypted connections
  • Form data encrypted before transmission
  • Secure hosting environment with documented security controls

Business Associate Agreements:

  • BAA in place with hosting provider
  • BAA in place with form/CRM platform
  • BAA in place with any chat or messaging tools
  • Analytics configured to minimize PHI collection (or BAA in place)

Privacy documentation:

  • HIPAA Notice of Privacy Practices linked from website
  • Website privacy policy addressing data collection practices
  • COPPA-specific disclosures if collecting any information from children
  • Cookie consent mechanism for visitors from GDPR jurisdictions (if applicable)

Form and feature design:

  • All intake forms addressed to parents/guardians, not children
  • No gamified features inviting direct child data submission
  • Photo/video content has documented authorization
  • Testimonials have proper consent documentation

Vendor review:

  • Inventory of all third-party tools with website access
  • Documentation of which tools touch PHI
  • Annual review of vendor compliance status
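The vendor inventory and form checks above can be partly automated. The following is an added example, not code from this guide: it parses a page's HTML, lists every third-party host the page loads from or posts to, and flags hosts missing from your BAA list and forms that submit over plain HTTP. The sample page, all hostnames, and the BAA set are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every hostname is a placeholder, not a real vendor.
SAMPLE_HTML = """
<script src="https://analytics.vendor-a.example/tag.js"></script>
<script src="/js/site.js"></script>
<form action="http://forms.vendor-b.example/submit" method="post">
  <textarea name="concerns"></textarea>
</form>
<iframe src="https://chat.vendor-c.example/widget"></iframe>
<img src="https://pixel.vendor-d.example/t.gif">
"""

# Tag attributes that make the browser load from, or send data to, a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.found = []  # (tag, host, scheme) for each third-party reference

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        parts = urlparse(url)
        # Relative URLs (no hostname) and same-host URLs are first-party.
        if parts.hostname and parts.hostname != self.site_host:
            self.found.append((tag, parts.hostname, parts.scheme))

def audit(html, site_host, baa_hosts):
    """Return sorted findings: hosts with no BAA on file, non-HTTPS form targets."""
    parser = ThirdPartyAudit(site_host)
    parser.feed(html)
    findings = []
    for tag, host, scheme in parser.found:
        if tag == "form" and scheme != "https":
            findings.append(("insecure-form", host))
        if host not in baa_hosts:
            findings.append(("no-baa", host))
    return sorted(set(findings))

if __name__ == "__main__":
    for kind, host in audit(SAMPLE_HTML, "smiles.example", {"chat.vendor-c.example"}):
        print(kind, host)
```

This only sees references present in the static HTML; tags injected at runtime by a tag manager or another script need a browser-based review of network requests.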

For practices implementing SEO alongside compliance, see our guide on HIPAA-compliant SEO for pediatric dental practices for strategies that improve visibility without creating regulatory exposure.

State Dental Board Advertising Rules Add Another Layer

Beyond federal HIPAA and COPPA requirements, state dental boards regulate how dental practices advertise — and your website is advertising. Rules vary significantly by state, but common requirements include:

Credential representation: How you list specialties, certifications, and qualifications must comply with state-specific rules. Some states prohibit using "specialist" unless you hold specific board certifications. Pediatric dentistry has defined specialty credentials, but how you communicate them online matters.

Testimonial restrictions: Some states limit or prohibit patient testimonials in dental advertising. Others require specific disclaimers. Before adding a reviews section or video testimonials, verify your state's current rules.

Before-and-after photos: Many states have specific requirements for clinical photography in advertising, including disclaimers about results varying by patient.

Fee advertising: Rules about advertising prices, "free" services, and comparative pricing claims vary by jurisdiction.

Required disclosures: Some states require specific information (license numbers, office addresses, etc.) to appear on practice websites.

How to stay current: State dental board rules change. Bookmark your state board's advertising regulations page and review annually. If you practice in multiple states or near state borders (serving patients from neighboring jurisdictions), you may need to comply with multiple sets of rules.

Verify current advertising regulations with your state dental board. Rules change, and this general guidance may not reflect your jurisdiction's current requirements.


Implementation playbook

This page is most useful when you apply it inside a sequence: define the target outcome, execute one focused improvement, and then validate impact using the same metrics every month.

  1. Capture the baseline for your pediatric dental SEO: rankings, map visibility, and lead flow, before making changes based on this compliance guide.
  2. Ship one change set at a time so you can isolate what moved performance, instead of blending technical, content, and local signals in one release.
  3. Review outcomes every 30 days and roll successful updates into adjacent service pages to compound authority across the cluster.

Frequently Asked Questions

Does HIPAA apply to my pediatric dental website if we don't store patient records online?
Yes, if your website collects any protected health information — including appointment request forms where parents mention their child's symptoms or concerns. HIPAA applies to the collection and transmission of PHI, not just storage. Every form that might receive health information needs encryption and proper handling procedures.
How do I know if COPPA applies to my pediatric dental practice website?
COPPA applies if your website collects personal information directly from children under 13 or includes features specifically designed for children to interact with. A website where parents fill out forms on behalf of their children typically doesn't trigger COPPA. A website with games or quizzes that children complete themselves likely does.
What happens if my pediatric dental website violates HIPAA or COPPA?
HIPAA violations can result in penalties ranging from warnings to fines exceeding one million dollars for willful neglect, plus potential criminal charges for severe violations. COPPA violations can result in FTC enforcement actions with civil penalties currently up to fifty thousand dollars per violation. Both can cause significant reputational damage. Consult with a compliance attorney to assess your specific risk exposure.
Do I need a Business Associate Agreement with my website hosting company?
If your website collects, transmits, or stores any protected health information — which most practice websites do through contact and appointment forms — yes, you need a BAA with your hosting provider. Many standard hosting plans don't include BAA options; you may need a HIPAA-compliant hosting tier or provider.
Can I use Google Analytics on a HIPAA-compliant pediatric dental website?
Yes, with proper configuration. Google offers a BAA for Google Analytics through Google Workspace and Cloud Identity accounts. You should also configure Analytics to anonymize IP addresses and avoid collecting data that could be combined with other information to identify patients. Standard free Analytics implementations without these configurations create compliance risk.
