© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.


What State Boards and HIPAA Actually Require for Physiotherapy Marketing — And What They Don't

Clear guidance on patient testimonials, advertising disclosures, and communication consent so you can market your practice without regulatory anxiety.


Quick answer

What regulations govern physiotherapy practice marketing?

Physiotherapy marketing falls under four regulatory layers: HIPAA requirements for patient information in testimonials and communications, state physical therapy licensing board advertising rules, FTC endorsement guidelines for patient reviews, and TCPA consent requirements for email and SMS marketing. Each has specific requirements that vary by state. This is educational content — verify current rules with your licensing authority.

Key Takeaways

  1. Patient testimonials require explicit written HIPAA authorisation even when patients volunteer their stories
  2. State PT board advertising rules vary significantly — some prohibit superlatives like 'best' while others have minimal restrictions
  3. FTC requires clear disclosure when patients receive any compensation or incentive for reviews
  4. TCPA mandates express written consent before sending marketing texts to patients, with specific opt-out requirements
  5. Reposting patient reviews from Google to your website may trigger additional HIPAA considerations
  6. Email marketing to existing patients has different consent thresholds than outreach to prospective patients
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

The Four Regulatory Layers Governing Physiotherapy Marketing

Physiotherapy practices face a unique regulatory intersection that most marketing advice ignores. Understanding which rules apply to which activities prevents both overcaution (avoiding effective tactics unnecessarily) and violations (marketing aggressively without proper safeguards).

This is educational content, not legal advice. Verify current rules with your state licensing board and a healthcare attorney.

HIPAA (Health Insurance Portability and Accountability Act) governs how you use protected health information in marketing. This includes patient names, treatment details, photos, and even the fact that someone is your patient. Many practices misunderstand HIPAA's scope — it applies to testimonials, case studies, before/after photos, and email communications about treatment.

State Physical Therapy Board Rules add practice-specific advertising restrictions that vary dramatically by state. Some boards prohibit claims of specialisation without specific credentials. Others restrict comparative advertising or testimonials entirely. These rules supersede general marketing guidance.

FTC Endorsement Guidelines require disclosure when patients receive anything of value for reviews — including discounts, free sessions, or contest entries. This applies to testimonials on your website and incentivised reviews on Google.

TCPA (Telephone Consumer Protection Act) governs text messaging and automated calls to patients. Marketing texts require express written consent with specific disclosure language. Appointment reminders have different requirements than promotional messages.

The challenge is that these regulations interact. A perfectly HIPAA-compliant testimonial might still violate your state board's advertising rules. A properly disclosed incentive review might trigger FTC compliance while creating TCPA issues if you text patients about the program.

Patient Testimonials: HIPAA Authorisation and State Board Restrictions

Patient testimonials present the most common compliance gap in physiotherapy marketing. The rules are more nuanced than most practices realise.

HIPAA authorisation requirements: Even when a patient volunteers their story enthusiastically, using it in marketing requires written authorisation that meets specific HIPAA criteria. This authorisation must describe exactly how you'll use the information, identify who will see it, and include expiration provisions. Generic release forms often fail these requirements.

The authorisation must be separate from treatment consent forms. Patients cannot be required to sign it as a condition of treatment. They can revoke it at any time, which means you need a process for removing testimonials when requested.

What counts as PHI in testimonials:

  • Patient's name connected to your practice
  • Treatment details or diagnosis information
  • Before/after photos (even without names)
  • Demographic information that could identify someone
  • The mere fact of being your patient

State board variations: Some states restrict or prohibit patient testimonials entirely in PT advertising. Others require specific disclaimers like 'results may vary' or prohibit testimonials that imply guaranteed outcomes. Check your state board's advertising rules — they're typically in the practice act or board regulations.

A common mistake: reposting Google reviews to your website. While the patient publicly posted the review, republishing it in your marketing materials may trigger different HIPAA considerations. The safest approach is obtaining authorisation before featuring any patient content on owned channels.

State Physical Therapy Board Advertising Requirements

State PT board advertising rules create the most variation in what physiotherapy practices can legally claim in marketing. These rules change periodically, so verify current requirements with your specific board.

Common restrictions across many states:

  • Prohibitions on unsubstantiated claims of superiority ('best PT in the area')
  • Requirements for specific credential disclosure when claiming specialisation
  • Restrictions on implying guaranteed outcomes
  • Mandatory inclusion of licensure information in advertising
  • Rules about using 'Dr.' title for DPT credential holders

Specialisation claims require caution. Many states restrict use of terms like 'specialist' or 'specialising in' without board-certified specialisation credentials. Stating you 'focus on' or 'have experience with' sports rehabilitation differs from claiming specialist status — and the distinction matters for compliance.

Comparative advertising restrictions appear in some state rules. Claims that your practice is better than competitors, even if arguably true, may violate advertising provisions. Factual statements about your credentials, experience, and services are generally safer than comparative claims.

Title usage rules vary significantly. Some states allow DPT holders to use 'Dr.' with required clarifying disclosure. Others restrict or prohibit it in advertising contexts. This affects website copy, Google Business Profile descriptions, and marketing materials.

The practical approach: review your state's PT practice act and any advertising-specific board rules annually. Document your review process. When state rules conflict with effective marketing tactics, state rules win — but often the restriction is narrower than practices assume.

FTC Endorsement Guidelines: Incentivised Reviews and Material Connections

The FTC's endorsement guidelines apply whenever there's a 'material connection' between your practice and someone endorsing it. For physiotherapy practices, this most commonly affects review solicitation and referral programs.

What creates a material connection:

  • Discounts on future services for leaving a review
  • Entry into drawings or contests for reviews
  • Free products or samples for testimonials
  • Any compensation, even nominal, for endorsements
  • Referral bonuses to patients who recommend friends

When a material connection exists, disclosure is required. The disclosure must be clear, conspicuous, and unavoidable — not buried in fine print. For written testimonials, disclosure should be immediately adjacent to the endorsement.

Google's policies add a layer: Google prohibits incentivised reviews on Google Business Profile. Offering anything of value for Google reviews violates their terms of service and can result in review removal or profile penalties. The FTC disclosure requirement doesn't make incentivised Google reviews compliant — it makes the violation disclosed but still against platform policy.

The compliant approach to review generation: Ask satisfied patients for reviews without offering incentives. Send follow-up emails or texts (with TCPA-compliant consent) that make leaving a review easy. Focus on service quality that generates organic positive reviews.

Staff and family reviews present another material connection scenario. Reviews from employees, family members, or anyone with a financial relationship to your practice require disclosure. Many practices overlook this when building initial review profiles.

TCPA and Email Marketing: Patient Communication Consent Requirements

Patient communication consent separates into two categories with different requirements: transactional messages (appointment reminders, treatment information) and marketing messages (promotions, newsletters, service announcements).

TCPA requirements for marketing texts:

  • Express written consent before sending marketing SMS
  • Consent must clearly disclose that marketing texts will be sent
  • Consent cannot be a condition of treatment
  • Clear opt-out mechanism in every message
  • Honour opt-outs immediately

The consent language matters. Generic 'consent to receive text messages' may not cover marketing texts. The disclosure should specifically mention promotional or marketing messages to ensure valid consent.

Appointment reminders have different rules. Many practices conflate transactional and marketing messages. Texting appointment reminders under existing patient consent is generally acceptable. Texting 'We're running a special on wellness packages' requires separate marketing consent.

Email marketing operates under CAN-SPAM and, for some practices, HIPAA. CAN-SPAM requires:

  • Accurate header and subject line information
  • Physical mailing address in every email
  • Clear opt-out mechanism
  • Honouring opt-outs within 10 business days

When emails contain health information or are sent in connection with treatment, HIPAA's email security requirements may apply. Marketing emails to patients about your services exist in a grey area — many practices treat them as requiring the same protections as clinical communications.

For practices working with regulation-aware SEO for physiotherapy practices, digital marketing strategy accounts for these consent requirements from the start rather than retrofitting compliance later.

Common Risk Scenarios and Practical Compliance Steps

Understanding regulations matters less than applying them to real marketing situations. Here are scenarios physiotherapy practices commonly encounter:

Scenario: You want to share a patient's remarkable recovery story on your website.
Compliance path: Obtain specific written HIPAA authorisation describing how the story will be used. Check your state board's testimonial rules — some require disclaimers, others prohibit outcome-focused testimonials. Consider whether photos or identifying details are necessary or if an anonymised story serves your purpose while reducing risk.

Scenario: You want to run a 'leave us a review for 10% off your next visit' campaign.
Compliance path: This violates Google's policies for Google reviews and requires FTC disclosure for any platform where it's permitted. The discount also creates a business expense your accountant should categorise correctly. Many practices find asking for reviews without incentives, combined with excellent service, generates sufficient volume without these complications.

Scenario: You want to text patients about a new service offering.
Compliance path: Review your existing consent forms. If they don't specifically authorise marketing texts, you need new consent before the campaign. Your EHR or practice management system may have compliant consent templates. Include opt-out instructions in the message.

Practical compliance steps:

  • Audit current testimonials for proper authorisation documentation
  • Review state board advertising rules at least annually
  • Separate transactional and marketing consent in patient intake
  • Document your compliance review process
  • When uncertain, consult a healthcare attorney familiar with your state

Compliance isn't about avoiding all marketing — it's about marketing effectively within appropriate boundaries. Practices that understand the actual rules often find more freedom than those operating on assumptions.


Implementation playbook

This page is most useful when you apply it inside a sequence: define the target outcome, execute one focused improvement, and then validate impact using the same metrics every month.

  1. Capture the baseline for physiotherapy SEO (rankings, map visibility, and lead flow) before making changes based on this compliance guidance.
  2. Ship one change set at a time so you can isolate what moved performance, instead of blending technical, content, and local signals in one release.
  3. Review outcomes every 30 days and roll successful updates into adjacent service pages to compound authority across the cluster.

Frequently Asked Questions

Can I use patient reviews from Google on my physiotherapy website?

While patients publicly posted their Google reviews, republishing them on your website may trigger different HIPAA considerations since you're now actively using patient information in your marketing materials. The safest approach is obtaining written HIPAA authorisation before featuring any patient content on owned channels. This applies even when the original review was voluntary and public. Verify requirements with a healthcare attorney familiar with your state.

Do HIPAA rules apply if a patient volunteers their testimonial without being asked?

Yes. HIPAA authorisation requirements apply regardless of whether the patient initiated the testimonial. Using any patient information in marketing — including their name, treatment details, or even the fact they're your patient — requires specific written authorisation meeting HIPAA criteria. Enthusiasm from the patient doesn't substitute for proper documentation. This protects both parties if circumstances change later.

What happens if my state's PT board rules conflict with effective marketing practices?

State licensing board rules supersede general marketing guidance. If your state prohibits testimonials or restricts specialisation claims, compliance takes priority over marketing effectiveness. However, the restrictions are often narrower than practices assume — review the actual rule language rather than operating on secondhand interpretations. Many effective tactics remain available within compliant boundaries.

Can I text patients about promotions if they consented to appointment reminders?

Generally no. TCPA distinguishes between transactional messages (appointment reminders) and marketing messages (promotions). Consent for one doesn't automatically cover the other. Marketing texts require express written consent that specifically mentions promotional or marketing communications. Review your existing consent forms — if they don't explicitly authorise marketing texts, you need separate consent before promotional campaigns.

Are there different rules for DPT holders using 'Doctor' in marketing across states?

Yes, title usage rules vary significantly by state. Some states allow DPT holders to use 'Dr.' with required clarifying disclosure stating the degree type. Others restrict or prohibit it in advertising contexts entirely. This affects your website copy, Google Business Profile description, and all marketing materials. Check your specific state board's current rules — they're typically in the practice act or board advertising regulations.
