© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

What HIPAA, ADA, and FTC Actually Require for Your Surgical Practice Website

Clear compliance guidance for surgeons who want effective SEO without regulatory risk — because understanding the rules is the first step to marketing within them.

Quick answer

How do HIPAA regulations affect SEO for surgeons?

HIPAA affects surgeon SEO primarily through patient testimonials, before-and-after photos, and contact forms. You cannot publish patient information without documented authorization. Reviews patients post themselves on Google are permissible, but your responses must not confirm the patient relationship. Website forms collecting health information require encryption and BAAs with vendors.

Key Takeaways

  1. Patient testimonials require signed HIPAA authorization forms before publication on your website
  2. Responding to online reviews cannot confirm or deny a patient relationship without violating HIPAA
  3. Before-and-after photos need a separate photo release AND a HIPAA authorization document
  4. Contact forms collecting health information require SSL encryption and Business Associate Agreements
  5. ADA website accessibility is both a legal requirement and an SEO ranking factor
  6. FTC guidelines require clear disclosure of any incentivized reviews or compensated endorsements
  7. State medical board advertising rules often exceed federal requirements—verify your jurisdiction
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

Where HIPAA and SEO Actually Intersect

HIPAA wasn't written with search engine optimization in mind, but several common SEO tactics directly involve protected health information (PHI). Understanding these intersection points prevents inadvertent violations that can result in penalties ranging from $100 to $50,000 per incident.

Patient testimonials and case studies represent the highest-risk area. When a patient shares their surgical experience on your website, you're publishing PHI. This requires a signed authorization form that specifically permits use for marketing purposes—separate from standard treatment consent forms.

Before-and-after photography requires dual authorization: a photo release for the images themselves and HIPAA authorization for using them in marketing. Many practices miss this distinction and only obtain photo releases.

Contact and intake forms that collect health information must transmit data via encrypted connections (HTTPS) and be processed by HIPAA-compliant systems. If you use a third-party form provider, chat widget, or CRM, you need Business Associate Agreements (BAAs) with each vendor.

Online review responses create a common compliance trap. Even if a patient publicly identifies themselves in a Google review, your response cannot confirm they were your patient. Responses like "We're glad your rhinoplasty went well" violate HIPAA—even though the patient mentioned the procedure first.

This content is educational and does not constitute legal advice. Consult healthcare compliance counsel for guidance specific to your practice.

Collecting and Publishing Patient Testimonials Compliantly

Patient testimonials are powerful for SEO—they add unique content, build trust signals, and often include natural keyword variations. The compliance challenge is obtaining proper authorization without making the process so burdensome that patients decline.

Required Authorization Elements

  • Specific description of information to be disclosed (name, photos, procedure type, outcomes)
  • Clear statement that disclosure is for marketing purposes
  • Identification of who may see the information (website visitors, social media audiences)
  • Expiration date or event ("until revoked in writing" is acceptable)
  • Signature and date from the patient
  • Statement that the patient may revoke authorization at any time

Timing matters. Request testimonials after the patient has completed their recovery and expressed satisfaction—not during the consent process for surgery. Mixing marketing authorization with treatment consent creates both ethical issues and weaker testimonials.

Video Testimonials

Video testimonials require the same authorization but add complexity. Ensure your authorization form specifically covers video recording and specifies all platforms where the video may appear. Keep original authorization documents indefinitely—you may need to prove compliance years later.

What you cannot do: Offer discounts, free services, or any consideration in exchange for testimonials without disclosure. This crosses from HIPAA into FTC territory.

Responding to Online Reviews Without HIPAA Violations

Google reviews significantly impact local SEO rankings and patient decision-making. But the way surgeons can respond differs fundamentally from how restaurants or retailers engage with reviewers.

The Core Rule

You cannot confirm or deny that someone is or was your patient—even if they've publicly identified themselves. The patient waived their own privacy by posting; they did not waive your obligation to protect it.

Compliant Response Templates

For positive reviews: "Thank you for sharing your experience. Our practice is committed to providing excellent surgical care to everyone we serve." Note: no confirmation this person was actually your patient.

For negative reviews: "We take all feedback seriously and strive to provide the best possible care. We'd welcome the opportunity to discuss your concerns directly—please contact our patient relations coordinator at [phone/email]." Again: no acknowledgment of the relationship.

What Gets Practices in Trouble

  • "We're so glad your recovery went smoothly, Mrs. Johnson!" — Confirms patient relationship
  • "Your procedure was more complex than typical cases, which explains..." — Reveals treatment details
  • "We've reviewed your chart and..." — Confirms they have a chart (patient relationship)
  • Posting any details to "correct the record" on negative reviews — Still a violation even if factually accurate

Some practices choose not to respond to reviews at all to eliminate risk. This is compliant but sacrifices the engagement signals that benefit local SEO.

ADA Website Accessibility: Legal Requirement and SEO Factor

The Americans with Disabilities Act applies to surgeon websites under most interpretations as places of "public accommodation." Beyond legal exposure, accessibility directly affects SEO—Google's algorithms favor accessible sites, and many accessibility improvements align with technical SEO best practices.

WCAG 2.1 AA Standards

The Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA represent the current target standard. Key requirements include:

  • Alt text for images: Every image needs descriptive alternative text. Before-and-after photos require alt text describing what's shown without revealing patient identity.
  • Color contrast: Text must have sufficient contrast ratios against background colors (4.5:1 for normal text, 3:1 for large text).
  • Keyboard navigation: All interactive elements must be accessible via keyboard alone.
  • Form labels: Every form field needs an associated label—critical for contact and intake forms.
  • Video captions: Testimonial videos and procedure explanation videos need accurate captions.

SEO Benefits of Accessibility

Alt text helps Google understand image content. Proper heading hierarchy (H1, H2, H3) signals content structure. Transcripts for videos create crawlable text content. Fast-loading, clean code (accessibility requirement) improves Core Web Vitals.

Accessibility audits should be part of any technical SEO review. Tools like WAVE, axe, or Lighthouse provide baseline assessments, but manual review catches issues automated tools miss.
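Two of the WCAG 2.1 AA rules listed above (contrast ratios and image alt / form label presence) can be pre-checked in code before a WAVE, axe or Lighthouse run. The following is an added example written for this page; it is not code from AuthoritySpecialist or from any of those tools. The contrast calculation follows the relative-luminance formula WCAG 2.1 defines; the colour values, the HTML fragment and the function names are constructed for illustration.

```javascript
// Added example (not AuthoritySpecialist's code): a minimal WCAG 2.1 AA pre-check
// for two rules that can be machine-checked: text contrast (4.5:1 normal text,
// 3:1 large text) and presence of image alt text / form field labels.
// The HTML below is a constructed sample, not a real practice website.

// --- Contrast ratio, per the WCAG 2.1 relative luminance definition ---

function hexToRgb(hex) {
  const h = hex.replace('#', '');
  const full = h.length === 3 ? h.split('').map((c) => c + c).join('') : h;
  const n = parseInt(full, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0..255) -> linear value
function linearize(channel) {
  const c = channel / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// (L1 + 0.05) / (L2 + 0.05) with the lighter colour as L1; range 1..21
function contrastRatio(fgHex, bgHex) {
  const l1 = relativeLuminance(fgHex);
  const l2 = relativeLuminance(bgHex);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA threshold: 4.5:1 for normal text, 3:1 for large text
function meetsAA(fgHex, bgHex, largeText = false) {
  return contrastRatio(fgHex, bgHex) >= (largeText ? 3 : 4.5);
}

// --- Static markup checks: img alt and form labels ---
// Regex-based and deliberately simple: it flags obvious omissions in a static
// HTML string; it does not replace a full axe or Lighthouse audit.

function auditMarkup(html) {
  const findings = [];

  // Every <img> needs an alt attribute (alt="" is acceptable for decorative images)
  for (const m of html.matchAll(/<img\b[^>]*>/gi)) {
    if (!/\balt\s*=/i.test(m[0])) findings.push(`img without alt: ${m[0]}`);
  }

  // Every visible input/select/textarea needs a <label for="..."> pointing at its id;
  // fields with no id cannot be labelled this way and are flagged as well
  const labelledIds = new Set(
    [...html.matchAll(/<label\b[^>]*\bfor\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1])
  );
  for (const m of html.matchAll(/<(input|select|textarea)\b[^>]*>/gi)) {
    const tag = m[0];
    if (/\btype\s*=\s*["'](hidden|submit|button)["']/i.test(tag)) continue;
    const id = tag.match(/\bid\s*=\s*["']([^"']+)["']/i);
    if (!id || !labelledIds.has(id[1])) findings.push(`unlabelled field: ${tag}`);
  }
  return findings;
}

// Constructed intake-form fragment: one labelled field, one unlabelled field,
// one textarea without an id, one image with alt text and one without
const SAMPLE_HTML = `
<img src="/before-after/case-01.jpg" alt="Front view, six weeks after rhinoplasty">
<img src="/before-after/case-02.jpg">
<form action="/intake" method="post">
  <label for="name">Full name</label>
  <input id="name" name="name" type="text">
  <input id="dob" name="dob" type="date">
  <textarea name="history"></textarea>
  <input type="submit" value="Send">
</form>`;

function runAudit() {
  return {
    bodyTextOk: meetsAA('#767676', '#ffffff'),          // about 4.54:1, passes normal text
    lightGreyOk: meetsAA('#999999', '#ffffff'),         // about 2.85:1, fails normal text
    lightGreyLargeOk: meetsAA('#999999', '#ffffff', true), // still below 3:1, fails large text
    markupFindings: auditMarkup(SAMPLE_HTML),           // three findings on the sample
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

Run it with `node` to print the audit result for the sample. The grey-on-white pair shows why "looks readable" is not the test: #999999 text on white fails AA even at large sizes, while #767676 just clears 4.5:1. The markup check is a triage pass only; manual review still has to confirm that alt text on before-and-after photos describes the result without identifying the patient, as the list above requires.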

FTC Guidelines for Surgeon Marketing and Endorsements

The Federal Trade Commission regulates advertising claims and endorsement disclosures across all industries, including healthcare. For surgeons, three areas require attention: testimonial authenticity, incentivized reviews, and outcome claims.

Testimonial and Endorsement Rules

If you provide any consideration in exchange for a testimonial—discounts, free touch-up procedures, gift cards, anything of value—the testimonial must clearly disclose this. The disclosure must be:

  • Clear and conspicuous (not buried in fine print)
  • Close to the endorsement itself
  • In the same medium (video disclosure for video testimonials)

Employee reviews: Staff members reviewing your practice on Google or other platforms must disclose their employment relationship.

Outcome Claims and Typicality

"Results may vary" disclaimers are no longer sufficient under current FTC guidance. If you show exceptional results, you must either clearly disclose what typical patients can expect or only show results that represent typical outcomes.

For surgeons, this means before-and-after photos should represent realistic expectations, not just best-case scenarios. If you show exceptional results, context like "This patient's results were above average due to [factors]" may be appropriate.

Fake Review Prohibition

Posting fake reviews, paying for fake reviews, or suppressing negative reviews through deceptive means violates FTC rules. Review generation programs must request honest feedback, not just positive reviews.

State Medical Board Advertising Rules: Beyond Federal Requirements

State medical board regulations often impose advertising restrictions beyond federal requirements. These rules vary significantly by jurisdiction and carry consequences including license discipline.

Common State-Level Restrictions

  • Specialty claims: Many states restrict advertising board certification or specialties unless from ABMS-recognized boards. Some require disclosure if certification is from non-ABMS boards.
  • Guarantee language: States commonly prohibit guaranteeing surgical outcomes. Phrases like "designed to results" or "we promise you'll love your outcome" may violate state rules.
  • Fee advertising: Some states regulate how surgical fees can be advertised, particularly regarding financing or payment plan promotions.
  • Before-and-after requirements: Certain states mandate specific disclosures with before-and-after photos, such as whether photos are of actual patients or stock images.

Verifying Your State's Requirements

Medical board advertising rules are typically found in the state's administrative code or medical practice act. Key search terms: "[state] medical board advertising regulations" or "[state] medical practice act marketing rules."

Many state medical societies publish plain-language summaries of advertising restrictions. These can be helpful starting points but should be verified against actual regulatory text.

Multi-state practices: If you advertise across state lines (common for destination surgical practices), you may need to comply with regulations in each state where you're targeting patients.

Regulations change. Verify current rules with your state medical board or healthcare compliance attorney before implementing marketing programs.

Frequently Asked Questions

Yes, you can ask patients to leave reviews. The patient controls what they disclose publicly. Your compliance obligation is in how you respond — you cannot confirm or deny the patient relationship in your response, even if the patient identified themselves and detailed their procedure in the review.

If your website collects, stores, or transmits protected health information — such as through intake forms asking about medical history — you need Business Associate Agreements with any vendor handling that data, including hosting providers, form processors, chat widgets, and CRM systems. Static websites without PHI collection may not require BAAs.

You must remove the testimonial from your website and any marketing materials you control within a reasonable timeframe — typically 30 days or as specified in your authorization form. You cannot remove reviews the patient posted themselves on third-party platforms like Google, as those are the patient's own statements.

Yes, if the photos could reasonably identify the patient. Even without names, facial photos or distinctive body features constitute PHI. You need both a photo release for the images and a HIPAA authorization specifically permitting marketing use. Some practices use close-cropped photos that avoid identifying features, but authorization is still recommended.

You can, but FTC guidelines require clear disclosure that the testimonial was incentivized. The disclosure must be conspicuous and near the testimonial itself. Additionally, verify your state medical board doesn't prohibit fee-splitting or incentive arrangements related to advertising, as some states have additional restrictions.

Civil penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. Criminal penalties for willful violations can reach $250,000 and imprisonment. OCR (Office for Civil Rights) investigates complaints, and state attorneys general can also bring actions. Beyond penalties, the reputational damage from publicized violations often exceeds the financial cost.
