Most dental practices aren't violating HIPAA on purpose. They're violating it because no one told them that the "Book Now" button on their website might be the problem.
HIPAA compliance in dental marketing is one of those topics that gets discussed in vague, anxiety-inducing terms without much practical guidance. Yes, patient information is protected. Yes, there are real penalties for violations that can reach into the tens of thousands of dollars per incident. But between the genuine restrictions and the myths that have calcified into conventional wisdom, most practices are either doing less than they legally could or more than they should.
This article breaks down the actual rules across the four areas where dental marketing most commonly runs into HIPAA trouble: patient photos and before-and-afters, testimonials and online reviews, email marketing, and website tracking technologies. The goal isn't to make you afraid to market your practice. It's to help you do it correctly.
Note: This article is for educational purposes and does not constitute legal advice. Practices with compliance questions should consult a healthcare attorney or HIPAA compliance officer.
A surprising number of practice owners and office managers operate with a gut-level understanding of HIPAA that's only somewhat accurate, with a whole lot of folklore thrown in. That creates real problems, because the folklore tends to make people paranoid about things that are perfectly legal or reckless about things that aren't.
HIPAA's Privacy Rule protects what's called protected health information, or PHI. In a dental practice, PHI is any information that could identify a patient and is connected to their health condition, the treatment they received, or their payment for that treatment. A name by itself isn't necessarily PHI. A name attached to the fact that someone had a root canal on March 3rd absolutely is.
The definition of PHI is broader than most people assume. Here's what it includes in the context of your marketing:
What's not PHI: a generic statement like "our patients love us," stock photography of people who aren't your patients, educational content about procedures without patient identifiers, and testimonials a patient posts publicly on their own initiative. Your practice didn't disclose that information, the patient did.
HIPAA doesn't prohibit dental marketing. It requires that any marketing using PHI meet specific authorization requirements. This distinction matters, because too many practices hear "HIPAA and marketing" and shut down entirely, leaving valuable growth channels untouched while competitors who understand the rules move ahead.
There's one more piece of the HIPAA framework that directly affects marketing: the business associate relationship. Any third-party vendor that handles PHI on your behalf, your email marketing platform, your website host if patients submit forms through your site, or your online scheduling vendor, needs a business associate agreement (BAA) in place.
If you're working with a marketing agency that has access to patient data for campaign targeting or performance tracking, that relationship needs to be covered too. Many practices discover this one the hard way, after a vendor relationship has been in place for years without the proper documentation. If you're building a broader marketing strategy and want to understand who needs access to what, our guide to dental marketing strategy fundamentals walks through the vendor landscape without the compliance confusion.
Before-and-after photos are some of the most powerful marketing assets a dental practice has. They're also the area where practices most commonly convince themselves they're compliant when they aren't.
Here's the core rule: if a photo identifies a patient and shows the result of treatment, it's PHI. Using it in marketing requires written authorization that's separate from your general intake paperwork. The consent form patients sign when they walk in the door, the one that covers treatment and payment, doesn't cover marketing use.
A HIPAA-compliant marketing authorization isn't a single checkbox buried in your new patient forms. It needs to be a standalone document, and it needs to include several specific elements:
Without all of these elements, the authorization may not hold up if it's ever challenged. And here's the part most practices miss: the authorization should be obtained at the time of treatment, not weeks or months later when you're assembling marketing materials. Patients are more willing to consent when they're excited about their results. Track them down six months later and the conversation is awkward at best, unproductive at worst.
What about photos where the patient isn't identifiable? A close-up of just the teeth, no face, no distinguishing marks?
This is a gray area, and reasonable people in the compliance world disagree about it. Some attorneys argue that a photograph showing only a mouth with no other identifiers doesn't constitute PHI because there's no reasonable basis to identify the individual. Others take the position that if the patient could recognize themselves, authorization is still prudent.
The safest approach is to get authorization, regardless. But if you're publishing non-identifiable clinical photography without it, understand that the risk is lower than posting a full-face before-and-after, even if it's not zero.
Online reviews are the lifeblood of dental practice marketing. They're also a minefield if you don't know where the mines are buried. The most important concept to internalize is this: the patient can say anything they want about their treatment. You can't confirm any of it.
When a patient leaves a Google review that says "Dr. Balini did an amazing job on my root canal and the staff was so helpful with my insurance," that patient voluntarily disclosed their own PHI. HIPAA doesn't restrict what patients disclose about themselves. The problem starts with your response.
If you reply with "Thank you, Sarah! We're glad your root canal went smoothly and that our team could help with your Aetna coverage," you've just confirmed that Sarah is a patient, that she had a root canal, and that she has Aetna insurance. That's a HIPAA violation, and it's public on the internet forever.
The safe response framework is straightforward:
A compliant response to the example above would be: "Thank you for your kind words! We appreciate you taking the time to share your experience."
That's it. No clinical detail, no insurance acknowledgment, no confirmation that the person was even a patient. If you need to address a specific concern raised in a negative review, do it offline. Your reputation management strategy lives and dies by reviews, and you can dig deeper into that with our guide to dental reputation management, but the compliance layer is non-negotiable.
Asking patients for reviews is permissible under HIPAA, but the way you ask matters. A generic post-appointment email that says "We'd love to hear about your experience" is fine. An email that says "We noticed you came in for a crown last Tuesday, would you leave us a review about it?" isn't, because it discloses PHI in the request itself.
The same rule applies to testimonials you feature on your website. If a written testimonial identifies a patient by name and references their treatment, you need the same written marketing authorization you'd get for a before-and-after photo. A first-name-only testimonial that says "Dr. Park is great!" probably doesn't need one. A testimonial with a full name, photo, and description of treatment absolutely does.
If you're also building your practice's presence on social platforms, the rules don't change. Patient content that crosses into PHI territory on Instagram or Facebook is subject to the same authorization requirements as your website. Our guide to social media in dentistry covers the content side of that equation, but the compliance foundation needs to be solid before anything goes live.
This is the section where most practices discover they have a compliance problem they didn't know existed. Email marketing to patients and website tracking technologies are both heavily used in dental marketing, and both have HIPAA implications that aren't always obvious.
HIPAA divides patient communications into a few buckets. Communications related to treatment, payment, or healthcare operations, known as TPO communications, don't require separate marketing authorization. That covers:
All of these are fair game without additional consent because they're part of your treatment relationship with the patient, not marketing.
Promotional emails promoting new services, special offers, or elective procedures are different. If you're emailing patients about your new clear aligner offering or a whitening special, and that email is tied to their identity as a patient, you're in marketing territory that may require authorization. A general practice newsletter that goes to anyone who subscribes, with no PHI involved, sits in a safer space. But the moment the email references the recipient's treatment history or patient status, authorization becomes relevant.
In December 2022, the U.S. Department of Health and Human Services (HHS) issued a bulletin that sent a shock through the healthcare marketing world. The guidance clarified that tracking technologies, specifically Meta Pixel, Google Analytics, and similar tools, embedded on pages where patients enter PHI may constitute an unauthorized disclosure of protected health information to third parties.
Here's why this matters for your dental practice. If you have an online booking widget on your website with a Meta Pixel firing on that page, every time someone schedules an appointment, data about that interaction could be transmitted to Meta. If your patient portal or contact form page has Google Analytics tracking installed, PHI entered into those forms may be captured and sent to Google. Neither Meta nor Google is your business associate in most configurations, which means that data is being disclosed to a third party without authorization.
The compliance gap here is enormous, and most practices have no idea it exists. A 2023 study published in Health Affairs found that 98.6% of hospital websites had third-party tracking code on patient-facing pages. There’s a good chance dental practice websites are doing the same thing.
The HHS guidance is clear in its implications, if not its enforcement specifics: HIPAA-covered entities are responsible for ensuring that tracking technologies on their web properties don't result in impermissible disclosures of PHI. The guidance has been updated as recently as 2024 to reflect additional enforcement priorities.
If you're reading this and realizing you have no idea what pixels are running on your scheduling pages, you're in the majority. Here's what to do next:
This isn't a problem you solve once and forget about. If you change booking platforms, redesign your website, or add new marketing tools, the pixel audit needs to happen again.
HIPAA compliance in dental marketing isn't about restricting what you can say or show. It's about making sure the infrastructure around how you collect, display, and transmit patient information is airtight. The places where practices most commonly go wrong are all fixable: review responses that confirm too much, tracking pixels firing on scheduling pages, old intake forms being treated as blanket marketing consent.
The practices that handle this well aren't just protecting themselves from penalties. They're building patient trust on a foundation that marketing alone can't buy. A patient who knows you take their privacy seriously is a patient who refers friends, leaves reviews, and stays with your practice for decades.
If you haven't done a compliance audit of your marketing stack in the past year, start with the pixel issue. It's the one most practices haven't addressed, and it's the one with the most exposure. From there, tighten your review response protocols and revisit your photo consent forms. None of this is complicated once you know what to look for. The hard part is knowing to look in the first place.
