HIPAA doesn’t ban digital marketing for dental practices – but it does set rules you need to follow

A lot of dentists treat the Health Insurance Portability and Accountability Act (HIPAA) and digital marketing as incompatible, like any active online presence is an accident waiting to happen. That’s not quite right.

HIPAA doesn’t prohibit dental practices from running Google Ads, maintaining a social media presence, sending emails to patients, or posting before-and-after photos. It regulates how patient information is handled within those activities. A well-run practice can do all of it compliantly.

The problem is that most dentists haven’t mapped their marketing activities against HIPAA’s specific requirements. This post may help you develop that map.

 

Does HIPAA apply to dental practices?

If your practice transmits health information electronically in connection with insurance claims, eligibility checks, or similar standard transactions – which essentially every dental practice does – you’re a HIPAA covered entity. That means HIPAA governs protected health information wherever it lives or moves: your clinical records, but also your website, your email platform, your scheduling software, and your social media accounts to the extent they touch patient information. Assume it applies and work from there.

 

How HIPAA defines marketing – and where dental practices cross the line

HIPAA’s marketing definition is broader than the colloquial one. Under the Privacy Rule, “marketing” is a communication about a product or service that encourages the recipient to purchase or use it, and a covered entity needs the patient’s written authorization before using PHI (even just a name and email address pulled from the patient list) for a communication that meets that definition.

The key exception for dentists: communications about your own services don’t require authorization. Appointment reminders, treatment follow-ups, and emails promoting a procedure you offer count as treatment or healthcare operations, not marketing. You can email patients about your new implant service without getting authorization first, provided no third party is paying you to send it.

Where the line gets crossed: selling patient data to a third party, or accepting payment from a vendor to promote its product to your patients (a paid promotion of a whitening product to your recall list, for example). Cross that line without written authorization, and you have a HIPAA violation.

 

HIPAA Business Associate Agreements: what dental practices owe their marketing vendors

Any vendor that creates, receives, maintains, or transmits patient data on your behalf is a HIPAA “business associate.” Before that vendor touches any patient information, you need a signed Business Associate Agreement (BAA); a vendor’s marketing claim that it is “HIPAA compliant” is not a substitute for the signed agreement.

For digital marketing, your BAA list should include:

  • Your email marketing platform, if it stores patient names or appointment data
  • Your online scheduling software
  • Your website host, if patients submit contact or intake forms through your site
  • Your patient recall or communication software

Here’s where practices run into trouble: platforms like Mailchimp, free consumer Gmail accounts, and standard WordPress form plugins are not offered under a BAA on standard accounts. (A paid Google Workspace account can be covered by Google’s BAA, but only if you actually sign it and limit PHI to the services it covers.) Using a tool that isn’t under a BAA to communicate about patient care, even for routine appointment reminders, creates exposure. If a vendor says you don’t need a BAA, get a second opinion.

 

Website tracking pixels and HIPAA compliance for dentists

In December 2022, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a bulletin warning healthcare providers about website tracking technologies, specifically tools like the Meta Pixel and Google Analytics. In July 2023, HHS OCR and the Federal Trade Commission (FTC) reinforced the warning with a joint letter to healthcare organizations. The bulletin has been revised since it was first published, so read the current version on HHS.gov rather than a summary before relying on its specifics.

These are standard tools on most business websites. For dental practices, they carry a specific risk.

When a patient visits your site, these tools can capture their IP address, the pages they viewed (for example, a page about a specific procedure or your appointment-request form), identifiers from cookies, and, depending on how the tag is configured, their interactions with form fields, and send that data to the advertising platform. If that data can be connected to a patient’s or prospective patient’s health information, OCR’s position is that it may constitute an unauthorized disclosure of protected health information (PHI). The risk is highest on authenticated pages such as a patient portal, where a visitor is by definition a patient.

Check your website: are any tracking or analytics tags installed, including tags loaded indirectly through a tag manager or a plugin? The quickest check is your browser’s developer tools: open the Network tab on your contact or appointment-request page and look for requests to hosts such as connect.facebook.net, www.facebook.com (the /tr pixel), www.google-analytics.com, or www.googletagmanager.com. If any fire, confirm whether the vendor will sign a BAA covering that tool; if it won’t, the tag must not run on pages where it can collect PHI. Your web developer may not know this is a regulatory question, so you need to ask directly.
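As an added example (not code from the original post or from Treloar & Heisel), here is a small Python script that performs that check offline against a page’s saved HTML: it lists every script, image, and iframe that loads from a third-party host, flags well-known tracker hosts and pasted tag snippets, and reports where each form posts its fields and whether it does so over plain HTTP or in the URL query string. The tracker host list and inline markers are my assumptions based on the public locations of those tags, not an authoritative list, and the sample page, hostnames, and tag IDs are constructed for illustration.

```python
"""Audit a page's HTML for third-party tracking tags and form endpoints.

Added example, not code from the original post. The tracker host list
and inline-JavaScript markers are assumptions based on the public
locations of well-known tags, not an authoritative or complete list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames that serve well-known tracking tags.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript image)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "googleads.g.doubleclick.net": "Google Ads conversion tag",
}

# Assumed markers for tag code pasted directly into an inline <script>.
INLINE_MARKERS = [
    (re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"), "Meta Pixel"),
    (re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"), "Google Analytics / Ads (gtag.js)"),
    (re.compile(r"\bga\s*\(\s*['\"]create['\"]"), "Google Analytics (analytics.js)"),
    (re.compile(r"googletagmanager\.com/gtm\.js"), "Google Tag Manager container"),
]


@dataclass(frozen=True)
class Finding:
    kind: str    # script, img, iframe, inline-script, or form
    vendor: str  # who receives the data, or what is wrong with a form
    detail: str  # URL, form action, or the marker that matched


class TagAuditor(HTMLParser):
    """Collect every element that sends visitor data off the page."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: list[Finding] = []
        self._script_text: list[str] | None = None  # buffer while inside <script>

    def _check_url(self, kind: str, url: str) -> None:
        host = urlparse(url.strip()).netloc.lower()
        if not host or host == self.page_host:
            return  # relative path or first-party host: nothing leaves the site
        self.findings.append(Finding(kind, TRACKER_HOSTS.get(host, "unknown third party"), url))

    def _check_form(self, action: str, method: str) -> None:
        parsed = urlparse(action.strip())
        host = parsed.netloc.lower()
        if host and host != self.page_host:
            # Fields go to another organisation: a BAA question.
            self.findings.append(Finding("form", "unknown third party", action))
        if parsed.scheme == "http":
            # Plain HTTP: the submission crosses the network unencrypted.
            self.findings.append(Finding("form", "unencrypted endpoint", action))
        if method.lower() == "get":
            # GET puts field values in the URL, where server logs, browser
            # history and Referer headers keep a copy of them.
            self.findings.append(Finding("form", "fields sent in query string", action or "(same page)"))

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self._script_text = []
            if a.get("src"):
                self._check_url("script", a["src"])
        elif tag in ("img", "iframe") and a.get("src"):
            self._check_url(tag, a["src"])
        elif tag == "form":
            self._check_form(a.get("action", ""), a.get("method", "get"))

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            text = "".join(self._script_text)
            self._script_text = None
            for pattern, vendor in INLINE_MARKERS:
                if pattern.search(text):
                    self.findings.append(Finding("inline-script", vendor, pattern.pattern))


def audit_html(html: str, page_url: str) -> list[Finding]:
    """Return every off-site data flow found in the page's HTML, in page order."""
    auditor = TagAuditor(urlparse(page_url).netloc)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a gtag.js loader, a pasted Meta Pixel, its noscript
# image, a first-party script, and two contact forms. IDs and hosts are fake.
SAMPLE_URL = "https://www.brightsmile-dental.example/contact"
SAMPLE_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TESTID0000"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-TESTID0000');</script>
<script>/* pixel loader elided in this constructed sample */
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://www.brightsmile-dental.example/js/app.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<img src="/images/logo.png" alt="logo">
<form action="https://forms.example-crm.test/submit" method="post">
 <input name="name"><textarea name="reason"></textarea></form>
<form action="/request-appointment"><input name="reason"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, SAMPLE_URL):
        print(f"{f.kind:14} {f.vendor:34} {f.detail}")
```

Save a page’s source from your browser and pass its HTML and URL to `audit_html`. A clean result is not proof of compliance: tags injected later by a tag manager or a plugin only appear in the rendered page, so pair this with a look at the live page in your browser’s developer tools, and treat every “unknown third party” hit as a vendor whose BAA status you need to confirm.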

 

How to respond to patient reviews without violating HIPAA

HHS OCR has settled cases against multiple dental practices for HIPAA violations in their online review responses, all for the same type of violation.

The error: responding to a patient’s review in a way that confirmed their patient status or referenced details of their care. Even when the patient publicly identified themselves, the practice still cannot acknowledge the relationship.

The compliant response to any review, whether positive or negative, is something along the lines of “Thank you for your feedback. Please reach out to us directly at [phone number] and we’d be happy to help.” That’s it. Don’t thank them for their visit, name a procedure, or confirm a date; anything more specific risks a violation.

 

HIPAA requirements for patient photos and website contact forms

Patient photos. Before-and-after images require specific, written authorization for each photo that meets the Privacy Rule’s authorization requirements: it describes what will be shared, how and where it will be used (website, social media, print ads), when the authorization expires, and the patient’s right to revoke it, and it notes that once published the image may be redisclosed by others. A general consent form signed at intake is not a valid authorization for this purpose and may not protect you if a patient files a complaint.

Contact forms. When a prospective patient submits a request mentioning their reason for visiting, that’s PHI the moment they hit send. The form must submit over HTTPS, the submission must be stored only on systems covered by a signed BAA, and it must not be forwarded to a free personal mailbox or a notification service that isn’t covered. Also confirm that no tracking tag fires on the form page, since a tag there can capture the same fields.

 

HIPAA staff training requirements for dental offices

HIPAA requires ongoing training for every employee who handles patient information. For marketing purposes, that means your team needs to know:

  • don’t post about patients on social media,
  • don’t respond to reviews with anything that identifies a patient, and
  • don’t use personal email accounts for patient communications.

A friendly “We’re so glad you enjoyed your visit!” in reply to a patient’s public review can still confirm their patient status, which crosses the line by revealing PHI.

Train your staff on where the line is.

 

Here are a few HIPAA compliance best practices for dental practice marketing

  • Audit your vendor list and confirm BAAs are signed
  • Check your website for tracking pixels and analytics tags
  • Standardize your review response template to something generic
  • Use specific written authorizations for patient photos
  • Confirm your contact form is encrypted and hosted compliantly
  • Train your team and document it

HIPAA compliance doesn’t make dental marketing harder. It makes it more deliberate, and patients respond to practices that handle their information carefully. That trust is worth building intentionally.

 

Privacy compliance is an important part of building a healthy, trusted practice. For more patient retention strategies and how to design a better patient experience, download our Ebook: Proven Methods To Grow Your Patient List.

 

About Treloar & Heisel

Treloar & Heisel offers dental and medical professionals a comprehensive suite of financial products and services ranging from business and personal insurance to wealth management. We are proud to assist thousands of clients from residency to practice and through retirement. Our experienced teams deliver custom-tailored advice through an active local presence, while our strong national network ensures that clients experience the same high level of service throughout the country.

This post is for informational purposes only and does not constitute legal advice. Dental practices should consult with qualified legal counsel regarding their specific HIPAA compliance obligations.

Footnotes

  1. American Dental Association. HIPAA: How HIPAA Can Apply to You and How to Comply if It Does. ADA.org. https://www.ada.org/resources/practice/legal-and-regulatory/hipaa/how-hipaa-can-apply-to-you-how-to-comply-if-it-does
  2. U.S. Department of Health & Human Services, Office for Civil Rights. Marketing. 45 CFR 164.501, 164.508(a)(3). HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
  3. American Dental Association. HIPAA 20 Questions. ADA.org. https://www.ada.org/resources/practice/legal-and-regulatory/hipaa/hipaa-20-questions
  4. U.S. Department of Health & Human Services, Office for Civil Rights. Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. December 1, 2022. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
  5. U.S. Department of Health & Human Services, Office for Civil Rights, and Federal Trade Commission. Joint Letter on Use of Online Tracking Technologies. July 20, 2023. HHS.gov. https://www.hhs.gov/sites/default/files/use-online-tracking-technologies.pdf
  6. American Dental Association. Marketing and Advertising. ADA.org. https://www.ada.org/resources/practice/legal-and-regulatory/marketing-and-advertising