© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

What HIPAA and FTC Actually Require for Cosmetic Surgery Marketing — and What They Don't

Clear guidance on patient photo consent, testimonial disclosures, tracking pixels, and advertising claims so you can market confidently without compliance anxiety.

Quick answer

What makes cosmetic surgery marketing HIPAA compliant?

HIPAA compliant cosmetic surgery marketing requires written patient authorization before using any identifiable photos or testimonials, proper tracking pixel configuration to avoid capturing protected health information, Business Associate Agreements with marketing vendors who access patient data, and clear FTC-required disclosures on any compensated endorsements or typical results claims.

Key Takeaways

  1. Before/after photos require specific HIPAA authorization forms — general consent forms are insufficient
  2. Retargeting pixels can inadvertently capture PHI from appointment booking pages, creating violation risk
  3. FTC requires clear disclosure when patients receive any compensation for testimonials, including procedure discounts
  4. Google and Meta have specific healthcare advertising policies that layer on top of HIPAA requirements
  5. State medical boards often have stricter advertising rules than federal regulations — verify your state's requirements
  6. Analytics tracking on procedure pages requires careful configuration to avoid PHI collection

Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

Before/After Photo Rules: What HIPAA Authorization Actually Requires

Using patient photos in your marketing isn't automatically a HIPAA violation, but the authorization requirements are stricter than many practices realize. A general treatment consent form does not cover marketing use. You need a separate, specific authorization that meets HIPAA's requirements.

Your photo authorization must include:

  • A description of exactly what images or information will be used
  • Who will see the materials (your website, social media, print ads)
  • An explicit statement that the patient can revoke authorization at any time
  • An expiration date or event (or statement that authorization doesn't expire)
  • A statement that the practice cannot condition treatment on signing

Many practices use forms that are missing one or more of these elements. A form that simply says 'I consent to use of my photos' without specifying the purpose, audience, and revocation rights may not meet HIPAA's authorization standard.

Practical considerations: Even with proper authorization, consider whether photos could identify patients through context. A distinctive tattoo, unique jewelry, or recognizable body feature visible in the image may require additional discussion with the patient. Some practices use photo editing to remove identifying marks, but this should be documented in your authorization process.

This is educational guidance, not legal advice. Consult a healthcare attorney to review your specific authorization forms and processes.

Retargeting Pixels and Analytics: Where PHI Leaks Happen

In 2022, the HHS Office for Civil Rights issued guidance clarifying that standard website tracking tools can create HIPAA violations when they capture protected health information. For cosmetic surgery websites, this risk is higher than many practices realize.

Common PHI exposure points:

  • Appointment booking pages that include procedure selection or health questions
  • Patient portal login pages where tracking pixels fire
  • Contact form submissions that pass through to analytics platforms
  • URL parameters that indicate specific procedures (e.g., /schedule?procedure=rhinoplasty)

When a Meta pixel or Google tag fires on these pages, it may transmit data that, combined with the user's identity, constitutes PHI. This creates a potential violation even if no one at the advertising platform views the data.

Mitigation approaches:

  1. Exclude patient portal and booking pages from tracking pixel deployment entirely
  2. Configure Google Analytics to avoid capturing URL parameters that indicate health conditions
  3. Use server-side tracking with PHI filtering rather than client-side pixels on sensitive pages
  4. Ensure any marketing vendor receiving tracking data has signed a Business Associate Agreement

The OCR guidance specifically noted that individual IP addresses combined with procedure information can constitute PHI. Many practices need to reassess their current tracking configurations against this standard.

Patient Testimonials: FTC Endorsement Rules and Typical Results

Patient testimonials are powerful marketing tools for cosmetic practices, but they trigger both HIPAA authorization requirements and FTC endorsement guidelines. Getting one right while missing the other still creates compliance exposure.

FTC disclosure requirements for testimonials:

  • If a patient received any compensation — including discounts, free services, or gifts — the testimonial must clearly disclose this
  • If results shown are not typical, you must either have substantiation that they are typical or include a clear disclaimer about expected results
  • Disclosures must be clear and conspicuous — burying them in small text at the bottom of the page is insufficient

The FTC has specifically targeted healthcare providers who use testimonials without adequate disclosure. 'Clear and conspicuous' means the disclosure should be near the testimonial itself, in similar font size, and visible without scrolling or clicking.

Combining HIPAA and FTC compliance: Your testimonial consent form should address both the HIPAA authorization elements for using the patient's health information and a clear explanation of any compensation provided. Some practices create a combined document; others keep them separate to ensure each set of requirements is fully addressed.

Video testimonials add complexity: For video testimonials, FTC disclosure should appear within the video itself, not just in the description or caption. Verbal disclosure at the start of the video is clearest.

Verify current FTC guidance at ftc.gov — endorsement rules are periodically updated.

Google and Meta Healthcare Advertising Policies

Beyond federal regulations, advertising platforms have their own healthcare policies that can result in ad disapproval, account suspension, or reduced reach. These policies layer on top of HIPAA and FTC requirements.

Google Ads healthcare restrictions:

  • Before/after images may be restricted or prohibited in ads depending on the procedure type
  • Claims about specific outcomes often require certification or face disapproval
  • Remarketing to people based on their health conditions or perceived health interests requires Healthcare and Medicines certification
  • Some cosmetic procedure terms face keyword restrictions in certain regions

Meta (Facebook/Instagram) policies:

  • Ads cannot include before/after images that show idealized or unexpected results
  • Personal attributes language ('You need to fix your...') violates policy
  • Custom audiences built from patient lists require Special Ad Category designation
  • Weight loss and cosmetic procedure ads face additional creative review

Platform policies change frequently. In our experience working with cosmetic practices, ad accounts that ran without issues for months can suddenly face disapprovals after policy updates. Building relationships with platform representatives and monitoring policy update communications helps practices stay ahead of changes.

Practical approach: Maintain a creative library with compliant alternatives ready when primary ads face disapproval. Document which creative approaches have passed review to build an internal compliance playbook.

State Medical Board Advertising Rules: Often Stricter Than Federal Requirements

HIPAA and FTC are federal minimums. State medical boards often impose additional advertising restrictions that catch practices by surprise. These rules vary significantly by state and can include requirements not found in federal regulations.

Common state-level restrictions include:

  • Requirements to include physician name and license number in advertising
  • Prohibitions on specific claims like 'best results' or 'most experienced'
  • Restrictions on use of patient photos even with consent
  • Requirements for specific disclaimers on pricing advertisements
  • Limitations on advertising surgical procedures by non-physicians in the practice

Some states, including California and Florida, have particularly detailed medical advertising rules. Texas requires specific disclosures about who performs procedures. New York has restrictions on testimonial content that exceed FTC requirements.

Verification process:

  1. Review your state medical board website for advertising guidelines
  2. Check whether your state has additional regulations for medical spas or non-physician providers
  3. If you advertise across state lines (common for practices near borders), verify rules in each state where you target patients
  4. Consider having a healthcare attorney review your advertising materials against state-specific requirements

Board rules change and enforcement varies. This is educational guidance — verify current rules with your state medical board or a healthcare attorney licensed in your state.

Marketing Vendor Agreements: When BAAs Are Required

If a marketing vendor accesses, stores, or transmits protected health information on your behalf, they're likely a business associate under HIPAA. This triggers a requirement for a Business Associate Agreement before sharing any patient data.

Marketing activities that typically require BAAs:

  • Email marketing platforms that receive patient email lists
  • CRM systems that store patient contact information alongside treatment history
  • Review management tools that access patient names and procedure information
  • Call tracking services that record calls discussing patient care
  • Analytics vendors receiving data from pages where PHI may be transmitted

Marketing activities that may not require BAAs:

  • Website hosting with no patient data access
  • Social media management using only publicly available content
  • SEO services that don't access patient information
  • Advertising platforms where PHI transmission has been properly prevented

The key question is whether the vendor could access PHI through their services, not whether they intend to use it. A vendor that dismisses BAA requirements by saying 'we don't look at that data' misunderstands the rule. Potential access triggers the requirement.

Red flags in vendor relationships: If a marketing vendor refuses to sign a BAA when their services involve potential PHI access, that's a significant compliance risk. If they don't know what a BAA is, that's a sign they may not have healthcare compliance infrastructure.


Frequently Asked Questions

Your authorization should specify all intended uses. If your form lists website, social media, and print advertising, you're covered for those channels. If you later want to use photos in TV advertising but that wasn't included, you'd need new authorization. Best practice is to include broad language covering 'marketing and advertising materials across all media channels' in your initial authorization.
Standard Google Analytics implementation on general informational pages is typically acceptable. However, tracking on appointment booking pages, patient portals, or pages with URL parameters indicating specific procedures creates potential PHI transmission. Configure analytics to exclude these pages or implement server-side tracking with PHI filtering. Google does not sign BAAs for standard Analytics accounts.
HIPAA violations have tiered penalties based on knowledge and willfulness. Unknowing violations can still result in penalties ranging from $100 to $50,000 per violation, though corrective action plans are common for first-time issues. More concerning is potential patient complaints, OCR investigation, and the reputational damage of publicized violations. Proactive compliance review is significantly less costly than remediation.
State boards actively enforce advertising rules, and violations can result in license discipline, fines, and required corrective advertising. Competitor complaints and patient reports often trigger investigations. In our experience, boards have become more active in monitoring online advertising in recent years. The consequences of board discipline far exceed the cost of compliance review.
You cannot control what patients write in public reviews. However, if you solicit reviews through a formal program, ensure your request process doesn't encourage disclosure of specific health information. For reputation management, never confirm treatment details when responding to reviews — keep responses general and invite the reviewer to contact your office directly.