© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.
HIPAA-Compliant SEO & Digital Marketing for Dermatology Practices

What HIPAA, the FTC, and Your State Medical Board Actually Require From Your Dermatology Marketing

A practical compliance framework that keeps your digital marketing effective without risking patient privacy violations or regulatory action.


Quick answer

What makes dermatology marketing HIPAA compliant?

HIPAA-compliant dermatology marketing requires explicit written authorization before using any patient information in testimonials, reviews, or case photos. It also means configuring analytics and advertising pixels to avoid capturing protected health information, responding to online reviews without confirming patient relationships, and training staff on what can and cannot be shared publicly about patient care.

Key Takeaways

  1. Patient testimonials and before-and-after photos require specific HIPAA authorization forms; verbal consent is insufficient
  2. Google Analytics and Meta pixels can inadvertently capture PHI through URL parameters and form submissions
  3. [Review responses must never confirm someone is a patient](/resources/dermatologists/seo-compliance-for-dermatologists), even when thanking them for positive feedback
  4. FTC enforcement on health claims applies to dermatology; avoid unsubstantiated efficacy statements
  5. ADA website accessibility applies to dermatology practice sites and carries real litigation risk
  6. State medical board advertising rules vary significantly and may restrict testimonials entirely
  7. Compliance and effective marketing are not mutually exclusive; they require deliberate process design
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

HIPAA Marketing Rules: What Dermatology Practices Must Understand

HIPAA's Privacy Rule governs how protected health information can be used for marketing purposes. For dermatology practices, this creates specific obligations that many marketing activities can inadvertently violate.

What counts as PHI in marketing contexts:

  • Patient names connected to treatment information
  • Before-and-after photos that could identify individuals
  • Appointment scheduling data captured by third-party tools
  • IP addresses combined with health condition searches
  • Email addresses submitted through condition-specific landing pages

The authorization requirement is where most practices get into trouble. Using PHI for marketing requires a specific written authorization from the patient—separate from the general HIPAA consent form patients sign at intake. This authorization must describe exactly how the information will be used, where it will appear, and for how long.

Common violation scenarios we see:

  • Posting patient photos to social media after verbal-only consent
  • Responding to Google reviews with treatment details
  • Retargeting website visitors who viewed specific condition pages
  • Sharing patient stories in email newsletters without written authorization

This is educational content, not legal advice. Consult a healthcare attorney for compliance guidance specific to your practice.

Analytics and Advertising Pixels: Hidden PHI Exposure Points

Standard website analytics configurations can capture protected health information without your knowledge. This creates HIPAA exposure that many dermatology practices don't recognize until it's flagged in an audit.

Where PHI leaks occur:

Google Analytics and similar tools record the full page URL, query parameters included, by default. If your appointment request page URL carries condition information (/request-appointment?service=acne-treatment), that string reaches the vendor's servers together with the visitor's IP address, the vendor's own cookie or client identifier, and the referring page. HHS has taken the position that this combination can constitute transmission of PHI to a third party without authorization.

Meta (Facebook) Pixel risks:

  • With automatic advanced matching enabled, captures form field values such as names, email addresses and phone numbers
  • Tracks page views on condition-specific content
  • Enables retargeting based on health-related browsing behavior

In December 2022 HHS's Office for Civil Rights published a bulletin on tracking technologies (updated in March 2024) stating that tracking technologies on healthcare websites require careful configuration, or Business Associate Agreements with the vendors that receive the data, which most analytics and advertising providers won't sign. Parts of that bulletin have since been challenged in federal court, so confirm its current status before relying on it.

Practical configuration steps:

  • Audit all third-party scripts currently running on your website, including anything loaded by a tag-manager container rather than placed in the page directly
  • Configure analytics to anonymize or drop IP addresses, and remember that this alone does not remove cookie or client identifiers
  • Exclude form submissions, appointment pages and patient-portal paths from tracking, and strip query parameters before any hit is sent
  • Review retargeting audience definitions for health-condition targeting
  • Consider first-party or self-hosted analytics so that no visitor data is transmitted to a third party at all
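The two browser-side controls from the steps above, written out as an added example (this is not code from the page or from any analytics vendor): a route gate that suppresses tracking entirely on pages whose URL or purpose reveals a condition or carries a form, and a query-string scrubber that forwards only an allowlist of parameters, so a value like service=acne-treatment never leaves the browser. The path prefixes, the allowed parameter names, the example-derm.test host and the vendorSend callback are assumptions for illustration; in production vendorSend would wrap the real SDK call.

```javascript
// Added example, not code from the original page or any vendor SDK. Paths, parameter
// names, host name and the vendorSend callback are illustrative assumptions.

// Paths where a page view alone implies something about the visitor's health, or
// where forms are submitted. Treat this list as configuration reviewed with the
// practice's privacy officer, not as something a developer edits ad hoc.
const SENSITIVE_PATH_PREFIXES = [
  '/request-appointment',
  '/patient-portal',
  '/conditions/',
  '/thank-you',
];

// Allowlist rather than denylist: a parameter a campaign tool adds next month is
// dropped by default instead of leaking until someone notices it.
const ALLOWED_QUERY_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign', 'page']);

function isSensitivePath(pathname) {
  return SENSITIVE_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Return a copy of the URL containing only allowlisted query parameters and no
// fragment (single-page-app routers sometimes keep state such as a chosen service
// in the hash, and the weak pattern is simply sending location.href as-is).
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key.toLowerCase())) kept.append(key, value);
  }
  url.search = kept.toString();
  url.hash = '';
  return url.toString();
}

// Build the page_view payload, or null when the page must not be tracked at all.
function buildPageView(rawUrl) {
  const url = new URL(rawUrl);
  if (isSensitivePath(url.pathname)) return null;
  return { page_location: scrubUrl(rawUrl), page_path: url.pathname };
}

// The only function that should ever reach the vendor. vendorSend is injected so
// the gating logic can be tested offline. Returns true when a hit was sent and
// false when it was suppressed.
function sendPageView(rawUrl, vendorSend) {
  const hit = buildPageView(rawUrl);
  if (hit === null) return false;
  vendorSend('page_view', hit);
  return true;
}

// Constructed sample run with a recording stub standing in for the vendor SDK.
const sent = [];
const record = (event, payload) => sent.push({ event, payload });
sendPageView('https://example-derm.test/request-appointment?service=acne-treatment', record); // suppressed
sendPageView('https://example-derm.test/about?utm_source=google&service=acne-treatment&email=jane%40example.test', record);
console.log(JSON.stringify(sent, null, 2)); // one hit: /about with only utm_source kept
```

The gate runs before the vendor call rather than inside a vendor-side filter because anything filtered vendor-side has already been transmitted. Scrubbing also protects the Referer header on the next navigation only if the address bar is rewritten too (for example with history.replaceState), so treat that as a separate follow-up.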

Verify current HHS guidance and consult with a HIPAA compliance specialist—enforcement interpretations evolve.

Responding to Patient Reviews Without Confirming PHI

Online reviews drive patient acquisition for dermatology practices, but responding to them creates a regulatory trap. The moment you confirm someone is your patient—even to thank them—you've disclosed protected health information.

What constitutes a violation:

"Thank you for being a patient at our practice" confirms a treatment relationship. "We're glad your acne treatment went well" discloses specific care. Even "We appreciate patients like you" can be interpreted as confirmation. HHS has made clear that the patient posting a review does not waive their privacy rights.

Compliant response framework:

  • Use generic language that doesn't confirm patient status
  • Never reference specific treatments, conditions, or outcomes
  • Invite offline conversation: "Please contact our office directly to discuss your experience"
  • Maintain the same response template for positive and negative reviews

Example compliant response:

"Thank you for taking the time to share this feedback. We're committed to providing excellent care to everyone who visits our practice. If you'd like to discuss anything further, please contact our office at [phone]."

Handling negative reviews:

The same rules apply—perhaps more importantly. You cannot defend your practice by revealing what actually happened in someone's care. Document the review internally, respond generically, and address legitimate concerns through proper channels.

Many practices find this frustrating. However, the alternative—potential OCR investigation and penalties—makes disciplined review response essential.

FTC Enforcement on Dermatology Marketing Claims

The Federal Trade Commission actively enforces rules against deceptive health claims, and dermatology marketing frequently triggers scrutiny. Treatments for acne, aging, hair loss, and skin conditions are common targets.

What the FTC requires:

Health benefit claims must be truthful, not misleading, and substantiated by competent and reliable scientific evidence. For dermatology, this means:

  • "Clinically proven" requires actual clinical studies—not patient testimonials
  • Before-and-after photos must represent typical results, not best-case outliers
  • Testimonials with specific outcome claims need substantiation or clear disclaimers
  • Comparative claims ("better than other treatments") require head-to-head evidence

High-risk claim categories for dermatology:

  • Acne treatment efficacy percentages
  • Anti-aging results and timelines
  • Hair restoration success rates
  • Scar reduction outcomes
  • "All-natural" or "chemical-free" characterizations

Practical guidance:

Focus marketing language on the patient experience and your practice's approach rather than specific outcome guarantees. "We offer comprehensive acne treatment plans customized to your skin" creates less regulatory exposure than "Clear skin in 30 days."

When using patient testimonials (with proper HIPAA authorization), include disclaimers that results vary and individual outcomes depend on multiple factors. The FTC specifically looks for testimonials that claim typical results without substantiation.

FTC enforcement is complaint-driven but increasingly proactive in healthcare. Audit your website copy and advertising for unsupported claims.

ADA Website Accessibility for Dermatology Practice Sites

The Americans with Disabilities Act applies to healthcare provider websites. While the legal landscape continues evolving, litigation risk is real—and dermatology practices have been named in accessibility lawsuits.

Core accessibility requirements:

Websites should be perceivable, operable, understandable, and robust for users with disabilities. In practice, this means:

  • All images need descriptive alt text (especially before-and-after photos)
  • Video content requires captions or transcripts
  • Forms must be navigable by keyboard alone
  • Color contrast must meet minimum ratios for readability
  • Screen readers must be able to parse your page structure

Why dermatology sites face elevated risk:

Visual content is central to dermatology marketing. Photo galleries, treatment result images, and video testimonials are common—and often inaccessible. Appointment scheduling tools may rely on mouse-only interactions. Cosmetic procedure descriptions may use color-coded information.

Minimum steps for compliance:

  • Run your website through automated accessibility checkers (WAVE, axe)
  • Test keyboard-only navigation through critical paths
  • Add alt text to all images describing what's shown
  • Ensure appointment booking flows are screen-reader compatible
  • Review any embedded third-party tools for accessibility compliance

Industry benchmarks suggest many healthcare websites have significant accessibility gaps. Addressing these issues improves user experience for all visitors while reducing legal exposure.

Consult an ADA compliance specialist for a thorough audit—automated tools catch only a portion of accessibility issues.

State Medical Board Advertising Rules for Dermatologists

Beyond federal regulations, state medical boards impose advertising restrictions that vary significantly by jurisdiction. Dermatologists licensed in multiple states face overlapping—sometimes conflicting—requirements.

Common state-level restrictions:

  • Prohibitions on testimonials that imply guaranteed outcomes
  • Required disclosures about board certification and specialty status
  • Restrictions on "specialist" terminology without board certification
  • Mandatory inclusion of physician names in practice advertising
  • Specific rules about before-and-after photo usage

Areas of significant variation:

Some states restrict or prohibit patient testimonials entirely. Others allow testimonials but require specific disclaimers. Cosmetic procedure advertising often faces additional scrutiny, with some states requiring disclosure of risks alongside marketed benefits.

Multi-state practice considerations:

If your practice serves patients across state lines or advertises digitally to broader geographic areas, you may need to comply with the strictest applicable rules. A compliant ad in one state could violate another state's medical practice act.

Practical compliance steps:

  • Review your specific state medical board's advertising guidelines annually
  • Document internal policies for advertising approval
  • Train staff involved in marketing on applicable restrictions
  • Maintain records of authorizations and disclaimers used

Many practices find that building conservative advertising standards—compliant with the strictest relevant jurisdiction—simplifies multi-platform marketing management.

State medical board rules change. Verify current requirements with your licensing authority, not general online guidance.


Frequently Asked Questions

Can we post patient photos in marketing if the patient agreed verbally?

No. HIPAA requires specific written authorization for using patient images in marketing; verbal consent is insufficient. The authorization must describe how the photos will be used, where they'll appear, and for how long. Even with authorization, avoid including identifying information in posts, and understand that patients can revoke the authorization at any time.

If a patient mentions their treatment in a public review, can we respond to it?

The patient posting doesn't waive their HIPAA protections. You cannot confirm they're a patient in your response, reference their treatment, or disclose any information about their care. Respond generically without acknowledging the treatment relationship, and invite offline conversation for specific concerns.

Are analytics and advertising pixels a HIPAA problem?

They can be, depending on configuration. HHS guidance indicates that tracking technologies capturing identifiers alongside health condition information may transmit PHI without authorization. Audit your implementations, anonymize IP addresses, exclude sensitive pages from tracking, and review whether Business Associate Agreements are required; most analytics vendors won't sign them.

What disclaimers do before-and-after photos need?

If the results shown aren't typical, disclose that clearly: "Results vary. Individual outcomes depend on skin type, treatment adherence, and other factors." Avoid implying the featured results are typical or representative without substantiation. Some state medical boards have additional requirements; verify your jurisdiction's rules.

Does the ADA apply to a dermatology practice website?

Healthcare provider websites are generally considered subject to ADA requirements. For private practices (ADA Title III) no technical standard is codified in regulation, although courts and settlements routinely reference WCAG 2.1 Level AA, and courts have increasingly found that inaccessible websites violate the ADA. Dermatology sites with heavy visual content face elevated risk. Accessibility audits and remediation reduce legal exposure.

What happens when state medical board rules and HIPAA differ?

State rules add requirements; they don't override HIPAA. You must comply with both. If your state prohibits certain testimonials that HIPAA would allow with authorization, the state prohibition controls. If your state allows something HIPAA restricts, you still need HIPAA compliance. Apply the stricter standard when rules overlap.
