© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

Compliance

What HIPAA, the FTC, and State Medical Boards Actually Require from Your Dermatology Website

A practical compliance framework for dermatology practices that want to grow their online presence without risking patient privacy violations, false advertising claims, or licensing board complaints.

Quick answer

What compliance rules apply to dermatology SEO and digital marketing?

Dermatology practices must navigate four regulatory layers: HIPAA Privacy Rule (patient data in testimonials, review responses, analytics tracking), FTC health claims enforcement (treatment efficacy language), ADA website accessibility requirements, and state medical board advertising rules. Each affects how you collect reviews, write service pages, and run digital campaigns. This content is educational — verify current rules with your licensing authority.

Key Takeaways

  • HIPAA applies to your website if testimonials, review responses, or tracking pixels could expose protected health information
  • [FTC enforcement targets dermatology claims](/resources/dermatologists/dermatology-website-advertising-compliance) about treatment outcomes—avoid unqualified efficacy language
  • ADA accessibility lawsuits have increased significantly against medical practice websites
  • State medical board advertising rules vary widely—some prohibit 'specialist' claims without board certification
  • Google Analytics 4 and Meta Pixel require specific configurations to avoid inadvertent PHI transmission
  • Before-and-after photos face both HIPAA consent requirements and FTC 'typical results' disclosure rules
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

Who This Compliance Guide Is For

This guide addresses dermatology practice owners, office managers, and marketing coordinators who handle digital presence decisions. If you're evaluating SEO agencies, managing your Google Business Profile, or overseeing website updates, you need to understand where compliance obligations intersect with marketing activities.

This is educational content, not legal advice. Healthcare marketing compliance involves federal regulations, state-specific rules, and evolving enforcement priorities. Work with healthcare attorneys and compliance officers for practice-specific guidance.

The regulations we'll cover:

  • HIPAA Privacy Rule — How patient data protection applies to testimonials, review responses, website analytics, and retargeting campaigns
  • FTC Health Claims Enforcement — What you can and cannot say about treatment outcomes, and how 'typical results' disclosures work
  • ADA Website Accessibility — Technical requirements that affect dermatology websites and the enforcement trend you should understand
  • State Medical Board Advertising Rules — State-specific restrictions on physician advertising, specialist claims, and before-and-after imagery

Each section includes practical guidance for common dermatology marketing scenarios. The goal is helping you ask the right questions when evaluating marketing tactics—not replacing professional compliance review.

HIPAA Privacy Rule: Where Patient Data Meets Marketing

HIPAA's Privacy Rule applies to your marketing activities whenever protected health information (PHI) could be collected, stored, or disclosed. For dermatology practices, the risk areas are more extensive than many realize.

Testimonials and Case Studies

Patient testimonials require valid HIPAA authorization before publication. A signed 'marketing consent' form isn't automatically HIPAA-compliant—the authorization must meet specific requirements under 45 CFR § 164.508, including clear description of how the information will be used and the patient's right to revoke authorization.

Review Response Protocols

When responding to Google or Yelp reviews, HIPAA restricts what you can acknowledge. Even confirming someone is a patient can constitute PHI disclosure. Many practices use templated responses that neither confirm nor deny the patient relationship: 'We take all feedback seriously and encourage anyone with concerns to contact our office directly.'

Website Analytics and Tracking Pixels

This is where many dermatology practices unknowingly create compliance exposure. Standard Google Analytics implementations and Meta Pixel tracking can capture URL paths that reveal health conditions—for example, if someone visits /services/psoriasis-treatment and that data is transmitted to third parties.

HHS guidance on tracking technologies (updated December 2022, with clarifications through 2024) indicates that analytics data combined with IP addresses may constitute PHI when collected on authenticated patient portal pages. Some practices now use privacy-focused analytics or configure tracking to exclude condition-specific pages.

Practical step: Audit your current tracking setup with someone who understands both the technical implementation and HIPAA requirements. The intersection is specialized.
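
One way to implement the "exclude condition-specific pages" configuration described above, as an added example that is not part of the original guide: a filter that runs before any analytics or pixel call and decides what, if anything, may leave the site. The path prefixes, the `example-derm.test` URLs and all function names are assumptions; the payload field names follow GA4's `page_location` and `page_referrer` parameters, and no vendor API is called.

```javascript
// Added example; every name and the prefix list are illustrative assumptions.
// Constructed list: URL areas that reveal a condition, a treatment, or a login.
const SENSITIVE_PREFIXES = ['/services/', '/conditions/', '/portal/', '/book/'];
// Only campaign-attribution parameters survive; site-search terms do not.
const ALLOWED_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

function isSensitivePath(pathname) {
  let p;
  try {
    p = decodeURIComponent(pathname); // catches /%73ervices/... style paths
  } catch (err) {
    return true; // malformed encoding: fail closed and send nothing
  }
  p = p.toLowerCase().replace(/\/{2,}/g, '/'); // normalize case and '//'
  return SENSITIVE_PREFIXES.some((prefix) => p.startsWith(prefix));
}

// Returns null when no third-party event should be sent for this page,
// otherwise a minimal payload with the fragment and free-form query removed.
function buildPageViewPayload(rawUrl, referrer) {
  const url = new URL(rawUrl);
  if (isSensitivePath(url.pathname)) return null;
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key)) kept.set(key, value);
  }
  const query = kept.toString();
  const payload = {
    page_location: url.origin + url.pathname + (query ? '?' + query : ''),
  };
  if (referrer) {
    // A same-site referrer from a sensitive page would leak the same path.
    const ref = new URL(referrer);
    const leaks = ref.origin === url.origin && isSensitivePath(ref.pathname);
    payload.page_referrer = leaks ? ref.origin + '/' : ref.origin + ref.pathname;
  }
  return payload;
}

// Audit helper: which URLs from a crawl or sitemap would be suppressed?
function suppressedUrls(urls) {
  return urls.filter((u) => buildPageViewPayload(u) === null);
}

// Constructed sample URLs for a fictional practice site.
const SAMPLE_URLS = [
  'https://example-derm.test/services/psoriasis-treatment',
  'https://example-derm.test//Services/%61cne-scars',
  'https://example-derm.test/blog/sunscreen-basics?q=psoriasis&utm_source=newsletter#top',
  'https://example-derm.test/contact',
];
```

A vendor script that is already loaded can read the page address on its own, so a `null` result should also keep the tag from loading on that page rather than only skipping the event.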

FTC Health Claims: What You Can and Cannot Say About Treatments

The Federal Trade Commission enforces truth-in-advertising standards that directly affect how dermatology practices describe treatments. The FTC's 'competent and reliable scientific evidence' standard applies to efficacy claims—and enforcement actions against medical practices have increased.

Claims That Trigger Scrutiny

Specific outcome claims require substantiation you can document. Examples that create risk:

  • 'Eliminates acne in 90% of patients' (requires clinical evidence for that specific statistic)
  • 'Permanent hair removal' (absolute claims invite challenges)
  • 'Our laser treatment reverses sun damage' (medical efficacy claim)

Safer Language Frameworks

Many dermatology practices use language that describes treatment mechanisms rather than promising outcomes:

  • 'This treatment is designed to reduce the appearance of fine lines' (describes intent, not guarantee)
  • 'Many patients report improvement in skin texture' (attributed to patient experience, not clinical promise)
  • 'Results vary based on individual skin type and treatment adherence' (appropriate qualification)

Before-and-After Photo Requirements

The FTC's position on testimonials and endorsements applies to before-and-after imagery. If results shown aren't typical, disclosure is required. 'Results not typical' buried in footer text generally doesn't satisfy FTC guidance—disclosures should be clear and conspicuous, placed near the images.

Additionally, before-and-after photos require HIPAA-compliant authorization (discussed above) and may face state medical board restrictions (discussed below). The intersection of these three regulatory frameworks makes patient imagery one of the highest-compliance-burden marketing tactics in dermatology.

ADA Website Accessibility: The Enforcement Trend Affecting Medical Practices

Title III of the Americans with Disabilities Act applies to 'places of public accommodation.' Federal courts have increasingly interpreted this to include websites of businesses that serve the public—including medical practices.

The Current Legal Landscape

There's no single federal standard for website accessibility compliance. Courts often reference the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA as a benchmark, but this isn't codified in statute. The Department of Justice has signaled intent to formalize web accessibility rules but hasn't finalized regulations as of this writing.

What's clear: ADA accessibility lawsuits against healthcare providers have increased. Plaintiff's attorneys often target websites with obvious accessibility gaps—missing alt text on images, poor color contrast, forms that can't be completed with screen readers, videos without captions.

Practical Accessibility Steps

For dermatology websites, common accessibility issues include:

  • Image alt text: Procedure photos, before-and-after images, and staff photos need descriptive alt attributes
  • Form accessibility: Appointment request forms must be navigable with keyboard-only input and compatible with screen readers
  • Color contrast: Text must have sufficient contrast against backgrounds—especially important for sites using light color schemes common in dermatology branding
  • Video content: Educational videos about procedures need captions

Many practices now include accessibility audits in their website maintenance. Tools like WAVE or axe DevTools can identify technical issues, though full WCAG compliance typically requires manual testing with assistive technologies.

Note: Accessibility isn't just risk mitigation. Accessible websites often perform better in search—many accessibility improvements align with SEO best practices like descriptive headings, logical page structure, and proper image optimization.

State Medical Board Advertising Rules: The Variations That Matter

State medical boards regulate physician advertising with rules that vary significantly by jurisdiction. What's permitted in California may trigger a board complaint in Texas. If your practice serves patients across state lines (increasingly common with teledermatology), you may face multiple overlapping requirements.

Common Restriction Categories

'Specialist' and 'Board Certified' Claims: Many states restrict 'specialist' terminology to physicians with board certification in recognized specialties. Some require disclosure of the certifying board. Dermatologists with sub-specialty training (Mohs surgery, dermatopathology, pediatric dermatology) face specific rules about how to communicate those credentials.

Testimonial Restrictions: Some state medical boards have rules about patient testimonials that go beyond HIPAA and FTC requirements—including prohibitions on testimonials for certain procedures or requirements for specific disclaimers.

Before-and-After Photo Rules: Several states have specific requirements for before-and-after photos beyond FTC disclosure rules—including standardized lighting/positioning requirements or mandatory waiting periods before photos can be used.

Fee Advertising: Rules about advertising prices, discounts, and 'free consultations' vary. Some states require specific disclosures when advertising fees.

Practical Compliance Approach

Before launching marketing campaigns, identify which state medical board(s) have jurisdiction over your practice and review their current advertising regulations. These rules change—what was compliant three years ago may not be today.

If you work with an SEO agency or marketing firm, ask how they handle state-specific compliance. A generic 'we're HIPAA compliant' answer doesn't address medical board advertising rules, which are a separate regulatory framework entirely.

Resource: The Federation of State Medical Boards maintains a directory of state board contacts, though specific advertising rules require reviewing each state's regulations directly.

Building a Compliance-First Marketing Framework

Compliance isn't a one-time audit—it's an ongoing framework that should inform every marketing decision. Here's how dermatology practices can structure their approach.

Content Review Process

Establish a review workflow before publishing any patient-facing content:

  1. Draft creation — Marketing team or agency creates content
  2. Compliance review — Someone with regulatory knowledge reviews for HIPAA, FTC, and state board issues
  3. Clinical accuracy review — Physician reviews treatment descriptions for medical accuracy
  4. Legal review — For high-risk content (testimonials, efficacy claims, before-and-after photos), healthcare attorney review

Not every blog post needs full legal review. Establish tiers based on risk level—educational content about skin conditions is lower risk than patient testimonials with before-and-after photos.

Vendor and Agency Evaluation

When evaluating SEO agencies or marketing vendors, specific compliance questions to ask:

  • How do you handle HIPAA requirements in content development?
  • What's your process for state medical board advertising rule compliance?
  • How do you configure analytics and tracking to minimize PHI exposure?
  • Can you provide examples of compliant content you've created for other healthcare clients?

Vague answers ('we work with lots of doctors') don't indicate actual compliance infrastructure. Agencies experienced in healthcare marketing should be able to discuss specific protocols.

Documentation and Training

Document your compliance policies and train staff who handle marketing activities. If a board complaint or legal challenge arises, demonstrating good-faith compliance efforts—documented policies, regular training, review processes—can be material to the outcome.

When you're ready to work with an SEO partner who understands healthcare regulations, compliance infrastructure should be part of the evaluation conversation from day one.

Frequently Asked Questions

Yes, with proper HIPAA-compliant authorization. The authorization must meet 45 CFR § 164.508 requirements — it's not just a generic marketing consent form. The patient must understand specifically how their information will be used, and they retain the right to revoke authorization. Additionally, testimonials may face FTC disclosure requirements and state medical board restrictions, so HIPAA authorization alone doesn't guarantee compliant use.
It depends on implementation. Standard Google Analytics configurations that track visitors across condition-specific pages (like '/services/eczema-treatment') while capturing IP addresses may create PHI exposure according to HHS tracking technology guidance. Many healthcare practices now use privacy-focused analytics alternatives or configure tracking to exclude sensitive page paths. Consult with someone who understands both the technical implementation and HIPAA requirements — this is a specialized intersection.
The FTC's endorsement and testimonial guidelines apply. If the results shown aren't typical, you need clear and conspicuous disclosure — 'results not typical' in small footer text generally doesn't satisfy FTC guidance. Additionally, before-and-after photos require HIPAA-compliant patient authorization and may face state medical board requirements for standardized photography conditions. This three-layer compliance burden makes patient imagery high-risk from a regulatory standpoint.
Yes, substantially. Some states restrict 'specialist' claims to board-certified physicians in recognized specialties. Others have specific testimonial prohibitions or before-and-after photo requirements that go beyond federal rules. Fee advertising, 'free consultation' offers, and credential disclosures are regulated differently across jurisdictions. If you practice in multiple states or serve patients via teledermatology, you may face overlapping requirements. Review your specific state board's current advertising regulations — they change regularly.
HIPAA restricts acknowledging someone is a patient. Even a response like 'We're sorry your treatment didn't meet expectations' can constitute PHI disclosure because it confirms the reviewer received treatment. Many practices use neutral responses that neither confirm nor deny the patient relationship: 'We take all feedback seriously. We encourage anyone with concerns to contact our office directly so we can address them.' This approach acknowledges the review without confirming protected information.
Courts have increasingly interpreted ADA Title III to cover websites of businesses serving the public, including medical practices. There's no single federal website accessibility standard, but courts often reference WCAG 2.1 Level AA guidelines. ADA accessibility lawsuits against healthcare providers have increased, often targeting obvious gaps like missing image alt text or inaccessible forms. While the legal landscape continues evolving, accessibility improvements also benefit SEO and user experience — making them worthwhile regardless of litigation risk.
