What HIPAA, APA Ethics, and State Boards Actually Require for Your Therapy Website

HIPAA doesn't regulate search engine optimization. It regulates how you collect, store, and transmit protected health information (PHI). The confusion arises because modern SEO involves website elements that do touch PHI: contact forms, appointment requests, chat widgets, and analytics tools.

Here's what this means practically:

• Contact forms that collect health information must transmit data via encrypted connections (HTTPS) and store it securely
• Third-party tools (analytics, heatmaps, session recordings) may access PHI and require Business Associate Agreements
• Testimonials and case studies using any patient information require signed Client testimonials require signed [HIPAA authorization](/resources/therapist/seo-for-therapist-faq) f—verbal permission isn't sufficient
• Review responses on Google Business Profile cannot confirm someone is your patient

The SEO tactics themselves—keyword research, content creation, link building, technical optimization—don't trigger HIPAA concerns. The implementation often does.

This is educational content about compliance principles, not legal advice. Consult a healthcare attorney for guidance specific to your practice and state.

The APA Ethics Code Standards 5.01 through 5.06 govern how psychologists and therapists present themselves publicly. These standards apply to your website, Google Business Profile, directory listings, and any SEO-driven content.

Standard 5.01 (Avoidance of False Statements) prohibits misrepresenting training, experience, competence, credentials, or institutional affiliations. On your website, this means:

• Credential abbreviations must reflect degrees you've actually earned
• Specialty claims must align with your training and supervised experience
• Outcome promises ("I can help you overcome depression") require careful framing

Standard 5.04 (Testimonials) permits client testimonials but requires consideration of undue influence. A current client providing a testimonial may feel pressure to comply—document voluntary participation carefully.

Standard 5.05 (In-Person Solicitation) prohibits soliciting business from vulnerable populations in ways that could be coercive. This affects how you approach content targeting people in crisis.

Many state licensing boards adopt APA standards and add their own restrictions. California, for example, has specific rules about advertising specialties that exceed APA requirements.

State licensing boards frequently impose marketing restrictions stricter than HIPAA or APA guidelines. Therapists licensed in multiple states must comply with the most restrictive rules across all jurisdictions where they practice.

Common state-level restrictions include:

• Mandatory disclosure language on websites (license numbers, supervising clinician information for provisionally licensed therapists)
• Prohibitions on specific advertising claims ("designed to results," "best therapist in [city]")
• Requirements to list all credentials earned, not selectively omit degrees
• Restrictions on before/after claims even with anonymized data

Telehealth complicates this further. If you're licensed in Texas but see clients via telehealth in California, California's advertising rules may apply to your marketing targeting California residents.

We recommend maintaining a compliance reference document listing each state where you hold licensure and its specific advertising provisions. Review this quarterly, as boards update rules without widespread notification.

As of 2024, verify current rules with each state licensing authority—regulations change, and this content may not reflect recent updates.

This table summarizes key regulations affecting therapist marketing online. Use it as a starting reference, not a comprehensive legal guide.

• HIPAA Privacy Rule (45 CFR 164): Governs PHI collection, storage, transmission. Affects forms, testimonials, analytics tools. Requires BAAs with vendors accessing PHI.
• HIPAA Security Rule: Mandates administrative, physical, and technical safeguards. Requires encrypted data transmission (HTTPS minimum).
• APA Ethics Code 5.01-5.06: Governs truthfulness in advertising, testimonial use, credential representation, solicitation practices.
• FTC Endorsement Guidelines (16 CFR 255): Requires disclosure of material connections in testimonials. Applies if clients receive any benefit for reviews.
• State Licensing Board Rules: Vary significantly. Often require license number display, supervising clinician disclosure, specific credential formatting.
• State Consumer Protection Laws: Prohibit deceptive advertising. "Bait and switch" pricing or misleading specialty claims trigger violations.

For HIPAA specifically, the HHS Office for Civil Rights provides guidance documents that clarify application to digital marketing contexts. Many therapists over-comply in some areas while missing actual requirements in others.

Use this checklist to audit your current website and SEO implementation. This covers common compliance touchpoints—your specific situation may require additional measures.

Technical Security:

• SSL certificate active (HTTPS on all pages)
• Contact forms transmit via encrypted connection
• Form submissions stored in HIPAA-compliant system or deleted after processing
• Business Associate Agreements in place with hosting provider, form processor, email service

Analytics and Tracking:

• Google Analytics 4 configured with IP anonymization
• No session recording tools capturing form input fields
• Cookie consent mechanism for applicable jurisdictions

Content and Testimonials:

• Client testimonials have signed HIPAA authorization on file
• Case examples fully anonymized (no identifiable details, including rare conditions + location combinations)
• Credentials accurately represented per state board requirements
• License numbers displayed where required by state

Review Response Protocol:

• Staff trained to never confirm patient relationships in review responses
• Template responses reviewed by compliance-aware counsel

In our experience working with therapy practices, certain compliance gaps appear repeatedly. These aren't hypothetical—they're configurations we encounter on active therapist websites.

The testimonial without authorization: A therapist publishes a glowing client review on their website. The client verbally agreed, but there's no signed HIPAA authorization. This is a HIPAA violation regardless of intent.

The form-to-email pipeline: Contact forms send submissions directly to a standard Gmail account. Unless that Gmail is part of a Google Workspace account with a BAA, this transmission may violate HIPAA if the form collects health information.

The confirming review response: A negative review appears on Google. The therapist responds: "I'm sorry your experience in our sessions didn't meet expectations." This confirms a patient relationship—a HIPAA violation.

The credential shortcut: A therapist lists "Dr." before their name based on a doctorate in an unrelated field, or lists a specialty certification they completed but let lapse. State boards investigate these complaints.

The multi-state telehealth listing: A therapist targets keywords in states where they hold licensure but doesn't display required disclosures for each state on the relevant landing pages.

None of these scenarios involve bad intent. All carry real consequences—from HIPAA fines to licensing board complaints that appear on your public record permanently.