Frontend Horizon

Healthcare Marketing: The Compliance Lines You Cannot Cross

Most healthcare practices either over-share (and risk a HIPAA citation) or under-share (and lose patients to bolder competitors). Here’s the line.

John Cravey
Founder

Healthcare marketing has a tighter compliance frame than almost any other vertical. HIPAA, FTC, state medical and dental board ad rules, FDA constraints on certain claims — the rules are real, the penalties are large, and the line is finer than most practice owners think.

What HIPAA actually says about marketing

HIPAA covers Protected Health Information (PHI). You cannot share, suggest, or imply specific patient information without written authorization — even in a positive review context, even with names removed if the patient is identifiable. Reviews where the patient self-identifies are fine; you cannot create or curate a review that exposes PHI on your end.

Photo and testimonial use

  • Before/after photos: require explicit written authorization from the patient, scoped to the use (your website, your social, your ads — each one named).
  • Patient testimonials: require written authorization. Some specialty boards (cosmetic surgery is the strictest) have additional disclosure requirements about typical results.
  • Staff and facility photos: no PHI issues, but get written model releases from staff for marketing use.

Claims rules and FTC

Health-related claims must be substantiated. Avoid ‘cures,’ ‘guaranteed,’ and any specific outcome promise unless you have peer-reviewed evidence behind it. The FTC enforces this; state medical and dental boards add their own ad rules on top, and they vary state to state.
