Online Dental Marketing: Staying HIPAA Compliant in 2023

Adrian Lefler, October 17, 2022
Staying HIPAA compliant requires knowledge of HIPAA
regulations and changes or updates to the Privacy Rule. Adrian
Lefler of My Social Practice shares some of the common digital
marketing strategies for dental practices and how they should be
evaluated for HIPAA compliance.
Most dental practices are actively engaged in some strategy of digital
marketing. It could be sending out patient emails, writing blog posts, website
SEO, social media marketing or paid advertising.
The HIPAA Privacy Rule states that patients have specific controls over
whether their protected health information (PHI) is used for marketing
purposes. Most forms of dental digital marketing come in contact with
ePHI (electronic protected health information) and should be evaluated for
HIPAA compliance.
This post will discuss some of the common digital marketing strategies and
how they should be evaluated for dental HIPAA compliance.
HIPAA-compliant dental websites
HIPAA compliance in dental website design is only required if the website
collects, stores or transmits PHI. If your website only provides service-related
content, directions, dental biographies and contact information, then there is
no need for HIPAA compliance.
But, most websites have intake forms, patient photography, reviews, live chat,
email subscriptions, online payments, patient portals and online scheduling. If
your website has any of this content or functionality, it falls under the HIPAA
Privacy Rule.
To be safe, you should contact your dental website company and find out the

  1. Do you have a business associate agreement (BAA) from your dental
    website company?
  2. Do you have sub-BAAs from third-party integration companies that
    collect, store or transmit ePHI? For example, online patient forms,
    scheduling, payments, etc.
  3. Are your website forms compliant? HIPAA has specific encryption
    requirements for ePHI being submitted through a patient form. In my
    experience most forms are not compliant.
  4. Is any ePHI stored with your website hosting company? If so, your
    hosting company must capture, transmit and store ePHI with the HIPAA
    encryption requirements mentioned above. And, you should get a BAA.
  5. Does your website have prominently placed HIPAA Notice of Privacy
    Practices? And has a HIPAA attorney reviewed the notice for
  6. Is your website secure sockets layer (SSL) encrypted?
  7. Are your email servers encrypted?
For more detailed instructions, I recently wrote a HIPAA compliant dental
website guide that should help you out.
But if you can check the boxes above you’re in pretty good shape. There are
additional tasks associated with HIPAA compliance, but regarding your
website being HIPAA compliant, this list is a great start.
HIPAA compliance with patient photography
Patient photos that are identifiable in any way are considered PHI. Identifiable
PHI could be a patient in the background of a photo, a name or initials, or
identifiable birthmarks and tattoos.
Patient photography used internally for training and documentation does not
require HIPAA consent. But, if the photo is used externally for educational
purposes, i.e., at a seminar, a conference, or being sent to another medical
professional, you must get a signed HIPAA consent form from the patient.
An often-overlooked violation with patient photography is storage. The
camera on your cell phone is not encrypted. ePHI must be stored with an
encryption standard such as AES 256. If you take a photo using your cell phone
camera and then leave the office with the photo saved on your phone, you
violate HIPAA.
The solutions are the following:
  1. Get a signed HIPAA consent form with all patient photos.
  2. Take photos using a device that never leaves the office and is
  3. Download a HIPAA-compliant photo app with approved encryption
If you’d like to go with option three we’ve developed a HIPAA photo app as
part of our social media marketing services.
HIPAA-compliant social media marketing
Posting identifiable patient information to your social media accounts
requires written authorization from the patient for that specific photo.
Some dental practices have sped up the patient photo authorization process
with a single universal form. Usually this is a form that is included in the
materials that a new patient signs when they come to their first appointment
and allows the practice to use any photography for marketing purposes.
Many dentists feel that this ‘universal form’ checks off the HIPAA compliance
box, but it’s important to remember that the patient is the one who brings a
If a patient doesn’t remember signing the form giving explicit authorization for
a social media post with their PHI, you have to ask yourself, “Have you really
checked the box?”
The best and safest action is to get a signed consent form for each photo you
post to your social media accounts.
HIPAA-compliant reputation management
Responding to online patient reviews is one of the most complicated areas of
HIPAA compliance. The HIPAA Privacy Act was enacted in 1996, waaaaaaay
before social media and online reviews.
The internet has taken over, and some of the laws in the HIPAA act seem out
of fashion. For example, a patient gives your practice a Google review and
mentions that they received an implant. According to HIPAA, you are not
allowed to acknowledge that they are a patient. Well, it’s not like they’re not
your patient; they admitted it. Still, you’re not allowed to acknowledge it.
The best course of action is to respond to reviews with vagueness.
Patient Review: A huge thank you to Dr. So & So. I’ve been coming to ABC
Dental for more than ten years. They’ve not only been amazing with me, but my
husband just had a full mouth reconstruction surgery and is doing great. We
highly recommend Dr. So & So.
Non-Compliant Response: Thank you so much for being a valued patient of our
practice. We’re so glad that you enjoyed your experience. Your husband is one of
our favorite patients. We look forward to seeing you again.
Compliant Response: We are dedicated to delivering the highest oral health
care possible. We love to hear about positive and successful experiences. Thank
you for the review.
Responding to reviews shows that you care. Just make sure not to
acknowledge that the person reviewing is a patient of your practice.
If you want to use the review in your marketing then you must get a signed
HIPAA consent form from the patient.
HIPAA-compliant email marketing
Sending PHI via email does not violate HIPAA. The OCR (Office for Civil Rights)
says that if a patient wants their PHI sent to them via email, then the Covered
Entities and Business Associates must comply.
The OCR also states that a Covered Entity and Business Associates should
take ‘reasonable steps’ to ensure that the patient understands the risks of
sending PHI via email.
A dental practice wanting to stay compliant should do the following to ensure
they are crossing their T’s and dotting their I’s.
  1. Ensure that the server containing the emails is encrypted.
  2. Ensure that there is end-to-end encryption in the sending of emails.
Suppose a patient requests PHI via an unsecured email process. In that case,
the patient must authorize verbally or in writing that they understand the risks
associated with sending PHI via an unsecured method.
Staying HIPAA compliant requires knowledge of HIPAA regulations and
changes or updates to the Privacy Rule. You should always consult with your
HIPAA attorney. This post is for educational purposes only and does not
constitute legal advice.
This was posted on “Off the Cusp”, Patterson Dental, 10/19/2022
