
HIPAA Rules for Dental Social Media: Patient Photos and Review Responses (2026)

By Dolev Arama · Updated June 2026


A North Carolina dentist replied to a one-star Google review. Naming the patient in that reply cost the practice a $50,000 HIPAA penalty.

HIPAA does not ban dental practices from social media. It draws two lines: you need a patient's written authorization to post their photo or testimonial, and you cannot reveal that someone is your patient when you reply to a review. Get either wrong and a routine marketing task becomes a HIPAA disclosure. Here is what counts, and what OCR has fined.

Exhibit from the HHS Office for Civil Rights enforcement action against Igbinadolor D.M.D. and Associates: OCR found the North Carolina dental practice disclosed a patient's information in a public reply to an online review and imposed a $50,000 civil monetary penalty.
Source: U.S. Department of Health and Human Services, Office for Civil Rights. Civil monetary penalty against Igbinadolor D.M.D. and Associates (2022). Highlights added by Hipsana: the $50,000 penalty and the patient information disclosed in the practice's reply to the review.

Why this is the gap most practices miss

Posting before-and-after photos and replying to Google reviews are ordinary marketing for a modern practice. They are also two of the few HIPAA mistakes OCR has fined dental offices for by name, in public resolutions you can read on hhs.gov.

The reason practices slip is that "social media" feels like one topic with one rule ("get consent"). It is actually two different rules from two different parts of the Privacy Rule, and the second one surprises people. Replying to a bad review at all, in a way that confirms the person was your patient, is a disclosure of protected health information. You can break HIPAA without sharing a single clinical detail.

Social media's two HIPAA rules, not one

Rule 1: posting about a patient is marketing. Under 45 CFR 164.508, a covered practice needs a signed authorization before it uses a patient's PHI for marketing. A before-and-after photo or a named patient testimonial is marketing, and each one needs written authorization first. The Privacy Rule's narrow exceptions to that requirement (a treatment communication or a face-to-face conversation) do not cover a promotional post built around a patient. Routine treatment and billing never need authorization, but promoting your practice with a patient's image or words does.

Rule 2: responding to a review is a disclosure. Under 45 CFR 164.502(a), you may not disclose PHI except as the rule permits. The fact that a named individual is your patient is itself PHI. So when you reply "Thanks for being a valued patient, please call the office," you have confirmed publicly that the reviewer is your patient. Add any detail about their visit and the disclosure gets worse. This is the rule that catches dentists who are only trying to be polite or to defend their reputation.

What OCR has actually fined dental practices for

These are not hypotheticals. Three dental practices have paid OCR penalties for this exact behavior, and OCR has kept enforcing it:

Igbinadolor D.M.D. and Associates (North Carolina): $50,000 (2022). A patient posted a negative review on the practice's Google page under a pseudonym. The same day, the practice replied and named the patient three times, disclosing their symptoms and the recommended treatment. OCR imposed a $50,000 civil monetary penalty for an impermissible disclosure under 164.502(a). The practice made its position worse by ignoring OCR's data request and subpoena and not contesting the findings.

New Vision Dental (California): $23,000 (2022). The owner responded to negative Yelp reviews by posting patients' information. OCR's settlement required a $23,000 payment, a corrective action plan, two years of monitoring, and a public substitute notice of the disclosure.

Elite Dental Associates (Texas): $10,000 (2019). Responding to a patient's review, the practice posted her name, treatment plan details, and her insurance and cost information. OCR found the practice had done the same on other reviews and had no policy for releasing PHI on social media, with gaps in its Notice of Privacy Practices.

The pattern is identical across all three: a public reply, meant to set the record straight, that revealed a patient. OCR has fined this from $10,000 to $50,000, and the statutory penalties run far higher.


What can a dental practice post safely?

Almost anything that does not identify a patient is fine. General oral-health tips, procedure explainers in the abstract, team introductions, office tours, new-equipment news, community events, and promotions are all clear of HIPAA, because none of them reveal who your patients are. The same content tied to "here's how we fixed Sarah's smile" is not safe, unless Sarah signed an authorization.

Safe to post (no authorization):
  • Oral-health tips and general procedure explainers
  • Team highlights, office tours, equipment news
  • Promotions, hours, community events
  • De-identified educational images (no identifiers)

Needs written authorization first:
  • Before-and-after photos of a patient
  • Patient testimonials (named or identifiable)
  • "Patient of the month" or case stories
  • Reposting a patient's own public testimonial about you

Never post (even with a casual "ok"):
  • A reply that names or confirms a reviewer is your patient
  • Clinical details about a specific person, publicly
  • Another patient's information to rebut a reviewer
  • PHI in comments, DMs, or "private" groups

How to respond to a negative review without breaking HIPAA

You can respond. You just cannot confirm the person is your patient or reference their care. A safe reply stays generic and steers the conversation offline, without ever acknowledging treatment.

1. Do not confirm they are a patient

Write a statement that would read the same to any visitor, for example: "We take all feedback seriously and follow strict patient-privacy laws that limit what we can discuss publicly."

2. Move it offline

Invite the person to call the office or email a named contact so a manager can help. Offline, once you have confirmed who they are, you can speak freely.

3. Never correct the record with PHI

Resist the urge to explain "you actually missed two appointments" or "your insurance denied the claim." That is the exact move that cost Igbinadolor $50,000.

4. Apply one policy to every review

Use the same template for good and bad reviews, so a generic reply never reads as an admission. Write the policy down so whoever manages the accounts follows it.

5. Consider not replying at all

A no-reply approach is always HIPAA-safe. Offline outreach often resolves more than a public reply does.

What does a compliant photo authorization need?

A valid HIPAA authorization (164.508) is a signed document, not a verbal yes and not a line buried in your intake paperwork. At a minimum it names the patient, describes exactly what will be shared (for example, intraoral before-and-after photos), says where and how long it will be used (your Instagram and website) and who may see it, and tells the patient they can revoke it in writing. It is signed and dated. The ADA publishes sample authorization forms in its HIPAA compliance manual. Keep the signed form on file. If OCR ever asks, "we had verbal permission" is not a defense.

For a photo of a child patient, the authorization has to come from the parent or guardian who is the child's personal representative under HIPAA.

"Anonymized" is not a magic word. HHS's de-identification standard treats a full-face photograph as one of the 18 identifiers that must be removed. An image counts as de-identified only once every identifier is gone and you have no reason to think the person could still be recognized. Cropping a face helps, but a distinctive smile, a caption, your account, or the photo's hidden metadata can still point to one patient. The safe default for any patient-specific image is a signed authorization.
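The "hidden metadata" point above is the one piece of this that a practice can check mechanically before an image leaves the office. The following is an added example, not Hipsana's code or tooling: it walks the marker segments of a JPEG file, reports the segments that carry metadata rather than pixels (APP1 Exif/XMP, APP13 IPTC, COM comments), and writes a copy with those segments removed. It uses only the Python standard library, and the JPEG it inspects is a constructed byte string standing in for a real photo, with a made-up chart reference in its Exif block.

```python
# Added example (not Hipsana's code): find and strip JPEG metadata segments
# before a patient-specific image is posted. Standard library only.
# The sample JPEG below is constructed for the demo, not a real photograph.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Marker segments that carry metadata (where camera, date, comments and
# editing-software tags live) rather than image data.
METADATA_MARKERS = {
    0xE1: "APP1 (Exif/XMP)",
    0xED: "APP13 (IPTC/Photoshop)",
    0xFE: "COM (comment)",
}


def iter_segments(data: bytes):
    """Yield (marker, offset, segment_bytes) for each marker segment.

    Parsing stops at SOS: from there to EOI is entropy-coded image data,
    which is yielded as one chunk so callers can copy it verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, data[pos:]
            return
        if marker == EOI:
            yield marker, pos, data[pos:pos + 2]
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        # The 16-bit length counts itself but not the two marker bytes.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos:pos + 2 + length]
        if len(seg) != 2 + length:
            raise ValueError("truncated segment body")
        yield marker, pos, seg
        pos += 2 + length


def find_metadata(data: bytes) -> list:
    """Describe every metadata segment present, so a reviewer can see what
    would have shipped with the photo."""
    found = []
    for marker, offset, seg in iter_segments(data):
        if marker in METADATA_MARKERS:
            found.append(f"{METADATA_MARKERS[marker]} at offset {offset}, {len(seg)} bytes")
    return found


def strip_metadata(data: bytes) -> bytes:
    """Return a copy with metadata segments dropped; pixel data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, _offset, seg in iter_segments(data):
        if marker in METADATA_MARKERS:
            continue
        out += seg
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed stand-in for a photo: SOI, an APP1 Exif segment holding a
    made-up chart reference, a COM comment, a dummy DQT, a minimal SOS with
    a few bytes of scan data, and EOI. Not a decodable image."""
    exif_payload = b"Exif\x00\x00" + b"chart ref PT-00000 (constructed)"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    comment = b"upper molar case, constructed comment"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    dqt_payload = b"\x00" + bytes(64)  # table id 0, 64 placeholder entries
    dqt = b"\xff\xdb" + struct.pack(">H", len(dqt_payload) + 2) + dqt_payload
    # SOS header for one component: Ns=1, id=1, tables=0, Ss=0, Se=63, Ah/Al=0
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    return b"\xff\xd8" + app1 + com + dqt + sos + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg()
    for line in find_metadata(original):
        print("found:", line)
    cleaned = strip_metadata(original)
    print("after stripping:", find_metadata(cleaned) or "no metadata segments")
```

Run on a real export, this reports what a phone or editing tool left behind and produces the copy to upload. It addresses only the metadata item in the paragraph above: the face, the caption, and the account the image is posted from are untouched, so a stripped file is not a de-identified one, and the signed authorization remains the default for any patient-specific image.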

The catch: edge cases that trip practices up

A patient's chart in the background. The most common slip is not a testimonial at all. It is a team photo or an office reel with a screen or a chart visible behind everyone. If a patient's information is readable in the frame, posting it is a disclosure, the same as naming them.

Staff personal accounts. A hygienist posting "crazy case today" from their own phone is still your exposure if it reveals a patient. Your social-media policy has to cover personal accounts, not only the practice page.

Your social-media manager may be a business associate. If you hand patient information to an outside marketing or social-media agency (to pull a testimonial, say), that vendor is handling PHI on your behalf and generally needs a signed business associate agreement. Posting non-patient content does not trigger this; handling PHI does.

The patient who shares first. If a patient publicly posts their own before-and-after or tags your office, that is their disclosure, not yours. But the moment you repost or add your own detail, it becomes your disclosure. Resharing for marketing still needs authorization.

Deleting is not undoing. Removing a non-compliant post lowers ongoing exposure, but it does not undo a disclosure that already happened. Under 45 CFR 164.402, any impermissible disclosure of unsecured PHI is presumed to be a reportable breach unless you document a risk assessment showing a low probability that the information was compromised, which is hard to show for something posted in public. A public slip can carry breach-notification duties even after the post is gone.

State law can be stricter. HIPAA is the federal floor. Several states add tighter rules on patient images and dental records. Where your state is stricter, follow the stricter rule.

What to do this week

Two moves cover most of the risk. First, write or update a one-page social-media policy that names the two rules above and applies to personal accounts, the same way you would set a policy for staff handling patient data. Second, switch your review replies to a single generic template starting today, before the next one-star review tempts a detailed rebuttal.

If you are not sure where your current gaps are, the free HIPAA Scorecard checks your practice against the controls OCR actually enforces, including the marketing and disclosure points behind every case above. It takes a few minutes and ends with a short, no-pressure expert review. Check my practice →

This is general information about HIPAA and social media, not legal advice. Your own situation, and any stricter rules in your state, decide what applies to your specific practice.

About the author

Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. If a line can't be sourced, it doesn't run. More about Hipsana →

Sources

  • HHS Office for Civil Rights, Notice of Proposed Determination, U. Phillip Igbinadolor, D.M.D. & Associates, P.A., OCR Transaction No. 16-225168 (October 2020; $50,000 civil monetary penalty announced 2022).
  • HHS Office for Civil Rights, Resolution Agreement and Corrective Action Plan, New Vision Dental (2022).
  • HHS Office for Civil Rights, Resolution Agreement and Corrective Action Plan, Elite Dental Associates (2019).
  • HHS Office for Civil Rights, “Guidance Regarding Methods for De-identification of Protected Health Information” (the 18 identifiers and the de-identification standard; accessed June 2026).
  • American Dental Association, sample HIPAA patient authorization forms (HIPAA compliance manual; accessed June 2026).
  • 45 CFR § 164.508 (uses and disclosures for which an authorization is required, including marketing); § 164.502(a) (general rules for uses and disclosures); § 164.514(b) (de-identification); § 164.402 (breach definition and presumption); § 160.203 (preemption) (eCFR, current).

Frequently asked questions

Can I respond to a Google or Yelp review as a dentist?

Yes, but only with a generic statement that does not confirm the reviewer is your patient or mention their care. Naming them or referencing treatment is an impermissible disclosure, which is what led to OCR's $50,000 penalty against a North Carolina practice.

Do I need consent to post before-and-after photos?

Yes. Patient photos used to promote your practice are marketing under HIPAA, so you need a signed authorization (45 CFR 164.508) before posting. A verbal yes is not sufficient.

Can I ask a patient to take down a negative review?

You can ask, and you can reply, but two limits apply. You cannot reveal any of their health information while doing it, and you cannot make their care conditional on removing the review or retaliate if they keep it. The safe path is a generic public reply plus a private, offline invitation to make it right. Pressuring a patient by airing details of their treatment is exactly what OCR penalizes.

Can I repost a testimonial the patient wrote themselves?

A patient sharing their own experience is their choice. But the moment you republish it on your channels to attract patients, you are using their PHI for marketing and need a signed authorization.

Is it okay if the photo does not show the patient's face?

Lower risk, but not automatically safe. A full-face image is a HIPAA identifier, and even a cropped one can still identify a patient through its caption or your account. For any patient-specific image, get written authorization.

Can my staff post about patients from their personal accounts?

No. The same rules apply, and it is still your practice's liability. Your staff data-handling policy should explicitly cover personal devices and accounts.

What if we already posted something we should not have?

Take it down and document what happened. Then run the breach risk assessment to see whether notification is required. Then fix the policy so it does not happen again.