
HIPAA-Compliant Marketing for Therapists: 2026 Guide

By Hasnat Azam

What HIPAA means for therapist marketing. What you can and cannot do. How to build a compliant marketing stack. What Rewokers does to keep NJ practices compliant and growing.

May 2, 2026 · 11 min read

Updated May 2026 — Current strategies and data for New Jersey healthcare providers.

Why HIPAA and Marketing Collide — and What Therapists Need to Know

HIPAA compliance is something most therapists think about in the context of their clinical records — their EHR, their release forms, their case notes. But HIPAA's reach extends into your marketing in ways that are less obvious and increasingly enforced.

In December 2022 the HHS Office for Civil Rights published guidance on the use of online tracking technologies by HIPAA regulated entities, updated in March 2024, that squarely addresses analytics scripts and advertising pixels on provider websites and apps. A federal court vacated part of the 2024 version in June 2024 (the portion treating a visit to an unauthenticated page as PHI on its own), but the core position survived: when a visitor identifies themselves, logs in, or enters information about their condition, data flowing to an analytics or advertising vendor that has no BAA is a disclosure of PHI. OCR has separately settled with providers whose replies to online reviews disclosed patient information, and regulators have pursued healthcare organizations, including mental health providers, over tracking and data-sharing practices those organizations had treated as standard.

This guide explains what HIPAA actually means for your marketing as a therapist in New Jersey, what you can and cannot do, and how to build a marketing program that grows your practice without creating compliance exposure.

What HIPAA Actually Means for Your Marketing

HIPAA's Privacy Rule and Security Rule govern how a covered entity, and any business associate working on its behalf, uses, discloses and protects Protected Health Information (PHI). PHI is individually identifiable information held by a covered entity that relates to a person's past, present or future health condition, the care they receive, or payment for that care. The fact that someone is your patient is itself PHI.

In a marketing context, PHI can appear in unexpected ways. A patient submitting a contact form on your website with their name, phone number, and a description of what brings them in is submitting PHI — and how your website handles that data matters under HIPAA. A patient leaving a Google review that mentions your practice and their diagnosis creates a situation where your response must be carefully worded to avoid confirming that they are your patient.

The requirement that trips up most therapists: you cannot use or disclose PHI for marketing without the patient's written authorization. HIPAA defines marketing as a communication about a product or service that encourages the recipient to purchase or use it, with narrow exceptions (communications about the patient's own treatment, face-to-face communications, promotional gifts of nominal value). That definition is broader than most practitioners realize, and even communications that fall outside it, such as a practice newsletter, still require that any vendor handling your patient list sign a BAA.

What You CAN Market as a Therapist

Despite the constraints, HIPAA leaves enormous room for effective marketing. Everything below is permissible without patient authorization:

  • Your services, specialties, modalities, and clinical approach
  • Your credentials, training, and professional background
  • Educational content about mental health conditions and treatment approaches
  • Your office environment, staff introductions, and practice culture
  • Testimonials — with specific, written HIPAA authorization from the patient
  • Your locations, hours, insurance, and fee structure
  • General information about what to expect in therapy
  • Blog posts, videos, and social content about mental health topics

You can run Google Ads, Facebook Ads, SEO campaigns, and email newsletters. You can have a highly effective marketing program that generates a consistent stream of new patient inquiries. The constraints are specific — not global.

Marketing Activities That Create HIPAA Risk

These are the most common places where therapist marketing crosses HIPAA lines — often unintentionally:

Unsecured contact forms: A form that emails each inquiry to your inbox is transmitting PHI the moment a prospective patient describes why they are reaching out, and the email leg is usually unencrypted end to end even when the website itself uses HTTPS. Standard contact form plugins on WordPress, Squarespace, and Wix behave this way unless specifically configured otherwise. Trace every leg of the form's data path: where the submission is stored, who gets notified and how, and whether a third-party processor sits in between.

Standard Google Analytics: In its default configuration Google Analytics collects the visitor's IP address, a persistent client identifier cookie, and page-level behavioral data. Combined with a visit to a page about a specific condition, or with a booking or intake step, that data can constitute PHI. Google does not sign a Business Associate Agreement for Google Analytics, so there is no compliant way to send it PHI.

Facebook and Meta pixel: Meta's advertising pixel, when placed on pages where users submit health information, can transmit that data to Meta without a BAA, a potential HIPAA violation. The default pixel sends page URLs and button-click metadata; with Advanced Matching enabled it also sends hashed names, emails, and phone numbers lifted from form fields. This is an area of active enforcement.

Responding to patient reviews: If a patient leaves a Google review, a reply that confirms they are your patient ("we enjoyed working with you", "thank you for trusting us with your care") is a disclosure of PHI, even if the reviewer named themselves and their diagnosis first. A compliant reply acknowledges the review without confirming the relationship, for example: "Thank you for taking the time to leave feedback. Anyone with questions about our practice is welcome to call us directly."

Patient testimonials without authorization: Using patient success stories, before-and-after framings, or quotes on your website or social media without specific written HIPAA authorization — separate from a general HIPAA release — is a violation.

Email marketing without a BAA: Mainstream email marketing platforms such as Mailchimp and Constant Contact do not sign BAAs. Uploading your patient list to one of them discloses who your patients are to a vendor with no BAA, regardless of how innocuous the newsletter content is, and sending any clinical communication through them is non-compliant.

Building a HIPAA-Compliant Marketing Stack

A compliant marketing stack for a NJ therapist uses covered tools or tools with signed BAAs at every point where patient data touches:

For contact forms: Use platforms that sign BAAs, such as IntakeQ, SimplePractice, or Therapy Brands, or a custom form on HIPAA-eligible hosting that stores submissions encrypted and notifies you without putting the submission content in the email. Avoid general-purpose form tools (WPForms, Gravity Forms, Google Forms, Typeform) for patient-facing inquiries unless every leg of the form's data path, including storage, notifications and any third-party processor, is covered by a BAA.

For analytics: Replace standard Google Analytics with privacy-first tools like Plausible Analytics or Fathom Analytics. Neither stores personally identifiable information or sets cookies that require a consent banner, and both give you the traffic and conversion data you need. Two caveats remain: never put identifiers in page URLs or event names (a booking confirmation URL that carries a name or email would still reach the analytics vendor), and confirm the vendor's current data handling yourself rather than relying on the "privacy-first" label.

For email marketing: Use platforms that will sign a BAA. Google Workspace and Microsoft 365 both offer one and cover transactional and one-to-one patient email; for bulk newsletters, use an email marketing platform that serves healthcare and signs a BAA. Confirm BAA status in writing before using any platform for patient communications.

For Google Ads and Facebook Ads: These platforms involve complex compliance considerations around pixels and audience targeting. In practice that means keeping conversion pixels off intake, booking and client-portal pages, leaving Advanced Matching disabled, never uploading a patient list as a custom audience, and enabling Meta's Limited Data Use. Work with an agency that has established healthcare-safe configurations for both platforms.

For your website overall: Ensure your hosting is HIPAA-eligible and that every vendor that can receive patient data has a signed BAA: your host, your contact form provider, your scheduling software, and any email or chat tool wired to those. A vendor that demonstrably never receives PHI (for example privacy-first analytics configured as above) does not need one, but that is a conclusion you should be able to defend with a written inventory of what each script on each page can see.
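Before trusting any vendor inventory, it helps to check what your pages actually load. The script below is an added example written for this guide, not code from Rewokers or from any of the vendors named above. It takes one page's HTML and reports the two exposure points discussed in the risk section: third-party tracking scripts (external tags and the inline fbq/gtag bootstrap calls) and forms that ask for health information or submit over an unencrypted path. The tracker host list and the field-name hints are assumptions for illustration, not a complete inventory, and the sample page is constructed.

```javascript
// Added example: static audit of one page's HTML for tracking scripts and
// risky intake forms. Run with: node audit.js
// Assumption: TRACKER_HOSTS and HEALTH_FIELD_HINTS are illustrative lists.

const TRACKER_HOSTS = new Set([
  "connect.facebook.net",        // Meta pixel loader
  "www.googletagmanager.com",    // GA4 / Google Tag Manager
  "www.google-analytics.com",    // Universal Analytics
  "googleads.g.doubleclick.net", // Google Ads remarketing
]);

// Field names suggesting the form asks what brings the visitor in (assumed).
const HEALTH_FIELD_HINTS = /reason|concern|symptom|diagnos|condition|message|describe/i;

function hostOf(src) {
  try {
    // A protocol-relative "//host/path" src resolves correctly against the base.
    return new URL(src, "https://site.invalid/").hostname;
  } catch {
    return "";
  }
}

// External <script src=...> tags whose host is a known tracker.
function findTrackerScripts(html) {
  const found = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = hostOf(m[1]);
    if (TRACKER_HOSTS.has(host)) found.push(host);
  }
  return found;
}

// The Meta pixel and Google tags are bootstrapped by inline calls to
// fbq('init', ...) and gtag('config', ...); catch those even with no src tag.
function findInlineTrackerCalls(html) {
  const calls = [];
  if (/\bfbq\s*\(\s*['"]init['"]/.test(html)) calls.push("fbq");
  if (/\bgtag\s*\(\s*['"]config['"]/.test(html)) calls.push("gtag");
  return calls;
}

// Each <form>: its action, its field names, whether it looks like an intake
// form, and whether it submits over an unencrypted path.
function findForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = actionMatch ? actionMatch[1] : "";
    const fields = [];
    const fieldRe = /<(?:input|textarea|select)\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
    let f;
    while ((f = fieldRe.exec(body)) !== null) fields.push(f[1]);
    forms.push({
      action,
      fields,
      collectsHealthInfo: fields.some((n) => HEALTH_FIELD_HINTS.test(n)),
      // mailto: hands the submission to the visitor's mail client in the clear;
      // an explicit http: action posts it without TLS.
      insecureSubmit: /^(mailto:|http:)/i.test(action),
    });
  }
  return forms;
}

function auditPage(html) {
  const trackers = findTrackerScripts(html);
  const inline = findInlineTrackerCalls(html);
  const forms = findForms(html);
  const hasTracking = trackers.length > 0 || inline.length > 0;
  const findings = [];
  for (const form of forms) {
    if (form.collectsHealthInfo && hasTracking) {
      findings.push(`tracking present on page with intake form (${form.fields.join(", ")})`);
    }
    if (form.insecureSubmit) {
      findings.push(`form submits over unencrypted path: ${form.action}`);
    }
  }
  return { trackers, inline, forms, findings };
}

// Constructed sample: a typical "contact us" page carrying GA4, the Meta pixel,
// and a form that asks what brings the visitor in. IDs are placeholders.
const SAMPLE_INTAKE_PAGE = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>gtag('config', 'G-EXAMPLE');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body>
<form action="mailto:intake@practice.example" method="post">
  <input name="name"><input name="phone">
  <textarea name="reason_for_visit"></textarea>
</form>
</body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_INTAKE_PAGE), null, 2));
```

Run it against the saved HTML of every page that has a form (`curl -s https://your-site/contact > contact.html` and pass the file contents to `auditPage`). Two findings on the sample page are the point: tracking on an intake page, and a form whose action is a mailto: link. A clean result here is not a BAA, but it is the inventory you need before you can claim one covers everything that sees patient data.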

What Rewokers Does Differently

Every marketing program Rewokers builds for NJ therapists and mental health practices is built with HIPAA compliance as a structural requirement, not a checkbox. Our approach:

We audit every vendor in your website stack before launch and confirm BAA coverage. We replace standard Google Analytics with privacy-first analytics on every healthcare client. We configure Meta's Limited Data Use settings and block pixels from any page that collects health information. We design review acquisition processes that encourage patient reviews through compliant channels without any disclosure of the patient relationship. We train our clients' teams on compliant social media response practices so you never inadvertently confirm a patient relationship in a public comment.

The result: our NJ therapy practice clients have full marketing visibility — they know their traffic, conversion rates, and lead sources — without the compliance exposure that comes from a standard marketing setup.

Frequently Asked HIPAA Marketing Questions

Can I post before-and-after content for therapy? No — this implies a patient relationship and treatment outcome without authorization. You can describe what a transformation looks like in general terms, but using identifiable patient stories or outcomes requires specific written HIPAA authorization.

Can I respond to negative reviews? Yes, but carefully. Acknowledge the reviewer's experience, thank them for their feedback, and invite them to contact you directly. Never confirm or deny the patient relationship, never reference any details of their treatment, and never disclose any information that would acknowledge they are your patient.

Do I need to disclose that I use Facebook Ads? No explicit disclosure is required, but you must configure your advertising setup to comply with HIPAA's requirements around PHI disclosure to third parties.

Can I ask patients to leave Google reviews? Yes, with care. You cannot incentivize reviews (this violates FTC guidelines and raises HIPAA issues). You can ask satisfied patients to share their experience if they feel comfortable. You cannot follow up with patients specifically about reviews in a way that uses your knowledge of their treatment relationship.

Compliance Is Not a Marketing Obstacle

The most important mindset shift for NJ therapists: HIPAA compliance is not in tension with effective marketing. It is a constraint that, once understood, shapes a cleaner and often more effective marketing program. Practices that run compliant marketing campaigns build more patient trust — because patients increasingly notice privacy signals in how providers manage their digital presence.

The therapy practices growing fastest in New Jersey in 2026 are not the ones cutting compliance corners. They are the ones who understand the rules well enough to build aggressive, effective marketing programs within them.

Hasnat Azam is the Founder & CEO of Rewokers Advertising, a healthcare marketing agency in Brick, NJ specializing in digital marketing for therapists and mental health practices.
