Sharing or using PHI for marketing without written authorization. Example: posting a client story that reveals they’re in treatment (even if first name only). HHS.gov+1 

Vendors without a BAA when they might handle PHI (forms, email/SMS, chat, EHR, hosting/CDN, analytics). No BAA = non-compliant. HHS.gov 

Tracking pixels that transmit PHI (e.g., on intake/appointment pages or condition-specific pages) to platforms like Meta or Google. HHS.gov 

Review replies that confirm someone is/was a patient or include any identifying details. Keep responses generic and process-oriented. Bass, Berry & Sims PLC 

Misleading claims (“we cure anxiety in 4 weeks,” “#1 therapist in Tampa”). APA Standard 5 prohibits deceptive statements. American Psychological Association 

Improper testimonials (implying guaranteed outcomes, missing disclosures). Follow FTC Endorsement Guides. Federal Trade Commission 

Sensitive targeting/personalization in ads (targeting users based on health attributes or building remarketing audiences from mental-health intent). Platform policies restrict this. Google Help 

Educational, non-diagnostic content (e.g., “What to expect in your first session,” “How CBT can help work stress”). Provide credentials and cite reputable sources (YMYL/E-E-A-T best practices). 

Minimal-data conversions: offer “Free 15-minute consult” with only name + contact on the marketing form; route any PHI to your EHR/secure portal. HHS.gov 

Google Business Profile (GBP): choose accurate categories (“Psychotherapist,” “Mental health service”), add appointment link, list services, and post updates—while never confirming anyone’s patient status in replies. Bass, Berry & Sims PLC 

Directories that actually convert: Psychology Today, Alma/Headway, Zocdoc—use consistent NAP and UTM links to track performance. Federal Trade Commission 

BAAs across your stack: email, hosting, forms, analytics (if truly needed). Keep a vendor inventory and signed BAAs on file. HHS.gov 

Compliant analytics: if you cannot guarantee no PHI flows to third parties, remove trackers from high-risk pages or use HIPAA-capable solutions under a BAA. HHS.gov 

Do encourage general practice-level reviews where allowed by platform rules. 

Don’t respond in a way that confirms a treatment relationship. Use neutral language: “Thank you for the feedback. We welcome all comments and encourage anyone with concerns to contact our office directly.” Bass, Berry & Sims PLC 

Site essentials: clear services pages (e.g., Individual Therapy, Couples Therapy, Telehealth), credentials, license numbers, fees/insurance, and a crisis disclaimer (“Not for emergencies—call 988”). 

Local SEO: NAP in footer; schema for LocalBusiness/Therapist where applicable; fast hosting and Core Web Vitals. 

Content cadence: 2 quality posts/month answering common questions; include short FAQ answers for snippet/Answer-Engine visibility. 

Target intent, not identity: bids on “therapist near me,” “couples counseling [city],” “anxiety therapist [city].” 

Ad copy: service-oriented, credential-forward, no claims (“Licensed therapy in [City]. Evening & Telehealth availability. Book a free 15-minute consult.”). 

Sensitive-category guardrails: Avoid restricted health terms and personalized ads involving personal health content. Google Help+1 

Use broad geo/age targeting; avoid interests that imply health conditions or personal attributes. Meta disallows ads that assert or imply the viewer’s health status. Facebook+1 

Keep it supportive and informative—no before/after, no negative self-perception framing, no implied diagnosis or guarantees. Facebook 

Example: “Therapy in [City]. Compassionate, evidence-based care. In-person & telehealth. Learn more.” 

Choose Awareness or Reach objectives. 

Do not use Lead Ads or DM prompts if your goal is “no information collected.” 

Send clicks to a neutral page with minimal data capture (name + contact only) and a crisis disclaimer. 

Disable pixels on intake/appointment or condition-specific pages (or ensure no PHI is transmitted); document your decision. HHS.gov 

High-risk pages: intake forms, patient portal links, appointment booking, or condition-specific content. 

Actions: remove third-party pixels, or use a HIPAA-capable analytics vendor under a BAA; avoid passing sensitive parameters in URLs (e.g., ?reason=depression). Keep a written data-flow map and vendor list. HHS.gov 

Marketing forms: collect only name + email/phone. Route PHI to your EHR/secure portal. HHS.gov 

Email/SMS: if health info may be included, use vendors under a BAA and obtain patient consent for the communication method. HHS.gov 

GBP Messaging: consider turning it off to prevent clients from sending PHI through non-secure channels; if on, set an auto-reply that directs people to secure contact options. Bass, Berry & Sims PLC 

Lead with education and ethics. 

Keep PHI out of marketing systems. 

Sign BAAs, document vendors, and minimize tracking on high-risk pages. HHS.gov 

Use SEO + GBP + reputable directories for steady demand. Federal Trade Commission 

Run Google Search for non-sensitive intent and Meta Awareness for visibility, without collecting personal info. Google Help+1