What HIPAA, LegitScript, and the FTC Actually Require From Your Treatment Center Website

HIPAA (45 CFR Parts 160 and 164) applies to your website the moment it collects, transmits, or stores protected health information. This means your contact forms, insurance verification tools, live chat features, and appointment schedulers all fall under HIPAA's security and privacy rules.

Specific website requirements include:

• SSL/TLS encryption for all pages handling PHI (the padlock icon in browsers)
• Business Associate Agreements with any third-party service touching patient data — including form builders, chat providers, CRM systems, and analytics platforms
• Access controls limiting who can view submitted patient information
• Audit trails documenting who accessed what data and when

The testimonial question trips up many treatment centers. Patient success stories are powerful marketing tools, but they require careful handling. You need written authorization specifically permitting use of the testimonial — general treatment consent forms don't cover marketing use. The authorization must describe how and where the testimonial will appear.

What many centers miss: Even if a patient volunteers their story publicly, you cannot republish it without proper authorization. Screenshots of Facebook posts or Google reviews require the same authorization process as filmed testimonials.

This is educational content, not legal advice. Consult a healthcare compliance attorney for guidance specific to your situation.

42 CFR Part 2 provides federal protections for substance use disorder patient records that exceed standard HIPAA requirements. If your facility receives federal funding (including Medicaid or Medicare) or operates under federal authority, these rules apply to your digital marketing activities.

Key differences from standard HIPAA:

• Patient consent must be specific about each disclosure — blanket authorizations are invalid
• Even acknowledging someone is a patient at your facility requires consent
• Re-disclosure is prohibited without fresh patient consent
• Consent forms have specific required elements beyond HIPAA authorization

For your website, this means referral partnerships and alumni programs require particular attention. Publishing alumni testimonials, featuring former patients in videos, or even listing them in a recovery community forum can violate Part 2 if consent wasn't obtained using compliant authorization forms.

The digital marketing implication: Retargeting pixels that track visitors from your treatment pages may create records identifying potential substance abuse patients. While enforcement guidance is evolving, many compliance officers recommend excluding treatment-specific pages from remarketing audiences or using consent-based tracking only.

In our experience, the safest approach treats any identifiable connection between a person and your substance abuse services as requiring Part 2-compliant authorization before any marketing use.

Verify current regulations with your compliance officer or healthcare attorney, as enforcement interpretations continue to develop.

Google requires LegitScript certification for any advertiser promoting addiction treatment services. Without certification, your ads will be disapproved regardless of how compliant your landing pages are. This policy has been in effect since September 2018.

LegitScript evaluates:

• State licensing and accreditation status for all advertised locations
• Website content accuracy and absence of misleading claims
• Compliance with advertising regulations including FTC guidelines
• Ownership transparency and business legitimacy
• Patient safety protocols and clinical standards

The certification process typically takes 2-4 weeks for straightforward applications, though facilities with multiple locations or complex ownership structures may require longer review periods. Annual renewal is required, and LegitScript conducts ongoing monitoring — certification can be revoked for violations discovered after approval.

Common certification obstacles:

• Outcome claims without clinical evidence ("90% success rate")
• Testimonials that make treatment outcome promises
• Missing or incomplete licensing information on the website
• Insurance verification forms that collect excessive PHI
• Lead generation relationships with uncertified entities

Many treatment centers discover compliance issues during the LegitScript application process that would have created regulatory exposure regardless. The certification requirement, while adding a barrier to Google Ads, often surfaces website problems worth fixing for reasons beyond advertising access.

The FTC's Health Products Compliance Guidance applies directly to addiction treatment marketing. The core principle: any claim about treatment outcomes must be truthful, not misleading, and substantiated by competent scientific evidence.

Claims that typically violate FTC guidelines:

• Specific success percentages without peer-reviewed clinical data ("85% of our patients achieve lasting sobriety")
• designed to outcomes ("You will recover")
• Superiority claims without head-to-head comparative evidence ("The most effective treatment in the state")
• Testimonials presented as typical results when they're exceptional

How to discuss outcomes compliantly:

• Focus on the treatment process rather than promising results
• Describe your clinical approach, staff qualifications, and evidence-based modalities
• If citing statistics, reference published research with proper attribution
• Include clear disclosures that individual results vary significantly

The FTC has specifically targeted addiction treatment marketing in recent enforcement actions. In 2020, the agency issued warning letters to multiple treatment centers making unsubstantiated COVID-19 treatment claims, signaling active monitoring of the sector.

For testimonials specifically: The FTC requires disclosures when results aren't typical. A former patient's success story must include language like "Results vary. Addiction treatment outcomes depend on many individual factors." This disclosure must be clear and conspicuous — not buried in fine print.

This overview covers federal FTC requirements. Your state attorney general may enforce additional consumer protection rules.

Federal compliance is the floor, not the ceiling. Several states have enacted treatment advertising regulations that exceed federal requirements — and violations can result in licensing consequences beyond FTC fines.

Florida's Patient Brokering Act (s. 817.505) prohibits paying for patient referrals. For digital marketing, this affects:

• Affiliate marketing arrangements where payment is per-admission
• "Call center" lead generation with per-patient fees
• Some influencer marketing structures where compensation ties to admissions

California's regulations through the Department of Health Care Services require:

• Specific licensing information displayed on all marketing materials
• Clear disclosure of facility locations and services offered at each
• Restrictions on using terms like "recovery" in facility names without meeting certain criteria

Other states with notable requirements:

• Arizona requires prior approval for certain advertising claims
• Massachusetts restricts marketing to individuals in emergency rooms
• New Jersey has specific rules about alumni testimonials and aftercare marketing

Multi-state treatment networks face the challenge of creating compliant content for their most restrictive jurisdiction while maintaining marketing effectiveness. In our experience, building a compliance review process into content creation prevents costly retroactive changes.

State regulations change frequently. We recommend quarterly reviews with your compliance team to catch regulatory updates before they affect your marketing materials.

Consult with an attorney licensed in each state where you operate or advertise for specific compliance guidance.

Knowing the rules matters less than having a process to apply them consistently. Here's a framework treatment centers can use when evaluating website content and marketing materials.

Before publishing any content, ask:

1. Does this content collect or display protected health information? → If yes, verify HIPAA/Part 2 compliance and proper authorizations
2. Does this make claims about treatment outcomes or success rates? → If yes, verify substantiation meets FTC standards
3. Does this feature a current or former patient? → If yes, verify written authorization using compliant consent forms
4. Will this be used in paid advertising? → If yes, verify LegitScript certification status and platform policies
5. Does this comply with the most restrictive state where we operate? → If uncertain, get legal review

Red flags that require immediate review:

• Percentage claims about outcomes ("90% success rate")
• Guarantees or promises ("You will recover," "designed to results")
• Before/after framing that implies certain outcomes
• Patient photos or videos without documented authorization
• Lead forms requesting detailed health information

Building compliance into your workflow:

Create a simple checklist for content creators. Before any page goes live, require sign-off confirming each compliance checkpoint was reviewed. Document these approvals — they demonstrate good-faith compliance efforts if questions arise later.

Treatment centers that build compliance review into their standard content process rarely face the scramble of retroactive fixes that plague facilities treating compliance as an afterthought.