What HIPAA, LegitScript, and FTC Actually Require from Your Rehab Center Website

HIPAA's Privacy and Security Rules apply the moment your website collects any information that could identify a patient. For rehab centers, this typically includes contact forms, insurance verification tools, live chat features, and appointment scheduling systems.

What triggers HIPAA on your website:

• Contact forms asking for name, phone, email, or insurance information
• Live chat or chatbot conversations discussing treatment needs
• Online intake or assessment questionnaires
• Patient portal login areas
• Email communications about treatment options

The key requirement is implementing appropriate safeguards. Forms must transmit data over encrypted connections (HTTPS with TLS). Any third-party tools—chat widgets, form processors, analytics platforms—that might access patient information require Business Associate Agreements (BAAs).

Common HIPAA gaps we see on rehab websites:

• Contact forms sending data to non-HIPAA-compliant email services
• Chat widgets from vendors without BAA availability
• Insurance verification tools storing data on unsecured servers
• Analytics tracking that captures form field data

Note that 42 CFR Part 2 adds another layer specifically for substance use disorder treatment records. These regulations are stricter than standard HIPAA in some areas, particularly around consent for disclosure. If your website collects any treatment-related information, both frameworks likely apply.

This is educational content, not legal advice. Consult a healthcare compliance attorney for your specific situation.

Google requires LegitScript certification for any addiction treatment facility wanting to run Google Ads. Without certification, your ads won't be approved—regardless of how compliant your actual facility operations are.

What LegitScript evaluates:

• Valid state licensing for each facility location
• Accreditation status (CARF, Joint Commission, or state equivalent)
• Compliance with applicable advertising regulations
• Website content accuracy and truthfulness
• Patient brokering policies (no illegal referral arrangements)

The certification process typically involves submitting documentation, undergoing website review, and potentially making changes before approval. LegitScript also conducts ongoing monitoring, so maintaining certification requires sustained compliance.

Why LegitScript matters beyond Google Ads:

Facebook and Microsoft Advertising have similar requirements. Some referral networks and directories also use LegitScript status as a trust signal. Losing certification doesn't just shut off paid advertising—it can affect multiple marketing channels simultaneously.

Common certification obstacles:

• Testimonials making specific outcome claims
• Missing or expired state licenses displayed on website
• Language suggesting designed to results or "cures"
• Unclear pricing or insurance acceptance information

The certification fee varies by facility type and size. Budget for both initial certification and annual renewal costs in your marketing planning.

The Federal Trade Commission's truth-in-advertising rules apply to all businesses, but addiction treatment centers face heightened scrutiny given the vulnerable population served and history of misleading practices in the industry.

Testimonial requirements under FTC guidelines:

• Testimonials must reflect honest opinions of real patients (with proper consent)
• Results described must be typical, or you must clearly disclose that they aren't
• Material connections must be disclosed (e.g., if the person received discounted treatment)
• You cannot use testimonials to make claims you couldn't make directly

What this means practically:

A testimonial saying "This program saved my life and I've been sober for 5 years" may be genuine, but if most patients don't achieve 5-year sobriety, you need a disclaimer stating results aren't typical. Vague success rate claims like "90% success rate" require substantiation—and the FTC's standard for substantiation is rigorous.

Outcomes claims that create risk:

• Specific success or completion percentages without methodology disclosure
• Comparisons to other facilities without head-to-head data
• Implied guarantees ("You will recover" vs. "Our program supports your recovery")
• Before/after narratives that suggest designed to transformation

The safest approach: focus testimonials on the experience and support received rather than specific outcomes. "The staff genuinely cared about my progress" creates far less regulatory risk than "I'm completely cured."

This is general guidance, not legal advice. Consult an advertising attorney familiar with healthcare marketing.

Federal regulations set the floor, but many states have enacted additional restrictions specifically targeting addiction treatment advertising. If you operate in multiple states or accept out-of-state patients, you may need to comply with several overlapping frameworks.

Florida (HB 807 and related regulations):

Florida cracked down on deceptive treatment marketing following the "Florida Shuffle" scandals. Key restrictions include prohibitions on patient brokering, limitations on certain marketing practices, and requirements for transparent pricing disclosure. The state actively investigates and penalizes violations.

California (DHCS regulations):

California's Department of Health Care Services regulates licensed treatment facilities with specific advertising requirements. These include accurate representation of services, licensing status disclosure, and restrictions on certain claims. DHCS also coordinates with the state attorney general on enforcement.

Other states with notable requirements:

• New Jersey has patient brokering prohibitions similar to Florida
• Pennsylvania requires specific disclosures in treatment advertising
• Several states mandate licensing numbers be displayed in advertising

Multi-state compliance strategy:

If you accept patients from multiple states, the conservative approach is complying with the strictest applicable standard. Website content reaches everywhere, so you can't easily geo-target compliance. Most facilities find that meeting Florida and California standards positions them well for other states.

State regulations change frequently. Verify current requirements with your state licensing authority and legal counsel.

Understanding what triggers regulatory attention helps prioritize compliance efforts. Based on enforcement patterns and industry experience, certain issues draw more scrutiny than others.

High-risk scenarios that frequently trigger action:

• Unsubstantiated success claims: Publishing specific percentages ("85% success rate") without rigorous methodology invites FTC inquiry
• Patient data exposure: A form submission going to an unsecured email, even once, can constitute a HIPAA breach
• Testimonials with outcome guarantees: Patient stories implying designed to recovery attract both FTC and state regulator attention
• Lead generation arrangements: Paying for patient leads in ways that constitute brokering violates multiple state laws
• Operating without proper licenses displayed: Both LegitScript and state regulators check for current licensing

How enforcement typically begins:

Competitors filing complaints, patients or families reporting concerns, routine LegitScript monitoring flagging website changes, or state regulators conducting industry sweeps. The substance abuse treatment industry remains under elevated scrutiny given past abuses.

Consequences of non-compliance:

• Google Ads account suspension (often with limited appeal options)
• LegitScript certification revocation
• State licensing board investigation
• FTC consent orders requiring corrective advertising
• Civil penalties ranging from thousands to millions depending on violation scope
• Reputational damage that undermines patient trust

The facilities that avoid these outcomes build compliance into their marketing process from the start rather than retrofitting after problems emerge.

Use this framework to evaluate your current website compliance status. This is a starting point for assessment, not a substitute for professional compliance review.

HIPAA and data security:

• All pages use HTTPS with current TLS certificate
• Forms transmit to HIPAA-compliant systems with BAAs in place
• Chat and communication tools have BAAs or don't collect PHI
• Analytics configured to avoid capturing form field data
• Privacy policy accurately describes data handling practices

LegitScript readiness:

• Current state licenses displayed for each facility location
• Accreditation status accurately represented
• No language suggesting designed to outcomes or cures
• Clear disclosure of services offered and accepted insurance
• No patient brokering arrangements or suspicious referral patterns

FTC testimonial compliance:

• All testimonials from real patients with documented consent
• Atypical results include clear disclaimers
• No specific success percentages without methodology disclosure
• Material connections disclosed where applicable

State-specific requirements:

• Licensing numbers displayed as required by applicable states
• Pricing/insurance information meets disclosure requirements
• No prohibited marketing arrangements
• Content complies with strictest applicable state standard

For a detailed implementation checklist, see our SEO checklist for addiction treatment centers. For facilities needing expert guidance, explore our compliant SEO services for addiction treatment centers.