What HIPAA, LegitScript, and the FTC Actually Require from Your Treatment Center Website

The regulatory framework that separates compliant addiction treatment marketing from costly violations — explained without legal jargon.

Quick answer

What compliance requirements apply to drug rehab websites?

Drug rehab websites must comply with HIPAA for protecting patient health information, 42 CFR Part 2 for substance abuse record confidentiality, LegitScript certification for advertising on Google and Facebook, and FTC guidelines governing testimonials and outcome claims. Non-compliance risks fines, advertising bans, and license jeopardy. This is educational content — consult your compliance officer for facility-specific guidance.

Key Takeaways

  1. HIPAA applies to your website if it collects any information that could identify a patient seeking treatment
  2. 42 CFR Part 2 provides additional federal protections specifically for substance abuse treatment records
  3. LegitScript certification is required to run Google Ads or Facebook ads for addiction treatment services
  4. FTC requires clear disclosure when using patient testimonials and prohibits unsubstantiated outcome claims
  5. Contact forms, chat widgets, and insurance verification tools all create potential PHI exposure points
  6. State regulations often impose additional requirements beyond federal minimums
  7. Compliance violations can result in advertising bans, civil penalties, and state licensing actions

Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

The Four Regulatory Frameworks Governing Rehab Websites

Addiction treatment centers operate under overlapping federal and state regulations that directly impact how you can build, market, and operate your website. Understanding which rules apply — and where they intersect — is foundational to compliant digital marketing.

This content is educational and does not constitute legal advice. Consult qualified healthcare compliance counsel for your specific situation.

HIPAA: Health Insurance Portability and Accountability Act

HIPAA's Privacy Rule applies when your website collects Protected Health Information (PHI) — any information that could identify an individual seeking treatment. This includes contact forms, insurance verification tools, live chat, and even IP addresses combined with page visits indicating treatment interest.

42 CFR Part 2: Federal Substance Abuse Confidentiality Regulations

Part 2 provides additional protections specifically for substance use disorder treatment records. It restricts how patient-identifying information can be disclosed, even in situations where HIPAA might permit disclosure. The standards are stricter than general healthcare — a critical distinction many treatment centers miss.

LegitScript Certification

Google and Meta require LegitScript certification before treatment centers can advertise addiction services. This third-party certification verifies licensing, accreditation, and adherence to advertising standards. Without it, your paid media options are severely limited.

FTC Guidelines

The Federal Trade Commission regulates advertising claims, including testimonials, outcome statistics, and comparative statements. For addiction treatment — where outcomes are highly variable — FTC scrutiny is particularly relevant.

HIPAA PHI Handling on Treatment Center Websites

Your website becomes a HIPAA-covered touchpoint the moment it collects information that could identify someone seeking addiction treatment. Many centers underestimate how many website elements create this exposure.

Common PHI Collection Points

  • Contact forms requesting name, phone, email, and insurance information
  • Insurance verification widgets that collect policy details
  • Live chat services where prospective patients describe their situation
  • Callback request forms with any identifying information
  • Assessment quizzes that collect health-related responses

Technical Safeguards Required

If your website collects PHI, HIPAA requires administrative, physical, and technical safeguards. For websites, this typically means:

  • SSL/TLS encryption for all data transmission
  • Business Associate Agreements (BAAs) with any third-party service handling PHI — including form processors, chat providers, and CRM systems
  • Access controls limiting who can view submitted information
  • Audit trails documenting access to patient data

The BAA Requirement Often Missed

Many treatment centers use contact form plugins, chat widgets, or email marketing tools without confirming the vendor will sign a BAA. If a vendor won't sign a BAA, they cannot compliantly handle PHI — which means you need a different vendor or a different workflow. Verify BAA availability before integrating any tool that touches potential patient information.

42 CFR Part 2: The Stricter Standard for Substance Abuse Records

Part 2 applies specifically to federally-assisted substance use disorder treatment programs and imposes confidentiality requirements that exceed HIPAA in several ways. If your facility receives any federal funding — including Medicare or Medicaid reimbursement — Part 2 likely applies.

Key Differences from HIPAA

Under HIPAA, covered entities can disclose PHI for treatment, payment, and healthcare operations without explicit patient authorization. Part 2 is stricter: it generally requires written patient consent for most disclosures, including some that HIPAA would permit automatically.

Website Implications

The stricter consent requirements affect how you handle website-submitted information:

  • Information submitted through your website cannot be shared with third parties for marketing purposes without explicit consent
  • Retargeting pixels that could identify site visitors as treatment-seekers require careful compliance review
  • Insurance verification processes must be structured to comply with Part 2 disclosure limitations

Recent Rule Changes

Part 2 regulations were updated in 2024, aligning some provisions more closely with HIPAA while maintaining heightened protections against unauthorized disclosure. The rules continue to evolve — your compliance officer should monitor HHS guidance for current requirements.

Note: Part 2 compliance is complex and facility-specific. This overview identifies website-relevant issues but does not substitute for qualified compliance counsel familiar with your specific program structure.

LegitScript Certification: The Gateway to Paid Advertising

Since 2017, Google has required LegitScript certification for addiction treatment advertising. Meta followed with similar requirements. Without certification, you cannot run Google Ads or Facebook ads promoting treatment services — effectively locking you out of paid search and social channels.

What LegitScript Evaluates

The certification process reviews:

  • Licensing: Valid state licenses for your facility and services offered
  • Accreditation: Accreditation from recognized bodies (CARF, Joint Commission, or state equivalents)
  • Advertising practices: Website claims, testimonials, and marketing materials
  • Staff credentials: Appropriate clinical staffing for services advertised
  • Physical location: Verification that your facility exists and operates as represented

Common Certification Obstacles

Based on industry patterns, facilities often encounter issues with:

  • Testimonials that include specific outcome claims ("I've been sober for 3 years")
  • Success rate statistics without proper methodology documentation
  • Advertising services not covered by current licensure
  • Website content inconsistent with actual service offerings

Timeline and Cost

Initial certification typically takes several weeks and requires an annual fee that varies by facility size. The process includes document submission and may involve facility inspection. Renewal is annual, and LegitScript conducts ongoing monitoring of certified facilities.

If you're planning to invest in compliant SEO strategies for addiction treatment, understanding LegitScript requirements helps you build content that won't create certification problems later.

FTC Guidelines: Testimonials and Outcome Claims

The FTC's endorsement guidelines apply to treatment center websites, particularly around patient testimonials and claims about treatment effectiveness. Addiction treatment outcomes are inherently variable, making unqualified claims particularly problematic.

Testimonial Requirements

If you use patient testimonials — video, written, or case study formats — FTC guidelines require:

  • Typicality: Results described must be typical, or you must clearly disclose what typical results are
  • Material connections: Any compensation, discounts, or incentives for testimonials must be disclosed
  • Substantiation: Claims made in testimonials must be supportable

What This Means Practically

A testimonial stating "I completed the program and have been in recovery for two years" implies a result. If that result isn't typical — and in addiction treatment, long-term recovery rates vary significantly — you need clear disclosure. Statements like "Results vary. Recovery depends on many factors including individual commitment to ongoing care" help contextualize testimonial claims.

Outcome Statistics

Publishing success rates or completion statistics requires methodology documentation. Claims like "85% success rate" invite FTC scrutiny unless you can demonstrate how that figure was calculated, what "success" means, the timeframe measured, and whether the population studied represents typical patients.

Comparative Claims

Statements comparing your outcomes to competitors or industry averages require substantiation. Many treatment centers avoid comparative claims entirely rather than risk FTC inquiry.

Practical approach: Focus testimonials on experience rather than outcomes. "The staff treated me with dignity" is safer than "This program saved my life after three other facilities failed."

Website Compliance Checklist for Treatment Centers

Use this checklist to identify potential compliance gaps on your current website. This is a starting point for discussion with your compliance officer — not a substitute for professional compliance review.

HIPAA & 42 CFR Part 2 Items

  • All pages use HTTPS with a valid SSL/TLS certificate
  • Contact forms transmit data via encrypted connection
  • Form processor vendor has signed BAA
  • Live chat vendor has signed BAA
  • Insurance verification tool vendor has signed BAA
  • CRM receiving form submissions is HIPAA-compliant with BAA
  • Privacy policy accurately describes data collection and handling
  • Retargeting pixels reviewed for Part 2 compliance implications

LegitScript Certification Items

  • All advertised services covered by current state licensure
  • Accreditation status accurately represented
  • Testimonials reviewed for outcome claim language
  • No success rate claims without methodology documentation
  • Staff credentials page reflects current clinical team
  • Facility photos and descriptions match actual location

FTC Compliance Items

  • Testimonials include appropriate disclaimers about typical results
  • Any compensated testimonials clearly disclosed
  • Outcome statistics supported by documented methodology
  • No unsubstantiated comparative claims

For guidance on building SEO programs within these requirements, review our resource on search optimization that meets rehab industry regulations.


Implementation playbook

This page is most useful when you apply it inside a sequence: define the target outcome, execute one focused improvement, and then validate impact using the same metrics every month.

  1. Capture your drug rehab baseline (rankings, map visibility, and lead flow) before making changes based on this compliance guidance.
  2. Ship one change set at a time so you can isolate what moved performance, instead of blending technical, content, and local signals in one release.
  3. Review outcomes every 30 days and roll successful updates into adjacent service pages to compound authority across the cluster.

Frequently Asked Questions

Does HIPAA apply to my treatment center website contact form?

If your contact form collects information that could identify someone seeking addiction treatment — name, phone number, insurance details, or health-related questions — HIPAA likely applies. The form processor and any systems receiving that data need Business Associate Agreements. Consult your compliance officer for your specific form configuration.

What happens if I run Google Ads without LegitScript certification?

Google will disapprove ads for addiction treatment services without valid LegitScript certification. Attempting to circumvent this through misleading ad copy or landing pages risks account suspension. Some facilities have had their entire Google Ads accounts permanently banned for policy violations in this category.

Can I use patient testimonials on my rehab website?

Yes, but with careful compliance guardrails. Avoid specific outcome claims ("5 years sober") unless you disclose that results aren't typical. Disclose any compensation for testimonials. Focus on experience ("compassionate staff") rather than results. Have your compliance officer review testimonial content before publishing.

How does 42 CFR Part 2 differ from HIPAA for my website?

Part 2 generally requires explicit written consent for disclosures that HIPAA might permit automatically. For websites, this affects retargeting pixels, third-party integrations, and how you can use submitted information for marketing. Part 2 applies to federally-assisted SUD programs — verify with counsel whether your facility qualifies.

Do state regulations add requirements beyond federal rules?

Many states impose additional advertising restrictions, licensing requirements, and patient privacy protections that exceed federal minimums. California, Florida, and other states with large treatment industries have particularly detailed regulations. See our guide on state advertising regulations for jurisdiction-specific considerations.

What disclaimers should appear on a compliant treatment center website?

At minimum, include privacy policies describing PHI handling, testimonial disclaimers noting results vary, clear identification that content is educational (not medical advice), and disclosure of any affiliations or referral relationships. State regulations may require additional specific disclosures. Have legal counsel review your disclaimer language.
