The complete guide for treatment center operators and marketing teams navigating the most regulated advertising environment in healthcare.
Why Addiction Treatment Marketing Is Regulated Differently
Most industries can advertise freely. Healthcare advertising has guardrails. Addiction treatment advertising has guardrails, a compliance certification requirement, federal substance use privacy law layered on top of HIPAA, platform-specific rules that can suspend your entire paid search program overnight, and FTC guidelines that dictate exactly how you’re allowed to describe your own outcomes.
No other marketing vertical operates under this many simultaneous regulatory frameworks at once.
This isn’t a reason to avoid marketing. It’s a reason to understand exactly what you’re working with before you spend a dollar — and to choose partners who understand this landscape, not ones who learn about it after they’ve already violated it on your behalf.
This guide covers every compliance layer that governs addiction treatment marketing in the United States: what each rule requires, who enforces it, what happens when it’s violated, and how a well-run program stays clean across all of them simultaneously.

The Regulatory Stack: What Governs Addiction Treatment Marketing
Before going deep on each layer, it helps to see them together. A single piece of advertising — a Google search ad, a Facebook retargeting campaign, a landing page with a call tracking number — can simultaneously implicate:

Federal Privacy Law
- HIPAA (Health Insurance Portability and Accountability Act)
- 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records)
Platform Certification Requirements
- LegitScript certification (required for Google Ads, Microsoft Ads, Bing, and others)
- Meta’s healthcare advertising policies and special ad categories
Federal Consumer Protection Law
- FTC Act (Section 5 — unfair or deceptive acts)
- FTC Endorsement Guides (testimonials and outcome claims)
State Law
- State-level substance use confidentiality laws (many states have laws stricter than 42 CFR Part 2)
- State consumer protection laws
- State professional licensing advertising rules
Platform Terms of Service
- Google Ads Healthcare and Medicines policy
- Meta advertising policies for health and wellness
- Bing/Microsoft advertising policies
Each framework has different enforcement mechanisms, different penalties, and different compliance requirements. A marketing program that satisfies one layer can still violate another. Understanding how they interact is the actual work of compliance-first addiction treatment marketing.
HIPAA in the Addiction Treatment Marketing Context
What HIPAA Actually Covers
HIPAA applies to “covered entities” — healthcare providers, health plans, and healthcare clearinghouses — and their “business associates.” If your treatment facility is a covered entity (which it is if it provides healthcare services), HIPAA governs how you handle Protected Health Information (PHI).
PHI is any individually identifiable health information held or transmitted by a covered entity.
In marketing, this becomes complicated because several common digital marketing tools — analytics platforms, advertising pixels, CRM systems, call tracking software — collect and transmit data that can constitute PHI when it’s in the hands of a healthcare provider.
The marketing-specific HIPAA rules are found primarily in the Privacy Rule (45 CFR Part 164) and center on a single core principle: you cannot use or disclose PHI for marketing purposes without written authorization from the individual, with limited exceptions.
The Pixel Problem: Why Standard Analytics and Advertising Tracking Violates HIPAA
This is the most common and consequential HIPAA compliance failure in addiction treatment marketing, and it affects the majority of treatment centers that haven’t specifically audited their tracking infrastructure.
When a person visits your website, fills out an inquiry form, calls your phone number via a call tracking link, or initiates a chat, they are a potential patient.
Standard Google Analytics, the Meta Pixel, Google Ads conversion tracking, and most call tracking platforms were not built for HIPAA compliance.
They transmit user-level data to third-party servers (Google, Meta, etc.) without a Business Associate Agreement (BAA) in place. Google explicitly states in its Google Analytics and Google Ads terms of service that it is not a HIPAA business associate. Meta says the same.
What this means practically:
- A Google Analytics account tracking your website visitors is, by default, sending identifiable behavioral data about potential patients to Google without a BAA — a potential HIPAA violation.
- A Meta Pixel firing on a contact form confirmation page is sending data about someone who just requested information about addiction treatment to Meta — a potential HIPAA violation.
- A standard call tracking platform that records calls and stores data in its own system without a BAA is a potential HIPAA violation.
- Retargeting campaigns that use pixel-collected audiences consisting of people who visited your treatment inquiry pages are built on PHI — and targeting them with ads may constitute an unauthorized use of that PHI.
The OCR (Office for Civil Rights at HHS) has made clear through enforcement actions and guidance that this is not a theoretical concern. In December 2022, HHS issued a bulletin specifically addressing the use of tracking technologies by HIPAA-covered entities, stating that when a covered entity uses tracking code that transmits to a vendor without a BAA, it violates HIPAA’s Privacy and Security Rules.
Penalties range from $100 to $50,000 per violation per category, with annual maximums up to $1.9 million per violation category. A single un-remediated pixel that’s been running for two years represents thousands of individual incidents.
What HIPAA-Compliant Tracking Looks Like
There are several approaches to building compliant tracking infrastructure. None of them are plug-and-play defaults — they require intentional implementation:
Business Associate Agreements (BAAs). For any vendor that will touch PHI, a BAA must be in place before data flows to them. Some vendors (certain CRM platforms, some analytics tools built specifically for healthcare) will sign BAAs. Google and Meta will not. This means for those platforms, you either need a technical solution that prevents PHI from reaching them, or you don’t use them on PHI-triggering pages.
Server-side tagging and conversion APIs. Rather than using client-side pixels that transmit data directly from the user’s browser to advertising platforms, server-side tagging routes data through your own server first, where it can be filtered, stripped of PHI, and hashed before transmission.
Google’s Consent Mode and Meta’s Conversions API (CAPI) can be implemented with server-side filtering that removes PHI from the data stream. This allows for some level of conversion tracking and optimization without transmitting raw PHI.
Some “HIPAA compliant” analytics, Google Ads and Meta Pixel setups we have seen actually do transmit PHI, and some we have seen strip so much data that sending it to Google Ads, Tag Manager or the Meta Pixel with everything stripped makes it worthless: simply a tax on your server resources with no benefit.
More on this in our blog posts and webinars.
Consent management platforms. A properly implemented consent management platform (CMP) can gate tracking behind explicit user consent. Under this approach, analytics and advertising pixels only fire for users who have explicitly consented to tracking. The limitation is that this significantly reduces data volume — most users in crisis don’t engage with cookie banners deliberately — and a CMP doesn’t fully resolve the PHI issue on the healthcare provider side: a cookie-banner click is not the written authorization HIPAA’s marketing rule requires.
HIPAA-compliant analytics alternatives. Platforms like Matomo (self-hosted), or analytics tools built specifically for healthcare with BAAs available, can replace standard analytics on sensitive pages without creating HIPAA exposure.
(As mentioned above, some “lessened HIPAA exposure” services we have reviewed either remove only a portion of the PHI, or remove so much that sending the data to ad pixels becomes worthless.)
HIPAA and Call Tracking
Call tracking — routing calls through trackable phone numbers to attribute marketing spend to phone inquiries — is standard practice in addiction treatment marketing because phone calls are how most admissions happen. The HIPAA implications are significant.
A call tracking platform typically records the call, stores the recording, logs caller phone numbers, and integrates with CRM systems. All of this involves PHI (a phone call about seeking addiction treatment from an identified phone number is PHI).
Compliant call tracking requires:
- A signed BAA with the call tracking vendor
- Call recording notices that meet applicable state wiretapping disclosure requirements
- Secure storage and access controls for recordings
- Data retention policies and procedures
- Integration with your overall Security Rule compliance program
Several call tracking platforms serve healthcare and will sign BAAs, including some built specifically for the treatment center market. Generic business call tracking tools (most of them) will not, and using them to track patient inquiries is a compliance exposure.
Email Marketing and HIPAA
If you’re sending marketing emails to individuals who are or have been patients of your facility, those communications are subject to HIPAA’s marketing rules.
Sending promotional communications about your services to a current patient list typically requires individual written authorization unless the communication falls within a limited exception (such as treatment communications or communications about treatment alternatives when there’s no financial relationship with the alternative provider).
Email to prospective patients who found you through non-PHI channels (opted into a general mailing list, for instance) and haven’t established a patient relationship is governed by the CAN-SPAM Act and your consent practices more than by HIPAA.
The CAN-SPAM Act is serious, and some state laws take it further. Omitting rule 4 (“Your message must include your valid physical postal address”) can cost you a lot of money with one email blast.
The line between “prospective patient” and “patient” for HIPAA purposes can be blurry and depends on the nature of the contact.
42 CFR Part 2: The Substance Use Disorder Privacy Overlay
42 CFR Part 2 is a federal regulation that predates HIPAA and is, in several important ways, stricter than HIPAA. It specifically governs the confidentiality of substance use disorder (SUD) patient records held by federally assisted programs.
“Federally assisted” is broadly defined and includes programs that receive any federal funds (including Medicare and Medicaid reimbursement), are conducted by a federal agency, or are authorized or licensed under federal law.
Most addiction treatment centers qualify as federally assisted programs. For those facilities, 42 CFR Part 2 applies to all SUD patient records, and its requirements are more restrictive than HIPAA’s in several key ways:
Stricter disclosure rules. Under HIPAA, covered entities can share PHI for treatment, payment, and healthcare operations without patient authorization in many circumstances. Under 42 CFR Part 2, SUD records generally cannot be disclosed without written patient consent even for treatment coordination with other providers, with limited exceptions.
More specific consent requirements. The 42 CFR Part 2 consent form has specific required elements that go beyond HIPAA authorization requirements, including a list of permitted disclosures, expiration provisions, and anti-redisclosure language.
Marketing implications. Any use of patient records or patient-derived information for marketing purposes by a facility subject to 42 CFR Part 2 is subject to its consent requirements. This includes testimonials — using a patient’s experience for marketing purposes without a 42 CFR Part 2-compliant consent is a federal violation, not just an ethical issue.
What changed in 2020. HHS updated 42 CFR Part 2 in 2020 (effective March 2021) to better align with HIPAA in some areas, making it somewhat easier to share records for treatment coordination with patient consent. However, the core prohibition on disclosure without consent remains, and the marketing implications are unchanged.
The practical marketing implications of 42 CFR Part 2 are primarily around patient testimonials, case studies, alumni marketing programs, and any data use that involves records from your SUD treatment program. If you’re running an alumni engagement program, retargeting past patients, or using patient outcomes in your marketing, 42 CFR Part 2 compliance must be specifically addressed.
LegitScript Certification: The Gate to Paid Search, Facebook and Instagram Ads
What LegitScript Is
LegitScript is a third-party verification and monitoring company that certifies online merchants in high-risk categories, including addiction treatment. It is not a government agency, but its certification is required by major advertising platforms — including Google — as a condition for running ads in the addiction treatment category.
For practical purposes, if your treatment center wants to run Google Ads, Facebook or Instagram ads, you need LegitScript certification. This is not optional, not waivable, and not something you can work around through clever ad copy.
Google enforces this policy by disapproving ads and suspending accounts that attempt to advertise addiction treatment without certification.
Why LegitScript Exists in This Context
The addiction treatment advertising industry had a serious fraud problem, particularly around patient brokering — the practice of paying for referrals of patients whose insurance could be billed. Congress passed the Eliminating Kickbacks in Recovery Act (EKRA) in 2018, and the FTC and various state attorneys general pursued enforcement actions against fraudulent treatment center marketing operations.
Google, facing pressure and reputational risk from facilitating fraudulent addiction treatment ads, partnered with LegitScript to create a certification program that verifies treatment centers are legitimate, licensed operations before allowing them to advertise. The program launched in 2018.

Who Needs LegitScript Certification
You need LegitScript certification to run paid ads for addiction treatment services on any platform that requires it, including:
- Google Ads (Search, Display, YouTube)
- Microsoft Advertising (Bing)
- Facebook and Instagram (Meta has separate but related policies)
- Pinterest (certain healthcare categories)
- Other ad networks that have adopted LegitScript standards
If your treatment center provides any of the following services and wants to advertise them via paid search or paid social, certification is required:
- Drug and alcohol detox
- Residential treatment
- Partial hospitalization (PHP)
- Intensive outpatient (IOP)
- Outpatient treatment
- Medication-assisted treatment (MAT)
- Sober living/recovery housing (some contexts)
- Dual diagnosis treatment

The LegitScript Certification Process
The certification process is substantive — it’s not a checkbox exercise. LegitScript verifies that your facility is a legitimate, licensed operation before certifying it.
Application requirements typically include:
- State licensure documentation for each facility location (LegitScript verifies that your facility holds current, valid state licenses for the services it provides)
- Accreditation documentation (CARF, Joint Commission, or state accreditation where applicable)
- Proof of compliance with applicable state and federal regulations
- Information about ownership, operators, and key staff
- Website review (LegitScript reviews your website for compliance with its standards, including advertising accuracy and prohibited practices)
- Payment and business practices review
The timeline varies but typically runs four to twelve weeks from application submission to certification decision, depending on application completeness and LegitScript’s review queue.
Costs include an application fee and ongoing annual certification fees. As of the most recent published fee schedules, costs depend on the number of facility locations and the type of certification. Budget meaningfully for this — it’s a significant upfront cost followed by recurring annual fees.
Ongoing requirements include annual renewal, ongoing monitoring by LegitScript, and notification requirements when there are material changes to your facility (new locations, change in ownership, loss of licensure).
What LegitScript Certification Allows You to Do
Certified status does not mean unrestricted advertising. It means you’re eligible to advertise, subject to platform-specific policies that still apply.
Your ads still must:
- Accurately represent your facility and services
- Not contain prohibited claims
- Direct users to pages that match the ad content
- Comply with Google’s broader healthcare and medicines advertising policies and Facebook’s (Meta) policies
Certification is the key that unlocks the door. What you do once you’re through the door still matters.
LegitScript Certification and Your Marketing Agency
Here’s where treatment centers often get burned: LegitScript certifies facilities, not agencies. Your marketing agency cannot be LegitScript certified on your behalf. What this means operationally is:
- Your facility must hold its own LegitScript certification
- Your certification is tied to your Google Ads account(s)
- If your agency manages a Google Ads account under their MCC (manager account) and runs addiction treatment ads in it without your facility’s LegitScript certification properly linked, that account is at risk
- When you change agencies, the certification status and account history stay with the account, not the agency
Agencies with deep experience in addiction treatment marketing know how to properly link facility certifications to Google Ads accounts and how to structure account access to protect your certification standing during agency transitions.
Google Ads Policies for Addiction Treatment
The Restricted Category Framework
Google classifies addiction treatment advertising as a “restricted” category within its Healthcare and Medicines policy. Restricted does not mean prohibited — it means additional requirements apply.
The core restriction is the LegitScript certification requirement described above. Beyond that, Google’s policies for addiction treatment advertising address:
Landing page requirements. Your ads must send users to landing pages that:
- Clearly identify your facility
- Accurately represent the services offered
- Include contact information
- Do not use deceptive design patterns or urgency tactics that exploit vulnerability
Ad content restrictions. Addiction treatment ads may not:
- Guarantee treatment outcomes
- Make false or misleading claims about success rates
- Use fear-based tactics designed to exploit individuals in crisis
- Misrepresent costs, insurance coverage, or payment terms
- Claim certifications or accreditations that the facility doesn’t hold

Keyword and targeting restrictions. Google has at various points restricted certain targeting methods for sensitive healthcare categories, particularly limiting the use of audience targeting based on health conditions. Policies in this area have evolved and continue to evolve — what’s permitted in a given campaign structure should be verified against current policy at the time of campaign build.
The Practical Impact of Google’s Policy Enforcement
Google’s automated systems and human review processes flag and suspend addiction treatment advertising accounts regularly. Common enforcement actions include:
Ad disapprovals for policy violations in specific ads, which don’t necessarily affect other ads in the account but create gaps in coverage and require remediation.
Account suspensions for serious violations or patterns of violation. A suspended account cannot run any ads until the suspension is resolved, which can take days to weeks and requires submitting an appeal with documentation of remediation.
Policy change-driven disruptions when Google updates its healthcare policies. These changes happen without advance notice to advertisers and can cause compliant campaigns to suddenly become non-compliant.
For treatment centers that depend heavily on paid search for admissions, an account suspension is an immediate crisis. Building compliance into the account from the start — and maintaining a relationship with someone who monitors Google policy changes — is not optional for programs that treat paid search as a significant admission source.
Microsoft Advertising (Bing)
Microsoft Advertising has adopted policies similar to Google’s, including a LegitScript certification requirement for addiction treatment advertising. If you’re running Bing ads for addiction treatment, the same certification and policy considerations apply.

Meta (Facebook and Instagram) Advertising for Addiction Treatment
Meta’s advertising policies for addiction treatment are distinct from Google’s and have evolved significantly since 2018. Key considerations:
Special Ad Categories
Meta designates certain sensitive advertising categories as “Special Ad Categories” that require explicit declaration and apply additional restrictions. Health and financial services are among them.
Ads related to addiction treatment may fall under Meta’s health-related special ad category designations. When an ad is run in a special ad category, Meta restricts targeting options — detailed targeting based on interests, behaviors, and demographics is significantly limited. This substantially reduces the precision available compared to standard Meta advertising.
Meta’s Stance on LegitScript
Meta has indicated requirements for addiction treatment advertisers that align with LegitScript certification, though Meta’s enforcement of these requirements has been less consistent and less automated than Google’s. The policy landscape for addiction treatment on Meta has shifted multiple times since 2018 and continues to evolve.
HIPAA and Meta: A Specific Warning
Meta explicitly states that it is not a HIPAA business associate and will not sign Business Associate Agreements. This means any data transmitted to Meta via standard pixel tracking from a covered entity’s website creates HIPAA exposure.
Some treatment centers using Meta advertising choose to use Meta’s Conversions API (CAPI) with server-side filtering that prevents some or all PHI from being transmitted, combined with consent infrastructure. This is a technical implementation task that requires specific expertise — it is not the default setup for a Meta Pixel installation.
We consider it wasteful in most cases to send stripped patient or client data back to Meta, Google, or any other place. In an effort to get some bonus from sending stripped conversion data and stay HIPAA compliant, we find that it either violates HIPAA, or the data sent back carries no information and gives you no ads benefit, so it is twice as wasteful.
We are always looking for ways to do things in a HIPAA compliant way that has benefits for marketing spend. As of May 2026 we still have not found a way to share conversion data in compliance with HIPAA.
FTC Guidelines: What You Can and Cannot Say
The Legal Framework
The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” In plain terms: you cannot lie in your advertising, you cannot make claims you can’t substantiate, and you cannot create false impressions even through technically true statements.
The FTC has specific guidance that applies directly to addiction treatment marketing, and enforcement actions in the healthcare space have increased substantially. Understanding what the FTC considers deceptive is not optional for treatment centers — it’s the difference between effective marketing and a federal investigation.

Success Rate and Outcome Claims
This is the area where treatment centers most frequently create legal exposure without realizing it.
The FTC requires that any objective claim made in advertising be substantiated — meaning you must have competent and reliable evidence to support the claim before you make it, not after someone challenges it.
Claims that commonly appear in addiction treatment marketing and require substantiation:
Recovery rate claims. “Our clients achieve lasting sobriety” or “90% of our graduates are still sober at one year” are objective claims. If you don’t have rigorous, methodologically sound data to support them — tracked outcomes, defined measurement criteria, a representative sample — making them is deceptive advertising under the FTC Act. The challenge is that outcome tracking in addiction treatment is genuinely difficult, and most facilities do not have data that would meet the FTC’s substantiation standard for strong outcome claims.
Comparison claims. “Higher success rates than traditional 12-step programs” or “More effective than other treatment approaches” require comparative data. Vague superiority claims without data are deceptive.
“Best” claims. “#1 addiction treatment center in [state/region]” requires a defined, verifiable methodology for that ranking. If it’s self-assigned without substantiation, it’s deceptive.
The safest approach is to focus marketing claims on your program’s attributes — your staff credentials, your clinical approach, your accreditations, your evidence-based modalities — rather than outcome percentages. What you do is more verifiable than what percentage of patients succeed by some measure, given how difficult addiction treatment outcomes are to track and define.
Testimonials and Endorsements
The FTC’s Endorsement Guides (16 CFR Part 255, significantly updated in 2023) govern how testimonials and endorsements can be used in advertising. The rules that most directly affect addiction treatment marketing:
Testimonials must reflect typical results. If you feature a patient testimonial describing their successful recovery, and that experience is not typical of your patient population, you must clearly disclose that. Phrases like “results not typical” were historically used for this purpose, but the 2023 FTC Guides made clear that such disclaimers are insufficient if they’re buried or easy to ignore — the non-typicality must be clearly communicated.
You cannot cherry-pick outlier results. Featuring only your best outcomes while presenting them as representative of typical patient experience is deceptive regardless of whether each individual testimonial is accurate.
Paid or incentivized endorsements must be disclosed. If you pay patients, provide free services, or offer any consideration in exchange for testimonials, that relationship must be clearly disclosed.
Social media endorsements. If alumni or advocates post positive content about your facility on social media and you have any kind of relationship with them (paid, discount, affiliate, or formal ambassador program), those posts require disclosure under the Endorsement Guides.
The 42 CFR Part 2 Intersection with Testimonials
Testimonials from former patients at an SUD treatment program subject to 42 CFR Part 2 require more than FTC compliance — they require a 42 CFR Part 2 compliant written consent that specifically authorizes the use of the patient’s information for marketing purposes.
This means your testimonial collection process needs both a 42 CFR Part 2 compliant consent form AND compliance with FTC testimonial requirements.
Many treatment centers have testimonials on their websites collected under generic photo/media releases that don’t meet either standard.
Insurance and Cost Claims
Making claims about insurance coverage (“we accept most major insurance” or “your insurance may cover 100% of treatment”) without verification creates FTC exposure. These statements can create false impressions about affordability and influence decisions to seek care based on financial expectations that turn out to be inaccurate.
More specific: any representation about what insurance will cover for a specific patient before verification has actually been completed is a potential problem. Marketing can accurately describe which insurance plans you’re in-network with. It cannot promise coverage outcomes before those outcomes are verified for the individual.
The No Surprises Act (effective 2022) adds a separate layer here — patients have specific rights to cost estimates, and marketing that creates inaccurate cost impressions intersects with those rights.
State Law Considerations
Why Federal Compliance Isn’t Enough
Federal law establishes minimum standards. States can and do enact stricter requirements, and addiction treatment marketing is an area where many states have moved aggressively. Operating in multiple states — or marketing nationally to patients who may be in any state — requires understanding the patchwork of state requirements.
State Substance Use Confidentiality Laws
Many states have enacted their own substance use disorder confidentiality laws that are stricter than 42 CFR Part 2 in specific ways. California, New York, Illinois, and Texas, among others, have state-level SUD privacy protections that treatment centers must comply with when treating residents of those states.
A multi-state facility, or a facility that markets nationally and admits patients from multiple states, cannot assume that federal 42 CFR Part 2 compliance is sufficient for all patients. State law analysis is required.
State Advertising and Licensing Rules
Many states regulate healthcare advertising directly, including:
Licensure advertising requirements. Some states require that advertising by licensed healthcare facilities include specific disclosures about licensure status or licensure numbers.
False advertising prohibitions. State consumer protection laws parallel the FTC Act but sometimes have different standards, different enforcement priorities, and different private right of action provisions (meaning patients or competitors can sue you, not just regulators).
Patient brokering laws. Most states now have specific prohibitions on patient brokering in the addiction treatment context, including restrictions on referral fee arrangements and lead generation practices. These laws vary significantly in scope, definitions, and enforcement from state to state.
State certification and accreditation requirements. Some states have their own certification requirements for marketing specific treatment modalities or claiming certain types of specialization.
Florida, California, and Texas: Higher Stakes States
These three states represent significant concentrations of addiction treatment facilities and have been the most active in enforcement:
Florida passed the Patient Brokering Act and related legislation after the “Florida shuffle” scandals of the mid-2010s. Florida law on patient brokering, kickbacks, and referral arrangements is detailed, actively enforced, and has resulted in criminal prosecutions. Treatment centers marketing to Florida patients or operating in Florida need specific Florida law analysis.
California has detailed SUD confidentiality law (Welfare and Institutions Code sections on drug and alcohol treatment confidentiality), strict consumer protection enforcement via the CCPA’s health data provisions, and a private right of action for many advertising violations.
Texas has aggressive enforcement by the Health and Human Services Commission on licensing and advertising claims.

Common Compliance Failures in Addiction Treatment Marketing
Understanding the theoretical framework matters less than knowing where programs actually fail. These are the most common compliance failures seen in addiction treatment marketing programs:
Running Non-Compliant Tracking Infrastructure
As described in the HIPAA section, the majority of treatment center websites have some form of non-compliant tracking. Meta Pixel on inquiry pages, Google Analytics, form submissions and email systems without proper encryption — these are endemic. Most facilities have never audited their tracking stack from a HIPAA perspective, because their marketing agency didn’t raise the issue and their compliance officer doesn’t know to look there.
The risk is not merely theoretical. OCR investigations have been triggered by patient complaints about retargeting ads — someone submitting an inquiry for addiction treatment and then seeing addiction treatment ads following them across the web. That experience, from the patient’s perspective, is a disclosure of their health information to an advertiser. From a HIPAA perspective, it may be exactly that.
Advertising Without LegitScript Certification
A treatment center’s marketing agency sets up a Google Ads account and starts running campaigns. The agency doesn’t raise the LegitScript requirement, or the center assumes the agency handles it. Ads run for weeks or months before Google’s enforcement catches the account. The account gets suspended. Admissions from paid search go to zero during the resolution period, which can take weeks.
This happens more often than it should, almost always because a non-specialist marketing agency either didn’t know about the requirement or didn’t make it a prerequisite before launch.
Using Unapproved Ad Copy on Google
Even with LegitScript certification, specific ad copy can trigger disapprovals and suspension risk. Common violations include outcome guarantees (“get sober for life”), unsubstantiated superlatives (“the most effective treatment available”), and certain urgency tactics. Agencies without addiction treatment-specific experience write this kind of copy instinctively because it works in other verticals. In addiction treatment it creates enforcement exposure.
Testimonials Without Proper Consents
A treatment center collects patient testimonials under a general media release form. Those testimonials go on the website and into marketing materials. Neither 42 CFR Part 2 requirements nor FTC testimonial requirements were addressed in the consent document. The facility has created both federal privacy law exposure and FTC exposure simultaneously.
Misleading Insurance Claims in Ads
“Your insurance likely covers treatment” or “most insurance accepted” in an ad that directs to a page without specific insurance verification guidance creates FTC exposure and, in some states, additional liability. Patients who make decisions based on these representations and then receive unexpected bills can generate both regulatory complaints and civil claims.
No Business Associate Agreements with Marketing Vendors
A facility uses a CRM that holds patient inquiry data, email marketing software that sends to a contact list that includes patients, and a chat platform that captures inquiry conversations. None of the vendors have signed Business Associate Agreements. Every one of those integrations is a potential HIPAA violation.
Using Standard Email Marketing on Patient Lists
Importing a list of current or former patients into a standard email marketing platform (Mailchimp, Klaviyo, Constant Contact) and sending marketing communications to them is a HIPAA violation in most scenarios, as these platforms are not HIPAA-compliant and will not sign BAAs.
Retargeting Website Visitors Who Are Clearly Seeking Care
Running retargeting campaigns that build audiences from visitors to inquiry pages, admissions pages, or clinical content pages and serving them addiction treatment ads on third-party websites is potentially using PHI for marketing purposes without authorization — the exact scenario HIPAA’s marketing rules are designed to prevent.
Building a Compliance-Forward Addiction Treatment Marketing Program
Getting compliant is not a one-time project. It’s an ongoing operational discipline. Here’s how the components fit together in a program that maintains compliance while still driving admissions growth:
Step 1: Compliance Audit of Existing Infrastructure
Before building or optimizing anything, the current state needs to be assessed:
- Tracking audit: What pixels, tags, scripts, and integrations are currently on your website? Where do they fire? What data do they collect and where does it go? Who has BAAs in place?
- Ad account audit: Is LegitScript certification in place and properly linked? Are any ads running that contain potentially non-compliant claims?
- Content audit: Are there testimonials on your website or in marketing materials? What consent documentation supports them?
- Vendor audit: Which vendors touch patient or inquiry data? Which have signed BAAs?
This audit is the foundation. You cannot fix what you haven’t inventoried.
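The tracking audit above is the step most facilities have never done. As an added illustration (not code from this guide or from Treatment Center Agency), the following script shows the core of such an audit: scan each page’s HTML for the script URLs and inline calls of common client-side tags, flag plaintext-HTTP form actions, and rate every finding higher when it sits on a page whose very visit implies a visitor is seeking care. The tracker signatures are the public loader URLs for those tags; the sensitive path prefixes and the sample pages are constructed assumptions about a hypothetical site, not real data.

```python
"""Tracking-stack audit for a treatment center website (added example).

Pages below are constructed samples; in practice you would feed the HTML
fetched from each public URL of the site into audit_site().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public loader URLs / activation calls of common client-side tags.
TRACKER_SIGNATURES = {
    "Meta Pixel": re.compile(r"connect\.facebook\.net/[^\"']*fbevents\.js|\bfbq\s*\("),
    "Google Analytics / gtag": re.compile(
        r"googletagmanager\.com/gtag/js|google-analytics\.com/analytics\.js|\bgtag\s*\("
    ),
    "Google Tag Manager": re.compile(r"googletagmanager\.com/gtm\.js"),
    "Hotjar": re.compile(r"static\.hotjar\.com"),
}

# Assumed site layout: paths where a page view itself signals intent to seek care.
SENSITIVE_PREFIXES = ("/admissions", "/contact", "/verify-insurance", "/programs/")

# A <form> whose action is plain http:// sends inquiry data unencrypted.
PLAINTEXT_FORM = re.compile(r"<form[^>]*\baction\s*=\s*[\"'](http://[^\"']+)", re.I)


@dataclass(frozen=True)
class Finding:
    page: str
    issue: str
    severity: str  # "high" on sensitive pages or for plaintext forms, else "medium"


def find_trackers(html: str) -> set[str]:
    """Names of the tracker signatures present in one page's HTML."""
    return {name for name, pat in TRACKER_SIGNATURES.items() if pat.search(html)}


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def audit_site(pages: dict[str, str]) -> list[Finding]:
    """Inventory every tag and plaintext form, worst findings first."""
    findings: list[Finding] = []
    for path, html in pages.items():
        sensitive = is_sensitive(path)
        for tracker in sorted(find_trackers(html)):
            findings.append(Finding(path, f"{tracker} loaded", "high" if sensitive else "medium"))
        for action in PLAINTEXT_FORM.findall(html):
            findings.append(Finding(path, f"form posts over plaintext HTTP to {action}", "high"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.page, f.issue))


# Constructed sample pages (not a real site); the pixel ID and GA ID are placeholders.
SAMPLE_PAGES = {
    "/": '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX">'
         '</script><script>gtag("config","G-XXXXXXX");</script></head><body>Welcome</body></html>',
    "/about": '<html><head><script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX">'
              '</script></head><body>About us</body></html>',
    "/admissions/": '<html><head><script>/* pixel loader */ s.src="https://connect.facebook.net/en_US/fbevents.js";'
                    ' fbq("init","0000000000"); fbq("track","PageView");</script>'
                    '<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script></head>'
                    '<body><form action="http://crm.example/lead" method="post">'
                    '<input name="phone"></form></body></html>',
    "/programs/detox": '<html><head><script src="https://static.hotjar.com/c/hotjar-000000.js"></script>'
                       '</head><body>Detox program</body></html>',
}

if __name__ == "__main__":
    for f in audit_site(SAMPLE_PAGES):
        print(f"[{f.severity:6}] {f.page:18} {f.issue}")
```

Every "high" line in the output is a page where a visitor’s health-related intent is being shared with a vendor that has not signed a BAA, or sent unencrypted; those go to the top of the remediation list in Step 2. The same scan, run on a schedule, also catches tags that an agency or plugin adds later.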

Step 2: Remediation by Priority
Not everything can be fixed at once, and some fixes are more urgent than others. Prioritization should be based on:
- OCR enforcement risk: Active HIPAA violations — particularly non-compliant pixels on inquiry pages — represent the highest acute risk and should be remediated first.
- Platform suspension risk: LegitScript gaps and non-compliant ad copy create business continuity risk (admissions going to zero) and should be addressed immediately.
- FTC and state law risk: Unsubstantiated claims and non-compliant testimonials create long-term legal exposure but typically don’t generate immediate operational disruption.
Step 3: Compliant Infrastructure Build
Once remediation is complete, build compliant infrastructure going forward:
Tracking: Implement server-side tagging with PHI filtering, consent management for user-controlled tracking, and restrict tracking on sensitive pages. Secure BAAs with vendors who will sign them. Use HIPAA-compliant analytics alternatives where necessary.
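What “server-side tagging with PHI filtering” and “restrict tracking on sensitive pages” amount to in code, as an added example rather than this guide’s or TCA’s own implementation: the browser sends events to a first-party endpoint, and a filtering layer on your server decides what, if anything, is forwarded to the vendor. The layer below drops events from sensitive pages outright, omits a referrer that would reveal a prior sensitive page, strips query strings (where search terms and form state travel), pseudonymizes the browser identifier with a server-held secret, and rejects free-text fields that contain an e-mail address or phone number. The allowlist of fields, the sensitive path prefixes, the sample events and the salt are constructed assumptions.

```python
"""Server-side event forwarding with PHI filtering (added example).

Field names, path prefixes and sample events are assumptions for illustration;
adapt the allowlist to the parameters your vendor integration actually needs.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed site layout: a view of these paths reveals intent to seek care.
SENSITIVE_PREFIXES = ("/admissions", "/contact", "/verify-insurance", "/programs/")

# Only these fields may ever reach a vendor; anything else (phone, message, ip ...) is dropped.
ALLOWED_FIELDS = ("event", "page", "referrer", "client_id", "campaign")

# Contact details that must never leave the server, even inside a "harmless" field.
PHI_PATTERNS = (
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                      # e-mail address
    re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),  # US phone number
)


def strip_url(url: str) -> str:
    """Keep scheme, host and path; discard query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def is_sensitive_url(url: str) -> bool:
    return urlsplit(url).path.startswith(SENSITIVE_PREFIXES)


def contains_phi(value: str) -> bool:
    return any(pat.search(value) for pat in PHI_PATTERNS)


def pseudonymize(client_id: str, salt: str) -> str:
    """Keyed hash of the raw browser identifier; `salt` is a secret kept server-side
    so the vendor cannot join the value to identifiers it holds elsewhere."""
    return hashlib.sha256(f"{salt}:{client_id}".encode()).hexdigest()[:32]


def sanitize_event(event: dict, salt: str) -> dict | None:
    """Return the vendor-safe version of `event`, or None if it must not leave the server."""
    if is_sensitive_url(event.get("page", "")):
        return None  # the page view itself is the sensitive fact; forward nothing
    clean: dict = {}
    for key in ALLOWED_FIELDS:
        if key not in event:
            continue
        value = event[key]
        if key == "page":
            value = strip_url(value)
        elif key == "referrer":
            if is_sensitive_url(value):
                continue  # referrer would disclose the prior sensitive page
            value = strip_url(value)
        elif key == "client_id":
            value = pseudonymize(value, salt)
        elif isinstance(value, str) and contains_phi(value):
            continue  # free-text value carries contact details; drop the field
        clean[key] = value
    return clean


def forward_all(events: list[dict], salt: str) -> list[dict | None]:
    """What the server would hand to the vendor for each inbound event."""
    return [sanitize_event(e, salt) for e in events]


# Constructed inbound events (not real traffic); IDs and numbers are placeholders.
SAMPLE_EVENTS = [
    {"event": "page_view", "page": "https://example.org/blog/recovery-tips?q=jane.doe%40mail.example",
     "referrer": "https://example.org/admissions/", "client_id": "GA1.2.123456789.1700000000",
     "ip": "203.0.113.7", "campaign": "spring"},
    {"event": "form_submit", "page": "https://example.org/admissions/",
     "client_id": "GA1.2.123456789.1700000000", "phone": "555-010-4242",
     "message": "I need help with alcohol"},
    {"event": "page_view", "page": "https://example.org/", "client_id": "GA1.2.987.1",
     "campaign": "call 555-010-4242"},
]

if __name__ == "__main__":
    for out in forward_all(SAMPLE_EVENTS, salt="replace-with-server-secret"):
        print(out)
```

The design choice worth noting is that the decision is made before anything reaches a vendor, so the browser never loads the vendor’s script on sensitive pages at all; the consent management layer the text mentions sits in front of this filter and can suppress forwarding entirely for visitors who have not opted in. The field allowlist is deliberately small: a denylist of “known PHI fields” fails the moment a form gains a new input.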
LegitScript: Obtain and maintain certification. Understand the renewal requirements and build them into your compliance calendar.
BAAs: Establish a vendor review process that requires BAA evaluation before any vendor integration that touches PHI goes live.
Ad accounts: Structure Google Ads accounts to properly link LegitScript certification. Establish ad copy review processes that check for prohibited claims before ads go live.
Content and testimonials: Build a compliant testimonial collection process that meets both 42 CFR Part 2 consent requirements and FTC Endorsement Guide requirements. Review existing testimonials against these standards.
Step 4: Ongoing Monitoring and Maintenance
Platform policy monitoring: Google, Meta, and other platforms update their healthcare advertising policies without advance notice to advertisers. Someone needs to be tracking these changes and responding to them. Policy changes that affect running campaigns can happen at any time.
Account health monitoring: Regular review of Google Ads account status, disapprovals, and policy warnings. Early detection of issues prevents small problems from becoming account suspensions.
Regulatory monitoring: OCR enforcement guidance, FTC updates to the Endorsement Guides, and state law changes all affect compliance requirements. Healthcare marketing compliance is not a static target.
Annual compliance review: At minimum annually, and more frequently as your program scales, conduct a comprehensive review of your marketing compliance posture against current requirements.
Step 5: Staff Training and Vendor Alignment
Compliance failures often happen not because nobody knows the rules, but because the people executing marketing tasks — writing ad copy, collecting testimonials, adding website integrations — haven’t been trained on the specific rules that apply to what they’re doing.
Internal marketing staff, external agencies, and freelancers who contribute to your marketing program should all understand the basic compliance requirements relevant to their work. An agency that adds a pixel to your website without checking your BAA status and HIPAA implications is a compliance liability, not just a service provider.

The Compliance Advantage: Why Getting This Right Is a Competitive Strategy, Not Just Risk Management
Most treatment centers treat compliance as a cost center — something to be minimally satisfied to avoid punishment. The centers that treat compliance as a competitive differentiator are building something more durable.
Consider what compliance-forward marketing actually demonstrates to a prospective patient or their family:
A facility that has invested in HIPAA-compliant tracking infrastructure has done so because they take patient privacy seriously — including the privacy of someone who hasn’t even called yet.
A facility whose marketing contains no unsubstantiated outcome claims is telling you that it respects your intelligence and won’t manipulate you with promises it can’t keep.
A facility that obtained and maintains LegitScript certification — going through a rigorous verification process voluntarily — has demonstrated to an independent third party that it’s a legitimate, licensed operation in good standing.
These are not small signals to a population that has, as an industry, been subject to significant fraud and exploitation. The patients and families who are most skeptical of addiction treatment marketing — often because they’ve been burned before — are exactly the population that can be reached by demonstrating genuine trustworthiness.
Marketing compliance, done right, is the most credible claim your advertising can make: proof that you operate the way you say you do.
The Agency Side: What to Demand From Your Marketing Partner
If you’re working with a marketing agency on your addiction treatment advertising — or evaluating agencies — compliance competence is not a differentiator, it’s a prerequisite. Here’s what a genuinely compliant agency should be able to demonstrate:
LegitScript knowledge: Can they walk you through the certification process, the timeline, the ongoing requirements, and how certification is linked to your Google Ads account? If they’re vague or say they’ll “handle it,” that’s a problem.
HIPAA tracking competence: Can they conduct or facilitate a tracking audit of your website? Do they understand the difference between client-side pixels and server-side tagging? Can they name which of your current vendors have signed BAAs and which haven’t?
42 CFR Part 2 awareness: Do they know what this regulation is and how it affects patient testimonials and data use in your marketing program? Many healthcare marketing agencies are not aware of 42 CFR Part 2 at all.
Google Ads policy history in addiction treatment: Have they had accounts suspended? What happened? How did they remediate? An agency that has operated in this space long enough will have encountered enforcement situations — what matters is how they handled them.
FTC claim review process: What is their process for reviewing ad copy and content claims before publication? Do they flag unsubstantiated outcome claims, or do they write whatever they think will perform?
Compliance documentation: Can they show you BAAs they’ve executed with vendors on your behalf, their ad copy review checklist, their LegitScript compliance procedures?
The right answer to each of these questions is a substantive, specific answer from someone who clearly knows the territory. Vague reassurances that “we handle all of that” are a flag, not a comfort.
TCA’s Compliance Approach
Treatment Center Agency was built around this environment. We work exclusively in addiction treatment and behavioral health — no other verticals, no clients who have never encountered a Google Ads policy suspension or a LegitScript renewal issue.
Our approach to compliance isn’t a department we added when compliance became a hot topic. It’s the foundation the agency was built on, because we’ve seen what happens to treatment centers whose marketing programs aren’t built this way:
Programs go dark when Google suspends an account. Facilities get OCR letters triggered by pixel complaints. Testimonial pages get cited in FTC investigations. Treatment centers lose years of ad account history and optimization data when a non-specialist agency mismanages their LegitScript standing during a transition.
Our standard for new clients begins with a compliance audit before strategy or campaigns. We won’t run advertising in an account that isn’t compliant, and we won’t build tracking infrastructure that creates liability for our clients. That’s not a constraint on our ability to drive results — it’s the operating discipline that makes durable results possible.
Every client owns their assets. Your LegitScript certification stays with you. Your Google Ads account is yours. Your website, your content, your tracking infrastructure — all of it is built to be yours, regardless of what the agency relationship looks like in the future.
No long-term contracts. Compliance-based confidence doesn’t need to be locked in. If we’re doing the job, you stay. If we’re not, you shouldn’t be locked into a contract that keeps money flowing to an agency that isn’t performing.
If you’d like a compliance assessment of your current marketing program — tracking infrastructure, ad accounts, content claims, vendor BAA status — we offer a structured audit that gives you a clear picture of your current risk profile and what it would take to remediate it.
Frequently Asked Questions
Do I need LegitScript certification to run Facebook ads for my treatment center? Meta has its own healthcare advertising policies that are related to but separate from LegitScript. Google explicitly requires LegitScript certification for addiction treatment ads. Meta’s enforcement has been less consistent, but its policies for health-related advertising and special ad categories apply to addiction treatment advertising. Consulting a specialist on current Meta policy for your specific situation is advisable.
We’ve been running Google Ads for years without LegitScript certification. How is that possible? Google’s enforcement is not instantaneous or uniform. Some accounts have operated in non-compliant states for extended periods before enforcement caught up. When it does catch up, account suspension is retroactive — the history of running without certification doesn’t protect you from future enforcement.
Can our marketing agency handle the LegitScript certification application? An agency can assist with the application process and ensure the account is properly configured once certification is obtained. However, the certification is issued to the facility, not the agency. Ownership of the certification and the associated Google Ads account must be structured to remain with the facility.
What’s the difference between a HIPAA authorization and a consent for marketing under 42 CFR Part 2? A HIPAA authorization allows a covered entity to use or disclose PHI for purposes not otherwise permitted by the Privacy Rule, including marketing. A 42 CFR Part 2 consent has specific additional required elements and applies to SUD records at federally assisted programs. For treatment centers subject to both, testimonials and patient-facing marketing require forms that meet both standards — a single general media release almost certainly doesn’t.
Is website chat HIPAA compliant? Standard website chat platforms (Intercom, Drift, Zendesk, etc.) are not built for HIPAA compliance and most will not sign BAAs. If your chat platform captures conversations with individuals seeking addiction treatment, those conversations can constitute PHI. Using a non-HIPAA-compliant chat platform for patient inquiries is a potential HIPAA violation. HIPAA-compliant chat solutions exist — the requirement is selecting one, not avoiding chat.
We want to share patient success stories. What do we need? At minimum: a written consent that meets 42 CFR Part 2 requirements (if your program is subject to it, which it likely is), compliance with FTC Endorsement Guide requirements including disclosure of whether the result is typical, and care in how the testimonial is presented so it doesn’t create a false impression about typical outcomes. Have legal counsel review your consent forms and testimonial program before going live.
Ready to assess where your current marketing program stands?
