HIPAA & 42 CFR Part 2 Compliance.

Last updated: June 16, 2026

1. Scope and Purpose

Allgood Marketing ("we," "our," or "us") is a digital marketing agency that serves behavioral health providers, addiction treatment centers, mental health practices, and other healthcare organizations regulated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), its implementing regulations (the Privacy, Security, and Breach Notification Rules), and 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records).

This page describes how we approach compliance when we engage with a Covered Entity or another Business Associate. It is a statement of our operating policies — not a legal opinion on your organization's obligations. You should confirm with your own privacy officer or counsel that our role and safeguards meet your specific compliance requirements.

2. Our Role: Service Provider and Business Associate

When we deliver marketing services that may involve access to, or transmission of, Protected Health Information ("PHI"), we operate as a Business Associate under HIPAA. Activities that can place us in this role include:

• Building or maintaining intake forms, contact forms, or chat tools on a Covered Entity's website
• Configuring CRM, marketing-automation, or call-tracking platforms that store inquirer or patient information
• Operating ad accounts, analytics, or attribution systems whose data flow could include identifiers tied to an individual's healthcare
• Hosting landing pages, microsites, or campaign infrastructure that collects health-related information from prospective patients

In every engagement where these activities apply, a signed Business Associate Agreement governs our handling of PHI before work begins.

3. Business Associate Agreements (BAAs)

We make a Business Associate Agreement available on request to any Covered Entity client and to any of our own sub-processors that may receive PHI on our behalf. Our standard BAA addresses the requirements of 45 CFR § 164.504(e), including:

• Permitted uses and disclosures of PHI
• Safeguards consistent with the HIPAA Security Rule (administrative, physical, and technical)
• Reporting of any use, disclosure, or Security Incident not permitted by the agreement
• Breach notification within timeframes that allow you to meet your 45 CFR § 164.410 obligations
• Subcontractor flow-down requirements
• Return or destruction of PHI upon termination

If your organization requires execution of your BAA template, we are willing to review and, where appropriate, sign it as part of onboarding. To request a BAA, email contact@allgoodmarketing.com.

4. PHI Handling Principles

Our default posture is to minimize PHI exposure across the marketing stack. Specifically:

• Minimum necessary. We collect, process, and transmit only the information needed to deliver the agreed marketing service.
• No PHI in ad platforms. We do not knowingly transmit PHI to Google Ads, Meta, Microsoft Advertising, LinkedIn, TikTok, or any other ad platform that has not signed a BAA with our client. We configure ad accounts to exclude PHI from event payloads, conversion uploads, and customer match lists.
• No PHI in standard analytics. We do not configure Google Analytics, Meta Pixel, or similar non-BAA tools on regulated pages (intake forms, eligibility checks, treatment-specific landing pages) without using HIPAA-compliant proxies, server-side filtering, or BAA-covered alternatives.
• Server-side and consent-aware tracking. When attribution is required on regulated surfaces, we use server-side tagging, filtered conversion endpoints, or BAA-covered tools that strip identifiers before they leave the client environment.
• Access on a need-to-know basis. Only assigned account team members have access to client systems that may contain PHI.

5. 42 CFR Part 2 (Confidentiality of SUD Records)

Substance Use Disorder (SUD) patient records are subject to additional protections under 42 CFR Part 2, which is generally stricter than HIPAA. For clients providing SUD treatment, we apply the following defaults on top of our HIPAA controls:

• We treat any indication that an individual has sought, received, or been referred for SUD treatment as protected and avoid storing it in marketing systems that lack written authorization-based access controls.
• We avoid configuring testimonial, story, or "patient journey" content in any way that could identify a Part 2 record without documented, written patient consent that meets 42 CFR § 2.31.
• We work with our clients to draft and serve consent and revocation language consistent with Part 2 when forms or campaigns touch SUD-related content.
• Where federal "re-disclosure" notices are required (42 CFR § 2.32), we include them in any material we create that reproduces Part 2 information.

6. Technical and Administrative Safeguards

Access controls

Role-based access, single sign-on with multifactor authentication for systems that may touch PHI, principle of least privilege, and prompt deprovisioning when team members change roles or leave.

Encryption

Encryption in transit (TLS 1.2 or higher) for all data exchanged with client systems. Encryption at rest for any storage that may hold PHI on our infrastructure.

Audit logging

Access and configuration changes to client systems, ad accounts, analytics tools, and CRMs are logged where the platform supports it, and reviewed on a documented cadence.

Endpoint security

Workforce devices used for client work are protected with full-disk encryption, automatic updates, screen-lock policies, and endpoint-detection tooling.

Workforce training

All team members who handle client engagements complete HIPAA and 42 CFR Part 2 awareness training at onboarding and on an annual refresh cycle. Training records are retained for at least six years.

Risk analysis

We conduct an annual security risk assessment of the systems we use to deliver client services, and we document remediation plans for any findings.

7. Sub-processors

We use a small set of vetted sub-processors to deliver our services. Where these vendors may receive or process PHI on our behalf, we maintain a signed Business Associate Agreement with the vendor before any PHI is transmitted, and we limit each vendor's access to the minimum necessary for its function. A current list of HIPAA-relevant sub-processors is available on request from your account team.

8. Pixels, Analytics, and Tracking Technologies

The U.S. Department of Health and Human Services Office for Civil Rights ("OCR") has issued guidance clarifying that disclosure of individually identifiable health information by a Covered Entity or Business Associate through online tracking technologies is regulated under HIPAA. The Federal Trade Commission ("FTC") has issued parallel guidance under Section 5 of the FTC Act, the Health Breach Notification Rule, and state privacy laws.

Our approach to tracking on client websites:

• Regulated pages (intake forms, treatment-specific landing pages, insurance verification, scheduling, chat, eligibility) are configured to avoid sending identifiers to non-BAA ad and analytics platforms.
• Unauthenticated, general informational pages may use standard analytics provided the page does not reveal an individual's healthcare-related search or activity.
• Conversion measurement uses hashed-and-server-side, enhanced-conversion, or BAA-covered alternatives that strip PHI before transmission.
• Cookie consent and Global Privacy Control (GPC) signals are honored where applicable under state privacy laws.

Configurations are documented per client and reviewed when ad platform policies, OCR guidance, or FTC enforcement actions change.

9. Breach Notification

If we discover a use or disclosure of PHI not permitted by the applicable BAA, or a Security Incident as defined in 45 CFR § 164.304, we notify the affected client without unreasonable delay and within the timeframe specified in our BAA — generally within ten (10) business days of discovery, and sooner for incidents that may meet the definition of a Breach under 45 CFR § 164.402. Our notification provides, to the extent known:

• A description of what happened, including the date of the incident and the date of discovery
• The types of PHI involved
• The individuals or categories of individuals affected, where known
• Steps taken to investigate, mitigate, and prevent recurrence
• Contact information for our incident response lead

We support our clients in meeting their downstream notification obligations to individuals, HHS, and (where applicable) the media under 45 CFR §§ 164.404–164.408.

10. What We Do Not Do

To set expectations clearly:

• We are not a Covered Entity. We do not provide healthcare services, billing, or claims processing.
• We are not currently integrated with client Electronic Health Record (EHR) systems for marketing attribution. Marketing-to-admit attribution is performed using anonymized, aggregated, or client-furnished data — not via direct EHR access.
• We do not sell PHI under any circumstance.
• We do not use PHI for our own marketing, product development, or analytics outside the scope of the BAA.
• HIPAA compliance is a shared responsibility. We can deliver our portion of the program — but a Covered Entity remains accountable for its overall compliance posture, including configurations made by other vendors, internal staff, or technologies outside our scope of work.

11. Requesting Documentation

The following documentation is available on request to current and prospective clients:

• Business Associate Agreement template
• List of HIPAA-relevant sub-processors
• Summary of our security policies, workforce training, and risk-assessment cadence
• Information security questionnaire responses (SIG, CAIQ, or custom formats)

Email contact@allgoodmarketing.com with "HIPAA documentation request" in the subject line.

12. Changes to This Policy

We update this page as our practices, our sub-processor list, OCR guidance, FTC guidance, and applicable law evolve. The "Last updated" date at the top of this page reflects the most recent material change. We encourage clients and prospective clients to review this page periodically.

13. Contact

For HIPAA, 42 CFR Part 2, BAA requests, security questionnaires, or incident reporting, contact:

• Email: contact@allgoodmarketing.com
• Subject line: "HIPAA" or "42 CFR Part 2"
• Location: Fort Lauderdale, FL, United States