Internal Reference — Luxe Rejuvenate Compliance — Not Patient-Facing
Luxe Rejuvenate · Marketing Compliance Brief
HIPAA, Meta Ads, FDA, Florida. What ships, what does not.
Operational reference for everything that hits the Luxe Rejuvenate website, ads, or social. Run copy and creative against this document before anything goes live. Built from the 2026-05-11 compliance research.
Prepared for Victoria, Cody, Michelle
Updated 2026-05-12
Source Compliance-Research-HIPAA-Meta-FDA.md
01.Executive Summary
Seven things every person touching Luxe Rejuvenate marketing needs to know. The rest of the document is the longer version.
1
Luxe Rejuvenate is a HIPAA covered entity. Treat every patient photo, name, treatment outcome, review from a chart, or session list as PHI. PHI cannot be used without a signed HIPAA marketing authorization from the patient.
2
The Meta Pixel does not belong on booking, confirmation, or patient-portal pages. Meta will not sign a Business Associate Agreement. Use server-side Conversions API with hashed, de-identified top-of-funnel events only. Never send Lead, Schedule, or Purchase events from a treatment flow.
3
Meta categorizes Luxe Rejuvenate as Health & Wellness. That blocks bottom-funnel conversion optimization (no Purchase, Lead, or Schedule optimization), restricts before/after photos, and prohibits personal-attribute copy ("Tired? Struggling with X?"). Bottom-of-funnel work happens in email and SMS, not Meta auction.
4
Compounded GLP-1s and most peptides are effectively un-advertisable right now. Semaglutide and tirzepatide are post-shortage and FDA is proposing permanent 503B exclusion. BPC-157 and 13 other peptides are Category 2 pending July 2026 PCAC review. Do not name them in ads or on the site by brand. NAD+ remains legally compoundable.
5
Florida requires an MD or DO as medical director for IV therapy. Palumbo D.O. fills the role on paper. Clinic licensure status under Fla. Stat. 400.9905 needs to be confirmed before paid traffic ramps. Open question: physician-owned exemption or AHCA Health Care Clinic License.
6
The FTC removed the "results not typical" safe harbor in 2023. Every testimonial must show results a typical customer would actually get, or the ad must state typical results clearly. Material connections (employees, comped clients, paid influencers) must be disclosed clearly.
7
Florida requires a specific 72-hour-refund disclaimer on any ad offering free or discounted services. Fla. Stat. 456.062. Required in 6pt Times New Roman or larger in print, 15-second visual/verbal disclosure in video. Applies to any "first visit free," "$50 off intro," "Sip Drip Glow intro pricing."
The three nevers (paste these on the wall)
Never name a prescription drug by brand in ads or on the site (Ozempic, Wegovy, Mounjaro, Zepbound, etc.) without LegitScript Certification. Same for peptides by name until FDA reclassification is final.
Never use a real patient's name, face, or treatment outcome without a signed HIPAA marketing authorization on file. Aggregated review counts ("300+ five-star Google ratings") are fine. Specific patient stories are not, without paperwork.
Never make a disease claim. "Supports relaxation," "Designed for recovery," "Replenishes fluids and electrolytes" are defensible structure/function claims. "Cures," "Treats," "Reverses," "Prevents" are not.
02.HIPAA · Patient Privacy
Why HIPAA applies to Luxe Rejuvenate
Luxe Rejuvenate is a medical practice with a Medical Director (Palumbo D.O.), a Pharmacist (Urbatchka), and an R.N. owner (Franklin). It administers IVs, peptides, and injectables, and processes payment for medical services. Even if billing is cash-only, the standard assumption for any medical practice marketing engagement is to operate as a HIPAA covered entity. Ventari becomes a Business Associate the moment we touch any PHI on Luxe's behalf, which requires a signed BAA on file.
IP addresses combined with a visit to a specific treatment page
Anything that ties a real person to having received care from Luxe Rejuvenate
Not PHI: aggregated and de-identified data (e.g., "300+ clients with a 5-star average Google rating"). That is a factual summary of public reviews, not a patient story.
What a valid HIPAA marketing authorization looks like
Specific description of the information used (e.g., "before and after photos of my abdomen on [date]")
Who is authorized to use it (Luxe Rejuvenate) and who receives it (Meta, Ventari, public web visitors)
Each purpose of the use (Meta advertising, display on luxerejuvenate.com, etc.)
Expiration date or expiration event
Clear statement of the patient's right to revoke in writing, and how
Signature and date
Enforcement is active
In September 2025, OCR cited Cadia Healthcare for sharing 150 patient stories online without valid written permission. Penalties scale per record. The willful-neglect tier ranges from $13,785 to $2,134,831 per violation per year.
03.HIPAA · Online Tracking (Meta Pixel, GA)
The single largest landmine in the Luxe Rejuvenate marketing stack. HHS issued tracking-tech guidance in December 2022, expanded it in March 2024, then a Texas federal court (American Hospital Association v. Becerra, June 2024) vacated the IP-plus-condition-visit portion. The remaining guidance still applies to booking flows, patient portals, and confirmation pages.
Page Type
Tracking Risk
Recommended Posture
Home, About, generic info
Low
Standard Meta Pixel acceptable. Recommend Consent Mode or clear cookie banner per state privacy laws.
Service pages (Peptides, NAD+, Beauty IV, etc.)
Moderate
Server-side Conversions API only. Hashed, minimum-necessary data. No client-side Pixel-only firing. Suppress booking events.
Booking, confirmation, post-purchase
High
No third-party pixels. No Meta Pixel. No standard Google Analytics. Use HIPAA-compliant analytics vendor with signed BAA (Freshpaint, Aptible, Piwik PRO).
Inside logged-in patient portal
Maximum
Zero third-party tracking. Full audit. Everything fired here is PHI by default.
Meta will not sign a BAA
Confirmed in their advertising terms. Any data that qualifies as PHI cannot be sent to the Meta Pixel or Conversions API without violating HIPAA. The architecture has to keep PHI out of whatever Meta receives.
Customer list uploads (Custom Audiences): uploading Luxe Rejuvenate patient phone numbers or emails to Meta for targeting is a HIPAA disclosure. Practical answer: do not upload patient lists. Build Meta audiences only from non-PHI sources (page engagers, video viewers).
Recommended tracking stack for launch
Replace standard Meta Pixel with Meta Conversions API gateway, server-side, sending only de-identified, hashed top-of-funnel events (PageView, ContentView).
Never send Lead, Schedule, Complete Registration, or Purchase events from booking or patient flows.
Use a HIPAA-compliant analytics tool with a signed BAA for any treatment-page or booking-page measurement. Freshpaint specifically offers a HIPAA-compliant Meta Pixel and Google Analytics layer.
Build a documented data flow map. Have Luxe Rejuvenate's medical director sign off before launch.
04.Meta Advertising · Health & Wellness Restrictions
In January-February 2025, Meta categorized Health & Wellness brands and applied advertising restrictions across the entire category. Luxe Rejuvenate qualifies on all three Meta triggers: associated with medical conditions, specific health statuses, and provider/patient relationships.
What is restricted
No bottom-funnel conversion optimization. Cannot optimize for Purchase, Lead, Schedule, Complete Registration, or Add to Cart at the account level. Optimization limited to Landing Page View, Engagement, Reach.
No conversion-based audience building. Cannot build Custom Audiences from purchase or booking events.
Personal attribute restrictions. No copy or creative that asserts or implies the viewer has a specific health condition or attribute.
Before-and-after imagery restricted. Side-by-side comparisons implying medical outcomes are blocked.
Lookalike audiences off PHI-derived seeds prohibited.
Second wave (early 2026): additional restrictions on lead-gen for physician practices and behavioral health clinics, rolling out now.
Personal attribute violations (the most common rejection reason)
Triggers rejection
"Tired of feeling exhausted? Energy IV at your door."
"Struggling with belly fat?"
"Are you over 40 and noticing sagging skin?"
Before image of visible fatigue/weight/acne/aging next to corrected after image
Passes
"Luxury IV therapy, mobile to your door in Tampa."
"Wellness, recovery, and performance, delivered."
"Licensed clinicians. Custom formulations. Your home, your hotel, your office."
Lifestyle imagery of the mobile service in action, the IV bag with branding, the medical team
What this means for the funnel
Top-funnel campaigns (brand awareness, traffic, video views) work as normal. Conversion campaigns optimizing for booking will be disabled or heavily throttled. The bottom half of the funnel lives in email and SMS, not in Meta's auction-side optimization. SEO and organic content matter more for this brand than for typical consumer e-commerce.
05.Meta Advertising · Prescription Drugs and Peptides
Meta's Drugs and Pharmaceuticals policy is layered on top of Health & Wellness. Direct-to-consumer Rx ads are allowed in the U.S., but only with appropriate licensure and LegitScript Certification when prescription drugs are named.
What requires LegitScript Certification to name in ads
Any peptide meeting the drug classification (BPC-157, GHK-Cu, etc.)
Recommended copy strategy until LegitScript is in place
Avoid
"Lose weight with semaglutide"
"BPC-157 for recovery"
"Botox $12/unit"
Use instead
"Personalized wellness consultation, mobile to your door"
"Recovery-focused peptide therapy, prescribed and supervised by licensed clinicians"
"Wrinkle-relaxing injections, mobile service, licensed RN"
06.FDA · Compounded Peptides and Bulk Drug Substances
The highest-risk service line. Compounded peptides cannot be advertised, dispensed, or administered legally unless the bulk drug substance is on FDA's 503A or 503B bulks list, or is FDA-approved as a finished drug, or has a USP monograph, or is in Category 1 of the interim 503A bulks list.
Current status by substance (as of May 11, 2026)
Substance
Status
Marketing Implication
Semaglutide (compounded)
Effectively prohibited
Do not advertise. Do not list on the website. Do not name in any creative.
Tirzepatide (compounded)
Same
Same.
GLP-1 brand names
Conditional
Only if Luxe has FDA-approved product through legitimate supply chain + LegitScript Certification.
BPC-157, GHK-Cu
Category 2, pending July 2026 review
Do not market by name until FDA reclassification is final and confirmed in Federal Register.
NAD+
Legally compoundable
Allowed to market, subject to Meta Health & Wellness rules and FDA disease-claim limits.
Sermorelin
Legally compoundable
Same as NAD+.
Other Category 2 peptides not on reclassification list
Not compoundable
Do not market.
For the /peptides landing page
Lead with the category benefit: "peptide therapy for recovery, performance, sleep, longevity." Route specifics to a consultation. Do not name peptides on the page until July 2026 PCAC review and Federal Register notice. LegitScript Certification needed before naming peptides in any Meta ad.
Before any peptide-specific copy ships, Katy or Michelle confirms which peptides Luxe's pharmacy partner (Urbatchka) is actually compounding right now and what FDA category each falls into.
07.FDA · Structure/Function vs. Disease Claims
Even for legal-to-compound substances, what Luxe Rejuvenate can claim about them is regulated. Only an FDA-approved drug can make a disease claim. Compounded medications, dietary ingredients, and IV formulations not FDA-approved for a disease cannot make disease claims without triggering FDA misbranding and FTC deceptive-advertising risk.
Disease claims · NOT allowed
"Treats chronic fatigue"
"Reverses aging"
"Cures dehydration from hangover"
"Prevents Alzheimer's"
Structure/function · Allowed
"Supports energy and post-workout recovery"
"Supports skin and collagen health"
"Replenishes fluids and electrolytes"
"Supports immune function"
Service names that imply outcomes carefully ("Athlete Recovery IV," "Beauty/Youth IV," "Immune IV," "Energy IV") are defensible. Where things break is body copy that claims to treat or cure a condition.
FTC adds substantiation
The FTC's 2022-2023 Health Products Compliance Guidance tightened the standard. Claims about health benefits generally require "competent and reliable scientific evidence," typically randomized controlled trials for treatment claims. Aspirational language ("feel more energized") is safer than performance claims ("increases energy by 40%").
08.FTC · Endorsement Guides and Testimonials
The FTC revised 16 CFR Part 255 in 2023. Headline change for healthcare marketers: the "results not typical" safe harbor was removed.
Testimonials must depict typical results, OR the ad must clearly and conspicuously state what typical results actually are.
Material connections must be disclosed clearly. Employee, paid influencer, comped patient, friend of founder — disclose in a way that is "difficult to miss and easily understandable."
Acceptable social disclosures: #sponsored, #ad, "Paid partnership with [Brand]." Generic "thanks @brand" is not acceptable.
Fake reviews are prohibited. The FTC finalized a rule in late 2024 with civil penalties up to $51,744 per violation per occurrence.
Testimonialists must have actually used the service in a way representative of how a typical customer would.
For Luxe Rejuvenate specifically
"300+ clients with 5-star Google ratings" — fine. Factual summary of public reviews, not testimonial endorsement.
"Lisa lost 15 pounds in 30 days with our IV protocol" — needs HIPAA authorization, typical-results substantiation, and disclosure if Lisa is employee/comped.
Influencer partnerships — clear sponsored-by-Luxe disclosure on every post, not just the first one.
Medical team members in ads — fine. If they describe personal results, employee status should be clear.
09.Florida · Medical Director, Clinic Licensure, Disclaimers
Medical director
Florida requires every IV therapy operation to have a licensed MD or DO as medical director, with authority over clinical protocols, supervision, recordkeeping, and quality assurance. Palumbo D.O. is named in Context.md. Confirm signed medical director agreement on file, protocols documented, chart audits happening, escalation pathway defined.
RN scope of practice
A Florida-licensed RN can administer IV therapy under physician protocols. Franklin R.N. (owner) and any RN staff can therefore administer in the field. APRNs administering IV therapy in a med-spa setting operate under physician supervisory protocol, not autonomously. LPNs can administer under delegated supervision per Fla. Admin. Code R. 64B9-12.005.
Clinic licensure (Fla. Stat. 400.9905)
Open structural question
An entity providing health care services and billing for them is a "clinic" and must be licensed by AHCA unless it qualifies for the physician-owned exemption (wholly owned by Florida-licensed physicians, services provided by those physicians, directly supervised by them).
If Luxe Rejuvenate LLC is owned by Franklin R.N. without physician co-ownership, the physician-owned exemption does not apply. Luxe likely needs to either restructure ownership to include Palumbo D.O., or hold a Health Care Clinic License from AHCA. Mobile clinics are explicitly within scope, so the mobile model does not change this.
This is foundational legal. Ventari should not be ramping paid traffic to a non-compliant operation. Confirm with Katy before any major spend starts.
Required on any ad offering free or discounted services by a licensed Florida health care practitioner:
Required language verbatim
"The patient and any other person responsible for payment has a right to refuse to pay, cancel payment, or be reimbursed for payment for any other service, examination, or treatment that is performed as a result of and within 72 hours of responding to the advertisement for the free, discounted fee, or reduced fee service, examination, or treatment."
6-point Times New Roman or larger in print. 15-second visual or verbal disclosure on broadcast/digital video. Applies to "first visit free," "$50 off intro," "Sip Drip Glow intro pricing." If we run a discount promo, the landing page footer and the ad creative end-card both carry this.
10.TCPA · SMS and Email Marketing
Since Meta optimization is restricted for Luxe, email and SMS carry the bottom of the funnel. Rules to follow:
Marketing texts (promotions, offers, "book your next IV")
Prior express written consent required. Must be in writing, clearly identify Luxe Rejuvenate, identify the phone number being authorized, and state the recipient is not required to consent as a condition of purchase.
Autodialed texts to a cell phone the patient provided are allowed, but cannot include marketing content.
Limited to 160 characters or less, with easy opt-out.
Capped at 1 per day and 3 per week per provider.
FCC update (April 11, 2025)
Patients can revoke consent through any reasonable method (replying STOP, calling, written request). Organizations must process revocations within 10 business days.
11.Pre-Publish Checklist
Before anything ships to ads, the site, email, or SMS:
Run this list against every page, post, ad, and FAQ entry. If a row is uncertain, pause and ask.
No prescription drug brand names in copy or imagery (Ozempic, Wegovy, Mounjaro, Zepbound, etc.) without LegitScript Certification on file
No compounded peptide names (semaglutide, tirzepatide, BPC-157, GHK-Cu, etc.) until FDA reclassification is final
No real patient names, faces, or treatment outcomes without a signed HIPAA marketing authorization on file
No disease claims ("treats," "cures," "reverses," "prevents"). Structure/function language only ("supports," "designed for")
No personal-attribute copy ("Tired? Struggling with belly fat? Are you over 40?")
No before/after imagery implying medical outcomes
Any testimonial reflects typical results, OR ad clearly states what typical results are
Any material connection (employee, comped patient, paid influencer) is disclosed clearly
Florida 72-hour-refund disclaimer present on any "free" or "discounted" service offer
Booking, confirmation, and patient-portal pages have NO Meta Pixel, NO standard Google Analytics
If patient list upload is being considered for Meta Custom Audiences, the answer is no
BAA signed between Ventari and Luxe Rejuvenate before any PHI processing
SMS marketing has prior express written consent for each number; healthcare-exemption texts contain no marketing