If you have tried to run Google or Meta ads for your telehealth company and hit a wall, LegitScript certification is likely the reason and the solution.
LegitScript is the dominant third-party trust and compliance certification for online healthcare businesses. Google requires it to run ads for telemedicine and prescription drug-related services. Meta requires it for health and pharmaceutical advertising. Visa and Mastercard require it for certain payment processing merchant categories. Without it, your peptide or GLP-1 telehealth company is locked out of the paid channels and payment infrastructure that most businesses use to grow.
This guide covers what LegitScript certification is, why it matters specifically for peptide and GLP-1 telehealth operators, the full requirements, the application process step by step, what it costs, and how your choice of telehealth platform affects how much compliance work is already done before you apply.
What LegitScript Is and Why It Exists
LegitScript is a Portland-based compliance and certification company that operates as a verification layer between online healthcare businesses and the platforms that serve them. Google, Meta, Visa, Mastercard, and others use LegitScript’s database to determine which companies are permitted to advertise or process payments in healthcare-adjacent categories.
LegitScript does not issue medical licenses or replace regulatory agencies. It certifies that a company has the licenses, policies, pharmacy relationships, and operational practices that define a legitimate online healthcare business. The certification is renewed annually and comes with ongoing monitoring to ensure companies remain compliant after initial approval.
For consumers, LegitScript certification is a visible trust signal. For operators, it is increasingly a prerequisite for the distribution channels that matter.
What LegitScript Certification Unlocks
Google Ads
Google restricts telehealth and prescription drug advertising to LegitScript-certified businesses. Without certification, your ad account can serve general health content but will be rejected or suspended for ads that reference prescription services, specific medications, or telehealth consultations. This applies directly to GLP-1, peptide, TRT, HRT, and any program involving prescription compounds.
LegitScript certification does not guarantee Google Ads approval for every ad. It makes you eligible to apply for verification within Google’s healthcare advertiser program, which then allows compliant ads to run.
Meta (Facebook and Instagram)
Meta’s pharmaceutical and healthcare advertising policies require LegitScript certification for ads that involve prescription medications, online pharmacies, or telemedicine services. This includes retargeting campaigns, lookalike audiences, and any content referencing specific medications or prescription programs. For telehealth brands with a visual product and a social-media-native audience, Meta access is critical, and LegitScript is the path to it.
Payment Processing
Visa and Mastercard require LegitScript certification for merchants processing payments in certain healthcare merchant category codes (MCCs). Some acquiring banks and payment processors will not underwrite telehealth businesses without it. This matters because uncertified companies often face higher decline rates, account reserves, or sudden account terminations from processors who flag the merchant category.
If you are operating as the merchant of record on your telehealth platform, which is the correct structure for controlling your business economics, LegitScript certification is part of maintaining stable payment infrastructure at scale.
Patient and Partner Trust
LegitScript certification appears on your website as a badge that patients can verify. In a market where unregulated peptide suppliers and non-compliant telehealth companies are common, the certification distinguishes your company as one that has been independently reviewed.
Compounding pharmacy partners, investor conversations, and enterprise partnerships are also easier when you can point to LegitScript certification as evidence of operational compliance.
Who Needs Their Own Certification
LegitScript certification is tied to the company operating as the merchant of record and running advertising. This distinction matters:
You need your own certification if:
- You are the merchant of record on patient transactions
- You want to run paid ads on Google, Meta, or Bing under your brand
- You have your own payment processing accounts
- You are building a standalone telehealth brand
You may not need it immediately if:
- Your telehealth platform is the merchant of record on all transactions
- You are operating as an affiliate or co-branded partner without independent advertising
- You are in early validation mode before investing in paid acquisition
The key signal: if a telehealth platform tells you that LegitScript is not relevant to you, or that they handle it, ask specifically whether you are the merchant of record. Platforms that hold merchant-of-record status on partner transactions carry the compliance burden because they control the payment relationship. Under that arrangement, you also cannot run independent ad campaigns or build your own ad accounts. LegitScript certification is a byproduct of truly owning your business.
Full Requirements Checklist
LegitScript reviews several categories of documentation and compliance. Here is what to prepare:
Business and Legal Documentation
- Certificate of formation or incorporation
- Business registration in your operating state(s)
- Physical business address (not a PO box)
- Ownership and officer identification
- Any doing-business-as (DBA) registrations
Clinical Licensing
- Documentation of licensed prescribers covering all states where you offer services
- Verification that prescribers are authorized to prescribe in each state (state medical license numbers)
- If using a provider network (such as Karpa’s 50-state licensed network), documentation of that arrangement and the network’s licensing coverage
- Confirmation that no prescribing occurs without a valid patient-provider relationship established per state law
Website Compliance
Your website must meet specific disclosure and safety requirements before you apply. LegitScript reviewers will examine your site directly. Common issues that cause rejections:
- No clear indication that a prescription is required before medication is dispensed
- Missing or inadequate privacy policy
- Missing or inadequate terms of service
- Absence of contact information for patient support
- Any marketing claims that imply medications can be obtained without a consultation
- Pricing pages that show medication prices without clarifying that a consultation and prescription are required
HIPAA Compliance Documentation
- Executed Business Associate Agreements (BAAs) with all vendors handling protected health information (EMR providers, patient portal, pharmacy partners)
- Privacy policy that meets HIPAA Notice of Privacy Practices requirements
- Evidence of HIPAA training and internal policies
Pharmacy Sourcing Documentation
- Names and licenses of all compounding pharmacies from which patients receive medications (Empower, Strive, Olympia, Belmar, and others)
- Confirmation that all pharmacies are licensed 503A or 503B facilities
- No sourcing from non-accredited or non-licensed suppliers
- Drug pricing transparency or access to pricing information for patients
Operational Policies
- Refund and cancellation policy
- Patient complaint process and contact information
- Process for adverse event reporting
- Telehealth consent policy (patients must consent to receive care via telehealth)
- Policy prohibiting prescribing controlled substances or prohibited compounds
Marketing Compliance
LegitScript reviews your advertising and marketing materials alongside your website. Prepare to provide:
- Samples of any active ad campaigns
- Social media profiles associated with the business
- Email marketing examples
- Confirmation that all marketing complies with FDA advertising standards (no unsubstantiated efficacy claims, no off-label promotion)
The Application Process Step by Step
Step 1: Pre-Application Readiness Audit (2 to 4 weeks before applying)
Do not apply before your documentation and website are ready. LegitScript’s review clock starts when you submit. Incomplete applications extend your timeline and can result in rejection.
Work through the requirements checklist above. For each item, either confirm you have it or create it. The most common gaps that delay applications are:
- Inadequate website disclosures (missing “prescription required” language)
- Missing HIPAA documentation and BAAs
- Pharmacy sourcing not documented
- No formal patient complaint process
Step 2: Create a LegitScript Account
Go to legitscript.com and create a business account. Select the Healthcare Merchant certification program. LegitScript charges an application fee at submission.
Step 3: Complete the Merchant Profile
LegitScript’s application portal walks you through uploading all required documentation. Complete every section fully. Partial submissions slow the review. For each section, upload the actual documents rather than descriptions of them.
Key sections:
- Business entity documentation
- Website URL(s) to be certified (all patient-facing domains)
- Description of services offered
- Prescriber licensing documentation
- Pharmacy partner information
- Policy documentation
Step 4: Website Verification
LegitScript will review your live website during the application process. Before submitting, verify that your website:
- Clearly states that a medical consultation and prescription are required before any medication is dispensed
- Has a working, accessible privacy policy linked in the footer
- Has a working, accessible terms of service
- Has a visible contact method for patient inquiries
- Does not make unsubstantiated efficacy claims about specific medications
- Does not display medication prices in a way that implies they can be purchased without a prescription
Step 5: Review Period
LegitScript’s review team evaluates your application and may send follow-up questions or documentation requests. Respond promptly. The typical review period is 4 to 8 weeks. Companies with complete, clean documentation often move through faster.
Step 6: Approval and Badge Issuance
Upon approval, LegitScript issues a certification badge for your website and adds your company to their verified merchant database. Google, Meta, and payment processors query this database when reviewing advertiser eligibility.
Step 7: Annual Renewal and Ongoing Monitoring
LegitScript monitors certified companies on an ongoing basis and requires annual renewal. Renewal includes a fee and a review of any material changes to your business. Significant operational changes (new states, new medication categories, ownership changes) should be proactively disclosed to LegitScript.
Cost and Timeline
LegitScript’s Healthcare and Telemedicine certification has two paths:
Standard: $975 nonrefundable application fee plus $2,150 per year per website. Total in year one: roughly $3,125. Review takes 6 to 10 weeks.
Expedited (through LegitScript directly): $6,000. Faster review, same outcome.
Through Karpa’s partnership: $2,000 with expedited approval. That is $4,000 less than going directly for expedited review, and faster than the standard path.
| Path | Year One Cost | Timeline |
|---|---|---|
| Standard (independent) | ~$3,125 | 6 to 10 weeks |
| Expedited (LegitScript direct) | $6,000 | Expedited |
| Through Karpa partnership | $2,000 | Expedited |
For operators building on Karpa’s platform, the LegitScript partnership is one of the more tangible financial advantages beyond the operational infrastructure. Book a call with Karpa to access partner pricing.
How Your Platform Choice Affects LegitScript Readiness
A significant portion of LegitScript’s requirements relate to infrastructure that your telehealth platform either provides or does not:
50-state licensed provider network. LegitScript requires documentation that licensed providers cover every state where you offer services. A platform with a built-in 50-state provider network makes this documentation straightforward. Building it independently from individual state-licensed providers is a substantial compliance project.
HIPAA-compliant infrastructure. LegitScript requires BAAs with all vendors handling PHI. A platform that operates with a BAA already in place covers the infrastructure layer. Operators using multiple disconnected vendors need BAAs with each one.
Accredited pharmacy partners. LegitScript requires documentation of all compounding pharmacy sources. A platform with direct integrations with licensed 503A pharmacies (Empower, Strive, Olympia, Belmar, and others) produces this documentation in a single step. Self-assembled pharmacy relationships require individual pharmacy documentation.
Compliant patient intake and consent. LegitScript reviews whether your platform captures proper telehealth consent from patients before care is delivered. Platforms with built-in consent workflows satisfy this requirement automatically.
Operators on a purpose-built telehealth platform often find that half the LegitScript requirements are already satisfied by the platform’s infrastructure before they start their application. Operators who built their stack independently spend significantly more time and cost on compliance documentation before they are ready to apply.
Common Rejection Reasons and How to Avoid Them
Website does not clearly require a prescription. Every page that displays medication information should include language indicating that a prescription is required. “Requires a prescription from a licensed physician” should appear near any medication listing or pricing information.
Inadequate privacy policy. Generic privacy policy templates often do not meet HIPAA Notice of Privacy Practices requirements. Use a healthcare-specific privacy policy that includes the required HIPAA disclosures.
No adverse event reporting process. Document how patients can report adverse reactions and how those reports are handled. This can be as simple as a dedicated email address and a written internal process.
Pharmacy sourcing not documented. List every compounding pharmacy your patients may receive medications from and provide their license numbers. “We use accredited compounding pharmacies” is not sufficient.
Marketing claims that imply no prescription needed. Review every piece of marketing for language that could be read as implying patients can receive prescription medications without a consultation. Phrases like “get semaglutide online” without a clear disclosure that a prescription is required are common rejection triggers.
After Certification: Unlocking Google and Meta Ads
LegitScript certification makes you eligible for healthcare advertiser verification on Google and Meta, but it does not automatically activate ad access. You need to apply separately:
Google: Submit a verification request through Google Ads’ healthcare advertiser policy program. Google will confirm your LegitScript status and review your advertising content for compliance with their healthcare policies.
Meta: Apply through Meta’s pharmaceutical and healthcare advertising authorization process. LegitScript certification is part of the documentation Meta requires.
Both platforms have additional content restrictions even after certification. Ads for prescription medications cannot make unsubstantiated efficacy claims, cannot target audiences based on health conditions, and must comply with the platform’s specific healthcare ad policies.
LegitScript Certification Is an Asset, Not Just a Compliance Box
Operators who treat LegitScript certification as a compliance obligation miss the business value. Certification is a moat. Most early-stage telehealth competitors operating in the peptide and GLP-1 space are not certified, which means they cannot run Google or Meta ads at scale. They rely on organic channels, SEO, and word of mouth.
A certified operator can run paid acquisition that uncertified competitors cannot. That asymmetry compounds over time: more ads mean more patients, more revenue, more brand recognition, and more ability to outpace operators who built on an uncertified foundation.
If you are building a telehealth brand with serious growth ambitions, LegitScript certification is not a future consideration. It is a near-term operational priority that unlocks the distribution your competitors cannot access.
Book a call with Karpa Health to access Karpa’s LegitScript partner pricing ($2,000 with expedited approval vs. the standard ~$6,000 independent path) and discuss how Karpa’s platform infrastructure reduces your certification preparation time.
Need help getting your telehealth company ready for LegitScript certification? Start with our free program builder to understand your platform options, or read our guide on HIPAA compliance for cash-pay telehealth programs.