Skip to content
RegenCompliance
All articles
Testimonial compliance

Healthcare Testimonial Compliance: What You Can and Can't Publish Under the Updated FTC Endorsement Guides

The FTC's Endorsement Guides govern every patient testimonial a healthcare practice publishes - and they were meaningfully updated in 2023. This post covers the current rulebook on typical-experience disclosure, paid endorsements, employee testimonials, influencer partnerships, and reposted content.

10 min readBy RegenCompliance Editorial, FDA/FTC compliance desk

Patient testimonials are the single most persuasive asset in healthcare marketing and one of the two most-enforced. The FTC updated its Endorsement Guides in 2023 with new enforcement language that shifted what healthcare practices can publish. This post is the current rulebook.

We’ll cover: typical-experience disclosure, material connection rules, paid endorsements, employee testimonials, influencer partnerships, repost rules when patients publish about you, substantiation-file retention, and a template for the testimonial-solicitation form that captures everything the Endorsement Guides require.

Rule 1 - Typical experience disclosure

The anchor rule. If a testimonial depicts an outcome presented as what a consumer (or patient) would typically achieve, you must have adequate substantiation that it is typical. If the outcome is atypical - which cherry-picked testimonials almost always are - you must clearly and conspicuously disclose what the typical outcome actually is.

The pre-2023 loophole was a generic “results may vary.” The updated guides make clear that’s not enough. The disclosure has to describe what typical is, not just acknowledge that atypical exists.

Non-compliant

"I lost 45 pounds in 3 months. Life-changing!" - Patient testimonial. *Results may vary.

Compliant alternative

"I lost 45 pounds in 3 months." - Patient outcome above the typical range for our program. In our medically supervised weight loss program, patients typically lose 10–15% of their starting body weight over 6 months. Individual results depend on starting weight, adherence, and health history.

Why: The “results may vary” line is functionally invisible. The compliant version states what typical is in concrete terms, so the featured outcome is correctly contextualized.

Rule 2 - Material connection disclosure

If the patient or endorser received anything of value in exchange for the testimonial, you must clearly disclose the material connection. “Anything of value” includes:

  • Cash payment.
  • Free or discounted treatment.
  • Free or discounted products.
  • Gift cards, spa days, anything else monetizable.
  • Loyalty points or credits.
  • Even the testimonial photo shoot itself, if produced at your expense.

The disclosure has to be in the same location as the testimonial (not linked-out, not in a separate page). “Featured patient received this treatment at no charge in exchange for consenting to marketing use” is a compliant minimal disclosure.

Rule 3 - Employee testimonials

Testimonials from employees, physicians in your practice, owner- operators, or their family members are treated as endorsements with a material connection (the employment relationship itself is a material connection). Publishing them as if they were third-party patient endorsements is deceptive.

Non-compliant

"Best med spa in town!" - Sarah, 5-star review on Google

Compliant alternative

(Don't publish staff reviews as patient reviews. If you want to feature clinical leadership, present them as clinicians with their own brand voice, not as patients.)

Why: Employee testimonials need explicit disclosure of the employment relationship. In most cases, the right answer is to not publish employee reviews as patient reviews at all, and to feature clinical staff as staff.

Rule 4 - Influencer and content-creator partnerships

If you partner with an influencer - paid, gifted, or via affiliate program - that’s an endorsement with a material connection. Standard requirements apply:

  • Disclosure in the post itself.Not in the bio, not in a linked landing page. “#ad,” “paid partnership,” or equivalent clearly visible.
  • Disclosure visible regardless of scroll position. On Instagram, this typically means “#ad” or “paid partnership with” shown above the post fold.
  • Written contractbetween practice and influencer spelling out disclosure obligations. The FTC holds the brand responsible for the influencer’s compliance.
  • Substantiation for any outcome claimsthe influencer makes. “Changed my life” is subjective and fine. “Cured my acne” is a disease claim regardless of who says it.

Rule 5 - Reposts when patients post about you

A patient writes a glowing review on Google, posts a raving Instagram story, or tweets about their treatment. You repost or share it on your clinic’s channels. What are the rules?

The moment you repost, you own the claim. If the patient’s original post contains a cure claim, an FDA-approval claim, or an atypical outcome presented as typical, those become your claims. Third-party origin doesn’t immunize you.

Safe reposting protocol

  1. Read the original carefully.If it contains disease claims, treatment verbs tied to conditions, or outcome guarantees - don’t repost. Or request an edited version from the patient.
  2. Add disclosures to your repost. Individual-results- vary, typical-experience if atypical, material-connection if the patient received anything of value.
  3. Get written consent for the repost itself. Reposting a patient’s public post is still a HIPAA-adjacent marketing use. A written authorization is protective.
  4. Retain the substantiation file. Even reposted content needs a substantiation-file entry noting what outcome was shown, what typical is, and what disclosures were attached.

Rule 6 - Substantiation file retention

For every published testimonial, you should be able to produce, on demand:

  • The signed patient authorization (HIPAA + marketing consent).
  • The specific outcome data that substantiates the claim.
  • Documentation of any material connection (payment, free treatment, etc.).
  • The typical-outcome data used to determine if the featured outcome is typical or atypical.
  • If an influencer: the contract specifying disclosure obligations.

When a regulator opens a file on your practice, their first document request is for substantiation of every testimonial on your marketing surfaces. If you can produce it cleanly within 15 business days, your response cost is dramatically lower. If you can’t, the regulator starts building a case on unsubstantiated-claim grounds.

Most clinics can’t produce the substantiation file. That single gap turns a testimonial-based enforcement action from an annoyance into an existential threat.

The testimonial-solicitation form template

Capture everything you need at collection time, not retroactively. A compliant testimonial-solicitation form should request:

  1. Patient’s subjective experiencein their own words. “How did the experience feel to you?” Avoid questions that invite condition-language responses.
  2. Specific time frame.“How many weeks after treatment are you writing this?”
  3. Concurrent treatments.“Were you on any other programs or making other changes during this time?”
  4. Consent for specific marketing uses. Website, social, ads. Each use explicitly flagged.
  5. Compensation disclosure. Did the patient receive any discount, gift, or free service? Check box + description.
  6. Patient photo consent (separate from written testimonial).
  7. Right to revoke. Clear explanation of how to revoke authorization.
  8. Signature + date.

The resulting file is the substantiation file. Store it with the testimonial, not in a separate CRM or HR folder.

What to do this week

  1. Audit every testimonial live on your site and social channels. List which ones have signed authorization, typical-experience disclosure, material-connection disclosure, and time-frame disclosure.
  2. Remove or rewrite any testimonial missing any of those.
  3. Update your testimonial-solicitation workflow using the template above. Any new testimonials going forward will be compliant by default.
  4. Build the substantiation filefor every currently-live testimonial. If you can’t build the file, take the testimonial down until you can.
  5. Review all influencer/partner contentfor disclosure compliance. The practice is responsible for the influencer’s compliance failures.

Built for this exact problem

Scan your clinic's content before regulators do.

RegenCompliance checks every word of your marketing against live FDA and FTC enforcement data - and rewrites violations automatically. A 30-second scan can save a $50,000–$5M regulatory response.

Apply for betaTry the free demo

Related in the platform

tool

Compliance scanner

hub

Compare vs alternatives

Weekly compliance brief

One email a week. New enforcement actions, rule changes, and tactical fixes. No spam, unsubscribe anytime.

We only send one email per week. No marketing blasts.

Keep reading

FDA Warning Letters at a 25-Year High: What Every Healthcare Practice Needs to Know in 2026

More than 200 FDA warning letters hit healthcare practices in 2024 - the highest volume in a quarter century. Here is what is being flagged, why regenerative medicine and med spas are on the front line, and what a defensible marketing program looks like now.

Read article

How a Single Social Media Post Can Become a Multi-Million-Dollar FTC Settlement

Multi-million-dollar FTC settlements against stem cell and regenerative medicine clinics now routinely start with a single Instagram caption or Facebook testimonial. Here is how that chain actually works - and the four places clinics lose control of it.

Read article

Structure/Function Claims vs. Disease Claims: The One FDA Distinction That Determines Whether Your Marketing Is Legal

One line separates legal marketing from a warning letter: the difference between a structure/function claim and a disease claim. Most practice owners think they know where the line is. They are usually wrong by one or two key phrases.

Read article