5-step playbook

How to Audit Your Healthcare Website for FDA/FTC Compliance: A 5-Step Framework You Can Run in Two Weeks

A tactical framework any clinic can run in two weeks: inventory, pageview-weighted triage, claim-category scan, rewrite-at-source style guide updates, and archive retirement. With the exact sequencing and who does what.

11 min read. By RegenCompliance Editorial, FDA/FTC compliance desk

A website compliance audit is the single highest-ROI compliance investment a healthcare practice can make right now. It is also the single most commonly misrun one - either treated as a once-a-year legal review, or as a one-time cleanup that finishes and stays finished. Both approaches fail under 2026 FDA/FTC enforcement cadence. Here is the framework that actually works.

The goal of the framework is simple: end the audit in a better place than a find-and-replace pass, end it in the same place every time you run it (so outcomes are reproducible), and end it with an audit trail you can show a regulator if you need to respond to a warning letter within 15 business days.

Step 1 - Full marketing-surface inventory

Before you can audit, you need to know what exists. Most clinic owners underestimate this by a factor of 5 to 10 - the marketing surface is always larger than you think.

What to inventory

  • Website pages. Pull a crawl from an SEO tool and cross-check it against your sitemap and a CMS export. A link-following crawl cannot find unlinked pages, so the CMS export is what catches orphaned drafts and old landing pages.
  • Social media. Every post, story highlight, pinned post, and profile bio across Instagram, TikTok, Facebook, LinkedIn, X, YouTube.
  • Paid ads. Every active and paused ad + every ad variation across Google, Meta, TikTok, YouTube. Platform ad libraries are public - regulators use them.
  • Email. Every template in your ESP, every automation flow, every recent one-off broadcast.
  • Scripts and intake. Sales scripts, on-hold message, intake forms, consent language, after-care instructions.
  • Third-party surfaces. Your Google Business profile, Yelp, Healthgrades, RealSelf, Zocdoc, directory listings, partner sites that reference you.
  • Archive / Wayback. Check archive.org/web/*/yourclinic.com for pages that have been removed or rewritten. Archived pages are still readable by regulators, and taking a page down does not remove its archived copies.

Dump every URL or surface into a single spreadsheet. One row per surface. One column for type. This is your audit universe.

Step 2 - Pageview-weighted triage

Auditing 200 pages perfectly takes weeks. Auditing the top 10 pages today cuts most of the actual risk. Do the high-traffic surfaces first.

How to prioritize

  1. Pull 90-day pageviews from your analytics (GA4, Plausible, Fathom, whatever you use).
  2. Sort descending. Top 10 pages typically carry 60–80% of traffic in a small clinic site.
  3. Then overlay: every page that’s a landing page for an active ad. Regardless of pageview count. A low-traffic landing page that pairs with a high-spend ad is a high-risk surface.
  4. Then: every social post from the last 12 months that got above-median engagement. Posts that spread are the posts regulators see.
  5. Everything else is the long tail. Audit it in the second sprint.

Step 3 - Claim-category scan

For each surface in your triaged list, scan against four specific claim categories. These are the categories that drive the vast majority of 2024–2026 enforcement.

Category 1 - Disease claims

Any language asserting the product or procedure treats, cures, heals, reverses, or prevents a named medical condition. This is the single highest-density category. See the structure/function vs. disease claims post for the line.

Category 2 - Implied or false FDA status

“FDA-approved” language when what you mean is FDA-registered, or when nothing at all is FDA-approved in the procedure chain. See the 7 banned words list for the specific phrases.

Category 3 - Outcome guarantees and safety absolutes

“Guaranteed,” “100% safe,” “no side effects,” “risk-free.” FTC territory.

Category 4 - Testimonial and before/after compliance

Testimonials without typical-experience disclosure. Before/after photos without standardization or consent documentation. Paid testimonials without material-connection disclosure.

For each surface, mark which of the four categories applies and record the specific phrase and location. Your output from step 3 is a violation map: surface, category, exact text.

Step 4 - Rewrite at the source, not at the instance

The most common audit failure is fixing each flagged phrase one at a time, letting the same language re-enter next week. The durable fix is to change the writing source so violations do not get typed in the first place.

Three source-level fixes

  1. Marketing style guide update. Add the seven banned words from the trigger-words post to your clinic style guide, with the approved alternatives written right next to them. This is the single most durable intervention.
  2. Testimonial-solicitation workflow update. Update your testimonial-collection form to ask patients to describe their experience in subjective terms rather than disease terms, and to attach a typical-results disclosure automatically whenever the testimonial describes an atypical outcome.
  3. Pre-publish compliance scan. Every piece of marketing content runs through a scan before it goes live. Pre-publish catches the violation when it is free to fix. Post-publish catches it after the regulator has a screenshot.

With all three in place, you ship new violations at roughly a tenth of the rate of a find-and-replace-only program, and that delta compounds over a year.
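The triage order from Step 2, the claim-category scan that produces the Step 3 violation map, and the Step 4 pre-publish gate are the same small piece of logic run over different inputs. The following is an added example written for this article; it is not RegenCompliance's scanner or any vendor's ruleset. The phrase patterns, the disclosure phrases, the sample inventory rows and the clinic URLs are all constructed for illustration and are deliberately incomplete. The scanner flags matches for a human reviewer; it does not try to understand negation ("we do not claim to cure"), so every hit still needs a compliance call.

```python
"""Pageview-weighted triage, claim-category scan and pre-publish gate (added example)."""
import re
from dataclasses import dataclass

# Constructed ruleset: illustrative patterns only, NOT a complete or authoritative list.
# Each category maps to regexes; the exact matched phrase is recorded for the violation map.
CATEGORY_RULES = {
    # Category 1: a treat/cure/prevent verb followed (on the same line) by a named condition.
    "disease_claim": [
        re.compile(r"\b(?:cures?|heals?|reverses?|prevents?|treats?)\b[^.]{0,40}?"
                   r"\b(?:arthritis|diabetes|cancer|alzheimer'?s|fibromyalgia|copd)\b", re.I),
    ],
    # Category 2: "FDA-approved" in any spelling; reviewer checks whether anything actually is.
    "fda_status": [re.compile(r"\bFDA[\s-]?approved\b", re.I)],
    # Category 3: outcome guarantees and safety absolutes.
    "guarantee": [re.compile(r"\bguaranteed?\b|\b100%\s+safe\b|\bno side effects\b|\brisk[\s-]?free\b", re.I)],
}
# Category 4 is contextual: a testimonial or before/after marker is only a finding when the
# surface carries no typical-results disclosure anywhere in its text.
TESTIMONIAL_MARKER = re.compile(
    r"\bbefore\s*(?:and|&|/)\s*after\b|\b(?:patient|client)\s+(?:story|stories|review|testimonial)s?\b", re.I)
TYPICAL_DISCLOSURE = re.compile(
    r"\bresults?\s+(?:may\s+)?vary\b|\bnot\s+typical\b|\btypical\s+results?\b|\bindividual\s+results\b", re.I)


@dataclass(frozen=True)
class Finding:
    surface: str    # URL, handle or ad ID from the inventory spreadsheet
    category: str
    text: str       # exact phrase that matched
    line: int       # 1-based line within the surface's text
    column: int     # 1-based column of the match


def scan_surface(surface: str, body: str) -> list[Finding]:
    """Step 3: return every claim-category hit on one surface, ordered by position."""
    findings = []
    lines = body.splitlines()
    for lineno, line in enumerate(lines, start=1):
        for category, patterns in CATEGORY_RULES.items():
            for pat in patterns:
                for m in pat.finditer(line):
                    findings.append(Finding(surface, category, m.group(0), lineno, m.start() + 1))
    if not TYPICAL_DISCLOSURE.search(body):  # contextual testimonial rule
        for lineno, line in enumerate(lines, start=1):
            for m in TESTIMONIAL_MARKER.finditer(line):
                findings.append(Finding(surface, "testimonial", m.group(0), lineno, m.start() + 1))
    return sorted(findings, key=lambda f: (f.line, f.column))


def prioritize(inventory: list[dict]) -> list[dict]:
    """Step 2: active-ad landing pages first regardless of traffic, then by 90-day pageviews."""
    return sorted(inventory, key=lambda row: (not row["ad_landing"], -row["pageviews"]))


def violation_map(inventory: list[dict]) -> list[tuple]:
    """Step 3 output: (surface, category, exact text, location) in triage order."""
    rows = []
    for row in prioritize(inventory):
        for f in scan_surface(row["surface"], row["body"]):
            rows.append((f.surface, f.category, f.text, f"line {f.line}, col {f.column}"))
    return rows


def prepublish_ok(surface: str, draft: str) -> bool:
    """Step 4 gate: a draft ships only if the scan returns nothing."""
    return not scan_surface(surface, draft)


# Constructed sample inventory (hypothetical clinic, hypothetical copy) for a stand-alone run.
SAMPLE_INVENTORY = [
    {"surface": "https://clinic.example/stem-cell-knees", "pageviews": 4200, "ad_landing": False,
     "body": "Our stem cell therapy cures knee arthritis.\nFDA-approved protocol.\nGuaranteed results."},
    {"surface": "https://clinic.example/promo-glp1", "pageviews": 80, "ad_landing": True,
     "body": "Patient stories: lost 40 lbs in 8 weeks!\nNo side effects."},
    {"surface": "https://clinic.example/about", "pageviews": 1500, "ad_landing": False,
     "body": "Board-certified physicians. Individual results vary.\nRead patient reviews."},
]

if __name__ == "__main__":
    for row in violation_map(SAMPLE_INVENTORY):
        print("\t".join(row))
    print("draft ok:", prepublish_ok("draft", "Risk-free treatment, FDA approved."))
```

On the sample data the low-traffic ad landing page sorts to the top, the "about" page produces nothing because its "results vary" line satisfies the contextual testimonial rule, and the draft with "risk-free" and "FDA approved" fails the gate. The violation-map tuples are the rows of the spreadsheet Step 3 describes; add columns for reviewer and decision when you hand it to the clinical lead.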

Step 5 - Archive retirement and audit trail

Two things remain after the rewrite pass.

Archive retirement

Pages, posts, and ads that were written under an older compliance standard and cannot be rewritten compliantly get retired - not hidden. For a website page that means 301-redirecting it to the most relevant compliant page, so any link equity is preserved and the old URL stops serving violative content. For a social post, delete it; do not archive it. Neither step removes copies already captured by archive.org or screenshotted by a regulator, so record the retirement date in the audit log: the date you stopped serving the content is what you will be asked to prove.

Audit trail

Every change you made in the audit - what was flagged, what was rewritten, what was retired, by whom, and when - goes into a centralized audit log. If a warning letter arrives nine months from now, this is the file that turns a 15-business-day panic into a 15-business-day administrative task.

The audit is not the compliance program. The audit trail is the compliance program.
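An audit log only helps in a warning-letter response if you can show it was not edited after the fact. The following is an added example, not part of this article's framework or any vendor's product: an append-only log with the fields the article lists (surface, action, category, before/after text, who, when), with each entry carrying a SHA-256 hash over the previous entry's hash and its own contents so that any later edit, insertion or deletion breaks the chain. The hash chaining is this example's addition; the field names are assumptions chosen to match the article's list.

```python
"""Hash-chained audit log for compliance changes (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous hash plus a canonical JSON form of the record (without its own hash)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(log: list[dict], *, surface: str, action: str, category: str,
                 before: str, after: str, actor: str) -> dict:
    """Append one flagged/rewritten/retired event; action is e.g. 'rewrite' or 'retire-301'."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "surface": surface, "action": action, "category": category,
        "before": before, "after": after, "actor": actor, "prev": prev,
    }
    record["hash"] = _entry_hash(prev, record)  # covers every field, including prev
    log.append(record)
    return record


def verify_chain(log: list[dict]) -> bool:
    """True only if every entry links to its predecessor and none has been altered."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _entry_hash(prev, body) != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


def save_jsonl(path: str, log: list[dict]) -> None:
    """Persist as one JSON object per line; re-run verify_chain after loading."""
    with open(path, "w", encoding="utf-8") as fh:
        for rec in log:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")


def load_jsonl(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


# Constructed sample run: three events from a hypothetical audit sprint.
def demo_log() -> list[dict]:
    log: list[dict] = []
    append_entry(log, surface="https://clinic.example/stem-cell-knees", action="rewrite",
                 category="disease_claim", before="cures knee arthritis",
                 after="may help support joint comfort", actor="office-manager")
    append_entry(log, surface="https://clinic.example/stem-cell-knees", action="rewrite",
                 category="fda_status", before="FDA-approved protocol",
                 after="protocol uses an FDA-registered device", actor="office-manager")
    append_entry(log, surface="https://clinic.example/promo-2023", action="retire-301",
                 category="guarantee", before="Guaranteed results",
                 after="-> https://clinic.example/stem-cell-knees", actor="vendor")
    return log


if __name__ == "__main__":
    entries = demo_log()
    print("chain valid:", verify_chain(entries))
    entries[1]["after"] = "FDA-approved protocol"  # simulate a later quiet edit
    print("chain valid after tamper:", verify_chain(entries))
```

Keep the JSONL file somewhere the marketing team cannot overwrite in place (a write-once bucket or a repository with protected history), and re-verify the chain before you hand the file to counsel. The chain proves internal consistency, not the wall-clock time; if you need a third party to vouch for the dates, commit the head hash to an external system you do not control.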

How often to run this

  • Full audit: every six months, minimum. Every quarter for higher-risk specialties (regen med, stem cell, GLP-1 weight loss).
  • Pre-publish scan: every new piece of outward-facing content. No exceptions.
  • Rule refresh: your compliance ruleset should pick up new FDA/FTC language within 24 hours. Quarterly manual refresh is too slow.
  • Archive sweep: once a year. Check Wayback, check old-but-still-indexed pages, remove or redirect what no longer meets standards.

Who on the team does what

For most clinics, the cleanest role split is:

  • Clinical lead (MD/owner): signs off on rewrites touching disease language or testimonials. Not in the weeds of the audit.
  • Marketing lead or office manager: runs the inventory, the scan, and the rewrites. Coordinates with vendor if you have one.
  • Vendor (if any): runs the technical side - redirects, sitemap updates, CMS edits. Does not make compliance calls on copy.
  • Compliance scanner: does the claim-category classification and produces the violation map. Runs pre-publish on every new piece of content thereafter.

Built for this exact problem

Scan your clinic's content before regulators do.

RegenCompliance checks every word of your marketing against live FDA and FTC enforcement data - and rewrites violations automatically. A 30-second scan can save a $50,000–$5M regulatory response.
