Patient Testimonial Marketing: How to Stay Compliant and Still Build Trust

The patient who is willing to talk publicly about their experience with your practice is the most persuasive asset you will ever have. Capturing that asset without creating risk is a discipline most practices have not built.

There is a particular kind of marketing asset that no advertising agency can manufacture. A real patient, speaking in their own words, about their experience with a medical practice. The credibility of that voice is greater than any ad copy, any campaign, any branded content. It is the closest thing healthcare marketing has to a force multiplier.

It is also the asset most likely to be deployed in ways that create compliance issues. Patient testimonials sit at the intersection of HIPAA, state medical advertising rules, and the Federal Trade Commission’s endorsement guidelines. Each of those layers has independent requirements, and the agency or practice that focuses on only one of them will produce content that passes one test and fails another.

The good news is that compliant testimonial marketing is entirely achievable. It just requires a more deliberate process than most practices currently use.

The Three Compliance Layers

Testimonials touch three regulatory frameworks simultaneously, and effective testimonial programs address all three.

The HIPAA layer governs whether the patient’s information can be shared at all. A testimonial inherently reveals that the speaker is a patient of the practice, which is itself PHI. Sharing it requires the patient’s specific, informed authorization in writing, distinct from any general consent the patient signed for treatment.

The state medical advertising layer governs what claims the testimonial can make about clinical outcomes. Most states have rules prohibiting medical advertising that creates unjustified expectations, misrepresents the experience of typical patients, or implies guarantees of results. A testimonial that exceeds these limits exposes the practice regardless of how genuine the patient’s experience was.

The FTC layer governs disclosure of any material connection between the patient and the practice. If the patient received any compensation, free service, discount, or other consideration in exchange for the testimonial, that connection must be disclosed in the testimonial itself, in language clear enough that a reasonable viewer would notice it.

All three layers apply simultaneously. A testimonial that handles HIPAA cleanly but ignores FTC disclosure is non-compliant. A testimonial that meets state advertising rules but lacks HIPAA authorization is non-compliant. The work is meeting all three layers, not picking one.

HIPAA Authorization Done Properly

The HIPAA authorization for use of a testimonial is not a general consent. It is a specific, written authorization that meets HIPAA’s regulatory requirements for what such an authorization must contain.

At minimum, the authorization must describe the specific information being authorized for release — including the fact that the patient is a patient of the practice, any clinical context the testimonial includes, and any visual or audio identifiers that will be used. It must specify who is authorized to receive and use the information, including any agencies, ad platforms, or third parties that will handle it. It must state the purpose of the use — marketing, advertising, public communications. It must include an expiration date or event. It must inform the patient of their right to revoke the authorization in writing.

Generic media release forms borrowed from non-healthcare contexts do not meet these requirements. Practices using a generic release for testimonial collection are operating with authorization that may not be valid under HIPAA. The authorization needs to be drafted with HIPAA’s specific requirements in mind.

What Patients Should and Should Not Say

Even with proper authorization, the content of the testimonial itself is governed by state advertising rules. A few principles help keep testimonials within those rules.

Testimonials should reflect the patient’s actual experience and should not be edited in ways that misrepresent that experience. Selecting which testimonials to publish is acceptable; editing a testimonial to make a moderately positive experience sound stronger than it was is not.

Testimonials should not claim outcomes that are atypical without clear disclosure. “Results may vary” language is not a magic spell — its placement, prominence, and clarity matter — but it is part of the standard pattern for testimonials that describe favorable outcomes.

Testimonials should avoid language that implies guarantees. “This procedure changed my life” describes one person’s experience and is generally acceptable. “Anyone who has this procedure will have their life changed” generalizes to a guarantee and is not.

Some states have specific additional rules — for example, around testimonials from specific provider relationships, around dollar-amount references to costs, or around clinical outcome language in particular specialties. Practices operating in multiple states need to consider the strictest applicable rules.

Disclosure Requirements

The FTC’s requirements on testimonials and endorsements have two main components.

Material connections must be disclosed. If the patient received anything of value in exchange for the testimonial — free services, discounts, fees, gift cards, or even non-monetary consideration like a featured social media spotlight that has value to them — that connection must be disclosed. The disclosure must be in the testimonial itself, in language clear enough that a typical viewer would notice it, in close proximity to the testimonial content.

Typical outcomes must be addressed. If the testimonial describes a result, the practice should be able to substantiate either that the result is typical or that the language used makes clear it is one individual’s experience. Generic disclaimer language is less effective than testimonial-specific framing.

The standard for what counts as clear-and-conspicuous disclosure has tightened in recent FTC guidance. A disclosure buried in fine print at the bottom of a page is generally not sufficient. A disclosure within the testimonial itself or immediately adjacent to it is the safer pattern.

Where Testimonials Should and Should Not Appear

Once a properly authorized, compliant testimonial exists, the question of where to use it has its own considerations.

Testimonials on the practice’s own website, in patient-facing content, and in marketing materials the practice controls are the most straightforward. The authorization typically covers these uses, and the practice can ensure proper disclosure language travels with the testimonial wherever it appears.

Testimonials in paid advertising introduce platform-specific considerations. Google’s ad policies, Meta’s ad policies, and other platform policies have specific rules about healthcare testimonials, before-and-after imagery, and outcome claims. A testimonial that is compliant from a HIPAA and FTC perspective may still be rejected by an ad platform for policy reasons.

Testimonials shared by third parties — repurposed by patients on their own social media, featured by reviewers, or included in news coverage — are outside the practice’s direct control and need to be approached differently. The practice’s authorization may not extend to those uses, and the practice’s marketing should not embed third-party testimonials in ways that imply formal endorsement without separate authorization.

The Process That Works

Practices that build sustainable testimonial programs typically follow a recognizable process.

Patients who indicate satisfaction at post-visit moments are systematically asked whether they would be willing to share their experience. This is asked separately from any clinical communication and framed clearly as an optional marketing activity.

Patients who say yes are walked through a proper authorization process, including review of what they are authorizing, how their information will be used, who will see it, and their right to revoke the authorization. The conversation is documented.

The testimonial is collected in a controlled environment — written, recorded, or filmed — and the practice retains the original. Edits are minimal and do not change the substance of what the patient said.

The published testimonial includes appropriate disclosure language, is reviewed against state advertising rules before use, and is associated with documentation of the authorization. The authorization documentation is stored in a way that allows the practice to demonstrate, if asked, that the testimonial was properly obtained.

Programs run this way tend to produce fewer testimonials than programs that skip the process — but the testimonials they produce are usable across years of marketing without exposure. The discipline is the value.
