Social media is the highest-velocity marketing surface in most healthcare practices and the one that typically gets the least compliance review before publish. It’s also disproportionately where FTC and FDA enforcement actually starts - the Wellbeing Corporation settlement cited a single Instagram post; the FDA regularly cites social media content in warning letters. If you haven’t audited your practice’s social media presence for compliance, this post walks through the framework to do it in a week.
Step 1 - Inventory every account
Most clinic owners underestimate the number of social accounts in scope. A typical med spa with a physician owner and three nurse injectors can easily have 8-12 distinct accounts that the FDA or FTC would consider part of the practice’s marketing surface.
Accounts in scope
- Practice accounts. Official Instagram, TikTok, Facebook, YouTube, LinkedIn, Twitter/X accounts for the practice.
- Physician personal accounts. If the physician discusses the practice, its treatments, or patient outcomes anywhere, the account is in scope. “Personal account” does not mean exempt.
- Nurse injector and provider accounts. Same rule - if practice-related content appears, it’s part of the marketing surface.
- Front desk and marketing staff accounts. Often overlooked, but these sometimes include practice content.
- Patient-facing communication accounts. Direct message accounts, appointment-booking chat systems, any account used for patient outreach.
Step 2 - Pull content export or screenshot history
Before scanning, you need to have the content accessible. Different platforms have different export capabilities:
Platform-specific export options
- Instagram. Meta’s data download includes posts, stories, and DMs. Third-party tools can extract caption + image data in reviewable format.
- TikTok. Similar data download available. For caption and voiceover text, third-party transcription tools help.
- Facebook. Meta’s data download covers pages and personal accounts.
- YouTube. Google Takeout provides video and caption data; transcripts can be pulled from the platform.
- LinkedIn. Data export available; less frequently an issue unless the practice uses LinkedIn for consumer marketing.
Scope: how far back to audit
For practical purposes, 12-24 months covers most active enforcement risk. Older content that’s no longer prominent can be prioritized after newer content. Content that appears in archives or highlights stays in scope regardless of age.
Step 3 - Scan for specific claim categories
Scanning without a structured rule set misses categories of issues consistently. Use a specific list of claim categories rather than ad-hoc review.
Claim categories to scan for
- Disease-treatment claims. Any phrasing that says or implies a treatment addresses a named disease or condition.
- FDA-approved misuse. “FDA-approved” applied to products that are FDA-cleared, FDA-registered, or operating under the 361 pathway.
- Safety absolutes. “No side effects,” “completely safe,” “risk-free.”
- Outcome guarantees. “Guaranteed results,” “money-back guarantee on outcomes,” similar.
- Typical-experience gaps. Outcome claims without typical-experience disclosure, particularly in before/after content and weight-loss testimonials.
- Material-connection gaps. Endorsements without FTC-compliant disclosure of paid relationships or other material connections.
- Brand-name advertising issues. Prescription drug brand names in promotional contexts, off-label indication promotion, etc.
- Substantiation issues. “Clinically proven,” “proven to work,” without the specific evidence cited.
- Superlative claims. “Best,” “top,” “most effective” without substantiation.
Step 4 - Triage by reach and risk
Not all flagged content is equally urgent. The priority framework is reach times risk:
Risk levels
- HIGH risk. Disease-treatment claims, FDA-approved misuse, cancer or serious-condition claims, undisclosed celebrity endorsements.
- MEDIUM risk. Safety absolutes, typical-experience gaps, brand-name issues, superlative claims.
- LOW risk. Missing disclosures on lower-stakes content, minor substantiation issues.
Reach proxy
For each flagged piece of content, use impression count or engagement as a reach proxy. A HIGH-risk post with 50,000 impressions is more urgent than a HIGH-risk post with 200 impressions - though both need fixing.
Triage output
Produce a ranked list: highest reach × highest risk first. This list is what the correction team works through in sequence. Without this triage, teams often fix easy issues first and run out of energy before addressing the highest-impact ones.
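As an added example (not code from the original post), the scanner below implements Steps 3 and 4 together: a structured rule set for the claim categories, an absence check for disclosure gaps, and a reach-times-risk ranking. The regex patterns, the numeric risk weights, the LOW band assumed for non-celebrity material-connection gaps, and the sample captions with their ids and reach figures are all constructed for illustration; a practice would replace them with its own rule set and its platform export.

```python
import re
from dataclasses import dataclass

# Numeric weights for the HIGH/MEDIUM/LOW bands of Step 4. The bands come from
# the audit framework; the specific weights are an assumption of this example.
RISK_WEIGHT = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# "Presence" rules: the claim category is flagged when any pattern appears.
# Patterns are illustrative starting points, not an exhaustive rule set.
PRESENCE_RULES = [
    ("disease_treatment", "HIGH",
     [r"\b(treat|cure|heal|reverse)s?\b[^.!?]{0,40}\b(diabetes|arthritis|cancer|depression|alzheimer)"]),
    # Every "FDA-approved" is flagged; a reviewer confirms the product's real status
    ("fda_approved_misuse", "HIGH", [r"\bFDA[- ]approved\b"]),
    ("safety_absolute", "MEDIUM",
     [r"\bno side effects\b", r"\bcompletely safe\b", r"\brisk[- ]free\b"]),
    ("superlative", "MEDIUM", [r"\b(best|top|most effective)\b"]),
    ("substantiation", "LOW", [r"\bclinically proven\b", r"\bproven to work\b"]),
]

# "Gap" rules: flagged when a trigger appears and none of the required
# disclosures appears anywhere in the same caption.
GAP_RULES = [
    ("typical_experience_gap", "MEDIUM",
     [r"\bbefore (and|&) after\b", r"\blost \d+ ?(lbs|pounds|kg)\b", r"\bin \d+ weeks?\b"],
     [r"\bresults (may|will) vary\b", r"\bnot typical\b"]),
    # Assumed LOW (non-celebrity); undisclosed celebrity endorsements are HIGH
    # and need a human to recognise the endorser, so escalate those manually.
    ("material_connection_gap", "LOW",
     [r"\b(ambassador|partnered with|gifted|sponsored by)\b"],
     [r"#ad\b", r"#sponsored\b", r"\bpaid partnership\b"]),
]


@dataclass
class Finding:
    post_id: str
    category: str
    risk: str
    evidence: str  # the matched text, so the reviewer can see why it was flagged


def first_match(patterns, text):
    """Return the first regex match from `patterns` in `text`, or None."""
    for pat in patterns:
        m = re.search(pat, text, re.IGNORECASE)
        if m:
            return m
    return None


def scan_post(post_id, text):
    """Step 3: run the structured rule set over one caption or transcript."""
    findings = []
    for category, risk, patterns in PRESENCE_RULES:
        m = first_match(patterns, text)
        if m:
            findings.append(Finding(post_id, category, risk, m.group(0)))
    for category, risk, triggers, disclosures in GAP_RULES:
        m = first_match(triggers, text)
        if m and first_match(disclosures, text) is None:
            findings.append(Finding(post_id, category, risk, m.group(0)))
    return findings


def triage(posts):
    """Step 4: rank flagged posts by reach x risk, highest first.

    `posts` is a list of dicts with keys id, reach (impressions or engagement
    as the reach proxy) and text. Posts with no findings are dropped.
    """
    ranked = []
    for post in posts:
        findings = scan_post(post["id"], post["text"])
        if not findings:
            continue
        top_risk = max(findings, key=lambda f: RISK_WEIGHT[f.risk]).risk
        ranked.append({
            "id": post["id"],
            "reach": post["reach"],
            "risk": top_risk,
            "score": post["reach"] * RISK_WEIGHT[top_risk],
            "categories": sorted({f.category for f in findings}),
            "evidence": [f.evidence for f in findings],
        })
    # Highest score first; ties broken by risk band, then by id for stable output
    ranked.sort(key=lambda r: (-r["score"], -RISK_WEIGHT[r["risk"]], r["id"]))
    return ranked


# Constructed sample captions with made-up ids and reach figures (not real posts)
SAMPLE_POSTS = [
    {"id": "ig-001", "reach": 50000,
     "text": "Our new laser treatment is FDA-approved and completely safe - no side effects! Book today."},
    {"id": "ig-002", "reach": 12000,
     "text": "Before and after: one client lost 30 lbs in 8 weeks on our program!"},
    {"id": "tt-003", "reach": 200,
     "text": "This treatment cures arthritis pain for good. DM us!"},
    {"id": "ig-004", "reach": 3000,
     "text": "Loved my glow facial at the spa today! Results may vary. #ad"},
    {"id": "fb-005", "reach": 800,
     "text": "The best med spa in town with clinically proven results."},
    {"id": "ig-006", "reach": 5000,
     "text": "Our brand ambassador Jane swears by our glow facial."},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_POSTS):
        print(f'{row["score"]:>7} {row["risk"]:<6} {row["id"]} {row["categories"]} {row["evidence"]}')
```

Run as-is, the ranked list puts the 50,000-impression FDA-approved/safety post first and the 200-impression disease-treatment claim last, which is exactly what a pure reach-times-risk product produces; a practice that wants every HIGH item handled before any MEDIUM one can sort on (risk band, reach) instead. The `evidence` field is what the reviewer looks at before choosing edit, add disclosure, or delete, and the same `scan_post` call is the "30-second scanner review" that can sit in the pre-publish workflow.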
Step 5 - Correct or retire content
For each flagged piece, there are three options: edit, add disclosure, or delete.
Edit
When the underlying content is worth preserving but the specific claim needs to change, edit the caption, replace the offending phrase with a compliant alternative, and update. Most HIGH-risk claims can be edited to compliant alternatives without losing the marketing message.
Add disclosure
For typical-experience gaps, material-connection issues, and some substantiation issues, adding proper disclosure is often sufficient - provided the disclosure is clear and conspicuous (not in fine print, not linked elsewhere).
Delete
Sometimes the content is fundamentally non-compliant and cannot be salvaged. Disease-treatment testimonials, celebrity endorsements without proper disclosure for which you can’t add disclosure retroactively, or content making cancer-related claims should typically be deleted rather than edited.
Document every change
Maintain a log: post URL, original content (screenshot), action taken, date, responsible staff. This documentation is valuable both for ongoing compliance records and as evidence of good-faith compliance in any future regulatory interaction.
Step 6 - Update the publish process
The audit is temporary. The publish process is permanent. If you don’t change how new content enters the social surface, the same categories of issues will reappear within months.
Pre-publish compliance check
Implement a step in your social media publishing workflow where each piece of content is checked against the same rule set you just used for the audit. This can be a 30-second scanner review, a checklist review by the marketing manager, or a combination.
Staff training
Train every staffer who creates or approves social content on the claim categories and the specific patterns that got flagged in your audit. Training should be documented (dates, topics, attendees).
Archive management
Highlights and pinned posts stay public long after the original post date. Include them in recurring audits and in any archival strategy.
Physician and staff account policy
Create clear written guidelines for what physicians and staff can and cannot post about practice treatments on personal accounts. Many practices solve this by saying “no practice-related content on personal accounts” - which is clear, enforceable, and eliminates an entire class of compliance risk.
Platform-specific notes
Instagram
Highlights, Reels, and Stories each have their own compliance considerations. Highlights stick around as permanent content; Reels often get higher reach than feed posts; Stories expire but can be captured by screenshot.
TikTok
Audio transcripts matter for compliance review, not just captions. The FTC reads video content including voiceover and on-screen text. Short-form video ads face the highest enforcement attention.
Facebook
Boost-promoted posts carry the same compliance weight as paid ads. Review boosted posts with the same rigor as formal ad campaigns. Also review user-generated content on your page where you’ve interacted (engagement can be construed as endorsement).
YouTube
Video descriptions and transcripts both count. YouTube ads require the same compliance rigor as other video ad platforms. Live-stream content should be treated like any other marketing content once recorded.
LinkedIn
Business-to-business healthcare content (e.g., speaking to other physicians or practice owners) has different considerations than consumer marketing, but practice LinkedIn pages that reach consumers still need compliance review.
Frequently asked questions
How long does a first-time audit take?
For a typical med spa or aesthetic practice with 12 months of content across 5-10 accounts, a first-time audit runs a week with automation or 2-3 weeks fully manual. Subsequent audits take significantly less time because most of the historical content has been cleaned up.
Can I do this in-house or do I need an agency?
In-house with the right tools and someone willing to learn the rules. An agency specializing in healthcare marketing compliance can accelerate the work but is typically cost-effective only for larger practices or practices with extensive historical content.
What if I find content that’s clearly been a violation for years?
Correct it quickly. The length of time a violation has been up doesn’t increase your liability for subsequent correction - but continuing the violation after awareness definitely does. Silent, prompt correction is the right approach for most historical issues.
Do I need to disclose the audit publicly?
No. Compliance audits are standard business practice and don’t require public disclosure. Visible “retroactively corrected” notices are not required and generally not recommended.
What about deleted content that’s archived elsewhere?
Third-party archives (Wayback Machine, platform data exports requested by others, screenshots in news coverage) are beyond your control. Your responsibility is compliance on the surfaces you control. Deleted content that’s been archived elsewhere is not ongoing advertising from your practice.
How often should audits recur?
Quarterly for most practices. Faster for high-volume social publishing. A comprehensive annual audit plus quarterly check-ins is the cadence that balances rigor and practicality.