Patient Testimonials and Consent: The Complete Compliance Guide

Patient testimonials are powerful marketing - when done right. Done wrong, they violate HIPAA, FTC rules, and state regulations. Here's how to collect, document, and use patient stories compliantly.

Decabrand Team | 9 min read
Nothing builds trust like a real patient describing their real experience. Testimonials convert prospects in ways that practice claims never can.

But patient testimonials involve using protected health information for marketing - one of the most regulated activities in healthcare. Get the consent wrong, and you've violated HIPAA. Misrepresent the testimonial, and you've violated FTC rules. Fail to meet state requirements, and you've violated professional regulations.

This guide covers how to collect, document, and use patient testimonials while staying compliant.

Why Consent Matters

Patient testimonials require explicit authorization for multiple reasons.

HIPAA Requirements

Using patient health information for marketing requires written authorization under HIPAA. A testimonial necessarily reveals:

  • That the person is/was your patient
  • What treatment they received
  • Their health status and outcomes

All of this is protected health information (PHI).

FTC Requirements

The Federal Trade Commission requires:

  • Testimonials reflect typical results
  • Material connections are disclosed
  • Claims are truthful and substantiated

State Medical Board Rules

Many state boards have additional requirements:

  • Disclosure that results may vary
  • Prohibition on misleading testimonials
  • Specific format or content requirements

Professional Ethics

Beyond legal requirements, ethical considerations include:

  • Patients truly understanding how their story will be used
  • No coercion or inappropriate pressure
  • Protecting patient dignity and privacy

The Authorization Form

A proper authorization form is essential.

Required HIPAA Elements

HIPAA requires specific elements for marketing authorization:

1. Description of information: Specifically describe what information will be used.

  • Name and/or image
  • Treatment received
  • Health condition
  • Outcome information

2. Purpose: Clear statement that information is for marketing/promotional purposes.

3. Recipients: Who will receive/see the information.

  • Your practice
  • Marketing vendors
  • Specific platforms (website, social media)
  • General public

4. Expiration: When authorization expires.

  • Specific date
  • Specific event
  • "Until revoked" (if permitted in your state)

5. Right to revoke: Clear statement that patient can revoke at any time, and how.

6. No conditioning: Statement that treatment is not conditioned on signing.

7. Signature and date: Patient signature with date.

Beyond HIPAA Minimums

Additional elements for comprehensive protection:

Scope clarity:

  • Specific uses permitted (website, social media, print, video)
  • Whether editing/excerpting is permitted
  • Whether images will be used
  • Whether video will be used

FTC compliance:

  • Acknowledgment of any compensation
  • Statement about results representativeness
  • Disclosure of material connection if applicable

Media release: If photography or video:

  • Separate media release
  • Specific format permissions
  • Editing acknowledgment

Review opportunity:

  • Option to see testimonial before use
  • Approval process for final content

Sample Authorization Language

Key provisions should include:

"I authorize [Practice Name] to use my name, image, likeness,
and the following health information for marketing and
promotional purposes:

[Checkbox list of specific information]

I understand this information may be used on:
[Checkbox list: website, social media, print materials, video, etc.]

I understand that:
- I may revoke this authorization at any time in writing
- Revocation will not affect uses that occurred before revocation
- Treatment is not conditioned on signing this authorization
- Information disclosed may be re-disclosed and no longer protected

This authorization expires on [date] or until revoked in writing.

[Signature, printed name, date]"

Work with healthcare attorneys to develop forms specific to your practice and state.

Collecting Testimonials Compliantly

How you ask matters as much as the form.

Timing

Appropriate timing:

  • After successful treatment completion
  • After patient expresses satisfaction
  • During follow-up when relationship is established
  • When patient has time to consider

Inappropriate timing:

  • During active treatment (pressure concern)
  • When patient is distressed
  • Immediately after procedure (capacity concern)
  • When any sense of coercion exists

Who Asks

Best practices:

  • Non-clinical staff (reduces pressure dynamic)
  • Clear separation from care relationship
  • No suggestion treatment depends on participation
  • Time to consider without immediate pressure

How to Ask

Appropriate approach: "We love sharing patient experiences with people considering similar treatments. Would you be interested in sharing your story? There's absolutely no pressure, and it has no effect on your care."

Inappropriate approach: "Dr. Smith wanted me to ask you to write a testimonial." "We really need more testimonials - can you help?"

What to Explain

Patients should understand:

  • Exactly how their testimonial will be used
  • What information will be shared
  • Who will see it
  • That they can decline without consequence
  • That they can revoke later

Specific Testimonial Types

Different formats have different requirements.

Written Testimonials

Consent requirements:

  • Written authorization
  • Clear scope of use
  • Permission to excerpt/edit (if applicable)

Documentation:

  • Original signed form
  • Copy of testimonial as submitted
  • Copy of testimonial as used
  • Any correspondence

Video Testimonials

Additional requirements:

  • Specific video consent (often separate)
  • Understanding video may be edited
  • Permission for various platforms
  • Clear release of likeness

Production considerations:

  • Professional setting (not clinical areas with other patients)
  • Consent reviewed on camera (optional but protective)
  • Final approval process recommended

Before/After Photos

Specific requirements:

  • Detailed photo release
  • Understanding photos may be published
  • Permission for specific uses
  • Agreement to conditions (lighting, etc.)

See separate article on before/after photo compliance.

Social Media Testimonials

Platform considerations:

  • Patient understanding of platform reach
  • Understanding of comment/sharing potential
  • Consideration of tagging and identification

Content control:

  • Patient-posted testimonials are their choice
  • Practice-posted requires authorization
  • Practice cannot direct patient posts without disclosure

FTC Compliance for Testimonials

FTC rules add requirements beyond HIPAA.

Typical Results Requirement

Testimonials must represent typical results.

Requirements:

  • If testimonial describes exceptional results, must disclose
  • "Results may vary" alone is insufficient
  • Must indicate what typical results are

Example: Patient lost 50 pounds. If typical loss is 15-20 pounds, testimonial should note: "This patient's results exceeded typical results of 15-20 pounds."

Material Connection Disclosure

Any material connection must be disclosed.

Material connections:

  • Payment for testimonial
  • Free or discounted services
  • Family or employee relationship
  • Gifts or incentives

Disclosure requirement: Clear, conspicuous disclosure of relationship.

"Patient received a discount on services for participating in this testimonial."

Substantiation

Claims in testimonials must be truthful and substantiable.

Your responsibility:

  • Don't publish claims you can't support
  • Edit or decline testimonials with false claims
  • Don't enhance or exaggerate

Managing Testimonial Use

Ongoing management of testimonials requires systems.

Documentation Systems

Maintain records of:

  • Original authorization forms
  • Copies of testimonials as received
  • Final versions as used
  • Where each testimonial is used
  • Any revocations

Tracking Use

Know where testimonials appear:

  • Website locations
  • Social media posts
  • Print materials
  • Video distribution
  • Third-party sites

Handling Revocations

Patients can revoke authorization at any time.

Revocation process:

  • Accept revocation in any written form
  • Remove testimonial from all controlled locations
  • Document removal
  • Acknowledge that the testimonial cannot be removed from places where it has already been distributed

Timeline: Remove promptly - 30 days maximum for online properties.

Regular Review

Periodic audit:

  • Are all testimonials currently authorized?
  • Have any patients requested removal?
  • Are testimonials still representative?
  • Have FTC requirements changed?

State-Specific Considerations

Some states have additional testimonial requirements.

States with Specific Rules

Examples:

New York: Specific requirements for professional advertising testimonials.

California: Consumer protection requirements affecting testimonial use.

Florida: Medical advertising regulations with testimonial provisions.

Texas: Board rules on patient testimonials in advertising.

Common State Requirements

Disclosure requirements:

  • Results may vary
  • No guarantee of results
  • Patient was not compensated (or disclosure if they were)

Prohibition patterns:

  • Testimonials implying guarantees
  • Misleading testimonials
  • Testimonials from non-patients

Check your specific state board rules.

When Testimonials Go Wrong

Problems and how to handle them.

Patient Wants Removal

Response:

  • Honor revocation requests promptly
  • Remove from all controlled properties
  • Document the removal
  • Cannot remove from third-party sites or distributed materials

Testimonial Becomes Inaccurate

Example: Patient's condition changed; testimonial no longer reflects current state.

Response:

  • Consider whether continued use is appropriate
  • Update or remove if misleading
  • Contact patient if appropriate

Competitor or Regulatory Complaint

Response:

  • Preserve all documentation
  • Review authorization validity
  • Consult legal counsel
  • Respond appropriately to inquiries

Patient Relationship Deteriorates

Example: Patient who provided testimonial later becomes unhappy.

Consideration:

  • Is continued use appropriate?
  • Risk of hostile patient with visible testimonial
  • Whether removal is warranted regardless of authorization

The Bottom Line

Patient testimonials are valuable marketing assets - but they're assets built on patient trust and regulated by multiple frameworks. Proper consent protects both patients and practices.

Invest in proper authorization forms. Train staff on appropriate collection. Document everything. Monitor where testimonials appear. Honor revocations promptly.

Done right, testimonials build trust and drive growth. Done wrong, they create liability and damage relationships.

The extra effort for compliance is always worth it.

This article provides general information about testimonial consent in healthcare. It is not legal advice. Consult qualified healthcare attorneys to develop authorization forms and processes specific to your practice and jurisdiction.
