Telehealth advertising compliance: the seven patterns every referee keeps flagging

On February 20, 2026, the FDA issued warning letters to thirty telehealth companies in a single day. When it announced them two weeks later, it reduced all thirty to two violations: claiming a compounded drug is the same as the brand, and making the telehealth company look like the compounder. That is what enforcement in this category actually looks like. Not fog. A list. Four referees, seven repeating patterns, every one of them quoted in a public document you can read this afternoon.

This page is that list, with the exact language that triggered each one, and a tool at the bottom that reads your own copy against it.

Who can actually take your ads down?

Four different bodies can stop a telehealth ad, and founders routinely treat them as one problem. They are not. They judge different things, they can do different things to you, and they move on different clocks.

The platform judges your creative against its own written standards and rejects the ad. This is the fastest referee and the least consequential one. A rejection costs you a campaign. It is also the only one that gives you same-day feedback, which is why teams over-index on it and mistake "the ad ran" for "the ad is defensible."

The FDA judges whether your product claims are false or misleading, and it writes a warning letter. The letter is public, permanent, and indexed. It is not itself a fine. The letters sent in February gave companies fifteen working days to respond in writing.

The FTC judges whether your claims were substantiated before you made them, and whether your privacy promises match your data practice. It brings orders and civil penalties. GoodRx paid $1.5 million. BetterHelp paid $7.8 million.

The state is new, and it judges what your AI sounds like. As of 2026 several states regulate whether software may imply it is a licensed human. Texas attaches penalties up to $200,000 for an uncurable violation.

The clocks matter. A platform rejection is an afternoon. A warning letter is a quarter. An FTC order can follow you for twenty years. If your compliance process only optimizes for the fastest referee, you are grading your own homework against the easiest marker.

This is worth understanding before you write another ad: the platform and the regulator fail the same ad for different reasons, and passing one tells you almost nothing about the other.

This is strategic guidance from a physician-operator, not legal advice. Your regulatory counsel makes the final call.

What did the FDA's thirty letters actually say?

The letters went out on February 20, 2026. The FDA announced them on March 3. Both dates are real and they are not interchangeable, which is the first small lesson in reading enforcement: the record is precise, and so should you be.

In its announcement, the FDA named the primary violations plainly: "making claims implying sameness with FDA-approved products and obscuring product sourcing by advertising drug products branded with the telehealth firm's name or trademark without qualification, implying they are the compounder."

Two patterns. Thirty companies. One day.

Pattern one is sameness. The FDA's letter to Better Health Labs, doing business as Measured, quotes the company's own site back at it:

"Measured offers compounded GLP-1 treatments made with the same active ingredients found in Wegovy®, Ozempic®, Zepbound®, and Mounjaro®."

And the shorter version, which appeared as a headline: "Same active ingredient in Ozempic and Wegovy."

The FDA's reasoning is worth reading in full, because it explains why this is not a technicality: "Compounded drug products are not FDA-approved. Your claims imply that your products have been FDA-approved or otherwise evaluated for safety and effectiveness when they have not."

That is the trap. Borrowed brand trust is the fastest conversion lever in this category, and it is the violation. The same sentence does both jobs.

Pattern two is hidden source. The letter to Ivim Services cites something a marketer would never think of as a claim at all. Not the copy. The product photo.

"The compounded semaglutide and tirzepatide products displayed on your website identify 'Ivim' on the pictured label, suggesting Ivim is the compounder of those drugs when in fact it is not."

Putting your own logo on the vial is a representation. The regulation the FDA cites says so directly: the appearance of a name on a drug label, without qualification, represents that the named party made the drug.

Note what Ivim was not cited for. There is no sameness claim in its letter. One company, one pattern. The record is specific, and a tool that treats every letter as saying the same thing is a tool that will lie to you.

If you want to see how the flagged copy gets rewritten rather than just flagged, we took six of the FDA-flagged GLP-1 ads apart line by line.

This was not an isolated wave. The FDA's own announcement puts it in context: "Over the past six months, the agency has sent thousands of letters warning pharmaceutical and telehealth firms to remove misleading ads, more than had been sent over the entire preceding decade." For scale, the agency notes that warning letters to pharmaceutical companies had fallen to one in 2023 and zero in 2024.

The enforcement gap you may have built your growth model inside of has closed.

What does the FTC flag that the FDA doesn't?

The FDA reads your product claims. The FTC reads your evidence, and it reads your privacy policy against your network traffic.

Pattern three: outcomes you cannot substantiate. The FTC's Health Products Compliance Guidance sets the bar before the ad runs, not after: "Before disseminating an ad, advertisers must have adequate substantiation for all objective product claims conveyed, expressly or by implication, to consumers acting reasonably."

What counts as adequate is higher than most growth teams assume. "As a general matter, substantiation of health-related benefits will need to be in the form of randomized, controlled human clinical testing."

And the line that ends most of the arguments teams have about this: "Anecdotal evidence about the individual experiences of consumers, including surveys of consumer experiences, are never sufficient to substantiate claims about the effects of a health product."

Never. Your testimonials are not evidence. They may be true, they may be moving, and they do not substantiate a health claim.

Pattern four: the privacy promise your pixel breaks. This one is invisible in your ad copy. It lives in your tag manager.

GoodRx promised privacy and shipped health data to advertising platforms. It "agreed to pay a $1.5 million civil penalty."

BetterHelp did the same and the FTC "finalized an order requiring online counseling service BetterHelp to pay $7.8 million." The specifics: it "disclosed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes despite promising consumers that it would only use or disclose personal health data for limited purposes."

Read that as an advertising failure, not an engineering one. Both companies wrote a promise in marketing copy that their growth stack did not keep. The ad was the liability. The pixel was just the proof.

You cannot see this pattern by reading your ads, which is exactly why it keeps happening. Worth knowing whether your pixel is disclosing something you never put in an ad.

Which state laws now reach your marketing?

The seventh pattern is the newest: AI that sounds like a licensed human.

California's AB 489, chaptered in October 2025, is direct about it. It prohibits any term or phrase in the advertising or functionality of an AI system that "indicates or implies that the care, advice, reports, or assessments being offered through the AI or GenAI technology is being provided by a natural person in possession of the appropriate license or certificate to practice as a health care professional."

And the part that changes the math: "Each use of a prohibited term, letter, or phrase shall constitute a separate violation."

Not one violation per bot. One per phrase.

Texas took effect January 1, 2026. Its disclosure rule reaches healthcare specifically: where an AI system "is used in relation to health care service or treatment, the provider of the service or treatment shall provide the disclosure" no later than the date treatment is first provided. The disclosure "must be clear and conspicuous," "must be written in plain language," and "may not use a dark pattern."

The penalties are not symbolic. An uncurable violation runs "not less than $80,000 and not more than $200,000."

Read the scope carefully rather than panicking. The Texas duty attaches to the provider of care, at the point of care. Whether a pre-visit marketing chatbot sits inside that definition is a question for your counsel, not for a blog post. What is settled is simpler and should be enough to make you look: your intake assistant's greeting is now copy with a statute attached, and it was almost certainly written by someone who thought they were writing UX.

The tone question underneath this one is real, and it is not only legal: what Texas and California now require your AI intake to sound like is also a question about what your brand sounds like at the moment the stakes change.

The seven patterns, with the language that triggered them

# Pattern Referee The language that triggered it
1 Sameness. The compounded product framed as the FDA-approved brand. FDA "Same active ingredient in Ozempic and Wegovy" (Measured, letter 721454)
2 Hidden source. Your brand on the vial, implying you compounded it. FDA Products "identify 'Ivim' on the pictured label, suggesting Ivim is the compounder of those drugs when in fact it is not" (letter 721816)
3 Outcomes without substantiation. Guarantees, numbers, "clinically proven" with no clinic. FTC Substantiation "will need to be in the form of randomized, controlled human clinical testing"
4 A privacy promise your data practice breaks. FTC BetterHelp disclosed health data "to Facebook, Snapchat, Criteo, and Pinterest... despite promising consumers" otherwise
5 Implied personal attributes. Copy that knows the reader's condition. Meta, Google Meta's personal-attributes ad standard prohibits asserting or implying a viewer's health condition
6 Prohibited creative. Before-and-after imagery, idealized-body pressure. Meta Meta's health and wellness ad standards
7 AI that sounds licensed. States Prohibited: implying care is "provided by a natural person in possession of the appropriate license" (CA AB 489)

Two honest notes about this table, because a list like this is only useful if you know where it is soft.

Patterns 5 and 6 are described, not quoted. Meta's policy pages render nothing to an automated reader, so I can tell you accurately what the standards prohibit and I will not put quotation marks around language I could not fetch. Everything else on this page is verbatim from a primary source.

And the count is a claim about this record, not about the universe. Every enforcement action cited here flags one of these seven. I am not telling you there is no eighth.

What I am telling you is that nothing on this list required a subpoena, an insider, or a lawyer's retainer. Every pattern above was published by the body that enforces it. The fog was optional.

What the flagged ad costs at the visit

From Pranay Parikh, MD:

An ad does not just start a funnel. It opens a debt.

The patient arrives at the visit expecting what the ad promised, and now someone has to pay that back. If I cannot, we both look bad, in different ways. The marketer looks bad for promising something the clinic cannot deliver. I look bad for not helping with the exact thing they came in for.

The patient does not separate those two failures. They came for a reason, they did not get it, and the last person in the room was a doctor. So what gets damaged is not just this brand. It is telehealth. They tell their friends the whole category is a bait and switch, and about the part they experienced, they are right.

That is what a claims review is actually protecting. Not the fine. The debt you cannot pay back at the visit.

How do you check your own copy against the list?

Three steps, and the first one takes about ninety seconds.

Run your live headlines and primary text through the checker below. It reads for the patterns above and shows you the enforcement language behind each flag. It runs in your browser. Your copy is not sent anywhere unless you choose to send it.

For anything it flags, fix the pattern rather than the phrase. Swapping one banned word for a synonym is how teams end up with a second warning letter. The rewrite is usually structural: name the care model instead of the brand, name the clinician instead of the outcome, let the disclosure travel in the same breath as the ingredient. The before-and-after teardowns show the rewrite, not just the rule.

For the two patterns no text tool can read, go look. Your pixel and your imagery are invisible to any checker that only sees words. So is what your intake bot says on turn four.

Run your copy against the seven patterns

Paste a headline and primary text. This runs in your browser. Your copy is not sent anywhere unless you choose to send it. Rule set: 2026-07

0 / 2000
What this cannot see. It reads words. It cannot read your images (before-and-after photos are prohibited outright under Meta's health standards), it cannot read your pixel and data flow, and it cannot read what your AI intake says on turn four. It is not a legal review, and it never tells you an ad is compliant.

Nothing above is a verdict. The checker shows you where your copy touches language that has already been cited in a public enforcement action. It never says an ad is compliant, because no tool that reads only words could know that.

If you want a physician-operator read of the whole campaign, book a 15-minute call.

Frequently asked questions

What happens if the FDA sends your company a warning letter?

The letter is public and permanent. It is not itself a fine. The letters FDA issued to telehealth companies on February 20, 2026 asked for a written response within fifteen working days. Ignoring a warning letter is what escalates it. Responding is a matter for your regulatory counsel, not a blog post.

Do FTC advertising rules apply if we are HIPAA-compliant?

Yes. They are different agencies applying different theories. HIPAA governs protected health information. The FTC governs whether your claims were substantiated and whether your privacy promises match your data practice. GoodRx and BetterHelp were both FTC actions, and both turned on marketing promises the growth stack did not keep.

Can a telehealth company say "FDA-approved" in its ads?

Only about a specific approved drug, accurately. Not about a compounded product, and not about your program or your service. FDA is explicit that compounded drugs are not FDA-approved and that the agency does not review their safety, effectiveness, or quality before they are marketed. Implying otherwise is the exact claim quoted in the February letters.

Is there a checklist for telehealth ad compliance?

The seven patterns above are the list, and the checker runs your copy against them. Before you submit an ad, it is also worth running the six-question check on the ad-rejection page. Neither is a legal review, and neither can see your images, your pixel, or your intake bot.