Passing LegitScript: A Guide for TRT & Weight Loss Clinics

June 26, 2026

If you run a men's health clinic, a TRT practice, a medical weight loss program, or any telemedicine operation that touches prescription medications, there's a good chance you'll eventually need LegitScript certification. Payment processors, ad platforms like Google and Meta, and many pharmacy partners now require it before they'll work with you. Without it, you can find your merchant account frozen or your ads pulled overnight.

The problem is that the application itself is opaque until you're inside it. You don't really know what they'll ask, how deep they'll dig, or where the common snags are until you're already mid-review and scrambling to respond.

This post walks through what the process actually looks like, based on a real application from a men's health practice that made it through. The goal is simple: help you prepare before you start, so the review goes faster and you don't get caught flat-footed on the questions that trip most clinics up.

A quick note before we dig in. This is a practical guide drawn from one practice's experience, not legal or compliance advice. Regulations vary by state and change frequently, and your own situation may differ. Use this to prepare, but verify specifics with your own counsel and compliance team. 

A note on who we are: Nexamed is the top lead generation marketing agency built specifically for hormone, weight loss, and peptide clinics — the exact practices that need LegitScript certification before they can run ads on Google, Meta, and other major platforms. We've seen the certification process from the marketing side many times, which is why we put this guide together. If you've already earned your certification and you're looking for a healthcare marketing partner who knows this space inside and out, schedule a free call here.

Note: Nexamed does NOT help businesses obtain LegitScript certification.

What LegitScript Is Actually Checking

LegitScript isn't just confirming you exist. The review is built around a set of certification standards, and across the application, you'll see them cited by number. A few come up constantly:

  • Standard 5 (Affiliates & Partners) — they want proof of your relationships with pharmacies and other partners, and those partners often need to be certified too.
  • Standard 6 (Patient Services) — clarity on who you serve and how patients reach you.
  • Standard 7 (Privacy) — a HIPAA-aligned privacy policy that's actually published on your site.
  • Standard 9 (Transparency) — no claims that could mislead patients, which is where a surprising number of clinics stumble.

Keep these in mind as you read. Most of the harder questions map back to one of them.

The Application Has Two Phases

It helps to understand the shape of the process. The first section of the application is a structured questionnaire covering business model, ownership, licensing, pharmacy relationships, controlled substances, and so on. This part is mostly about establishing the facts of your operation.

Then comes the second phase, which catches people off guard: LegitScript reviews your actual website and social media and sends back specific findings. These aren't generic or automated scans. A human reviewer reads your semaglutide page, your peptide stacks, your GainsWave FAQ, your Instagram posts, everything that's public-facing. When they find something that crosses a line, they ask you to explain it or fix it. This is where the real work usually happens.

Let's go through both phases.

Phase One: The Questionnaire

Business basics and ownership

Early questions are straightforward but worth preparing in advance:

  • A short description of your business model. Be specific about what you do — consultations, the conditions you treat, telemedicine vs. in-person, and how prescriptions get dispensed.
  • A list of your principals and officers, with names and positions.
  • Whether you offer a mobile app, and whether your website is still under construction. (If your site isn't finished, expect delays. LegitScript will only certify a site in development on a preliminary basis.)

The pharmacy facilitation question

One question asks whether you're a "pharmacy broker, aggregator, or facilitator," defined as directing patients to external pharmacies or providers with whom you have a contractual relationship. Answer this carefully and honestly, because it determines a whole branch of the application. A traditional clinic that prescribes and sends to a pharmacy is different from a facilitator, and misclassifying yourself creates problems down the line.

Licensing and registration

You'll be asked to fill out a template covering your state-level business registration in every jurisdiction you operate in and serve. Have your Secretary of State registration numbers (or state tax ID/document numbers) ready for each state. For telemedicine, you'll also list the physician license number in each state where you provide care.

A useful detail from the actual instructions: the template has columns beyond a certain point intended for pharmacy-specific information. If you're a telemedicine provider and not a pharmacy, you can leave those blank. Don't waste time trying to fill in fields that don't apply to you.

Telemedicine compliance

If you practice telemedicine, you'll complete a spreadsheet documenting how you comply with the laws of each jurisdiction you serve. They want you to cite the actual laws and explain your compliance for things like:

  • Establishing the patient-practitioner relationship
  • Patient identification
  • Patient consent
  • Online prescribing
  • Medical records and HIPAA

This is one of the more labor-intensive parts. Build it jurisdiction by jurisdiction. The clinic in this example served only one state, which kept it manageable — but if you operate across many states, start this early.

You'll also be asked how patients can contact the prescribing physician. A good answer names concrete channels: an EMR message portal, an email address, the ability to call the clinic to schedule a phone consult. Vague answers invite follow-up.

Partner pharmacies

If you use a partner pharmacy to fulfill and dispense, you'll need to name each one, provide their URL, and estimate monthly prescription volume. Partner pharmacies are required to be LegitScript certified. This matters: if you're working with a pharmacy that isn't certified, it can stall your own application.

You'll also describe your vetting process for pharmacies. A strong answer covers license verification, accreditation (NABP, PCAB), USP/FDA standards, and, increasingly important, confirmation that the pharmacy is itself LegitScript-verified. The practice in this example noted they had stopped using pharmacies that weren't verified, which is exactly the direction reviewers want to see.

Controlled substances

If you prescribe, dispense, or administer controlled substances, you'll upload your DEA registration and describe how you prevent diversion. For a TRT practice, testosterone is the controlled substance in question. A solid diversion-prevention answer includes:

  • Thorough patient screening
  • Checking the state Prescription Monitoring Program (PMP)
  • Electronic prescribing of controlled substances (EPCS) to licensed pharmacies
  • Routine lab testing and follow-ups to confirm adherence
  • Secure storage and DEA-compliant tracking for any in-clinic administration
  • Patient education on proper use and legal responsibilities

Audits, legal history, and domains

A few more to prepare:

  • Any audits or inspections from the last five years (Board of Pharmacy, medical boards, FDA, DEA), including what you did in response.
  • A ten-year history of any adverse legal, disciplinary, or regulatory actions. Note how broadly this is defined — it includes lawsuits, warning letters, consent agreements, FDA Form 483s, monetary penalties over $2,000, and payment-industry fines (like Visa VIRP or Mastercard BRAM). Read the definition carefully before answering.
  • WHOIS information for each domain you're certifying. Important: it must not be privacy-protected or redacted. In practice that means turning off any registrar privacy or proxy service before you apply and waiting for the public record to update. The screenshot needs to show domain name, registrant name, organization, address, phone, and email.
  • An exhaustive list of all domains owned by your business and principals — including sites unrelated to the application.
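
Before you take the WHOIS screenshot, it is worth confirming the public record actually shows the fields listed above. The following check is an added example, not something from the page or from LegitScript: it parses plain `Key: value` WHOIS output, looks for the required registrant fields, and flags values that carry common redaction or privacy-proxy markers. The marker list and the field aliases are assumptions (registrars vary), and the two records are constructed samples under the reserved `.test` TLD.

```python
import sys

# Fields the page says must be visible in the screenshot. WHOIS key names vary
# by registrar, so each field maps to the aliases we accept (an assumption).
REQUIRED_FIELDS = {
    "Domain Name": ("domain name",),
    "Registrant Name": ("registrant name",),
    "Registrant Organization": ("registrant organization",),
    "Registrant Address": ("registrant street", "registrant address"),
    "Registrant Phone": ("registrant phone",),
    "Registrant Email": ("registrant email",),
}

# Non-exhaustive markers that registrars and privacy/proxy services put in
# place of real contact data (assumption: extend this for your own registrar).
REDACTION_MARKERS = (
    "redacted for privacy", "data redacted", "data protected",
    "withheld for privacy", "domains by proxy", "whoisguard",
    "contact privacy inc", "privacy protect", "select contact domain holder",
    "please query the rdds service", "not disclosed",
)

def parse_whois(text):
    """Parse 'Key: value' lines into a dict keyed by lowercased key.
    Comment lines are skipped; for repeated keys the first non-empty value wins."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if value and key not in record:
            record[key] = value
    return record

def check_whois(text):
    """Return {field: problem} for every required field that is missing or
    carries a redaction/proxy marker. An empty dict means the record is clean."""
    record = parse_whois(text)
    problems = {}
    for field, aliases in REQUIRED_FIELDS.items():
        value = next((record[a] for a in aliases if a in record), None)
        if value is None:
            problems[field] = "missing"
        elif any(marker in value.lower() for marker in REDACTION_MARKERS):
            problems[field] = f"redacted ({value})"
    return problems

# Constructed sample records (not real registrations).
REDACTED_SAMPLE = """\
Domain Name: EXAMPLE-CLINIC.TEST
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Domains By Proxy, LLC
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Select Contact Domain Holder link at https://registrar.test/whois
>>> Last update of WHOIS database: 2025-01-01T00:00:00Z <<<
"""

CLEAN_SAMPLE = """\
Domain Name: EXAMPLE-CLINIC.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Men's Health Clinic LLC
Registrant Street: 123 Main St, Suite 400
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: admin@example-clinic.test
"""

if __name__ == "__main__":
    # Usage: whois example-clinic.test | python3 whois_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else REDACTED_SAMPLE
    problems = check_whois(text)
    for field, problem in problems.items():
        print(f"{field}: {problem}")
    sys.exit(1 if problems else 0)
```

Pipe your registrar's `whois` output through it for each domain on your list; a non-zero exit means at least one required field is still hidden and the screenshot would be rejected. Because registrar records can take time to propagate after you disable a privacy service, rerun the check shortly before you capture the screenshot.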

Phase Two: The Website and Social Media Review

This is where applications get interesting, and where you should expect the most back-and-forth. LegitScript reviews your public-facing content and flags anything that conflicts with their standards, especially the Transparency Standard. Here are the categories that came up in this real review — and these are extremely common across men's health and weight-loss practices.

"Safe" claims on compounded medications

The clinic's semaglutide page described the compounded medication as "safe." LegitScript flagged it: compounded medications are not FDA-approved and are not subject to the same premarket testing and review as approved drugs, so a clinic has no basis for calling them safe. As the FDA puts it, the agency does not verify the safety, effectiveness, or quality of compounded drugs before they're marketed.

The fix is simple: remove the word. The clinic took "safe" off both their semaglutide and tirzepatide pages. If you have safety language anywhere on your compounded medication pages, scrub it before applying.

Compounded GLP-1s and the "essentially a copy" rules

This is the big one right now, and it's worth understanding in depth. The questions around compounded semaglutide and tirzepatide are detailed and pointed.

A few things LegitScript wants you to demonstrate:

  • That you're not marketing a compounded drug as FDA-approved, as a branded medication, or as simply a cheaper version of the brand. Per the FDA, a lower price is not sufficient to establish that a compounded drug isn't essentially a copy of the commercially available product.
  • That any additional ingredient added to a compounded GLP-1 (to qualify for the "not essentially a copy" exemption) is done only under specific provider instruction for a specific patient, not as a blanket practice.
  • How you document medical necessity for each patient, including a practitioner-documented rationale explaining why FDA-approved options are unsuitable.
  • How patient-specific documentation is securely sent to the pharmacy (typically via your EHR).
  • Your plan, given the FDA's shifting shortage determinations and compounding deadlines, to adapt your business model without interrupting patient care.

The strongest position here is one of genuine compliance: compound only when there's a real, documented, patient-specific clinical reason — like a dosage form that isn't commercially available or a documented intolerance to an ingredient in the branded product. The practice in this example described shifting their model toward exactly that kind of value-added compounding. If your GLP-1 offering is essentially "same drug, lower price," expect that to be a barrier.

Because FDA guidance on GLP-1 shortages and compounding has been changing rapidly, confirm the current status and deadlines before you respond — this is one area where last year's answer may already be outdated.

Skin-lightening glutathione

If you offer IV glutathione for skin lightening or brightening, know that multiple regulatory bodies have warned against it, and the FDA has expressed significant safety concerns, particularly for IV formulations. The clinic removed all skin-lightening and brightening language from its glutathione pages and added the standard disclaimer: these statements have not been evaluated by the FDA, and the product is not intended to diagnose, treat, cure, or prevent any disease. If you market glutathione for cosmetic skin effects, plan to remove those claims.

FDA-approval claims on procedures and devices

The clinic advertised its GainsWave offering as FDA-approved. It isn't — while a related shockwave lithotripsy system has FDA approval for a specific cardiac use, GainsWave itself does not. Claiming otherwise is misleading. The fix was removing the claim from the FAQs. Audit your site for any device or procedure described as "FDA-approved" and confirm each claim is actually true for that specific product.

Peptide "stacks" without disclosure

The peptides page advertised "stacks" without listing what was in them. LegitScript asked for a full list of every peptide offered. This is a good prompt to clean house: the clinic used the opportunity to discontinue peptides that weren't proven or approved and move toward a more legitimate wellness footing. If you sell peptide stacks, be ready to itemize every ingredient — and reconsider anything you'd be uncomfortable naming.

TRT marketed for muscle and bodybuilding

This one carries real legal weight. Some of the clinic's social posts advertised TRT for "enhanced muscle mass and strength." LegitScript flagged it and pointed to enforcement examples — including a physician who was sentenced to prison for prescribing testosterone and oxandrolone for bodybuilding purposes. Several states explicitly prohibit prescribing testosterone or anabolic steroids for muscle-building or aesthetic purposes absent genuine medical necessity.

The takeaway: never market TRT or testosterone for bodybuilding, aesthetics, or athletic performance. Frame it around diagnosed hypogonadism and medical necessity. Go through your social media and delete any post that frames testosterone as a performance or physique enhancer. The clinic found and removed a couple of such posts — and asked LegitScript to flag any others they'd missed, which is a reasonable, cooperative move.

Privacy policy that actually meets HIPAA

LegitScript checks that your published privacy policy aligns with HIPAA. It needs to spell out:

  1. How your company treats Protected Health Information (PHI) and medical records
  2. What rights patients have regarding their PHI
  3. The name and contact information of your privacy official

They'll even point you to the HHS Model Notices of Privacy Practices as a reference. Make sure a compliant policy is live and publicly accessible on your site before this comes up.

Clinical SOPs

Expect to be asked for your standard operating procedures — for example, how you test and monitor for hypogonadism, and whether you ever prescribe TRT without prior lab testing. Have a written SOP ready that covers initial consultation and history, a two-step morning testosterone testing process, a full hormonal and safety panel (CBC, LFTs, lipids, PSA), informed consent, a defined follow-up and monitoring schedule, adverse-event reporting, and records retention per your state's law. The clean answer on pre-testing is that TRT without prior lab work is contraindicated except in documented exceptional circumstances — and ideally, that you simply don't do it.

If you offer IV therapy, be ready for an even more detailed set of questions: whether components come from FDA-registered facilities, who adds ingredients and where, beyond-use dating, USP 797 compliance, ISO-certified preparation areas, recall identification processes, and your procedure for handling patient-reported adverse events after they've left the clinic. Compile this documentation in advance rather than improvising under deadline.

The Patterns Worth Internalizing

Step back from the individual questions and a few clear themes emerge. These are the things that actually determine whether your review goes smoothly.

Transparency is the recurring theme. Most website findings boil down to a claim that overstates what you can legitimately say — "safe," "FDA-approved," "cheaper than the brand," or marketing a drug for a use regulators have warned against. If you audit your own site through that lens before applying, you'll preempt a large share of the back-and-forth.

Cooperative, specific responses work better than defensive ones. Throughout this real application, the most effective replies acknowledged the issue, described the concrete fix, and invited further input ("we've removed that — let us know if you find others"). LegitScript is looking for a practice that takes compliance seriously, not one that argues every point.

Your partners are part of your application. Uncertified pharmacies, unverified relationships, and undocumented partnerships all create friction. Get your partner pharmacies' certification status confirmed and your partnership documentation in order early.

Prepare your documentation before you start. The smoothest applications are the ones where the registration numbers, license numbers, DEA registration, WHOIS screenshots, privacy policy, and SOPs already exist and just need to be uploaded. Scrambling to create these mid-review is what stretches the timeline.

A Pre-Application Checklist

Before you open the application, get these in order:

  • State business registrations and numbers for every jurisdiction you serve
  • Physician license numbers for each telemedicine state
  • DEA registration (if you handle controlled substances)
  • Confirmation that every partner pharmacy is LegitScript certified, plus partnership documentation
  • Unredacted WHOIS for every domain you're certifying
  • A complete list of every domain you and your principals own
  • A published, HIPAA-aligned privacy policy naming your privacy official
  • Written clinical SOPs (hypogonadism testing/monitoring, IV therapy if applicable)
  • A full audit of your website for "safe," "FDA-approved," cheaper-than-brand, and skin-lightening claims
  • A full audit of your social media for any TRT/testosterone-for-bodybuilding language
  • An itemized list of every peptide, supplement, and compounded medication you offer
  • Your ten-year adverse-action history, with the broad definition in mind
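
The website and social-media audits in this checklist, and the "audit your own site through that lens" advice above, are easy to do mechanically before a reviewer does it for you. The scanner below is an added example and not part of the page, LegitScript's process, or any clinic's tooling. It strips HTML to visible text and searches for the claim categories described in this post, returning a snippet for a human to judge; the regexes are assumptions that surface candidates, not a compliance decision, and the brand names in the cheaper-than-brand pattern (Ozempic, Wegovy, Mounjaro, Zepbound) go beyond what the page names. The sample pages are constructed.

```python
import re
import sys
from html.parser import HTMLParser

# Claim categories from the review findings described on this page. The
# patterns are assumptions: they find candidates for review, nothing more.
CLAIM_PATTERNS = {
    "safe_claim": re.compile(r"\bsafe\b", re.I),
    "fda_approved": re.compile(r"\bFDA[- ]approved\b", re.I),
    # Brand names here are assumptions added for the example, not from the page.
    "cheaper_than_brand": re.compile(
        r"\b(?:cheaper|less expensive|lower[- ]cost|fraction of the (?:cost|price))\b"
        r"[^.]{0,60}\b(?:brand(?:ed|[- ]name)?|ozempic|wegovy|mounjaro|zepbound)\b", re.I),
    "skin_lightening": re.compile(r"\bskin[- ](?:lighten|whiten|brighten)\w*", re.I),
    "trt_performance": re.compile(
        r"\b(?:muscle (?:mass|gain|growth)|bodybuild\w*|physique|athletic performance)\b", re.I),
    "peptide_stack": re.compile(r"\b(?:peptide )?stacks?\b", re.I),
}

class _TextExtractor(HTMLParser):
    """Collect visible text only, skipping <script> and <style> contents."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)

def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()

def audit_pages(pages, context=40):
    """pages: {url_or_path: html}. Returns one finding per regex hit, with a
    snippet of surrounding text so a reviewer can judge it in context."""
    findings = []
    for url, html in pages.items():
        text = html_to_text(html)
        for category, pattern in CLAIM_PATTERNS.items():
            for m in pattern.finditer(text):
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                findings.append({"url": url, "category": category,
                                 "match": m.group(0), "snippet": text[start:end]})
    return findings

# Constructed sample pages mirroring the findings described in this post.
SAMPLE_PAGES = {
    "/semaglutide": """<html><body><h1>Compounded Semaglutide</h1>
        <p>Our compounded semaglutide is safe and effective, and cheaper than the brand.</p>
        <script>var safe = "FDA-approved";</script></body></html>""",
    "/gainswave-faq": "<p>Is GainsWave FDA-approved? Yes, the technology is FDA-approved.</p>",
    "/glutathione": "<p>IV glutathione for skin brightening and a radiant glow.</p>",
    "/social-export": "<p>TRT for enhanced muscle mass and strength. Book today.</p>",
    "/peptides": "<p>Ask about our peptide stacks for recovery.</p>",
    "/hypogonadism": "<p>We diagnose hypogonadism with two morning labs and a safety panel.</p>",
}

if __name__ == "__main__":
    # Usage: python3 claim_audit.py saved/*.html  (defaults to the samples)
    paths = sys.argv[1:]
    pages = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths} or SAMPLE_PAGES
    for f in audit_pages(pages):
        print(f"{f['url']}  [{f['category']}]  ...{f['snippet']}...")
```

Run it over a saved copy of every public page plus a text export of your social posts, then work through the findings by hand: "safety panel" on an SOP page is fine, "safe" on a compounded-drug page is not, and the tool deliberately leaves that call to you. Note that text inside `<script>` blocks is ignored, so claims injected by a marketing widget at render time will need a rendered-page export.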

Work through that list first, and you'll walk into the application already holding answers to the questions that stop most practices. Certification is very achievable — clinics in exactly this space get approved regularly — but it rewards preparation. Go in ready, respond cooperatively, and clean up your public-facing claims before a reviewer has to ask.
