Compliance

How to Stay Compliant Selling Prescriptions Online: Payment Processors, Ad Platforms & State Rules

Payment processors, ad platforms, and state telehealth rules: the three kill-switches that shut operators down. A plain-spoken survival guide for DTC Rx and telehealth brands.

The neolife editorial desk·Published Jun 22, 2026·Updated Jul 4, 2026·13 min read

Quick answer

To legally sell prescriptions online you need: (1) LegitScript certification to keep payment processors and ad platforms live, (2) a licensed provider approving every order before it ships, (3) HIPAA-compliant data handling, and (4) state-by-state telehealth prescribing authority that matches where your patients are located.

Key takeaways

  • LegitScript certification is not optional — it is the gate that determines whether Stripe, Braintree, and major ad networks will work with you. Get it before you launch.
  • A licensed provider must approve every prescription before it ships. This is both a legal requirement and your primary liability shield. Build it into the infrastructure, not the afterthought.
  • HIPAA compliance and Rx telehealth operate separately. Meeting one does not satisfy the other. Your Shopify store cannot store PHI — your clinical layer must handle that.
  • State telehealth and prescribing rules are a moving target. Multi-state operators need ongoing legal counsel, not a one-time audit.
  • The GLP-1 compounding situation is a useful reminder that any single-category dependency is a business risk. Build for category breadth from day one.
  • Operator-owned infrastructure — your own data, your own order record — gives you a compliance audit trail that platform-dependent setups cannot provide.

To legally sell prescriptions online you need: (1) LegitScript certification to keep payment processors and ad platforms live, (2) a licensed provider approving every order before it ships, (3) HIPAA-compliant data handling, and (4) state-by-state telehealth prescribing authority that matches where your patients are located.

Most operators spend the first six months focused on product, Shopify build, and pharmacy partnerships. That is the right order — you need a product before you need compliance. But the operators who get shut down are almost always the ones who treated compliance as the last item on the list instead of the foundation.

This is the guide for operators who do not want to find out about the three main kill-switches by triggering them.


What compliance actually means for an online Rx operation

"Compliance" in DTC telehealth is not one thing. It is at least four distinct regulatory environments that overlap and interact:

  • Federal pharmacy and controlled substance law (DEA, FDA, Ryan Haight Act)
  • State telehealth and prescribing rules (one per state, all different, all changing)
  • Payment processing and financial services requirements (LegitScript, processor risk policies)
  • Ad platform policies (Google Healthcare & Medicines, Meta health advertising)
  • HIPAA (data handling, BAAs, breach notification)

Each one can shut you down independently. None of them notify you in advance.


Kill-switch #1: Payment processors

Why processors care about online Rx at all

Prescription medication sales sit in the highest-risk tier for card networks and acquiring banks. Chargebacks are higher. Regulatory exposure is real. And a processor that enables an unlicensed online pharmacy carries significant liability. As a result, most processors either prohibit online pharmacy and telehealth pharmacy operations outright, or require specific certification before onboarding.

LegitScript certification is the gate. Stripe, Braintree, Adyen, and most other major processors require LegitScript certification for any merchant operating in online pharmacy, telehealth pharmacy, or Rx-adjacent health categories. This is not negotiable and it is not a soft preference — it is written into their acceptable use policies.

What LegitScript actually checks

LegitScript is a third-party certification and monitoring company. Getting certified means they have reviewed your operation and confirmed that:

  • You require valid prescriptions for all Rx products
  • Your prescribing providers are licensed in the states where you operate
  • Your pharmacy is properly licensed and accredited
  • Your site does not make medical claims that violate FDA standards
  • You have HIPAA-compliant data handling in place

The certification process takes approximately four to eight weeks and costs around $1,500–$5,000 for initial certification plus an annual renewal fee (directional estimates — verify directly with LegitScript). It is not quick, and you cannot rush it. Factor it into your pre-launch timeline. Read the full LegitScript walkthrough here →

What happens without it

Operators who launch without LegitScript certification typically run on a processor for two to six months before a risk review flags the account. The account gets suspended, sometimes with a hold on funds in transit. Replatforming to a new processor does not solve the problem — your business type follows you. The correct answer is to get certified before you go live, not after you get shut down.

If you are already processing without certification, stop treating this as a future task. A processor suspension mid-operation is more disruptive than a delayed launch.


Kill-switch #2: Ad platforms

Google's Healthcare & Medicines policy

Google requires LegitScript certification for any advertiser promoting prescription drugs, online pharmacies, or telehealth services that prescribe Rx medications. This applies to Search, Display, Performance Max, and YouTube. The ad account approval process runs through Google's Healthcare & Medicines program — you submit your LegitScript certification as part of that application.

Without approval, your ads will not run. More precisely: they will run, briefly, and then be disapproved. If you repeatedly attempt to run disapproved ads, your account gets flagged and the appeals process is slow.

Practical sequencing: Get LegitScript first. Use your certification to apply for Google Healthcare & Medicines approval. Do not launch paid search until both are confirmed.

Meta's health advertising policies

Meta's policies on health and Rx advertising are stricter in some ways and more ambiguous in others. As of mid-2026, Meta requires LegitScript certification for prescription drug advertising on Facebook and Instagram. Additionally, Meta's health-related audience targeting restrictions limit your ability to target based on health interests — which affects how you structure your ad sets and creative.

The relevant practical constraints:

  • No targeting based on health conditions or diagnoses
  • No before/after imagery for medical treatments (explicitly prohibited)
  • Claims in ad copy are reviewed against FDA standards; off-label promotion is not permitted

Meta's ad review can also flag telehealth creative that makes implied efficacy claims, even indirect ones. Keep ad copy focused on access and convenience, not treatment outcomes.

TikTok, Pinterest, and everything else

TikTok prohibits pharmaceutical advertising in most markets and has strict health advertising policies. For most DTC Rx operators, TikTok is not a viable paid acquisition channel. Organic content is a different question — educational content about telehealth access generally is lower-risk than product advertising.

Pinterest follows similar patterns to Meta. Programmatic display networks vary — many DSPs require the same LegitScript certification.

The meta-point: every paid channel that matters requires LegitScript certification. There is no workaround.


Kill-switch #3: State telehealth and prescribing rules

The provider license problem

Your prescribing providers must be licensed in the state where each patient is physically located at the time of their consultation. Not where your business is incorporated. Not where your pharmacy is licensed. Where the patient is.

This seems obvious, but it creates a real operational constraint: your provider network needs to cover every state where you accept patients. If your platform is technically available nationwide but your provider network only covers 15 states, you either need to restrict patient acquisition geographically or turn away patients from uncovered states at intake.

Neither is a great customer experience. But prescribing across state lines without the right licensure is a legal exposure you do not want.

Controlled substances and Ryan Haight

The Ryan Haight Online Pharmacy Consumer Protection Act requires, in general, at least one in-person medical evaluation before a controlled substance can be prescribed via telemedicine. The DEA issued waivers during the COVID public health emergency that allowed remote prescribing of controlled substances without an in-person visit.

Those waivers are being wound back. The DEA has been working through a rulemaking process that would establish a special registration pathway for telemedicine prescribing of controlled substances, but as of mid-2026 the rules remain in flux.

If any of your treatment categories include controlled substances — certain weight-loss medications, sleep aids, stimulants, anxiety treatments — get current legal guidance specific to your treatment categories and patient states. This is not an area where a general compliance review from twelve months ago is sufficient.

The patchwork of state telehealth laws

Beyond controlled substances, state telehealth laws vary across several dimensions:

  • Prescribing standards: Some states require a synchronous video visit before prescribing; others permit asynchronous (store-and-forward) clinical models for specific treatment categories.
  • Informed consent requirements: Some states mandate specific written informed consent disclosures for telehealth encounters.
  • Platform registration: A small number of states impose registration or licensing requirements on telemedicine platforms themselves, not just the individual providers.
  • Pharmacist verification rules: Some state boards require pharmacies to conduct additional verification before dispensing to patients originating from telehealth platforms.

This is not a list you can research once and file away. State legislatures and medical boards update telehealth rules regularly. Multi-state operators need ongoing legal counsel with telehealth-specific expertise, not a one-time compliance audit.


HIPAA: the layer underneath everything else

What HIPAA requires and what it does not cover

HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates (anyone who handles PHI on their behalf). Your telehealth operation is almost certainly a covered entity. Your pharmacy partner is one. Your clinical software vendor is a business associate. Your billing vendor is a business associate.

Your Shopify store is not a covered entity, and Shopify does not sign HIPAA Business Associate Agreements (BAAs) for standard merchant accounts. This has a direct architectural implication: your Shopify layer cannot store or process protected health information. The clinical record — diagnosis, Rx, consultation notes, treatment history — must live in a HIPAA-compliant clinical system that signs a BAA with you.

This is one of the most common structural mistakes we see in early-stage DTC Rx builds: the operator runs everything through Shopify including order notes with clinical data, or uses Shopify customer metafields to store health information. That is a HIPAA violation waiting to become a breach notification event.

The practical architecture

The compliant architecture separates concerns cleanly:

  • Shopify handles the commerce transaction: product catalog, checkout, payment, order confirmation. No PHI.
  • Clinical layer (your telehealth platform or EHR) handles the patient intake, provider consultation, Rx issuance, and clinical record. This signs your BAA.
  • Pharmacy fulfills the order against the valid Rx. Also a covered entity with its own compliance obligations.
  • Fulfillment bridge (like neolife) connects the Shopify order to the pharmacy workflow without routing PHI through the commerce layer.

Clean data separation is not just good compliance hygiene — it is also what makes audit response manageable if something does go wrong.

Breach notification

HIPAA requires notification to affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals in a state must be reported to the HHS Secretary and prominent media outlets in that state. The penalties scale with the level of negligence, ranging from $100 to $50,000 per violation (per-incident, with annual caps).

The breach risk is not theoretical. The DTC health space has had several high-profile data incidents. A well-architected platform that keeps PHI in purpose-built clinical systems substantially reduces the attack surface.


The GLP-1 lesson: category concentration is a compliance risk

It is worth addressing the GLP-1 compounding situation directly, not because it should anchor your product strategy, but because it is the clearest recent example of what single-category dependency looks like when regulatory conditions shift.

Operators who built their entire revenue model on compounded semaglutide and tirzepatide are now navigating forced pivots. The FDA's position on compounding eligibility for those drugs has tightened, and compounded GLP-1 products that were legal to dispense in 2024 may not be legal to dispense in the same form in 2026. The operators who are fine are the ones running breadth: TRT and men's health, HRT and menopause, hair, ED, tretinoin and skin, LDN, peptides, oral weight-loss alternatives. Any one category can be disrupted; a diversified formulary absorbs it.

The same logic applies to your compliance infrastructure. If your business depends on a single payment processor, a single ad channel, or a single pharmacy partner, a disruption in any one of them can take down the whole operation. Build redundancy.


What "owning your stack" has to do with compliance

There is a compliance dimension to the build-vs-rent decision that does not get talked about enough.

If you operate through a platform that holds your patient data, your order records, and your provider relationships — and that platform decides to change its terms, exit the market, or shut down — you lose your compliance audit trail along with everything else. You cannot demonstrate to a state medical board that every prescription was reviewed by a licensed provider if the records are in a system you no longer have access to.

Operators who own their system of record — who hold the order history, the provider approval log, and the clinical record chain — are in a fundamentally different position when regulators ask questions. The audit response that says "here is every order, here is the provider who approved it, here is the timestamp" is only possible if you are the system of record.

This is not an argument against using third-party clinical platforms or pharmacy partners. It is an argument for making sure that the core compliance record — who prescribed what, for whom, when, and that a licensed provider signed off — lives in infrastructure you control. See how provider approval fits into a compliant fulfillment architecture →


Pre-launch compliance checklist (condensed)

Before you accept your first patient, confirm:

  • LegitScript certification applied for and in progress (or approved)
  • Google Healthcare & Medicines ad account approval in process
  • Meta health advertising policies reviewed; ad creative and copy approved
  • BAAs signed with all business associates that will handle PHI
  • Architecture confirmed: no PHI in Shopify; clinical data in HIPAA-compliant system
  • Provider network covers every state where you plan to accept patients
  • Controlled substance prescribing rules reviewed by telehealth counsel for your treatment categories
  • Pharmacy partner is licensed and accredited; your agreement includes appropriate representations
  • State telehealth laws reviewed for your top five patient states
  • Informed consent workflow reviewed by counsel for each state
  • Incident response plan in place for potential HIPAA breach

Download the full pre-launch checklist →


Key takeaways

  • LegitScript certification is the gate for payment processing and paid advertising. Get it before you launch, not after a shutdown.
  • A licensed provider must approve every prescription before it ships. This is both a legal requirement and your most important liability control.
  • Your Shopify store cannot store PHI. Your clinical layer handles clinical data; your commerce layer handles commerce.
  • State telehealth and prescribing rules vary and change. Multi-state operators need ongoing counsel, not a one-time audit.
  • Category concentration is a regulatory risk. Build for breadth across treatment categories.
  • Operators who own their system of record can respond to regulatory inquiries. Operators who rent their stack cannot.

Frequently asked questions

Do I need LegitScript certification to sell prescriptions online? Yes, if you want to accept cards and run paid ads. Stripe, Braintree, Adyen, and most major processors require LegitScript certification for online pharmacy and telehealth pharmacy operations. Google and Meta require it for any ads promoting prescription products. Without it, you will be de-platformed — usually without warning.

Can I use Shopify to store patient health information? No. Shopify does not sign HIPAA Business Associate Agreements for standard merchant accounts. PHI — including any data that could identify a patient alongside their health condition or treatment — must live in a HIPAA-compliant clinical system. Your Shopify layer handles the commerce transaction. Your clinical layer handles the clinical record.

Does my telehealth platform need to be licensed in every state where I have patients? Your prescribing providers must be licensed in the state where each patient is located at the time of their consultation. The platform itself does not hold a license — the providers do. This means your provider network needs state-by-state coverage that matches your patient geography. Some states also impose platform-level registration requirements.

What is the Ryan Haight Act and does it apply to my telehealth business? The Ryan Haight Act generally requires at least one in-person medical evaluation before a controlled substance can be prescribed via telemedicine. The COVID-era DEA waivers that allowed remote prescribing of controlled substances are being wound back. If your treatment categories include controlled substances, get current telehealth counsel — the rules are in flux and non-compliance carries federal exposure.

How does the GLP-1 compounding situation affect compliance planning for new operators? The FDA's position on compounded GLP-1 drugs has tightened and continues to shift. Operators who built on compounded semaglutide or tirzepatide exclusively are now managing forced pivots. The lesson: build for category breadth (TRT, HRT, hair, ED, skin, LDN, peptides) so that a single regulatory shift does not take down your entire revenue line.


This article is educational and does not constitute legal or medical advice. Telehealth and online pharmacy law varies by jurisdiction and changes frequently. Verify specifics with qualified telehealth counsel and your pharmacy partner before launch.


neolife is built for operators who want to own their stack, not rent it. If you are evaluating your compliance infrastructure — or rebuilding after a processor or ad-platform shutdown — talk to us. We can walk you through how neolife connects your Shopify storefront to your pharmacy with provider approval baked in, LegitScript-ready architecture, and your clinic as the system of record. Book a 30-minute call →

Frequently asked questions

Do I need LegitScript certification to sell prescriptions online?

Yes, if you want to accept cards and run paid ads. Stripe, Braintree, Adyen, and most major processors require LegitScript certification for online pharmacy and telehealth pharmacy operations. Google and Meta require it to run any ads for prescription products. Without it, you will be de-platformed, usually without warning.

Can I use Shopify to store patient health information?

No. Shopify is not a HIPAA Business Associate and does not sign BAAs for standard merchant accounts. Patient health information (PHI) — including any data that could identify a patient alongside their health condition or treatment — must live in a HIPAA-compliant clinical system, not your Shopify store. Your Shopify layer handles the commerce transaction; your clinical layer handles the clinical record.

Does my telehealth platform need to be licensed in every state where I have patients?

Your prescribing providers must be licensed in the state where each patient is located at the time of their consultation. The platform itself does not hold a license — the providers do. As a practical matter, this means your provider network (whether employed, contracted, or sourced through a staffing layer) needs state-by-state coverage that matches your patient geography. Some states also impose platform-level registration requirements; check with telehealth counsel.

What is the Ryan Haight Act and does it apply to my telehealth business?

The Ryan Haight Online Pharmacy Consumer Protection Act generally requires at least one in-person medical evaluation before a controlled substance can be prescribed via telemedicine. The COVID-era DEA waivers that allowed remote prescribing of controlled substances are being wound back. If any of your treatment categories include controlled substances (some weight-loss medications, certain sleep or anxiety treatments), you need specific legal guidance — the rules are in flux and non-compliance carries federal exposure.

How does the GLP-1 compounding situation affect compliance planning for new operators?

The FDA's position on compounded semaglutide and tirzepatide has shifted repeatedly and is expected to tighten further. Operators who built their entire business on compounded GLP-1 drugs are now navigating forced pivots. The lesson for new operators: build for category breadth (TRT, HRT, hair, ED, skin, LDN, peptides) rather than anchoring on any single treatment area. Compliance exposure is amplified when one regulatory decision can take down your whole revenue line.

This article is operator education, not medical, legal, or tax advice. Telehealth and pharmacy regulation vary by state and product and change frequently. Verify the specifics for your business with qualified counsel and your pharmacy partner.

Keep reading

Get early access.

Join the waitlist — referrals move you up the queue.

No spam. One email when your wave opens.