
    DPC Compliance and Legal Requirements: What You Need to Know Before You Launch

    Freedom Healthworks Team
    Apr 2, 2026

    This Isn't Legal Advice (But It's What Your Lawyer Will Ask About)

    Before we get into specifics, a disclaimer: we're DPC practice consultants, not attorneys. Everything here is informed by our experience across 155+ practice launches in dozens of states, but you need a healthcare attorney for your specific situation.

    That said, we know exactly what questions your attorney will ask—because we've sat in those meetings hundreds of times. Here's what you need to understand before you walk in.

    Is DPC Legal in My State?

    Short answer: yes, DPC is legal everywhere in the United States. The longer answer involves nuance.

    DPC enabling legislation refers to state laws that explicitly define Direct Primary Care agreements as medical service contracts rather than insurance products. Over 40 states have enacted such legislation, providing legal clarity for physicians and patients.

    As of 2026, over 40 states have passed DPC-specific enabling legislation. These laws explicitly state that DPC membership agreements are not insurance, which means:

  1. DPC practices don't need an insurance license
  2. Membership agreements aren't regulated by state insurance commissioners
  3. Patients aren't "insured" by their DPC membership (important for coverage stacking)

    States with DPC legislation (as of early 2026) include: Alabama, Arizona, Arkansas, Colorado, Connecticut, Florida, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Mississippi, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

    States without specific legislation (but where DPC still operates legally): California, Hawaii, Illinois, Massachusetts, Minnesota, New York, Pennsylvania, Rhode Island, Vermont, and others.

    Even without specific legislation, DPC operates legally in every state. The enabling legislation just provides extra clarity and protection. If your state doesn't have a DPC law, your attorney will structure your membership agreement as a medical services contract—which is perfectly legal.

    Membership Agreement Essentials

    Your membership agreement is the legal foundation of your practice. It needs to be clear, compliant, and patient-friendly. Here's what it should cover:

    Required elements:

  1. Description of services included in the membership
  2. Monthly fee and payment terms
  3. Duration and renewal terms
  4. Cancellation policy and refund provisions
  5. Clear statement that the agreement is NOT insurance
  6. Statement that patients should maintain health insurance for services not covered
  7. HIPAA notice of privacy practices
  8. Scope of services (what's included, what's not)

    Important language:

  1. The agreement should explicitly state that DPC is not a substitute for health insurance
  2. Include a recommendation that patients maintain catastrophic or wraparound coverage
  3. Specify that the physician-patient relationship begins upon agreement execution
  4. Define how after-hours communication works

    Common mistakes:

  1. Promising "unlimited" services without defining scope
  2. Failing to address what happens if the physician is unavailable (vacation, illness)
  3. Not including a clear termination process
  4. Using insurance terminology ("coverage," "benefits," "claims") in the agreement

    HIPAA in a DPC Context

    HIPAA applies to DPC practices just like any other medical practice. You're a covered entity. Full stop.

    What's different in DPC:

  1. You likely communicate with patients via text, email, and phone more frequently. All of these channels need to be HIPAA-compliant.
  2. Patient portals through your EHR are the safest communication channel
  3. Standard SMS texting is technically not HIPAA-compliant, but many DPC physicians use it with patient consent and BAAs in place for texting platforms
  4. Email requires encryption or patient consent to receive unencrypted communications

    What you need:

  1. HIPAA privacy policies and procedures
  2. Notice of Privacy Practices (given to every patient)
  3. Business Associate Agreements (BAAs) with every vendor that handles PHI: EHR, billing platform, email service, texting service, cloud storage
  4. A designated HIPAA privacy officer (in a solo practice, that's you)
  5. Annual risk assessment
  6. Breach notification procedures

    Practical advice: Don't overcomplicate this. Use a HIPAA compliance service (they cost $200–$500/year) to generate your policies, conduct your risk assessment, and maintain documentation. This is not an area to DIY.

    Corporate Practice of Medicine

    Some states have "corporate practice of medicine" (CPOM) laws that restrict who can own a medical practice. In these states, only licensed physicians can own the practice entity—not corporations, investors, or non-physician partners.

    States with strong CPOM restrictions include California, Texas, New York, Illinois, and Ohio (among others).

    What this means for DPC:

  1. Your practice entity should be owned by a licensed physician
  2. If you're partnering with a management company (like Freedom Healthworks), the structure needs to comply with CPOM rules—typically through a management services agreement (MSA) that keeps clinical decision-making with the physician
  3. If you're considering bringing on NPs or PAs as partners, the ownership structure may need specific legal attention

    Scope Considerations for NPs and PAs

    If you plan to hire or partner with Nurse Practitioners or Physician Assistants, scope-of-practice rules vary significantly by state.

    Full practice authority states (NPs can practice independently): About 26 states plus D.C.

    Reduced or restricted practice states: Require physician oversight, collaborative agreements, or supervisory relationships.

    For DPC specifically:

  1. In full practice authority states, NPs can own and operate DPC practices independently
  2. In restricted states, you'll need a collaborative or supervisory agreement with a physician
  3. PA scope is generally more restrictive than NP scope and almost always requires physician oversight

    Practical considerations:

  1. Check your state's specific requirements for supervision ratios (e.g., physician must be available by phone vs. must be on-site)
  2. Ensure your malpractice insurance covers the specific practice arrangement
  3. Document the collaborative relationship clearly

    Malpractice Insurance for DPC

    DPC practices generally enjoy lower malpractice premiums than traditional primary care. Why? Lower patient volume, longer visits (fewer missed diagnoses), better documentation, and stronger patient relationships (patients who know their doctor are less likely to sue).

    What to know:

  1. Get a DPC-specific quote—don't assume your current policy covers a different practice model
  2. Occurrence-based policies are preferable to claims-made (you're covered for incidents during the policy period regardless of when the claim is filed)
  3. Typical DPC malpractice premiums: $4,000–$12,000/year depending on state, specialty, and coverage limits
  4. If you're leaving an employed position, you may need tail coverage for your prior employer's claims-made policy

    Your Compliance Checklist

    Before you launch, make sure you've addressed:

  1. [ ] State DPC enabling legislation reviewed
  2. [ ] Membership agreement drafted by healthcare attorney
  3. [ ] Business entity formed (LLC/PLLC)
  4. [ ] Medical license updated for new practice address
  5. [ ] DEA registration (new address)
  6. [ ] NPI for new practice
  7. [ ] HIPAA policies and procedures in place
  8. [ ] BAAs with all vendors
  9. [ ] Malpractice insurance secured
  10. [ ] General liability insurance secured
  11. [ ] Workers' compensation (if hiring staff)
  12. [ ] State and local business licenses
  13. [ ] OSHA compliance (bloodborne pathogen plan, sharps disposal)
  14. [ ] CLIA waiver (if performing in-office lab tests)

    Get the Legal Foundation Right

    Legal and compliance work isn't glamorous, but getting it right protects your practice and your patients. We connect physicians with healthcare attorneys who specialize in DPC—because a general business lawyer won't know the nuances.

    Learn more about DPC startup support or explore our partner network for vetted legal and compliance resources.
