Starting a Direct Primary Care practice is exciting, but the compliance side of things can feel overwhelming when you are trying to figure out everything you need to do before you can legally open your doors and start seeing patients. The good news is that DPC compliance is not nearly as complicated as navigating the insurance-based system you are used to, because by stepping outside of fee-for-service you are actually eliminating a huge chunk of the regulatory burden that comes with billing third-party payers. That said, there are still real legal and regulatory requirements you need to get right from the beginning, and cutting corners on compliance is not a risk worth taking when your livelihood and your patients' trust are on the line.
This checklist is designed to give you a clear, actionable roadmap for every major compliance area you need to address when launching a DPC practice. It is organized roughly in the order you should tackle things, though some items will overlap and run in parallel. As always, this is educational guidance compiled from experienced DPC physicians and public community discussions, not legal advice, so make sure you work with a qualified healthcare attorney in your state for anything that has significant legal implications.
STATE DPC STATUTE AND REGULATORY FRAMEWORK
The very first thing you need to do is understand the legal landscape for DPC in your state. As of early 2026, thirty-seven states have passed some form of DPC enabling legislation, and each one is a little different in terms of what it covers and how it defines the DPC arrangement. You need to pull up your state's specific statute and read it carefully, because it will tell you critical things like whether your DPC agreement is explicitly defined as not being insurance, what disclosures you are required to include in your membership agreement, whether there are caps or guidelines on what you can charge, and what the rules are around your scope of services.
If your state does not yet have a DPC enabling statute, you can still operate a DPC practice, but you will need to be more careful about how you structure your membership agreements and how you describe what you are offering so that you do not inadvertently trigger insurance regulations. Several DPC attorneys have successfully structured practices in states without enabling legislation by making sure the agreements clearly describe a retainer for access to physician services rather than a prepaid health plan.
Your checklist for this section should include confirming whether your state has a DPC enabling statute, reading the full text of that statute and noting any specific requirements it imposes, identifying your state medical board's position on DPC if any formal guidance has been issued, and consulting a healthcare attorney who has experience with DPC in your state to review your planned practice structure.
BUSINESS ENTITY AND FORMATION
Before you do anything else on the business side, you need to form the right legal entity for your practice. For most physicians this means forming a Professional Limited Liability Company, which is called a PLLC in most states, though some states use the terms Professional Corporation or Professional Association instead. The key reason you want a PLLC rather than a regular LLC is that in most states only licensed professionals can own a professional services entity, and using the wrong entity type can create problems with your state medical board.
Your formation checklist includes choosing and registering your business entity type with your state, obtaining your federal Employer Identification Number from the IRS, registering with your state's department of revenue or taxation, obtaining any required state or local business licenses, opening a dedicated business bank account, and discussing S-Corp election timing with your CPA because this can save you a significant amount on self-employment taxes once your practice is generating meaningful income.
DPC MEMBERSHIP AGREEMENT
Your membership agreement is arguably the single most important legal document in your entire practice, because it defines the relationship between you and your patients and it is what protects both of you if a dispute ever arises. A well-drafted DPC membership agreement needs to cover a lot of ground, and you really should not try to write this from scratch yourself unless you have legal training.
The essential elements that need to be in your agreement include a clear description of what services are included in the membership and what is not included, the monthly or annual fee and your payment terms and policies, your cancellation and refund policy, an explicit statement that the agreement is not health insurance and does not replace the need for health insurance, a statement that the patient is responsible for obtaining insurance or other coverage for services outside the scope of your DPC practice, HIPAA acknowledgment and privacy practices notice, an informed consent section, and a dispute resolution clause.
If your state has a DPC enabling statute, it almost certainly has specific disclosure requirements that must be included in your membership agreement, so cross-reference your agreement against the statute's requirements before you finalize anything. Have a healthcare attorney review your agreement before you start using it.
HIPAA COMPLIANCE
HIPAA compliance is not optional, and it applies to your DPC practice just as much as it would to any other medical practice. The fact that you are not billing insurance does not by itself exempt you from HIPAA, because you are still a covered entity if you transmit health information electronically in connection with any HIPAA standard transaction, such as an electronic eligibility check or a claim submitted on a patient's behalf. Even if you manage to avoid every such transaction, your state's medical privacy and medical records laws still apply, and following HIPAA's privacy and security requirements is simply good practice that protects your patients and protects you.
Your HIPAA compliance checklist should include designating a Privacy Officer and a Security Officer for your practice, which can be the same person and is often you in a solo practice. You need to develop and document your privacy and security policies and procedures, conduct and document a Security Rule risk analysis of how protected health information flows through your practice and where it is stored, implement appropriate administrative, physical, and technical safeguards to address the risks you identified, create your Notice of Privacy Practices and make sure every patient receives a copy, establish a process for handling patient requests for access to their records, set up Business Associate Agreements with every vendor that will have access to patient data including your EMR provider and any cloud services you use, develop a breach notification policy and procedure, and train yourself and any staff members on HIPAA requirements.
One thing that catches some DPC physicians off guard is the Business Associate Agreement requirement. If you use any third-party service that creates, receives, stores, or transmits patient data on your behalf, whether that is your EMR, your messaging platform, your email service, your cloud storage, or even your answering service, you need a signed BAA with that vendor before any patient data flows to it. Most reputable healthcare technology vendors will have a standard BAA ready for you to sign, but you need to make sure you actually execute it and keep it on file. Two caveats: consumer-grade and free tiers of email, storage, and messaging products generally do not offer a BAA at all, so check that the specific plan you are on is eligible, and a vendor that only transmits data without storing or accessing it (the way an internet service provider does) is generally treated as a conduit rather than a business associate, but do not assume that exception applies to a service that holds copies of your messages or files.
MEDICARE OPT-OUT DECISION
If you plan to see any patients who are Medicare beneficiaries, which includes anyone age 65 and over plus younger people who qualify for Medicare due to disability, you need to decide whether to formally opt out of Medicare. This is one of the most discussed topics in the DPC community and the consensus among experienced DPC attorneys and physicians is that opting out is the safer path for most DPC practices.
When you opt out, you file an affidavit with your Medicare Administrative Contractor stating that you will not submit claims to Medicare for any item or service during a two-year opt-out period. You must enter into a written private contract with each Medicare beneficiary before you provide services, and the affidavit must be on file with your MAC within ten days of signing your first private contract. Those contracts must include specific language required by CMS, including that the patient understands Medicare will not pay for your services, that the patient is not signing during a time when they need emergency or urgent care, and that the patient may receive the same services from a physician who has not opted out.
Your Medicare checklist includes researching the opt-out process and requirements, consulting with a healthcare attorney about whether opting out is right for your specific situation, if opting out then preparing and filing your opt-out affidavit with your MAC, creating a compliant private contract template for Medicare beneficiary patients, setting up a system to identify Medicare beneficiaries during enrollment, and tracking your two-year renewal date. Opt-out affidavits signed on or after June 16, 2015 renew automatically every two years unless you notify your MAC in writing at least thirty days before the current period ends, so the calendar reminder is there to confirm that your status on file is what you expect and, if you ever decide to return to Medicare, to send the cancellation notice in time rather than being locked into another two-year term.
MALPRACTICE INSURANCE
You need malpractice insurance, period. Even though DPC practices tend to have fewer malpractice claims than traditional practices because of the stronger patient relationships and longer visit times, you are still practicing medicine and you still need coverage. The good news is that DPC-specific malpractice policies are often significantly cheaper than traditional policies because of the lower claims history.
Your malpractice checklist includes obtaining quotes from at least three malpractice insurers and specifically asking about DPC-specific policies or discounts, choosing between occurrence-based and claims-made coverage and understanding the difference, making sure your coverage limits meet your state's requirements and your comfort level, confirming that your policy covers telehealth services if you plan to offer them, and understanding whether you need tail coverage if you are transitioning from a previous position.
CLINICAL COMPLIANCE
Even though DPC frees you from a lot of the administrative burden of insurance-based practice, you still have clinical compliance obligations that you need to stay on top of. These include maintaining your state medical license, your DEA registration, and any separate state controlled-substance registration your state requires, keeping up with your continuing medical education requirements, following your state's prescribing regulations including any specific rules around controlled substances such as mandatory prescription drug monitoring program checks, complying with state reporting requirements for things like communicable diseases and certain injuries, and if you plan to do any point-of-care testing in your office you will need a CLIA Certificate of Waiver.
If you are going to dispense medications directly from your office, which some DPC practices do, you need to check your state's rules about physician dispensing because the regulations vary quite a bit from state to state and some states require a separate dispensing license.
ONGOING COMPLIANCE OBLIGATIONS
Compliance is not a one-time checklist that you complete before opening day and then forget about. There are ongoing obligations that you need to build into your practice operations. These include renewing your state medical license, DEA registration, CLIA waiver, and business licenses on schedule, updating your HIPAA risk analysis at least annually and whenever you change systems or vendors, reviewing and updating your policies and procedures at least once a year, maintaining your continuing medical education requirements, confirming the status of your Medicare opt-out at each two-year renewal if applicable, keeping your Business Associate Agreements current as you add or change vendors, staying informed about changes to your state's DPC statute or any new regulations that could affect your practice, and maintaining proper documentation of all compliance activities.
RECORD KEEPING
Good record keeping is the backbone of compliance, and you should set up your systems from day one so that maintaining records is as painless as possible. Keep organized copies of all your formation documents, licenses, and registrations. Maintain a file of all signed membership agreements and Medicare private contracts. Keep your HIPAA policies, risk analyses, and BAAs in an accessible location, and remember that HIPAA requires this documentation to be retained for at least six years from the date it was created or last in effect, whichever is later. Document any compliance training you complete, and keep records of any incidents or complaints and how you resolved them.
THE BOTTOM LINE
DPC compliance is genuinely more manageable than what you dealt with in the insurance-based world, but it is not something you can afford to treat casually. The physicians who run into trouble are almost always the ones who skipped the upfront work of getting their legal and regulatory foundation solid before they started seeing patients. Take the time to do this right, invest in a good healthcare attorney who understands DPC, and build compliance into your practice operations from the very beginning. Your future self will thank you for it.