HIPAA Compliance
Required for handling Protected Health Information (PHI) from lab results.
- ✓ BAA with AWS (hosting provider)
- ○ BAA with Neon (database) — pending migration
- ○ BAA with Labcorp/Quest — via reseller agreement
- ✓ SSL/TLS encryption on all endpoints
- ✓ Access controls (Cloudflare Access)
- ○ Audit logging for PHI access
- ○ Employee HIPAA training documentation
- ○ Incident response plan documented
FTC/FDA Compliance (Supplements)
Required for selling dietary supplements.
- ✓ FDA disclaimer on all supplement pages
- ✓ No disease treatment claims (see CMedO style guide)
- ○ Substantiation files for health claims
- ○ Adverse event reporting process
- ○ Product liability insurance
E-Commerce Legal Requirements
- ○ Terms of Service published
- ○ Privacy Policy published
- ○ Refund/Return Policy published
- ○ Cookie consent banner (GDPR/CCPA)
- ○ Accessibility statement (ADA)
- ○ DMCA agent registered
State Licensing
Lab test ordering may require state-specific compliance.
| State | Requirement | Status |
|---|---|---|
| Texas | Direct-to-consumer allowed | ✓ OK |
| New York | Physician order required | Review needed |
| New Jersey | Restrictions on some tests | Review needed |
| Rhode Island | Physician order required | Review needed |
| Other 46 states | Generally allowed | Verify each |
Business Entity
- ○ Business entity formed (LLC/Corp)
- ○ EIN obtained
- ○ State business registration (Texas)
- ○ DBA filed if needed
- ○ Business bank account
Contracts Needed
| Contract | Counterparty | Status |
|---|---|---|
| Fullscript Practitioner Agreement | Fullscript | ✓ Active |
| Lab Services Agreement | Labcorp/Quest (via reseller) | Needed |
| Payment Processing Agreement | Authorize.net | ✓ Active |
| Hosting BAA | AWS | ✓ Active |
| Contractor Agreements | India developer | Review needed |
Priority Actions
- Publish legal pages — Terms, Privacy, Refund policies
- Complete state review — NY, NJ, RI restrictions
- Neon BAA — Before migrating production data
- Business entity — Formalize before public launch