Compliance-first by design

The moat is the compliance.

Prescription health is regulated — and that's exactly why brands need a partner instead of doing it themselves. Compound is built prescription-first, on infrastructure designed to pass HIPAA and SOC 2 audits, with the entity structure right from day one.

The safeguards

Built to pass diligence.

  • Prescription-only. Every product requires a licensed physician's prescription — no OTC sales of prescription molecules.
  • Licensed fulfillment. Compounding through a top-5 U.S. 503A pharmacy, for eligible formulations only.
  • HIPAA data handling. Encryption, access controls, and audit trails across the portal and back office.
  • SOC 2-oriented controls. Security program built for a Type II attestation as the platform scales.
  • BAAs everywhere. Business Associate Agreements across every partner in the data chain.
  • Governed formulary. Product list follows current FDA guidance — ineligible substances stay off the platform.

Diligence-ready

The complexity that stops brands from doing this themselves is precisely what makes the platform defensible — and hard to copy.

The structure

The friendly-PC + MSO model.

The right corporate structure keeps clinical decisions with licensed physicians and management with the platform — the same model used across established telehealth.

The physician group (PC)

A separate professional corporation employs the clinicians and owns all medical decision-making. Prescriptions are always the physician's independent clinical judgment.

The platform (MSO)

Compound operates as a management services organization — providing technology, operations, and marketing to the practice for a management fee, without practicing medicine.

Why it matters. This separation keeps the model aligned with corporate-practice-of-medicine and fee-arrangement rules, and it's structured to scale cleanly across states as the network grows.

Questions partners ask

Compliance FAQ.

Do you sell anything over the counter?
No. Every product on the platform requires a prescription written by a licensed physician after reviewing the patient's intake. We do not sell prescription molecules OTC or as "research" products.
Who holds the patient data?
Patient health information lives in Compound's HIPAA-grade portal — never on the partner brand's systems. This keeps the PHI liability off the partner's books while giving patients a secure, unified experience.
Which pharmacy fulfills orders?
Fulfillment runs through a top-5 U.S. 503A compounding pharmacy for eligible, compoundable formulations, with cold-chain shipping and automated refills.
How do you decide what's on the formulary?
The formulary is governed by current FDA guidance and physician eligibility. Products that aren't eligible for compliant compounding are not offered — full stop.
Is the platform HIPAA and SOC 2 compliant?
The architecture is built to HIPAA requirements and designed for a SOC 2 Type II attestation, with third-party audit as part of the standard onboarding and scaling roadmap.

Diligence-ready from day one

Bring your compliance questions.

We'll walk your legal and clinical stakeholders through the full architecture and entity structure.