Insurance & Liability
Bottom line for this section
Insurance must explicitly contemplate that standard med-mal policies categorically exclude unapproved medications absent endorsement, that the OpenLoop Jan 2026 BAA-chain breach proves BAAs are necessary but not sufficient, and that D&O's regulatory-action exclusion means FDA enforcement defense is generally uninsured — the venture's policy stack must be layered and disclosed-not-omitted, not stitched together by an inexperienced broker.
Research
The insurance program for a telehealth peptide venture must layer five distinct coverages — physician medical malpractice, MSO/PC general liability and E&O, products liability (allocated between dispensing compounding pharmacy and prescribing PC), founder D&O, and cyber/HIPAA breach response — because no single policy covers the full risk surface and standard policies routinely exclude compounded biologics, unapproved drugs, and FDA regulatory actions. Med-mal carriers (The Doctors Company, MedPro/Berkshire, Coverys, ProAssurance/NORCAL) require explicit disclosure of compounded peptide and GLP-1 prescribing and underwrite only via specific endorsements. Products liability is the most contested layer: under the learned-intermediary doctrine the physician carries the duty to warn, but Texas (Randol Mill Pharmacy v. Miller, 2015) has treated compounding pharmacists partly as healthcare providers and partly as product manufacturers. HIPAA breach exposure is anchored by the OCR Breach Portal listing requirement at 500+ affected individuals, the 60-day individual notice deadline, and 2025 penalty tiers ranging from $145 to $2,190,294 per violation. Real-world telehealth precedents (OpenLoop Jan 2026 breach affecting 716K+ patients across 120+ downstream brands, Cerebral's 3.1M-patient OCR submission, GoodRx's $1.5M FTC fine) demonstrate that BAA chain coverage and cyber limits sized to $2-5M are not optional. D&O requires bodily-injury carve-back for securities claims given life-sciences exposure; standard regulatory-action exclusion means FDA enforcement defense is generally NOT covered.
Key facts
The HIPAA Breach Notification Rule (45 CFR 164.404) requires individual notice without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI, via first-class mail (or email with consent), in plain language.
Under 45 CFR 164.408, breaches affecting 500+ individuals must be reported to HHS Secretary contemporaneously with individual notice (no later than 60 days from discovery), while breaches affecting <500 may be reported in annual aggregate; 500+ breaches are posted publicly on the OCR Breach Portal.
2025 HIPAA civil monetary penalties (inflation-adjusted) range $145 to $2,190,294 per violation across four culpability tiers, with $2,190,294 annual cap per identical provision; OCR's enforcement discretion notice further reduces practical Tier 1-3 annual caps to $36,505 / $146,053 / $365,052.
Telehealth physician medical malpractice premiums for 2024-2026 range $5,000–$25,000 annually for physicians; major admitted telehealth-writing carriers are Medical Protective, The Doctors Company, ProAssurance/NORCAL, Coverys, CNA, PSIC, ISMIE, MAG Mutual.
The Doctors Company is one of the only medical professional liability insurers licensed for and insuring telemedicine in all 50 states; it underwrites through three entities (TDC, TDC Specialty Underwriters, TDC Insurance Services).
Medical malpractice policies categorically exclude unapproved medications and require providers to explicitly disclose all compounded peptide use during application; GLP-1 weight-loss coverage requires a specific endorsement defining covered protocols, medications, and screening requirements; omitting peptide services is grounds for policy rescission.
Tail coverage (extended reporting endorsement) for claims-made medical malpractice typically costs 150–300% of the last annual premium, paid one-time at termination; nose coverage is the alternative. MedPro Group offers free tail coverage at retirement after one year of insurance.
Under the learned intermediary doctrine, the duty to warn of prescription drug side effects rests with the prescribing physician, not the pharmacy. However, the Texas Supreme Court (Randol Mill Pharmacy v. Miller, 2015) classified compounding pharmacists as healthcare providers for dispensing-related claims while preserving products-liability theories for mishandled or defective products, creating dual exposure.
NORCAL Group (now ProAssurance) medical professional liability policies exclude liability assumed under written or oral contract, meaning typical pharmacy supply agreement indemnification clauses signed by the PC create uninsured exposure unless renegotiated.
Beazley's telemedicine/digital-health framework defines four core coverage pillars (professional liability, technology & media liability, general liability, cyber liability) plus optional regulatory and EPL endorsements, and segments telehealth insureds into three categories: providers, platform hosts (MSO profile), and software/hardware developers.
Bundled 'telehealth program' policies (Admiral Insurance Group, others) combine medical malpractice (covering bodily injury from technology solutions), Technology E&O, Media Liability, and Cyber Coverage (with HIPAA regulatory) into a single policy.
Standard D&O policies for life-sciences companies contain a bodily injury exclusion barring coverage for claims seeking compensation for physical harm from the company's products or services; the regulatory exclusion bars coverage for losses from FDA, SEC, and similar enforcement bodies. Securities-claims carve-back, Side A protection for non-indemnifiable loss, and Side A DIC policies that don't include the bodily injury exclusion are required.
Healthie auto-executes BAA at account creation (governed by Delaware law, 5 business days breach notice, HITRUST CSF R2 certified); SimplePractice signs BAA on all paid plans automatically; Doxy.me Free/Professional BAAs cover individual providers only — multi-provider organizations must move to Clinic-tier; Spruce Health includes BAA automatically; OpenLoop signs BAAs and is SOC 2 Type 1 certified.
The January 2026 OpenLoop Health breach exposed 716,000+ patients across 120+ downstream telehealth brands (attacker claims 1.6M records) in a 24-hour exfiltration of names, addresses, DOB, medical records, and prescription information from a shared backend without storage-layer or access-layer segmentation between client tenants — demonstrating that signing a BAA is necessary but not sufficient.
Pre-OpenLoop telehealth-specific HIPAA enforcement precedents include Cerebral's March 2023 OCR Breach Portal submission for 3.1 million users (data shared with Meta, Google, TikTok), the FTC's $1.5M GoodRx fine (first enforcement under Health Breach Notification Rule), and the FTC's $7.8M BetterHelp settlement; FTC HBNR is a separate framework from HIPAA that captures health apps outside HIPAA covered-entity definition.
Cyber liability guidance for healthcare practices typically recommends $2M–$5M minimum limits (vs. a $1M baseline) because HIPAA penalties of $100–$50,000 per record can consume $1M in a single event, and healthcare data breaches averaged $9.77M per incident; policies routinely include ransomware sub-limits (e.g., a $1M sub-limit under a $5M policy) and funds-transfer-fraud sub-limits.
Beazley Breach Response (BBR) for healthcare provides breach-response services for up to 5,000,000 notified individuals per policy period and a separate dedicated limit of up to $2.5M for PR/crisis management/computer expert/legal services, with HIPAA Privacy/HITECH regulatory defense coverage.
The 2025 OIG Advisory Opinion approving a telehealth MSO/PC arrangement requires the MSO management fee to be set at fair market value on arm's-length terms, without taking into account the volume or value of referrals; the same period coincides with GLP-1 manufacturer lawsuits, demonstrating that the insurance program must contemplate simultaneous regulatory and civil litigation risk.
Hims & Hers 2025 10-K disclosures explicitly warn investors that compounded drugs lack premarket FDA review, that persistent negative sentiment may trigger more frequent regulatory inquiries plus increased products liability and consumer litigation, and that FDA misleading-promotion findings 'can lead to private litigation under federal and state consumer protection and unfair trade practices laws.'
Tradeoffs
Medical malpractice policy form: claims-made vs occurrence
Claims-made
Pro:
- Lower annual premium in early years
- Standard form offered by all major med-mal carriers
- Easy to layer with additional limits
Con:
- Requires tail at termination costing 150–300% of last annual premium
- Switching carriers requires tail-from-outgoing or nose-from-incoming
- Tail cost grows over time
Occurrence
Pro:
- No tail or nose coverage needed
- Cleaner accounting and exit posture
- Better fit for long-horizon exit or sale
Con:
- 20–40% higher annual premium
- Not offered for all telemedicine specialties/states by all carriers
- Less common in telehealth book
Insurance program architecture: bundled vs standalone layered
Bundled telehealth program policy (Admiral, Beazley, Great American, Liberty Mutual)
Pro:
- Single policy combines med-mal + tech E&O + media + cyber + HIPAA regulatory
- Eliminates historical gap between traditional malpractice and tech E&O
- Single broker, single renewal
- Primary + excess limits commonly up to $5M
Con:
- Sub-limits within bundled policy may be lower than standalone equivalents
- Single point of failure if carrier exits bundle market
- Bundled forms are newer, with less claims-handling precedent
- Coverage for compounded peptides still requires carrier endorsement disclosure
Standalone layered policies
Pro:
- Each layer underwritten by a specialist (MedPro/TDC for med-mal, Beazley BBR for cyber)
- Higher individual limits available per layer
- Carrier non-renewal in one layer doesn't unwind the rest
- Allows mixing of best-in-class carriers per layer
Con:
- Higher total premium than bundled equivalent
- Multiple renewal dates, multiple brokers possible
- Coverage gaps between policies must be actively managed
- More complex claim allocation between carriers
Products liability allocation: NAI on pharmacy vs MSO/PC independent
Named-additional-insured (NAI) on the compounding pharmacy's products-liability policy
Pro:
- No separate MSO/PC premium for products coverage
- Pharmacy's policy follows the product through the dispensing chain
- Cleaner contractual story
Con:
- Coverage only as strong as the pharmacy's policy; limits, exclusions and renewal are outside MSO/PC control
- If the pharmacy non-renews or its carrier reduces limits, the MSO/PC is exposed without notice
- NAI status doesn't change indemnification language
- Med-mal policies exclude contractually-assumed liability (NORCAL specific)
MSO/PC independent products liability (Hiscox Healthcare, Embroker, Chubb)
Pro:
- Coverage entirely under MSO/PC control: limits, renewals, claims handling
- Survives pharmacy carrier exit or partner change
- Plays cleanly with a bundled telehealth program
- Allows MSO/PC to walk away from the pharmacy without an insurance gap
Con:
- Additional premium layer on top of the pharmacy's existing products coverage
- Some carriers won't write standalone products coverage for entities that don't compound
- Coordination of two products policies requires explicit other-insurance language
- Doctrinally cleaner for the pharmacy to carry primary
Recommendation
Bind the program in this order before first patient consult: (1) physician med-mal claims-made with TDC or MedPro, explicit endorsement disclosing every peptide protocol AND tail provision negotiated upfront in physician services agreement; (2) MSO E&O + Tech E&O + Cyber bundled (Admiral or Beazley digital health) at $2-5M cyber sub-limit; (3) products liability allocated via written named-additional-insured cert from compounding pharmacy partner with annual delivery confirmation, plus an independent MSO/PC products policy (Hiscox Healthcare or Embroker) as DIC layer if pharmacy carrier non-renews; (4) D&O bound with bodily-injury carve-back for securities claims and explicit acknowledgment that FDA/state-board regulatory action defense is uninsured (budget separate counsel retainer for that); (5) BAAs signed with every PHI-touching vendor (EHR, telehealth video, support tooling, payment processor if PHI flows). Never omit peptide protocols from underwriting — policy rescission renders the entire med-mal stack uninsured.
Steel-manned counter
The strongest counter: bundled telehealth program policies are designed exactly for this risk profile and reduce broker overhead, renewal coordination, and coverage-gap surface area. Admiral, Beazley digital health, and Great American write these policies specifically for telehealth MSOs; the failed-operator pattern (undisclosed peptide protocols leading to policy rescission) is a discipline problem, not an architecture problem. A founder with strong broker relationships could execute a bundled program at lower cost than the layered stack, accepting the single-carrier non-renewal risk. The risk is documentation, not architecture.
| Feature | The Doctors Company (TDC) | MedPro Group (Berkshire) | Coverys | ProAssurance / NORCAL |
|---|---|---|---|---|
| Licensed for telemedicine in all 50 states | Yes — markets itself as one of the only carriers in 50 states | Yes — broad multi-state book | Yes — written via Coverys and MHA Insurance | Yes (combined post-2021 merger) |
| Claims-made vs occurrence options | Claims-made primary; occurrence in some states | Claims-made, occurrence, AND convertible claims-made (widest range) | Claims-made primary | Claims-made primary; occurrence in select states |
| Appetite for compounded peptide / GLP-1 telehealth | Endorsement required; full disclosure; case-by-case | Endorsement required; full disclosure; case-by-case | Endorsement required; full disclosure; case-by-case | Endorsement required; full disclosure; case-by-case |
| Tail coverage policy | Standard 150–300% of last annual premium | Free tail at retirement after 1 year (unusual differentiator) | Standard 150–300% | Standard 150–300% |
| Key exclusion to read carefully | Unapproved/experimental absent endorsement; contractually-assumed | Unapproved/experimental absent endorsement; contractually-assumed | Unapproved/experimental absent endorsement; contractually-assumed | Explicit exclusion of liability assumed under written/oral contract |
| Built-in cyber/privacy sub-limit | Cyber can be added; check sub-limits | Cyber/privacy liability included up to $50K — far below standalone needs | Cyber rider available | Cyber rider available |
| Telehealth physician premium range (broker-survey) | $5K–$25K range for physicians | $5K–$25K | $5K–$25K | $5K–$25K |
Insurance + BAA execution checklist to complete BEFORE the first patient consult. Missing any item creates catastrophic uncovered exposure.
- Med-mal bound with explicit endorsement disclosing every peptide protocol and the patient-screening + monitoring requirements — omission is grounds for policy rescission
- Tail or nose coverage decision documented in the physician services agreement (who pays 150-300% of annual premium at termination, what triggers it)
- Products liability allocation specified in compounding pharmacy supply agreement: either MSO/PC named-additional-insured on pharmacy's products policy with annual cert delivery, OR MSO/PC carries independent (Hiscox Healthcare, Embroker, Chubb)
- Pharmacy supply agreement indemnification language reviewed against med-mal carrier's contractual-liability exclusion (NORCAL explicit; assume all do absent written carve-back)
- MSO general liability + Tech E&O bound (standalone via Hiscox/Embroker or bundled via Admiral / Beazley digital health / Great American telehealth program)
- Cyber/breach response policy bound at $2M–$5M minimum with explicit review of ransomware sub-limit, social engineering sub-limit, regulatory defense limit, business interruption waiting period, and notification cost sub-limit — Beazley BBR offers breach-response services for up to 5M notified individuals plus a dedicated $2.5M limit for PR/forensics/legal
- Founder D&O bound with bodily-injury carve-back for securities claims, insured-vs-insured carve-back, and explicit acknowledgment that FDA/state-board regulatory action defense is NOT covered
- BAA signed with EHR vendor (Healthie auto-execute; OpenLoop signs BAAs; Spruce auto-execute on org plans)
- BAA signed with telehealth video vendor
- BAA signed with secure messaging vendor (Spruce auto; Doxy.me Free/Professional covers individual providers only — multi-provider MSO must use Clinic-tier)
- BAA signed with customer support tooling, shipping carrier (if PHI on shipping labels), and any payment processor that touches PHI
- Breach response procedure documented: 60-day individual notice deadline (45 CFR 164.404), OCR Breach Portal submission if 500+ (45 CFR 164.408), prominent media notice if 500+ in any single state, breach counsel retained on retainer, BBR-style forensics vendor pre-selected
- Annual review of policy sub-limits, retroactive dates, OCR enforcement landscape changes, and any peptide-list changes that would require carrier re-disclosure under the endorsement
Risk matrix figure (axes: Likelihood horizontal, Impact vertical); matrix contents not reproduced in this extract.
Open questions
Things this report could not resolve. Send these to your specific advisor.
- Carrier-published premium ranges specifically for compounded-peptide telehealth at target volume tiers (500 / 2,000 / 10,000 active patients).
- Standard compounding-pharmacy supply agreement insurance/indemnification language — searched for APC model templates and Frier Levitt practice publications but found no publicly-posted contract templates.
- Whether dominant compounding pharmacies (Empower, Hallandale, Tailor Made, Olympia, Wells, Strive) publish their products-liability insurance limits or NAI-acceptance posture.
- Specific FDA-regulatory-action carve-back availability and pricing in D&O for telehealth-peptide startups.
- Whether bundled telehealth program policies (Admiral, Beazley, Great American, Liberty Mutual) will accept a compounded-peptide telehealth MSO at all, vs. requiring standalone layered policies.