Launch Readiness Compliance Checklist
A single-page audit of the DEA, HIPAA, compounding, operational, and digital obligations that must be closed before Limitless Performance Medicine accepts its first founding member.
01 · DEA & Controlled Substances
Testosterone is Schedule III; improper handling is federal exposure. Close every item before the first prescription.
- DEA Form 224 registration — confirm active, addressed to 1502 Dug Gap Rd, Dalton GA 30720, Schedule III approved.
- Georgia Controlled Substances Registration — current and matching DEA address.
- PDMP enrollment — Georgia Prescription Drug Monitoring Program account active for Dr. Hare; staff query workflow documented.
- Controlled-substance storage — locked, alarmed cabinet inside locked treatment room; access log started.
- Theft / loss reporting protocol — DEA Form 106 procedure documented; staff briefed.
- Biennial inventory schedule — first inventory date set within 2 weeks of launch.
02 · Compounding Pharmacy Relationships
Every peptide and BHRT script flows through a 503A or 503B partner. Get it in writing.
- 503A pharmacy partner — signed services agreement on file; state board accreditation current; USP <797> sterility documentation reviewed.
- 503B outsourcing facility (backup) — for high-volume IV products; FDA registration verified.
- Peptide formulary confirmation — Tesamorelin (FDA-approved GH-axis lead), BPC-157, TB-500, sermorelin / ipamorelin (per partner formulary), MOTS-c, NAD+ all stockable under current 503A regulatory posture. Document each by lot. Do not include CJC-1295 — not currently legal for 503A human compounding (May 2026); see our GH-axis brief.
- Cold-chain documentation — temperature-monitored receipt, on-site refrigeration log, excursion response SOP.
- Patient-specific prescription workflow — no office-use stock for 503A products; per-patient script audit trail in portal.
03 · HIPAA & Patient Privacy
A single uncovered vendor or missing NPP can become a six-figure penalty.
- Notice of Privacy Practices — printed, dated, posted at reception, and published at portal.emergelimitless.com/privacy.
- BAA — Netlify — Business Associate Agreement on file (Netlify offers a BAA under its Enterprise plan; verify coverage, or move the portal off Netlify if needed).
- BAA — every other PHI-touching vendor — Google Workspace (Healthcare/Enterprise), email service, telephony, fax, lab provider, payment processor, billing software.
- Risk analysis — written HIPAA Security Risk Assessment completed and on file (required by 45 CFR §164.308).
- Workforce HIPAA training — initial training delivered, attestation signed, refresher cadence set (annual minimum).
- Breach notification policy — written, accessible, with 60-day clock procedure.
- Patient access & amendment workflow — documented response time ≤ 30 days, fee schedule (or no fee) decided.
04 · Clinical Operations & SOPs
Standard operating procedures protect patients and the practice equally.
- Hormone administration SOP — TRT injection technique, site rotation, dose verification, IM vs. SubQ documented.
- NAD+ IV protocol SOP — 5 × 750 mg loading + maintenance dosing; rate, monitoring, and adverse-event response.
- Peptide reconstitution SOP — bacteriostatic water mixing, refrigeration windows, patient self-injection training.
- Informed consent forms — separate forms for TRT, BHRT, peptides (off-label disclosures), NAD+ IV, IV therapy in general.
- Emergency response — anaphylaxis kit (epi, diphenhydramine, oxygen), AED, written response protocol.
- Sharps & biohazard disposal — vendor contract active, tracking manifest filed.
- Lab ordering & CLIA-waived testing — confirm lab partner, scope of in-office testing, CLIA waiver if drawing blood in-office.
05 · Insurance, Legal & Financial
Cash-pay practice still needs the right paper.
- Medical malpractice insurance — bound, with peptide therapy and IV therapy specifically named or confirmed in writing.
- General liability + cyber liability — cyber must include HIPAA breach response.
- Entity formation & PC structure — Georgia PC compliance verified; operating agreement signed.
- Stark / anti-kickback review — any referral or co-located arrangements (e.g., with IPC) reviewed by counsel.
- Membership agreement — concierge / DPC-style agreement reviewed by Georgia healthcare attorney.
- Refund & cancellation policy — published, signed at intake.
06 · Digital, Web & Portal
The portal is a patient-facing system. Treat it like a medical device.
- SSL / HSTS — emergelimitless.com and portal.emergelimitless.com both A-grade on Qualys SSL Labs.
- Audit logging in portal — every PHI view/edit timestamped with user ID; retention ≥ 6 years.
- Multi-factor authentication — MFA enforced for staff; offered (preferred) for patients.
- Encryption at rest & in transit — TLS 1.2+ in transit; AES-256 at rest for any PHI data store.
- Backup & recovery — daily encrypted backups, restore tested, RTO/RPO documented.
- Website medical disclaimers — every clinical page has standard disclaimer; testimonials comply with FTC.
- Cookie / analytics review — no PHI in URLs, no third-party trackers loading on portal pages.
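An added example, not part of this checklist or the practice's own tooling: a small Python audit that checks a captured portal response against the items above that can be verified offline (HSTS header present with a long max-age, no third-party resources loading on the page, no PHI-like fields in the URL, session cookies carrying Secure and HttpOnly). TLS grade and at-rest encryption still need the external scan and a storage review. The domain, the PHI parameter denylist, the one-year HSTS threshold and the sample response are all constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed values for this example: the practice's own domain, a denylist of
# query-parameter names that suggest PHI is being carried in a URL, and a
# one-year HSTS max-age threshold (a common recommendation, not a page figure).
OWN_DOMAIN = "emergelimitless.com"
PHI_PARAM_NAMES = {"name", "dob", "ssn", "mrn", "email", "phone", "diagnosis", "dx"}
MIN_HSTS_MAX_AGE = 31_536_000


class _ResourceCollector(HTMLParser):
    """Collect src/href targets of script, img, iframe and link tags."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.resources.append((tag, value))


def third_party_resources(html, own_domain=OWN_DOMAIN):
    """Return (tag, host) pairs for resources served from outside our domain."""
    parser = _ResourceCollector()
    parser.feed(html)
    found = []
    for tag, target in parser.resources:
        host = urlparse(target).hostname  # None for relative paths
        if host and host != own_domain and not host.endswith("." + own_domain):
            found.append((tag, host))
    return found


def hsts_finding(headers):
    """Return a finding string if HSTS is missing or too short, else None."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "HSTS header missing"
    max_age = 0
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                pass
    if max_age < MIN_HSTS_MAX_AGE:
        return f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}"
    return None


def phi_params_in_url(url):
    """Return query-parameter names on the denylist, sorted."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in PHI_PARAM_NAMES)


def insecure_cookies(set_cookie_headers):
    """Return (cookie name, missing flags) for cookies lacking Secure/HttpOnly."""
    findings = []
    for raw in set_cookie_headers:
        name = raw.split("=", 1)[0].strip()
        flags = {a.strip().lower().split("=")[0] for a in raw.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append((name, missing))
    return findings


def audit_portal_page(url, headers, set_cookie_headers, html):
    """Combine all checks into one list of human-readable findings."""
    findings = []
    hsts = hsts_finding(headers)
    if hsts:
        findings.append(hsts)
    for tag, host in third_party_resources(html):
        findings.append(f"third-party {tag} loaded from {host}")
    for param in phi_params_in_url(url):
        findings.append(f"PHI-like query parameter in URL: {param}")
    for name, missing in insecure_cookies(set_cookie_headers):
        findings.append(f"cookie {name} missing {', '.join(missing)}")
    return findings


# Constructed sample response: a deliberately non-compliant portal page.
SAMPLE_URL = "https://portal.emergelimitless.com/labs?mrn=000123&view=panel"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=15768000; includeSubDomains",
                  "Content-Type": "text/html"}
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly",
                     "prefs=light; Path=/; Secure; HttpOnly; SameSite=Lax"]
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/tracker.js"></script>
<link rel="stylesheet" href="https://fonts.example.org/css?family=Inter">
</head><body><img src="/static/logo.png"></body></html>"""

if __name__ == "__main__":
    for line in audit_portal_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_SET_COOKIE, SAMPLE_HTML):
        print("FINDING:", line)
```

Run it against a saved response from each portal page before sign-off; every finding maps back to one checklist line, so an empty list is the condition for ticking the SSL/HSTS, cookie and analytics items.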
07 · Staff Credentialing & Training
Every person who touches the patient or the chart needs the paperwork to back it up.
- State licensure verification — every clinical staff member's GA license verified via GBC online portal.
- BLS / ACLS certifications — current for all clinical staff; expiration tracking calendar built.
- OSHA bloodborne pathogens training — annual; documented.
- OIG / SAM exclusion checks — every hire screened pre-employment, monthly thereafter.
Reviewed and Approved By
Joshua Hare, DO · Founder & Medical Director
Date
YYYY-MM-DD
Re-review Cadence
Quarterly · Next: ___________