What Can You Legally Build for GLP-1 Telehealth Right Now?

Updated: March 9, 2026

On February 9, 2026, Novo Nordisk sued Hims & Hers Health. Days earlier, the FDA had already named Hims in a compounding enforcement announcement. By the next morning, a lot of founders building in this space were asking the same question: “Is GLP-1 telehealth legal in 2026, or am I exposed the same way Hims is?” That panic is understandable. It is also a great way to confuse a software problem with a drug-supply-chain problem.

Here’s the key point: if you’re building telehealth software, such as a prescribing workflow, adherence app, patient intake flow, or care coordination layer, and you are not touching compounding or dispensing, you are in a different legal position from the conduct that drew scrutiny in the Hims episode.

But that does not mean you get a free hall pass from compliance, sadly. It means your risks are different, and this guide maps them clearly.

Key Takeaways

• The Novo/Hims episode did not make GLP-1 telehealth illegal. It drew a sharper line between lawful telehealth software and platforms that get too close to compounded drug supply.
• Founders can still build valuable GLP-1 products: intake flows, prescribing workflows, adherence tools, side-effect tracking, care coordination, and EHR/pharmacy integrations. The danger starts when software begins facilitating unapproved compounded GLP-1 products.
• Most founder risk now sits in the boring stuff everyone wants to skip: state-by-state prescribing compliance, HIPAA architecture, vendor controls, truthful marketing, and clear workflow boundaries. Annoying, yes. Also the part that decides whether your platform survives contact with reality.

Table of Contents

1. What the Novo Nordisk vs. Hims Lawsuit Is Actually About
2. Am I Exposed the Same Way Hims Is?
3. What GLP-1 Telehealth Founders Can Legally Build Right Now
4. The Compounding Line — Where Telehealth Software Ends and Legal Exposure Begins
5. The Real Compliance Checklist for GLP-1 Telehealth Platforms in 2026
6. What Happens to GLP-1 Telehealth Platforms That Were Using Compounding Partners?
7. The Market Opportunity That Remains (It’s Larger Than Before)
8. Why Choose Topflight for GLP-1 Telehealth Platform Development

What the Novo Nordisk vs. Hims Lawsuit Is Actually About

Yes, you can still ask, “Can I build GLP-1 app after the Novo lawsuit?” The short answer is yes: the February 2026 fight is about compounded semaglutide and related regulatory exposure, not about telehealth software itself. In plain English, what Hims lawsuit means for health tech is this: the legal heat follows the drug product and how it is marketed, not the existence of a prescribing workflow, intake flow, or adherence app.

The Lawsuit Side

The Novo Nordisk Hims lawsuit was filed on February 9, 2026, in the U.S. District Court for the District of Delaware. Novo Nordisk, the maker of Ozempic and Wegovy, sued Hims & Hers over alleged infringement of Novo’s semaglutide patent, specifically U.S. Patent No. 8,129,343. Hims later disclosed the case in its own SEC filing and said Novo is seeking damages and an injunction tied to compounded GLP-1 products containing semaglutide offered through Hims’s digital platform.

Upd: As of March 7, 2026, Reuters reported that Novo and Hims had resolved the dispute and planned to sell obesity drugs together.

The Regulatory Side

That is the lawsuit side. The separate but closely related regulatory side is the FDA compounding enforcement wave that hit just before the suit. On February 6, 2026, the FDA said it intended to restrict GLP-1 active pharmaceutical ingredients used in non-FDA-approved compounded drugs being mass-marketed by companies, specifically naming Hims & Hers.

Although Novo and Hims later resolved their dispute, that enforcement signal still matters because it clarified where FDA was drawing the line on compounded GLP-1 marketing.

The agency’s statement was about non-approved compounded drugs being promoted as alternatives to approved products, which is a drug-compounding and drug-marketing problem, not a software-platform problem. Reuters also reported that FDA and HHS were moving against Hims over the $49 compounded semaglutide pill and that HHS referred the company to DOJ for potential violations of federal law.

Why the Shortage Context Matters

The timing matters because the old shortage-era excuse had already started evaporating. FDA determined on February 21, 2025 that the semaglutide shortage was resolved and said it would end enforcement discretion after a short transition window: until April 22, 2025 for 503A compounders and until May 22, 2025 for a 503B outsourcing facility.

Once semaglutide came off the FDA shortage list, the legal room for copycat compounding got much tighter. That is why this dispute is really about whether a compounding pharmacy model kept acting like shortage-era rules still applied. Regulators tend to get grumpy when people treat temporary exceptions like permanent business models.

The cleanest way to read this is as two related but distinct fronts. The court case is a patent dispute over semaglutide formulations: Novo’s public complaint and Hims’s SEC disclosure describe it that way. The regulatory pressure is separate: FDA’s February 6, 2026 announcement targeted the mass marketing of non-FDA-approved compounded GLP-1 drugs, and FDA had already ended semaglutide shortage-based enforcement discretion in 2025 after determining the shortage was resolved.

What This Actually Means for Health Tech Founders

That distinction matters for health tech founders. Neither the public complaint nor FDA’s announcement says telehealth platforms, prescribing workflows, patient intake tools, or adherence apps are unlawful just because they support GLP-1 care.

The exposure here follows the compounded drug product, how it is marketed, and whether the activity crosses compounding rules after semaglutide came off the FDA shortage list.

Am I Exposed the Same Way Hims Is?

No — if you are building telehealth software, you are not exposed to the same legal risk as Hims. Hims became the clearest recent example of legal and regulatory scrutiny tied to compounded GLP-1 activity, not to the existence of a telehealth platform.

The real Novo Nordisk lawsuit for telehealth founders takeaway is simple: your risk sits in compliance, clinical workflow design, and vendor architecture, not in drug compounding or patent infringement on semaglutide formulations.

That distinction matters because many founders in direct-to-consumer telehealth hear “telehealth company got sued” and assume the platform model itself is under attack. It is not. The exposure changes when a company starts touching the compounded drug itself, dispensing at scale, or operating inside drug compounding regulations rather than staying in the software lane. If your product is a

• prescribing workflow,
• patient intake system,
• async visit flow,
• care coordination app,
• or adherence layer,

you are dealing with a different risk profile altogether.

That does not mean software founders are off the hook. It means the hook is different. Your exposure usually lives in

• privacy,
• documentation,
• state-by-state care rules,
• clinical handoff design,
• and whether your product creates unsafe or misleading workflows.

That is where AI in healthcare compliance becomes a real operating issue, not a slide-deck slogan people toss around to sound expensive.

So no, you are probably not exposed the same way Hims is. But you may still have legal and operational blind spots if your architecture blurs the line between software enablement and regulated pharmacy activity.

Not sure how your platform maps to these risk categories? Topflight can review your product and flag the compliance gaps that actually matter.

What GLP-1 Telehealth Founders Can Legally Build Right Now

Yes, you can still build a GLP-1 telehealth platform legally. Based on the public Novo complaint and FDA’s February 6, 2026 announcement, the current enforcement focus is compounded GLP-1 drugs and how they are mass-marketed, not ordinary telehealth software workflows.

For a digital health startup, the safe lane is still the same boring-but-lucrative one: build the care infrastructure, not the drug supply chain.

Here are the main categories founders can still build right now:

Patient Intake and Eligibility Workflows

You can collect health history, BMI, contraindications, prior treatment history, lab intake, and payer information to determine whether a patient is even a candidate for GLP-1 care. That is workflow software, not compounding activity.

Asynchronous and Synchronous Consult Experiences

A telehealth platform that connects patients with licensed prescribers for obesity care, metabolic care, or follow-up visits is still squarely in the software/services bucket. The lawsuit and FDA announcement do not say that virtual consult infrastructure itself is unlawful.

Electronic Prescribing Tools

You can build the prescribing workflow that routes prescriptions for FDA-approved drugs to

• licensed retail,
• mail-order,
• or accredited pharmacy partners.

That includes workflows around branded semaglutide and tirzepatide products, so long as you are not sourcing or facilitating unapproved compounded versions.

Medication Adherence Products

Medication adherence apps remain fair game: refill reminders, injection logging, missed-dose prompts, coach follow-ups, and check-ins around tolerated dose escalation. This is exactly the kind of infrastructure the GLP-1 market still needs, because staying on therapy is a much bigger product problem than most founders admit out loud.

Side-Effect and Symptom Tracking

Logging nausea, GI symptoms, constipation, injection-site reactions, appetite changes, mood, energy, or escalation tolerance is still ordinary care-support software. Same for alerting a clinician when a patient reports symptoms that may require follow-up.

Weight and Metabolic Progress Dashboards

Tracking body weight, waist circumference, A1C, blood pressure, activity, and trends over time is still software infrastructure. These tools become more valuable when they are tied into care coordination rather than dumped into a lonely dashboard nobody opens after week three.

Nutrition, Behavior, and Coaching Tools

Meal logging, protein goals, hydration prompts, sleep check-ins, and behavior-change support are all still viable. This is also where conversational AI in healthcare can be useful, provided it supports education, triage, and follow-up rather than pretending to be the prescriber with a protein shake addiction.

EHR and Pharmacy Integration Layers

EHR integration via a FHIR API to pull medication history, diagnoses, labs, and visit context is still well within the normal health-tech stack. The same goes for connections to licensed dispensing pharmacies for branded drugs. Integration is infrastructure, not compounding.

What you should not build is the part that touches the compounded drug itself. Once your platform starts sourcing, compounding, white-labeling, or facilitating dispensing of unapproved compounded semaglutide or tirzepatide, you move out of the software bucket and into the exact zone FDA and Novo are fighting over. That line matters more than any UI decision, sadly.

The Compounding Line — Where Telehealth Software Ends and Legal Exposure Begins

GLP-1 compounding vs telehealth software comes down to one practical test: are you building the care workflow, or are you touching the drug supply chain? The Hims episode and recent FDA compounding enforcement actions focused on compounded GLP-1 products and how they were marketed, not on ordinary telehealth infrastructure.

If your platform stays in software, clinical routing, and patient support, you are in one bucket; once you facilitate unapproved compounded semaglutide or tirzepatide, you step into a very different one.

Safe Side of the Line (Software Activity)

You are generally on the safer side when your product handles care delivery rather than drug sourcing. That includes:

• A prescribing platform that sends prescriptions to a licensed retail or mail-order pharmacy for FDA-approved branded GLP-1s such as Ozempic, Wegovy, Mounjaro, or Zepbound
• A telehealth workflow that connects patients with licensed clinicians, supports prior authorization, and documents treatment decisions
• An adherence or follow-up app that reminds patients about doses, tracks symptoms, and supports education after a legitimate prescription is issued

Those are software and clinical operations functions. Nothing in Novo’s public complaint or FDA’s announcement suggests those activities became unlawful because of the lawsuit.

Even if your platform supports messaging, education, or care coordination, that is still different from acting like a compounding pharmacy. Your headaches here are more likely to involve privacy, clinical oversight, marketing claims, or a state medical board issue if workflows overstep clinician authority.

The Gray Zone (Requires Legal Counsel)

The gray zone starts when your platform gets too close to compounded supply without formally becoming the compounder. Common examples include:

• Referring patients to a 503B outsourcing facility for compounded semaglutide. A 503B entity is lawful under federal law, but scrutiny increased after the end of the semaglutide shortage, so partner selection, accreditation status, and product descriptions need legal review.
• Transitioning patients who previously used compounded semaglutide during the shortage period over to branded products. The transition itself is fine; the risk sits in how you communicate the change and whether your platform still blurs branded and compounded options in patient-facing language.

This is also where founders get sloppy with marketing. If your site says “semaglutide” everywhere without making clear whether you mean an FDA-approved branded drug or a compounded product, you are asking regulators to read the fine print for you. That usually ends about as well as letting legal sign off after launch.

Do Not Build (Lawsuit Exposure)

There are some patterns founders should simply avoid:

• Your own compounding operation at scale, even if you try to describe it as patient-specific or platform-enabled
• A white-labeled compounded GLP-1 offering sourced from a partner that is not clearly compliant and appropriately licensed
• Any workflow built around oral semaglutide copycat formulations or other product designs that invite patent exposure

This is where legal exposure starts to look much closer to the fact pattern that drew scrutiny in the Hims episode. Once your platform is operationally enabling unapproved compounded GLP-1 supply, you are no longer just building software. You are participating in the regulated drug side of the business.

One last point: dropping ChatGPT HIPAA compliance into a product page will not magically clean up a model that is too close to regulated drug activity. The line here is not branding. It is operational reality. If your platform routes care to licensed clinicians and approved pharmacies, you are in software territory.

If your platform starts sourcing, packaging, promoting, or operationally enabling unapproved compounded GLP-1 products, that is where software stops being software and legal exposure begins.

The Real Compliance Checklist for GLP-1 Telehealth Platforms in 2026

No, most GLP-1 founders are not exposed the same way Hims is. But yes, they still have a real compliance stack to manage: prescribing rules, HIPAA controls, software classification, and marketing claims. If you are building around GLP-1 care, this is the checklist that actually matters.

Prescribing and Clinical Compliance

Start with the part too many founders treat like an ops detail: who is actually allowed to prescribe on your platform, and where. GLP-1 drugs are prescription-only, so your clinician network has to cover every state where you serve patients, with the right licensure and prescribing authority for that jurisdiction. Federal telehealth policy is not a substitute for state law here; HHS explicitly notes that licensure and prescribing rules vary across states.

Then check whether any part of your obesity medicine workflow brings controlled substances into the picture. GLP-1s themselves are not controlled substances, but some weight-management protocols may involve other medications that are.

If that happens, the Ryan Haight Act and DEA telemedicine rules matter: DEA says a registered practitioner may prescribe Schedule II-V controlled substances via telemedicine without a prior in-person exam only if the applicable federal conditions are met, and the current temporary flexibilities run through December 31, 2026. 

You also need a clean intake-to-decision workflow. That means:

• documented informed consent for GLP-1 risks, side effects, contraindications, and any off-label use;
• a rule set for when asynchronous intake is enough and when synchronous evaluation is required;
• an auditable record showing that a licensed clinician, not the software, made the prescribing decision.

That last point matters both for liability and for FDA classification later. A workflow can assist; it should not impersonate medical judgment. 

HIPAA and Data Compliance

This is where HIPAA compliant app development stops being a slogan and starts becoming architecture. HHS says that if a cloud service provider creates, receives, maintains, or transmits ePHI on your behalf, it is a business associate and needs a HIPAA-compliant BAA, even if it stores only encrypted data and does not hold the key. The same logic extends to other PHI-handling vendors in your stack, such as

• messaging,
• storage,
• integration,
• and analytics providers.

Encryption Matters

Encryption is another place where founders love vibes and hate specifics. Under the current HIPAA Security Rule, encryption is still an addressable safeguard rather than a blanket statutory mandate in every scenario, but for a GLP-1 platform handling medication, weight, and metabolic data, encrypting data at rest and in transit is the sane baseline.

HHS’s 2025 proposed Security Rule updates would go further and expressly require encryption of ePHI at rest and in transit, which tells you where regulators think the floor should be going. 

Audit Logs and Breach Response Protocol

You also need audit logging and breach response discipline.

• Log who accessed which patient record and when.
• Know which vendors can touch protected data.
• Have a breach notification plan that is operational, not decorative

HHS says notice to the Secretary for breaches affecting 500 or more individuals must be made without unreasonable delay and no later than 60 calendar days after discovery, and business associates must notify covered entities without unreasonable delay and no later than 60 days from discovery.

Finally, make sure your privacy policy matches reality. If you collect weight trends, medication adherence data, symptom logs, or communication history, say so accurately. Regulators tend to dislike “trust us” privacy language almost as much as users do.

FDA Software Classification

Not every GLP-1 app is an FDA-regulated device. FDA’s 2026 guidance says some clinical decision support software functions can fall outside the device definition under the Cures Act, while software intended for patients or software that meets the definition of a device remains within FDA’s digital health framework.

In practice, the line is fairly intuitive. Scheduling, intake, messaging, reminders, side-effect logging, and adherence tools are generally workflow functions, not devices. The risk rises when your product starts scoring patients, recommending dose changes, or otherwise shaping clinical decisions in a way that goes beyond administrative support.

If your software is effectively recommending treatment rather than routing care, you need a serious look at whether FDA SaMD issues are in play.

FTC and Advertising Compliance

The FTC side is simpler than founders make it, which is probably why they keep messing it up. Health claims must be truthful, not misleading, and backed by competent and reliable scientific evidence, according to the FTC’s Health Products Compliance Guidance. That applies to apps, care programs, and GLP-1-related outcome claims just as much as it does to supplements or devices.

Testimonials need discipline too. FTC says dramatic outcomes that are not what users can generally expect can be deceptive, and “results not typical” is not a magic eraser; advertisers should clearly disclose the results a typical consumer can actually expect. And while the FTC’s “click-to-cancel” rule was blocked in court in 2025, that does not give subscription health platforms a free pass to hide billing terms or make cancellation needlessly difficult.

That is the real checklist. Not “Are we Hims?,” but “Are we licensed correctly, architected correctly, classified correctly, and marketed honestly?”

Topflight builds GLP-1 platforms with that reality in mind and can review your product architecture before those gaps become expensive.

What Happens to GLP-1 Telehealth Platforms That Were Using Compounding Partners?

If your platform was routing patients to compounded semaglutide during the shortage period, the answer is not “shut everything down.” The answer is: audit, transition, and clean up fast.

Since FDA declared the semaglutide shortage resolved on February 21, 2025, ended its enforcement-discretion windows in spring 2025, and then announced new action against mass-marketed non-FDA-approved GLP-1 drugs on February 6, 2026, GLP-1 telehealth startup compliance now depends on whether you are still facilitating compounded supply or enabling noncompliant GLP-1 prescribing workflows.

Here is the immediate action list:

Audit Every Pharmacy Relationship

Confirm each partner is either a properly licensed 503B outsourcing facility in good standing or a retail/mail-order pharmacy dispensing FDA-approved branded GLP-1 products. If you cannot clearly document who is dispensing what, that is already a telehealth software compliance problem, not just a vendor problem. And this points to weak controls in your broader health app development process.

Stop Routing New Patients to 503A Compounded Semaglutide

FDA said the semaglutide shortage was resolved and gave compounders only limited wind-down periods: through April 22, 2025 for state-licensed pharmacies and physicians operating under section 503A, and through May 22, 2025 for outsourcing facilities under 503B. If your workflow still treats shortage-era compounding like business as usual, that lane is closed.

Move Existing Patients to a Compliant Path

That may mean branded GLP-1 receptor agonist therapy, a legally reviewed exception path, or a different care model altogether. Frame the change as a regulatory transition affecting weight loss medication access, not as a product failure, and document the communication in the patient record.

Scrub Your Marketing Copy Now

Terms like “affordable semaglutide” or “compounded Ozempic” are exactly the kind of claims drawing FDA attention and scrutiny under FTC telehealth regulations. FDA’s February 2026 announcement targeted mass-marketed non-FDA-approved GLP-1 drugs, and FTC guidance still requires health claims to be truthful, not misleading, and backed by evidence.

Review Contracts, Consent Flows, and Data-Sharing

Recheck indemnities in pharmacy agreements, confirm each PHI-handling vendor has a business associate agreement, and make sure your handling of protected health information still matches your privacy policy and workflow. This is boring, but so is explaining the cost of AI in healthcare to a board after preventable compliance debt explodes into legal spend.

One more thing: if your clinical workflow includes telemedicine controlled substances, revisit DEA telehealth prescribing rules under the Ryan Haight Act framework too. The current federal telemedicine flexibilities for Schedule II-V prescribing run through December 31, 2026, but they do not excuse sloppy state-law compliance. 

The urgency here is real. If you are still routing patients to noncompliant compounded semaglutide after FDA’s February 6, 2026 action, this is no longer a theoretical cleanup project. Act now.

The Market Opportunity That Remains (It’s Larger Than Before)

The counterintuitive takeaway is this: the crackdown did not kill the GLP-1 telehealth opportunity. It clarified it. After the FDA ended semaglutide’s shortage status on February 21, 2025, and then increased pressure on non-FDA-approved compounded GLP-1 marketing in February and March 2026, the market began rewarding cleaner models and punishing sloppier ones.

Hims became the headline example, but even that story changed fast. As of March 7, 2026, Reuters reported that Novo Nordisk and Hims had resolved their dispute and planned to sell obesity drugs together. That does not weaken the compliance argument. It reinforces it: the market is moving toward regulated, brand-aligned distribution, not cowboy compounding.

Why the Opportunity Is Still Growing

• Demand is still expanding, with millions of Americans already using GLP-1 therapies and many more expected to enter the category.
• Novo Nordisk and Eli Lilly are both leaning into structured access models, partnerships, and employer-facing distribution.
• That makes compliant platform infrastructure more valuable across both direct-to-consumer and enterprise channels.

This is where gen AI in healthcare gets interesting: not as magic, but as operational leverage for intake, prior-auth prep, adherence support, and care coordination inside a compliant workflow.

Where AI Actually Helps

That also answers a broader question founders keep asking: How will AI help change EHR? In this category, it helps by making treatment-access workflows faster, more auditable, and easier to scale.

Founders who freeze will miss the window. Founders who build compliantly will be chasing a growing market, not a shrinking one.

Why Choose Topflight for GLP-1 Telehealth Platform Development

Topflight approaches HIPAA compliant software development like it should be approached in healthcare: as a product constraint from day one, not a cleanup project after launch. We build telehealth platforms for digital health startups, including GLP-1 adherence apps, prescribing workflows, and broader metabolic health products, with the technical and regulatory realities in view.

What that looks like in practice:

• HIPAA-ready architecture from the start: BAA-aware vendor selection, encryption, audit logging, and secure data flows
• Telehealth prescribing workflows: state-aware intake, asynchronous and synchronous consult logic, and clinician-friendly review paths
• EHR and pharmacy integration: FHIR-based connections to clinical records and licensed dispensing partners
• FDA software classification support: helping founders understand whether they are building a workflow tool, clinical decision support, or something that edges toward SaMD

The point is not just to ship fast. It is to ship something scalable without discovering six months later that the architecture, workflow, and compliance model were pulling in different directions.

The Window Is Still Open

The core lesson from this whole episode is simple: this was never a story about telehealth software becoming illegal. It was a story about what happens when drug-compounding exposure and platform economics get too cozy.

If you are building workflow infrastructure, prescribing support, adherence tools, side-effect tracking, or care coordination, the market is still there. More than that, it is getting cleaner. Founders who understand GLP-1 telehealth legal 2026 as a compliance design problem, not a panic headline, are in a much better position to build something durable.

The opportunity did not disappear. It just got less forgiving for sloppy operators.